From jra at samba.org Wed Apr 1 00:00:57 2009
From: jra at samba.org (Jeremy Allison)
Date: Wed Apr 1 00:01:11 2009
Subject: [SAMBA3] Really confused about convert_string returns
In-Reply-To: <1238541757.8333.16.camel@naomi.s4.naomi.abartlet.net>
References: <1238541757.8333.16.camel@naomi.s4.naomi.abartlet.net>
Message-ID: <20090401000057.GA21271@jeremy-desktop>

On Wed, Apr 01, 2009 at 10:22:37AM +1100, Andrew Bartlett wrote:
> While working on my failed attempt to merge the charcnv core (I still
> propose to merge the APIs), I was following the convert_string and
> convert_string_internal APIs.
>
> The use of the return value in this code is rather inconsistent, and I'm
> a little confused:
>
> Firstly, it does not seem to return -1 in the error cases (see patch).
> Even if it did, then in some other cases it has:
>
> return retval + convert_string_internal(...
>
> where retval can be an integer representing how many bytes have been
> converted in the destination charset so far, but
> convert_string_internal() can return (size_t)-1!
>
> Is it presumed that retval + (size_t)-1 will always be -1?

That's a bug, I'll take a look at it.

Jeremy.

From jra at samba.org Wed Apr 1 00:19:03 2009
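The question in the message above, worked through as an added example (not Samba code and not posted by anyone on the thread). `convert_tail()` is a hypothetical stand-in for convert_string_internal() that rejects the constructed byte 0xFF; `convert()` models the fast path with and without a check on the tail result.

```c
/* Added example, not Samba code. convert_tail() is a hypothetical stand-in
 * for convert_string_internal(); the "0xFF is invalid" rule is constructed. */
#include <stddef.h>
#include <stdio.h>

#define CONV_ERROR ((size_t)-1)

/* Slow path: copy bytes, fail on 0xFF. Returns bytes written or CONV_ERROR. */
static size_t convert_tail(const unsigned char *src, size_t slen,
                           unsigned char *dst, size_t dlen)
{
    size_t i;
    for (i = 0; i < slen && i < dlen; i++) {
        if (src[i] == 0xFF)
            return CONV_ERROR;
        dst[i] = src[i];
    }
    return i;
}

/* Fast path for 7-bit bytes; the first high-bit byte hands the remainder to
 * convert_tail(). With checked == 0 the tail result is added blindly. */
static size_t convert(const unsigned char *src, size_t slen,
                      unsigned char *dst, size_t dlen, int checked)
{
    size_t retval = 0;
    while (slen > 0 && dlen > 0) {
        if (*src & 0x80) {
            size_t ret = convert_tail(src, slen, dst, dlen);
            if (checked && ret == CONV_ERROR)
                return CONV_ERROR;
            /* Unsigned arithmetic wraps: retval + (size_t)-1 == retval - 1 */
            return retval + ret;
        }
        *dst++ = *src++;
        slen--;
        dlen--;
        retval++;
    }
    return retval;
}

/* Constructed inputs. */
static const unsigned char BAD_LATE[]  = { 'a', 'b', 'c', 0xFF };
static const unsigned char BAD_FIRST[] = { 0xFF, 'a', 'b', 'c' };
static const unsigned char GOOD[]      = { 'a', 'b', 0xE9 };

static size_t run(const unsigned char *in, size_t len, int checked)
{
    unsigned char out[16];
    return convert(in, len, out, sizeof(out), checked);
}

/* A caller that follows the documented contract only tests for (size_t)-1. */
static int caller_sees_error(size_t n)
{
    return n == CONV_ERROR;
}

int main(void)
{
    size_t n = run(BAD_LATE, sizeof(BAD_LATE), 0);
    printf("unchecked, error after 3 bytes: %zu, error seen: %d\n",
           n, caller_sees_error(n));
    n = run(BAD_FIRST, sizeof(BAD_FIRST), 0);
    printf("unchecked, error at byte 0:     error seen: %d\n",
           caller_sees_error(n));
    n = run(BAD_LATE, sizeof(BAD_LATE), 1);
    printf("checked,   error after 3 bytes: error seen: %d\n",
           caller_sees_error(n));
    return 0;
}
```

The sum equals (size_t)-1 only when retval is 0; in every other case the caller receives a plausible-looking length that is one less than the bytes already written.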
From: jra at samba.org (Jeremy Allison) Date: Wed Apr 1 00:19:15 2009 Subject: [SAMBA3] Really confused about convert_string returns In-Reply-To: <1238541757.8333.16.camel@naomi.s4.naomi.abartlet.net> References: <1238541757.8333.16.camel@naomi.s4.naomi.abartlet.net> Message-ID: <20090401001903.GB21271@jeremy-desktop> On Wed, Apr 01, 2009 at 10:22:37AM +1100, Andrew Bartlett wrote: > While working on my failed attempt to merge the charcnv core (I still > propose to merge the APIs), I was following the convert_string and > convert_string_internal APIs. > > The use of the return value in this code is rather inconsistent, and I'm > a little confused: > > Firstly, it does not seem to return -1 in the error cases (see patch). > Even if it did, then in some other cases it has: > > return retval + convert_string_internal(... > > where retval can be an integer representing how many bytes have been > converted in the the destination charset so far, but > convert_string_internal() can return (size_t)-1! > > Is it presumed that retval + (size_t)-1 will always be -1? > > Anyway, I wondered if someone might like to take a look a this. Thanks ! I think this is the correct fix (E2BIG shouldn't return (size_t)-1 as it's not a fatal error). Testing and will commit if it passes. Cheers, Jeremy. -------------- next part -------------- diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index c3b3451..03b32c1 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c @@ -242,7 +242,7 @@ static size_t convert_string_internal(charset_t from, charset_t to, DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf)); if (allow_bad_conv) goto use_as_is; - break; + return (size_t)-1; case E2BIG: reason="No more room"; if (!conv_silent) { 
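Review bot: the new `return (size_t)-1;` directly above `case E2BIG:` gives this path a different outcome from the E2BIG case that follows it, and nothing in the hunk records that. Add a line to the function comment of convert_string_internal() stating that (size_t)-1 is returned on a conversion error when allow_bad_conv is false, and a one-line comment at `case E2BIG:` saying it intentionally stays non-fatal, as the covering message explains.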
@@ -263,11 +263,12 @@ static size_t convert_string_internal(charset_t from, charset_t to, DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf)); if (allow_bad_conv) goto use_as_is; - break; + + return (size_t)-1; default: if (!conv_silent) DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",reason,inbuf)); - break; + return (size_t)-1; } /* smb_panic(reason); */ } @@ -412,7 +413,11 @@ size_t convert_string(charset_t from, charset_t to, #ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS goto general_case; #else - return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + size_t ret = convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + if (ret == (size_t)-1) { + return ret; + } + return retval + ret; #endif } } @@ -448,7 +453,11 @@ size_t convert_string(charset_t from, charset_t to, #ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS goto general_case; #else - return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + size_t ret = convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + if (ret == (size_t)-1) { + return ret; + } + return retval + ret; #endif } } @@ -484,7 +493,11 @@ size_t convert_string(charset_t from, charset_t to, #ifdef BROKEN_UNICODE_COMPOSE_CHARACTERS goto general_case; #else - return retval + convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + size_t ret = convert_string_internal(from, to, p, slen, q, dlen, allow_bad_conv); + if (ret == (size_t)-1) { + return ret; + } + return retval + ret; #endif } } From crquan at gmail.com Wed Apr 1 09:22:35 2009 
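Review bot: the same five-line check is pasted into convert_string() three times (the hunks at -412, -448 and -484), so a later change can easily fix one copy and miss the others. Move the `ret == (size_t)-1` test into one small static helper that takes retval and the convert_string_internal() arguments, or declare `ret` once at the top of the function; as written, `size_t ret` right after `#else` is a mid-block declaration if any statement precedes it in that block.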
From: crquan at gmail.com (Cheng Renquan) Date: Wed Apr 1 09:21:59 2009 Subject: [PATCH] For posix compliance: replace index with strchr Message-ID: <1238577755-9493-1-git-send-email-crquan@gmail.com> When compiled with other posix conforming libc, like uclibc, it will fail with the lack of "index" function, in fact, index is really legacy, and dropped in POSIX.1-2008 >From index(3): CONFORMING TO 4.3BSD; marked as LEGACY in POSIX.1-2001. POSIX.1-2008 removes the specifications of index() and rindex(). Signed-off-by: Cheng Renquan --- source/client/cifs.upcall.c | 4 ++-- source/registry/reg_perfcount.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/source/client/cifs.upcall.c b/source/client/cifs.upcall.c index 4110de3..2393faa 100644 --- a/source/client/cifs.upcall.c +++ b/source/client/cifs.upcall.c @@ -99,7 +99,7 @@ decode_key_description(const char *desc, int *ver, secType_t * sec, const char *tkn = desc; do { - pos = index(tkn, ';'); + pos = strchr(tkn, ';'); if (strncmp(tkn, "host=", 5) == 0) { int len; @@ -164,7 +164,7 @@ cifs_resolver(const key_serial_t key, const char *key_descr) const char *keyend = key_descr; /* skip next 4 ';' delimiters to get to description */ for (c = 1; c <= 4; c++) { - keyend = index(keyend+1, ';'); + keyend = strchr(keyend+1, ';'); if (!keyend) { syslog(LOG_WARNING, "invalid key description: %s", key_descr); diff --git a/source/registry/reg_perfcount.c b/source/registry/reg_perfcount.c index e608847..4cf8e3c 100644 --- a/source/registry/reg_perfcount.c +++ b/source/registry/reg_perfcount.c 
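Review bot: the commit message cites POSIX.1-2008 dropping both index() and rindex(), but the cifs.upcall.c hunks above, and the diffstat, only replace index(); any remaining rindex() caller would hit the same build failure on such a libc. Search the tree for rindex( and convert those calls to strrchr() in this patch, and confirm that each touched file includes <string.h>, since strchr() is declared there while index() comes from <strings.h>.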
@@ -616,14 +616,14 @@ static bool _reg_perfcount_add_counter(PERF_DATA_BLOCK *block, obj = NULL; memset(buf, 0, PERFCOUNT_MAX_LEN); memcpy(buf, data.dptr, data.dsize); - begin = index(buf, '['); - end = index(buf, ']'); + begin = strchr(buf, '['); + end = strchr(buf, ']'); if(begin == NULL || end == NULL) return False; start = begin+1; while(start < end) { - stop = index(start, ','); + stop = strchr(start, ','); if(stop == NULL) stop = end; *stop = '\0'; -- 1.6.0.6 From metze at samba.org Wed Apr 1 10:39:28 2009 
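Review bot: in _reg_perfcount_add_counter(), `strchr(buf, '[')` relies on buf being NUL-terminated, and the context lines copy data.dsize bytes into a buffer cleared to PERFCOUNT_MAX_LEN with no length check visible in the hunk. If nothing earlier in the function rejects data.dsize >= PERFCOUNT_MAX_LEN, add that check before the memcpy; the index-to-strchr rename itself is a straight substitution here.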
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Wed Apr 1 10:39:45 2009
Subject: TDB signed vs. unsigned char (was Re: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-554-gf942cb6)
In-Reply-To: <20090318224459.0B3B11CC0A0@us2.samba.org>
References: <20090318224459.0B3B11CC0A0@us2.samba.org>
Message-ID: <49D34460.2010703@samba.org>

Hi Jeremy,

> commit f942cb616e981e5370fab122969127de0910b58b
> Author: Jeremy Allison
> Date: Wed Mar 18 15:44:13 2009 -0700
>
> Fix bug #6195 - Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly.
> This is a really nasty one to fix as in order to successfully update the
> passdb.tdb we must do the equivalent of a tdbbackup to move to the new hash
> values before we do the upgrade.
> Jeremy.

Sorry, that I "introduced" the change that triggers with problems...

But it shows once again that we really need to use 'uint8_t *' instead
of 'char *' to represent raw bytes! As the same problem is there,
if we copy passdb.tdb from a machine where char is signed to a machine
where char is unsigned, while using exactly the same source on both machines.

So we should really try to get rid of all 'char *buf' pointers we have,
but as the above example shows we need to be extremely careful and add
explicit cast in the right spots in order to avoid upgrade problems.

metze

From kseeger at samba.org Wed Apr 1 13:50:25 2009
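The signed/unsigned point from the message above as an added example (not Samba or tdb code, and not posted on the thread). The multiply-by-31 hash is a stand-in, not tdb's hash function; the table, bucket count and keys are constructed. `hash_signed_char()` models a `char *` loop built where plain char is signed; `hash_u8()` is what the same loop computes where char is unsigned, and what `uint8_t *` gives on every platform.

```c
/* Added example, not Samba/tdb code. Stand-in hash (h*31 + byte), NOT tdb's;
 * the table layout, NBUCKETS and the keys are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 131u
#define MAXREC   4
#define MAXKEY   32

typedef uint32_t (*hash_fn)(const void *key, size_t len);

/* Bytes >= 0x80 are read as negative values, e.g. 0xE9 contributes -23. */
static uint32_t hash_signed_char(const void *key, size_t len)
{
    const signed char *p = key;
    uint32_t h = 0;
    size_t i;
    for (i = 0; i < len; i++)
        h = h * 31u + (uint32_t)(int32_t)p[i];
    return h;
}

/* Bytes are always 0..255, whatever the platform's plain char is. */
static uint32_t hash_u8(const void *key, size_t len)
{
    const uint8_t *p = key;
    uint32_t h = 0;
    size_t i;
    for (i = 0; i < len; i++)
        h = h * 31u + p[i];
    return h;
}

struct rec {
    uint32_t bucket;              /* chosen by the writer's hash */
    size_t klen;
    unsigned char key[MAXKEY];
};

struct db {
    struct rec recs[MAXREC];
    size_t n;
};

static int db_store(struct db *db, hash_fn h, const void *key, size_t klen)
{
    struct rec *r;
    if (db->n == MAXREC || klen > MAXKEY)
        return -1;
    r = &db->recs[db->n++];
    r->bucket = h(key, klen) % NBUCKETS;
    r->klen = klen;
    memcpy(r->key, key, klen);
    return 0;
}

/* Only the bucket the reader's hash selects is searched, as in a hash file. */
static int db_fetch(const struct db *db, hash_fn h, const void *key, size_t klen)
{
    uint32_t b = h(key, klen) % NBUCKETS;
    size_t i;
    for (i = 0; i < db->n; i++) {
        const struct rec *r = &db->recs[i];
        if (r->bucket == b && r->klen == klen && memcmp(r->key, key, klen) == 0)
            return 1;
    }
    return 0;
}

/* Write with one machine's hash, read the same bytes back with another's. */
static int lookup_after_copy(hash_fn writer, hash_fn reader,
                             const unsigned char *key, size_t klen)
{
    struct db db;
    memset(&db, 0, sizeof(db));
    if (db_store(&db, writer, key, klen) != 0)
        return -1;
    return db_fetch(&db, reader, key, klen);
}

/* Constructed keys: pure ASCII, and one Latin-1 byte (0xE9) at the end. */
static const unsigned char KEY_ASCII[]  = { 'U','S','E','R','_','a','n','n','a' };
static const unsigned char KEY_LATIN1[] = { 'U','S','E','R','_','j','o','s',0xE9 };

int main(void)
{
    printf("ASCII key, signed writer -> unsigned reader:   found=%d\n",
           lookup_after_copy(hash_signed_char, hash_u8,
                             KEY_ASCII, sizeof(KEY_ASCII)));
    printf("Latin-1 key, signed writer -> unsigned reader: found=%d\n",
           lookup_after_copy(hash_signed_char, hash_u8,
                             KEY_LATIN1, sizeof(KEY_LATIN1)));
    printf("Latin-1 key, uint8_t on both sides:            found=%d\n",
           lookup_after_copy(hash_u8, hash_u8,
                             KEY_LATIN1, sizeof(KEY_LATIN1)));
    return 0;
}
```

Keys made only of 7-bit bytes hash identically either way, which is why this class of bug can stay hidden until a record with a high-bit byte is looked up.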
From: kseeger at samba.org (Karolin Seeger)
Date: Wed Apr 1 13:50:30 2009
Subject: [Announce] Samba 3.2.10 Available for Download
Message-ID:

================================================================
"A life spent making mistakes is not only more honorable,
 but more useful than a life spent doing nothing."

George Bernard Shaw
================================================================

Release Announcements
=====================

This is a maintenance release of the Samba 3.2 series.

In Samba 3.2.9, there is an issue while migrating passdb.tdb files from
older Samba versions (e.g. 3.2.8). That causes panics of smbd child
processes until the parent smbd is restarted once after converting the
passdb.tdb file. This issue is fixed in Samba 3.2.10.
Sorry for the inconveniences!

######################################################################
Changes
#######

Changes since 3.2.9
-------------------

o Michael Adam
  * BUG #6195: Don't let smbd child processes panic.

================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA). The source code can be downloaded from:

  http://download.samba.org/samba/ftp/

The release notes are available online at:

  http://www.samba.org/samba/ftp/history/samba-3.2.10.html

Binary packages will be made available on a volunteer basis from

  http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team

From kseeger at samba.org Wed Apr 1 13:51:34 2009
From: kseeger at samba.org (Karolin Seeger)
Date: Wed Apr 1 13:51:33 2009
Subject: [Announce] Samba 3.3.3 Available for Download
Message-ID:

=================================================================
"Never refuse any advance of friendship,
 for if nine out of ten bring you nothing,
 one alone may repay you."

Madame de Tencin
=================================================================

Release Announcements
=====================

This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.3 include:

  o Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly
    (bug #6195).
  o Fix serving of files with colons to CIFS/VFS client (bug #6196).
  o Fix "map readonly" (bug #6186).

######################################################################
Changes
#######

Changes since 3.3.2:
--------------------

o Michael Adam
  * BUG 6195: Don't let smbd child processes panic.
  * Add backend_requires_messaging() method to libsmbconf.
  * Add methods is_writeable() and wrapper smbconf_is_writeable() to
    libsmbconf.
  * Fall back to file backend when no valid backend was found.
  * Fix a memleak in dbwrap_rbt.
  * Provide transaction_start|commit|cancel fns for the registry tdb.
  * Speed up "net conf drop".
  * Speed up "net conf import".
  * Add transactions to the libsmbconf API.
  * Reduce memory usage of "net conf import".
  * Registry cleanup.
  * Fix handling of SAMBA_VERSION_VENDOR_PATCH.
  * Fix build of pam_winbind.so with static linking.
  * Tidy up some convert_string_internal error cases.

o Jeremy Allison
  * BUG 6186: Fix map readonly.
  * BUG 6195: Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb
    correctly.
  * BUG 6196: Unable to serve files with colons to Linux CIFS/VFS client.
  * BUG 6224: nmbd waits 5 minutes at startup before checking if it needs
    to run elections.
  * Allow DFS client paths to work when POSIX pathnames have been selected.
  * Try and fix the build farm RAW-STREAMS errors.
  * Ensure files starting with multiple dots are hidden.

o Günther Deschner
  * BUG 6102: NetQueryDisplayInformation could return wrong information.
  * BUG 6193: Avoid messing with sync_context in libnet_samsync_delta().
  * Fix notify_printer_status_byname.
  * Fix Coverity IDs 722, 762, 774, 775, 776.

o Björn Jacke
  * Fix build on old Heimdal based systems.
  * Fix compile warning.
  * Use parentheses in if condition to make negation clear.

o Andy Kelk
  * Add dirsort module.

o Steve Langasek
  * BUG 6147: Fix detection of the GNU ld version.

o Volker Lendecke
  * BUG 6097: Fix smbd segfault.
  * BUG 6130: Don't crash in winbindd_rpc lookup_groupmem() on unmapped
    members.
  * BUG 6139: Add missing whitespace in mount.cifs error message.
  * Fix a malloc/talloc mismatch when cli_initialise() fails.
  * Fix a valgrind error.
  * Speed up "net conf list".
  * Add sorted subkey cache.
  * Use StrCaseCmp in the dirsort module.
  * Document the dirsort module.
  * Fix the build on HP/UX.
  * Disable dns_sd by default.
  * Add avahi detection to configure.
  * Add event avahi binding.
  * Use avahi to register _smb._tcp in smbd.
  * Fix two memleaks in the encryption code.
  * Fix a scary "fill_share_mode_lock failed" message.

o Derrell Lipman
  * BUG 6228: Fix SMBC_open_ctx failure due to path resolve failure
    doesn't set errno.

o Stefan Metzmacher
  * Don't use reserved words in smbconftort.
  * Fix smb signing for fragmented trans/trans2/nttrans requests.

o Tim Prouty
  * Parse_packet can return NULL which is then dereferenced in
    match_mailslot_name.

o Timur
  * Format the header check for netinet/ip.h more nicely.
  * Fix detection of netinet/ip.h on FreeBSD.

o Alexander Zagrebin
  * Missing break in conversion function prevents tdb password database
    update.

================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA). The source code can be downloaded from:

  http://download.samba.org/samba/ftp/

The release notes are available online at:

  http://www.samba.org/samba/ftp/history/samba-3.3.3.html

Binary packages will be made available on a volunteer basis from

  http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team

From jra at samba.org Wed Apr 1 15:55:48 2009
From: jra at samba.org (Jeremy Allison)
Date: Wed Apr 1 15:55:47 2009
Subject: TDB signed vs. unsigned char (was Re: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-554-gf942cb6)
In-Reply-To: <49D34460.2010703@samba.org>
References: <20090318224459.0B3B11CC0A0@us2.samba.org> <49D34460.2010703@samba.org>
Message-ID: <20090401155547.GA4406@jeremy-desktop>

On Wed, Apr 01, 2009 at 12:39:28PM +0200, Stefan (metze) Metzmacher wrote:
> Hi Jeremy,
>
> > commit f942cb616e981e5370fab122969127de0910b58b
> > Author: Jeremy Allison
> > Date: Wed Mar 18 15:44:13 2009 -0700
> >
> > Fix bug #6195 - Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly.
> > This is a really nasty one to fix as in order to successfully update the
> > passdb.tdb we must do the equivalent of a tdbbackup to move to the new hash
> > values before we do the upgrade.
> > Jeremy.
>
> Sorry, that I "introduced" the change that triggers with problems...

No problem, everyone makes mistakes (as we have seen today :-).

> But it shows once again that we really need to use 'uint8_t *' instead
> of 'char *' to represent raw bytes! As the same problem is there,
> if we copy passdb.tdb from a machine where char is signed to a machine
> where char is unsigned, while using exactly the same source on both machines.
>
> So we should really try to get rid of all 'char *buf' pointers we have,

Yeah, we should start cleaning up the code here (much of which
is extremely old of course :-).

> but as the above example shows we need to be extremely careful and add
> explicit cast in the right spots in order to avoid upgrade problems.

It's too late for that cast now, there were existing databases out there.
(I did think about doing that, but we couldn't get away with it).

Jeremy.

From metze at samba.org Wed Apr 1 16:10:40 2009
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Wed Apr 1 16:10:59 2009
Subject: TDB signed vs. unsigned char (was Re: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-554-gf942cb6)
In-Reply-To: <20090401155547.GA4406@jeremy-desktop>
References: <20090318224459.0B3B11CC0A0@us2.samba.org> <49D34460.2010703@samba.org> <20090401155547.GA4406@jeremy-desktop>
Message-ID: <49D39200.90906@samba.org>

Jeremy Allison wrote:
> On Wed, Apr 01, 2009 at 12:39:28PM +0200, Stefan (metze) Metzmacher wrote:
>> Hi Jeremy,
>>
>>> commit f942cb616e981e5370fab122969127de0910b58b
>>> Author: Jeremy Allison
>>> Date: Wed Mar 18 15:44:13 2009 -0700
>>>
>>> Fix bug #6195 - Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly.
>>> This is a really nasty one to fix as in order to successfully update the
>>> passdb.tdb we must do the equivalent of a tdbbackup to move to the new hash
>>> values before we do the upgrade.
>>> Jeremy.
>> Sorry, that I "introduced" the change that triggers with problems...
>
> No problem, everyone makes mistakes (as we have seen today :-).

:-)

>> But it shows once again that we really need to use 'uint8_t *' instead
>> of 'char *' to represent raw bytes! As the same problem is there,
>> if we copy passdb.tdb from a machine where char is signed to a machine
>> where char is unsigned, while using exactly the same source on both machines.
>>
>> So we should really try to get rid of all 'char *buf' pointers we have,
>
> Yeah, we should start cleaning up the code here (much of which
> is extremely old of course :-).
>
>> but as the above example shows we need to be extremely careful and add
>> explicit cast in the right spots in order to avoid upgrade problems.
>
> It's too late for that cast now, there were existing databases out there.
> (I did think about doing that, but we couldn't get away with it).

I mean for future code changes.

metze

From kai at samba.org Wed Apr 1 16:39:15 2009
From: kai at samba.org (Kai Blin)
Date: Wed Apr 1 16:39:28 2009
Subject: Students, get in your GSoC proposals NOW.
Message-ID: <200904011839.15458.kai@samba.org>

Hi folks,

Google has asked the mentoring orgs to remind students to submit their
applications now rather than later, so Google can plan ahead better.
You still can edit your proposals up until the deadline.

Cheers,
Kai

--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.

From metze at samba.org Wed Apr 1 18:23:13 2009
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Wed Apr 1 18:23:38 2009
Subject: Proposal: Add v3-4-test to the build farm, and revamp the build farm policy
In-Reply-To: <3B9E5D49-ED58-4FC3-9EBA-53D108229168@samba.org>
References: <8F20AD7F-09C5-45B8-9ABD-B5C28EF69010@samba.org> <1237168284.3952.218.camel@naomi.s4.naomi.abartlet.net> <49BF785A.5040203@samba.org> <7487DE6B-ECDF-40CA-836E-03E98A86E387@samba.org> <1EAB35EC-99D1-43A0-9BE2-27CED021F484@samba.org> <49C88921.2040708@samba.org> <3B9E5D49-ED58-4FC3-9EBA-53D108229168@samba.org>
Message-ID: <49D3B111.9060704@samba.org>

Tim Prouty wrote:
>
> On Mar 24, 2009, at 12:17 AM, Stefan (metze) Metzmacher wrote:
>
>> would
>>
>> samba_3_current => v3-3-test
>> samba_3_next => v3-4-test
>> samba_3_master => master
>>
>> work for you?
>
> Yep, that sounds great!

samba_3_current and samba_3_master are done, I'll wait a few days before
I add samba_3_next to the build.

I also added tree=>branch mappings to a lot of places in the web interface
and the broken build reports.

metze

From hyc at highlandsun.com Wed Apr 1 19:48:48 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Wed Apr 1 19:49:07 2009
Subject: tdb API issues
Message-ID: <49D3C520.3020202@highlandsun.com>

Unfortunately we still have a problem in incorporating tdb into a slapd
backend - slapd is threaded, and tdb->ecode is shared state. I had intended to
wrap tdb calls inside a reader/writer lock but if multiple readers encounter
errors, tdb->ecode will be overwritten and that will make proper error
handling impossible.

A number of suggestions were made on IRC, but all of them involve fairly
invasive changes to the tdb code.

1) use thread-specific-data (TSD) for tdb->ecode. This is probably the most
transparent change, but imposes a direct dependency on pthreads in the tdb
library. (And it introduces Windows compatibility issues; a different set of
TSD APIs will be needed for various other platforms as well.)

2) rewrite the tdb APIs to return their actual error code instead of just
0 / -1 success/fail status. No platform dependency issues, but a drastic
impact on the API.

3) introduce a second set of APIs (tdb_foo_r) that parallels the existing API
but stores the error code in a new function argument. Somewhat less impact on
the API. (All of the existing APIs would then be reimplemented as wrappers
around the _r functions.)

All of these choices will require touching all of the tdb source files. Even
with (3), leaving as much of the exported API unchanged as possible, things
like the log_fn callback will still need to be changed.

At this point I'm stopped until we decide which way forward.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From tridge at samba.org Wed Apr 1 23:33:50 2009
From: tridge at samba.org (tridge@samba.org)
Date: Wed Apr 1 23:34:23 2009
Subject: tdb API issues
In-Reply-To: <49D3C520.3020202@highlandsun.com>
References: <49D3C520.3020202@highlandsun.com>
Message-ID: <18899.63966.786033.179358@samba.org>

Hi Howard,

The error code isn't the only place where tdb doesn't mix well with
threads. Things like tdb_traverse() involve state in the tdb context,
and all the tdb_lock primitives would affect the whole process, not
just a thread.

The same goes for the transaction code. For a threaded environment,
you'd like it if it worked so that when thread1 was in a transaction,
that thread2 would be blocked in writes, and reads would see the
pre-transaction data (this is what happens with two processes in tdb).

If you can arrange it so that each thread has its own tdb context then
life will be much simpler. That gives you a separate ecode per thread
as well. The problem is that you'll probably need to use some other
locking mechanism than fcntl locks, so you'll need to offer a hook
that abstracts away the locking primitives. Trying to make this work
so that tdb operations can also be performed safely by other processes
on the same tdb that is being used by your threaded task will be
interesting (I think it's possible, just a bit tricky).

tdb and threads certainly isn't easy :-)

Cheers, Tridge

From hyc at highlandsun.com Thu Apr 2 00:20:55 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Thu Apr 2 00:21:12 2009
Subject: tdb API issues
In-Reply-To: <18899.63966.786033.179358@samba.org>
References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org>
Message-ID: <49D404E7.6080404@highlandsun.com>

tridge@samba.org wrote:
> Hi Howard,
>
> The error code isn't the only place where tdb doesn't mix well with
> threads. Things like tdb_traverse() involve state in the tdb context,

Ah, I wasn't planning to use tdb_traverse() so I hadn't even looked at that.
It would probably require splitting the traverse state out of the tdb_context
and into its own dynamically allocated cursor struct.

> and all the tdb_lock primitives would affect the whole process, not
> just a thread.

I didn't expect this would be a problem since normally only one slapd process
accesses a DB at a time. (With the exception that slapcat is allowed read-only
access.) I figured using a rdwr lock to control calls into tdb should be
sufficient. Did I miss something?

> The same goes for the transaction code. For a threaded environment,
> you'd like it if it worked so that when thread1 was in a transaction,
> that thread2 would be blocked in writes, and reads would see the
> pre-transaction data (this is what happens with two processes in tdb).

Yes, I was thinking that we'd be getting dirty reads when I looked at this
code; I'd forgotten that it was protecting against other processes and not
other threads. So we'd need a way to make sure only the thread that invoked
the transaction used transaction_read(), while all the other threads still
fell into the default tdb_read(). Sounds like we need an actual transaction
handle as well, instead of just leaving all this in the tdb_context.

> If you can arrange it so that each thread has its own tdb context then
> life will be much simpler. That gives you a separate ecode per thread
> as well. The problem is that you'll probably need to use some other
> locking mechanism than fcntl locks, so you'll need to offer a hook
> that abstracts away the locking primitives. Trying to make this work
> so that tdb operations can also be performed safely by other processes
> on the same tdb that is being used by your threaded task will be
> interesting (I think it's possible, just a bit tricky).

I'd thought of that at first, but it seems that a separate context per thread
would also multiply the address space consumed per DB, since they would each
have their own complete mmap of the data. Doesn't sound too practical.

Yeah, coordinating the fcntl locks across multiple tdb_context's would also be
a pain. Pretty sure that splitting to a separate context per thread is the
wrong level of granularity... ;)

> tdb and threads certainly isn't easy :-)
>
> Cheers, Tridge
>

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

From idra at samba.org Thu Apr 2 01:04:43 2009
From: idra at samba.org (simo)
Date: Thu Apr 2 01:04:16 2009
Subject: tdb API issues
In-Reply-To: <49D404E7.6080404@highlandsun.com>
References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com>
Message-ID: <1238634283.7649.13.camel@pico.li.ssimo.org>

On Wed, 2009-04-01 at 17:20 -0700, Howard Chu wrote:
> I'd thought of that at first, but it seems that a separate context per
> thread would also multiply the address space consumed per DB, since they
> would each have their own complete mmap of the data. Doesn't sound too
> practical.

You should be able to change the tdb_context init code so that all
contexts will actually use the same mmap space.
You must open the file just once anyway otherwise you lose all locks if
any thread closes the file.

> Yeah, coordinating the fcntl locks across multiple tdb_context's would
> also be a pain.

It would require careful thought, but given you already need to make
threads talk to each other to make internal process locking it shouldn't
be that bad.

> Pretty sure that splitting to a separate context per thread is the
> wrong level of granularity... ;)

To be honest, I think Tridge is right in proposing to have a context per
thread. It's probably a very good way to achieve what's needed without
having to change the API (may require linking in pthreads), or with
minimal additions (additional API used just by threaded processes to set
up per thread access).

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
Principal Software Engineer at Red Hat, Inc.

From jra at samba.org Thu Apr 2 03:17:25 2009
From: jra at samba.org (Jeremy Allison) Date: Thu Apr 2 03:17:26 2009 Subject: tdbsam: RID/SID change issue + patch In-Reply-To: References: Message-ID: <20090402031725.GB19307@jeremy-desktop> On Wed, Mar 18, 2009 at 08:44:51PM +0300, Alexander Zagrebin wrote: > I'm using samba 3.3.2 > I have found, that, when using tdbsam, pdbedit refuses to change account's > rid/sid. > > # pdbedit -U 3000 -u test > Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL! > Unable to modify entry! > > Suppose we have changed RID from to . > When updating account information with changed RID, pdbedit tries to update > key USER_ and > key RID_. But passdb.tdb contains RID_, but not > RID_. > That's a source of above described error. > So instead of updating RID_ pdbedit have to delete RID_ > and add > RID_. > > The attached patch resolves this issue. I modified this some to fit our current coding standards (and fix a couple of memory leaks on error paths). This is what I've committed to all trees. Thanks a *lot* for the fix ! Jeremy. -------------- next part -------------- diff --git a/source/passdb/pdb_tdb.c b/source/passdb/pdb_tdb.c index 73814ef..b35d209 100644 --- a/source/passdb/pdb_tdb.c +++ b/source/passdb/pdb_tdb.c @@ -817,12 +817,17 @@ static bool tdb_update_ridrec_only( struct samu* newpwd, int flag ) static bool tdb_update_sam(struct pdb_methods *my_methods, struct samu* newpwd, int flag) { - if (!pdb_get_user_rid(newpwd)) { + uint32_t oldrid; + uint32_t newrid; + + if (!(newrid = pdb_get_user_rid(newpwd))) { DEBUG(0,("tdb_update_sam: struct samu (%s) with no RID!\n", pdb_get_username(newpwd))); return False; } + oldrid = newrid; + /* open the database */ if ( !tdbsam_open( tdbsam_filename ) ) { 
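Review bot: `if (!(newrid = pdb_get_user_rid(newpwd)))` in tdb_update_sam() puts an assignment inside the condition, which is easy to misread as a comparison. Assign on its own line (`newrid = pdb_get_user_rid(newpwd);`) and test `newrid == 0` after it, and add a short comment at `oldrid = newrid;` saying it is only a default that the TDB_MODIFY path replaces.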
@@ -835,11 +840,60 @@ static bool tdb_update_sam(struct pdb_methods *my_methods, struct samu* newpwd, return false; } - if (!tdb_update_samacct_only(newpwd, flag) - || !tdb_update_ridrec_only(newpwd, flag)) { + /* If we are updating, we may be changing this users RID. Retrieve the old RID + so we can check. */ + + if (flag == TDB_MODIFY) { + struct samu *account = samu_new(talloc_tos()); + if (account == NULL) { + DEBUG(0,("tdb_update_sam: samu_new() failed\n")); + goto cancel; + } + if (!NT_STATUS_IS_OK(tdbsam_getsampwnam(my_methods, account, pdb_get_username(newpwd)))) { + DEBUG(0,("tdb_update_sam: tdbsam_getsampwnam() for %s failed\n", + pdb_get_username(newpwd))); + TALLOC_FREE(account); + goto cancel; + } + if (!(oldrid = pdb_get_user_rid(account))) { + DEBUG(0,("tdb_update_sam: pdb_get_user_rid() failed\n")); + TALLOC_FREE(account); + goto cancel; + } + TALLOC_FREE(account); + } + + /* Update the new samu entry. */ + if (!tdb_update_samacct_only(newpwd, flag)) { goto cancel; } + /* Now take care of the case where the RID changed. We need + * to delete the old RID key and add the new. */ + + if (flag == TDB_MODIFY && newrid != oldrid) { + fstring keystr; + + /* Delete old RID key */ + DEBUG(10, ("tdb_update_sam: Deleting key for RID %u\n", oldrid)); + slprintf(keystr, sizeof(keystr) - 1, "%s%.8x", RIDPREFIX, oldrid); + if (!NT_STATUS_IS_OK(dbwrap_delete_bystring(db_sam, keystr))) { + DEBUG(0, ("tdb_update_sam: Can't delete %s\n", keystr)); + goto cancel; + } + /* Insert new RID key */ + DEBUG(10, ("tdb_update_sam: Inserting key for RID %u\n", newrid)); + if (!tdb_update_ridrec_only(newpwd, TDB_INSERT)) { + goto cancel; + } + } else { + DEBUG(10, ("tdb_update_sam: %s key for RID %u\n", + flag == TDB_MODIFY ? 
"Updating" : "Inserting", newrid)); + if (!tdb_update_ridrec_only(newpwd, flag)) { + goto cancel; + } + } + if (db_sam->transaction_commit(db_sam) != 0) { DEBUG(0, ("Could not commit transaction\n")); return false; From tridge at samba.org Thu Apr 2 02:06:08 2009 From: tridge at samba.org (tridge@samba.org) Date: Thu Apr 2 04:29:51 2009 Subject: tdb API issues In-Reply-To: <49D404E7.6080404@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> Message-ID: <18900.7568.707088.229101@samba.org> Hi Howard, > I'd thought of that at first, but it seems that a separate context per thread > would also multiply the address space consumed per DB, since they would each > have their own complete mmap of the data. Doesn't sound too practical. It would multiply the virtual address space used, but not the physical memory used. Do you think thats really a problem? How many threads do you have? It might also be possible to have a common virtual address space. To do that we'd break up the tdb_context structure into per-thread and per-process parts, and put the mapped pointers in the per-process part. It would require some thought to make sure this is safe, but at first glance I think its doable. Cheers, Tridge From karthikeyan.chetty at wipro.com Thu Apr 2 05:12:10 2009 
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Thu Apr 2 05:38:14 2009 Subject: Regarding samba3.0.14a Compile error on Linux-FC9 Message-ID: Hi, I'm facing problem when compiling Samba3.0.14a on Linux-FC9. Following are the error when I enter the "make" command. lib/sysquotas_4A.c: In function sys_get_vfs_quota: lib/sysquotas_4A.c:102: error: struct dqblk has no member named dqb_curblocks lib/sysquotas_4A.c:119: error: struct dqblk has no member named dqb_curblocks lib/sysquotas_4A.c:165: error: struct dqblk has no member named dqb_curblocks make: *** [lib/sysquotas_4A.o] Error 1 I have updated my FC9 with latest LDAP-2.4.15. Could you please anyone help me to solve this error. Thanks & Regards S.Karthikeyan Please do not print this email unless it is absolutely necessary. The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com From abartlet at samba.org Thu Apr 2 05:46:36 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Thu Apr 2 05:46:55 2009 Subject: [SAMBA4] Summer of code idea - syntax correctness Message-ID: <1238651196.7448.29.camel@ruth>

I've been working with tridge on pulling in the schema, and we realised there is a very nice (but very large) Samba4 task that someone might like to take a look at for Google Summer of Code.

The Samba4 LDB layer uses the Microsoft AD schema to determine what data types apply to each attribute. The schema contains references to oMsyntax, oMobjectClass and attributeSyntax, that we then correlate with our internal data type tables. The table for this is in dsdb/schema/schema_syntax.c (and then this refers to parts of ldb and elsewhere for some syntaxes).

The problem is, many of these data types are not handled correctly in replication (anything with a DATA_BLOB conversion to and from DRS is suspect), and even if they are, we do not apply strict tests for conformance of the data to the data type when adding it to the database.

The task for the student or otherwise interested onlooker would be to investigate the comparison and conversion rules for each type of attribute, and to write tests to prove they are correct. This should include for the DRSUAPI replication of the data. Tests that do a DRS replication against windows, and then prove we still present the correct values in LDAP are also required.

See the wspp-schema in tridge's GIT area for our current work in progress (making changes to how the schema is loaded and applied to LDB), which will be a clearer basis for this work. It also indicates how to add new comparison rules.

Smaller parts of this (and it would need to be done in parts anyway) could be done by anyone interested in the correctness of Samba4's LDAP server. See also bugs in bugzilla regarding incorrect handling of 32 bit integers in our LDAP server.

Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com From diego.zuccato at unibo.it Thu Apr 2 06:37:06 2009 From: diego.zuccato at unibo.it (Diego Zuccato) Date: Thu Apr 2 06:47:39 2009 Subject: R: tdb API issues In-Reply-To: <18900.7568.707088.229101@samba.org> References: <49D3C520.3020202@highlandsun.com><18899.63966.786033.179358@samba.org><49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> Message-ID: <50B447CB28C1E34A90AFE10EE027312677DA2D@EXBK04.personale.dir.unibo.it> > It might also be possible to have a common virtual address space. To > do that we'd break up the tdb_context structure into per-thread and > per-process parts, and put the mapped pointers in the per-process > part. It would require some thought to make sure this is safe, but at > first glance I think its doable. What about using a single thread for tdb access? Who uses GTK is already used to such a scheme (only one thread handles the GUI, others just setup requests with callbacks). The API impact is minimal (could even be limited to an external library) and there's no additional dependency on threading libraries if the threading API is not linked in (obvious if the "external library" path is chosen). Extra functions would be something like an "init" that spawns a thread and a series of wrappers that do the proper locking/unlocking and data handling, communicating with the handler thread. Often harder to explain than to do it... :-) BYtE, Diego. From scott.lovenberg at gmail.com Thu Apr 2 07:24:25 2009 
From: scott.lovenberg at gmail.com (scott.lovenberg@gmail.com) Date: Thu Apr 2 07:24:25 2009 Subject: Regarding samba3.0.14a Compile error on Linux-FC9 In-Reply-To: References: <1088538168-1238654683-cardhu_decombobulator_blackberry.rim.net-178996374-@bxe1108.bisx.prod.on.blackberry> Message-ID: <469345104-1238657057-cardhu_decombobulator_blackberry.rim.net-92509291-@bxe1108.bisx.prod.on.blackberry> No worries. We're all new at some point. On fedora you can install the headers with 'yum install ldap-devel'. I've cc'ed the list now that I've found the reply-all on my new phone. Sent from my Verizon Wireless BlackBerry -----Original Message----- From: Date: Thu, 2 Apr 2009 12:40:51 To: Subject: RE: Regarding samba3.0.14a Compile error on Linux-FC9 Thanks for your quick reply, I'm new to this, could you tell me the header file name for resolving this error. Able to compile samba3.0.32 on same machine. How can I get the header file? Thanks & Regards N.S.Karthikeyan -----Original Message----- From: scott.lovenberg@gmail.com [mailto:scott.lovenberg@gmail.com] Sent: Thursday, April 02, 2009 12:15 PM To: Karthikeyan Sarkarai chetty (WT01 - PES-Peripheral-Technology) Subject: Re: Regarding samba3.0.14a Compile error on Linux-FC9 Do you have the header files? They should be in the ldap_devel package on fedora. That '_' is a hyphen that I can't find on my new phone. ------Original Message------ 
From: karthikeyan.chetty@wipro.com Sender: samba-technical-bounces+scott.lovenberg=gmail.com@lists.samba.org To: samba-technical@lists.samba.org Subject: Regarding samba3.0.14a Compile error on Linux-FC9 Sent: Apr 2, 2009 01:12 Hi, I'm facing problem when compiling Samba3.0.14a on Linux-FC9. Following are the error when I enter the "make" command. lib/sysquotas_4A.c: In function sys_get_vfs_quota: lib/sysquotas_4A.c:102: error: struct dqblk has no member named dqb_curblocks lib/sysquotas_4A.c:119: error: struct dqblk has no member named dqb_curblocks lib/sysquotas_4A.c:165: error: struct dqblk has no member named dqb_curblocks make: *** [lib/sysquotas_4A.o] Error 1 I have updated my FC9 with latest LDAP-2.4.15. Could you please anyone help me to solve this error. Thanks & Regards S.Karthikeyan Sent from my Verizon Wireless BlackBerry From amit.anjarlekar at tcs.com Thu Apr 2 08:13:26 2009 
From: amit.anjarlekar at tcs.com (amit.anjarlekar@tcs.com) Date: Thu Apr 2 08:27:27 2009 Subject: Fw: Query - How do i configure CIFS protocol for sharing a printer to windows client Message-ID: Hi team, Anybody have idea on below issue. Pls suggest.. Regards Amit Sudhir Anjarlekar Asst. Systems Engr. Tata Consultancy Services Mailto: amit.anjarlekar@tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Outsourcing ____________________________________________ ----- Forwarded by Amit Anjarlekar/MUM/TCS on 04/02/2009 01:42 PM ----- Michael Adam 04/02/2009 01:38 PM Please respond to obnox@samba.org To amit.anjarlekar@tcs.com cc Steve French , sfrench@samba.org Subject Re: Query - How do i configure CIFS protocol for sharing a printer to windows client As Steve already pointed out: Please direct such questions / discussions to the samba@lists.samba.org mailing list. Or to samba-technical@lists.samba.org if it is related to development of Samba. You can subscribe to our mailing lists under https://lists.samba.org/mailman/ Cheers - Michael amit.anjarlekar@tcs.com wrote: > Hi Steve, > Thanks for replying.. > I wl just clarify the things much better... Mine quota settings for local > users on samba server is working.. How do i get same applied to samba > users? > I had integrated linux client with AD using winbind... But now how to > configure "username map" variable, means what exactly i have to do before > putting this entry in smb.conf? > I want my ads users to get linux shared printer mapped with ads login only > with quota restriction enabled using windows login... So that they dont > have to give extra password for getting access to samba printer.. > How do i go for the same? I had configured cups for printer sharing.. > Pls let m know for any further clarification.. > > Thanks & Regards > Amit Sudhir Anjarlekar > Asst. Systems Engr. 
> Tata Consultancy Services > Mailto: amit.anjarlekar@tcs.com > Website: http://www.tcs.com > ____________________________________________ > Experience certainty. IT Services > Business Solutions > Outsourcing > ____________________________________________ > > > > Steve French > 04/01/2009 10:09 PM > > To > amit.anjarlekar@tcs.com > cc > sfrench@samba.org, obnox@samba.org > Subject > Re: Query - How do i configure CIFS protocol for sharing a printer to > windows client > > > > > > > Sounds like a better question for the samba mailing list, but it isn't > clear whether you have problems with configuring smb printing from a > Linux client (you say both Linux client and Windows client). > Presumably you really have a question about how to configure Samba > server for printing and configuring Samba server security settings > which are better asked on the mailing list after you have looked > through Samba server documentation. > > > ---------- Forwarded message ---------- 
> From: > Date: Wed, Apr 1, 2009 at 3:09 AM > Subject: Query - How do i configure CIFS protocol for sharing a > printer to windows client > To: sfrench@samba.org, obnox@samba.org > > > > Hi team, > I am working on print quota project . I want my linux shared printer > which has quota set should be accessed by windows client without > password. I integrated my linux client in wndows AD. How do i > configure next steps? > Pls let me know if u have any solution. > > Regards > Amit Sudhir Anjarlekar > Asst. Systems Engr. > Tata Consultancy Services > Mailto: amit.anjarlekar@tcs.com > Website: http://www.tcs.com > ____________________________________________ > Experience certainty. IT Services > Business Solutions > Outsourcing > ____________________________________________ > > =====-----=====-----===== > Notice: The information contained in this e-mail > message and/or attachments to it may contain > confidential or privileged information. If you are > not the intended recipient, any dissemination, use, > review, distribution, printing or copying of the > information contained in this e-mail message > and/or attachments to it are strictly prohibited. If > you have received this communication in error, > please notify us by reply e-mail or telephone and > immediately and permanently delete the message > and any attachments. Thank you > > > > > > -- > Thanks, > > Steve > > -- Michael Adam SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE [attachment "attxc9iw.dat" deleted by Amit Anjarlekar/MUM/TCS] From obnox at samba.org Thu Apr 2 08:58:07 2009 
From: obnox at samba.org (Michael Adam) Date: Thu Apr 2 08:58:11 2009 Subject: RFC: static / dynamic linking in samba3 Message-ID:

I have just started to revise the s3-linking of internal subsystems as static vs. shared libraries. As a first step, I have cleaned the SMB_LIBRARY mechanism so that I could remove the @LIBFOO_STATIC@ stuff from the object collections. (branches master / v3-4-test) This was based on a patch found in the debian packaging code.

There are a few items that are on my list next:

* I would like to unify the use of external libs: Therefore I would like to rename the configure parameter "--with-wbclient" to "--enable-external-libwbclient" to be consistent with "--enable-external-talloc". Any objections?

* I would also like to (re-)unify the configuration of libwbclient with the other libs (libtalloc, libtdb, libnetapi, ...) to be configured with SMB_LIBRARY(). This means that it will also be possible again to build and link libwbclient statically, removing the restriction imposed when libsmbclient was originally created that it should only be possible to build/link libwbclient statically with --enable-developer. I think this is artificial. Sometimes you just want to link a library statically. Vendors are patching the sources to allow for building and linking statically anyways.

* Finally, I would come up with a linking scheme that copes better with the fact that our libraries like libtalloc start to appear as system libraries in the distributions (maybe triggered by our introduction of building libtalloc and friends shared in Samba 3.2).

A scheme for building (that is basically also what samba4 does) initially discussed with Jelmer and Lars (among others) on irc could be the following:

- check whether libfoo is in the system and check whether it suits our version requirements (current checks use pkg-config for this)
- if libfoo is available and version is ok, then adapt compile / link flags according to pkg-config to link against that library
- if either the library is not found or version is not ok, then build libfoo internally and link it in _statically_

This would be the scheme for very isolated libraries like libtalloc, libtdb. Other, more samba-specific subsystems that won't find their way into distributions any time soon could still be built and linked dynamically internally.

Folks, I would like to hear your comments on the suggestions above.

Cheers - Michael

-- Michael Adam SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE

From bradh at frogmouth.net Thu Apr 2 10:22:09 2009 
From: bradh at frogmouth.net (Brad Hards) Date: Thu Apr 2 10:22:18 2009 Subject: [proposed patch] Samba 4 - Allow loading of other applications in web server Message-ID: <200904022122.10601.bradh@frogmouth.net> Hi, I understand that the plan is to provide a new SWAT (written in python). However in the mean time, the web_server service isn't very useful, because it can only load a module called "swat" and it doesn't get installed. I'm interested in using the web_server service to support other things - especially static pages and an autodiscovery service for OpenChange (based on MS-OXDISCO and MS-OXDSCLI, not least because of all the cool variable names you can make up...). To allow this, I'd like to make a change like the attached patch (only lightly tested). Thoughts? Brad -------------- next part -------------- A non-text attachment was scrubbed... Name: wsgi-app-name.patch Type: text/x-diff Size: 4470 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090402/619d4a99/wsgi-app-name.bin From mat+Informatique.Samba at matws.net Thu Apr 2 11:32:31 2009 From: mat+Informatique.Samba at matws.net (Matthieu Patou) Date: Thu Apr 2 11:32:43 2009 Subject: Hooking a program on AD event Message-ID: <49D4A24F.1020002@matws.net> Dear list, I am wondering if it's possible to hook some scripts or programs of C/Python function calls when some event are happening in the AD. For instance my idea right now is to run some script to do some stuff on samba shares when a workstation is added to the domain. Matthieu. From sassyn at gmail.com Thu Apr 2 11:41:09 2009 
From: sassyn at gmail.com (Sassy Natan) Date: Thu Apr 2 11:41:25 2009 Subject: Hooking a program on AD event In-Reply-To: <49D4A24F.1020002@matws.net> References: <49D4A24F.1020002@matws.net> Message-ID: <529a12f40904020441i388927c4p87dc0f7a9044973a@mail.gmail.com> If you using Samba4 with OpenLDAP Backend then you can use the slapo-accesslog(5) overlay, and watch the status of the accesslog database. when a new object is created (for example a workstation) in some container in the LDAP, then you can run your script. I didn't give it a try - but it should work Sassy On Thu, Apr 2, 2009 at 2:32 PM, Matthieu Patou < mat+Informatique.Samba@matws.net >wrote: > Dear list, > > I am wondering if it's possible to hook some scripts or programs of > C/Python function calls when some event are happening in the AD. > > For instance my idea right now is to run some script to do some stuff on > samba shares when a workstation is added to the domain. > > > Matthieu. > > From boyang at suse.de Thu Apr 2 13:21:16 2009 From: boyang at suse.de (boyang) Date: Thu Apr 2 13:13:28 2009 Subject: [PATCH] Only set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5_auth is enabled in v3-0-test Message-ID: <49D4BBCC.4010703@suse.de> Hi, Only set WBFLAG_PAM_CONTACT_TRUSTDOM when krb5_auth is enabled. V3-2 and higher is OK with that. Please review the patch Thanks Best Regards BoYang -------------- next part -------------- A non-text attachment was scrubbed... Name: pam_winbind_flag-v3-0-test.diff Type: text/x-patch Size: 941 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090402/0f4ed231/pam_winbind_flag-v3-0-test.bin From boyang at suse.de Thu Apr 2 13:25:46 2009 
From: boyang at suse.de (boyang) Date: Thu Apr 2 13:17:49 2009 Subject: [PATCH] Set WBFLAG_PAM_CONTACT_TRUSTDOM in do_ccache_ntlm_auth() when krb5_auth is enabled Message-ID: <49D4BCDA.6050405@suse.de> Hi, When krb5_auth is enabled, PAM_AUTH is forwarded to trusted domain, which cause the cached credentials being stored in the process of trusted domain. When we do NTLM_CCACHE_AUTH, if WBFLAG_PAM_CONTACT_TRUSTDOM is not set in request flags, the request will be forwarded to primary domain, which causes NTLM_CCACHE_AUTH fail. I think we should check pam_winbind.conf to figure out whether we should set WBFLAG_PAM_CONTACT_TRUSTDOM. patch is for master. Please review it. Thanks! Best Regards BoYang -------------- next part -------------- A non-text attachment was scrubbed... Name: ntlm_auth_request_flags-master.diff Type: text/x-patch Size: 5047 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090402/a9e290da/ntlm_auth_request_flags-master.bin From hyc at highlandsun.com Thu Apr 2 13:25:14 2009 
From: hyc at highlandsun.com (Howard Chu) Date: Thu Apr 2 13:25:31 2009 Subject: tdb API issues In-Reply-To: <18900.7568.707088.229101@samba.org> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> Message-ID: <49D4BCBA.9080407@highlandsun.com> tridge@samba.org wrote: > Hi Howard, > > > I'd thought of that at first, but it seems that a separate context per thread > > would also multiply the address space consumed per DB, since they would each > > have their own complete mmap of the data. Doesn't sound too practical. > > It would multiply the virtual address space used, but not the physical > memory used. Do you think thats really a problem? How many threads do > you have? By default we use 16 threads. More on larger SMP systems. Currently in a 32 bit OS there's a practical limit of about 1 million entries for a completely in-memory DB. (1M ~ 20 bits, average entry size ~1K : 10 bits, 30 bits of address space used right off the top, +/- other overheads...) If we have a separate map per thread then our max DB size is drastically reduced, which drastically reduces the range of applicability of this solution. We don't need this to scale to billions and billions of entries, but it'd be nice to cover the hundreds of thousands; that would make it viable for a large portion of our user base. > It might also be possible to have a common virtual address space. To > do that we'd break up the tdb_context structure into per-thread and > per-process parts, and put the mapped pointers in the per-process > part. It would require some thought to make sure this is safe, but at > first glance I think its doable. OK, this sounds like a reasonable avenue to explore. If we also provide some callbacks for creating, locking/unlocking and freeing mutexes then we can explicitly make the relevant parts safe. 
simo@samba.org wrote: > You should be able to change the tdb_context init code so that all > contexts will actually use the same mmap space. > You must open the file just once anyway otherwise you lose all locks if > any thread closes the file. Right. > To be honest, I think Tridge is right in proposing to have a context per > thread. It's probably a very good way to achieve what's needed without > having to change the API (may require linking in pthreads), or with > minimal additions (additional API used just by threaded processes to set > up per thread access). Yes, as long as we keep everything using the same mmap it would be fine. diego.zuccato@unibo.it wrote: > What about using a single thread for tdb access? Given the rise of multicore processors, I think this is out of the question for us. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From lukeh at padl.com Thu Apr 2 14:02:17 2009 
From: lukeh at padl.com (Luke Howard) Date: Thu Apr 2 14:02:32 2009 Subject: Hooking a program on AD event In-Reply-To: <529a12f40904020441i388927c4p87dc0f7a9044973a@mail.gmail.com> References: <49D4A24F.1020002@matws.net> <529a12f40904020441i388927c4p87dc0f7a9044973a@mail.gmail.com> Message-ID: <75973476-C419-4676-9313-250F35DA7E0A@padl.com> On 02/04/2009, at 10:41 PM, Sassy Natan wrote: > If you using Samba4 with OpenLDAP Backend then you can use > the slapo-accesslog(5) overlay, and watch the status of the accesslog > database. > when a new object is created (for example a workstation) in some > container > in the LDAP, then you can run your script. If you're using OpenLDAP, you can just write an overlay or SLAPI plugin. If you are using DSfW (XAD), then you can write an NDS event handler (or use SLAPI). For AD proper, I don't believe there is any way to get notifications except for writing a password change notify DLL (obviously only works for password changes) or polling the directory with LDAPSync/DRS. -- Luke From sam at liddicott.com Thu Apr 2 14:11:14 2009 
From: sam at liddicott.com (Sam Liddicott) Date: Thu Apr 2 14:12:37 2009 Subject: krb auth weirdness found out Message-ID: <49D4C782.4080705@liddicott.com>

I have the answer (which turns out to be another question) after spending a couple of dreary days investigating why I get dcerpc_bind_auth_send() from openchange (with specified creds) causing errors like this:

kinit for Sam@GALAXY failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm GALAXY)
Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for requested realm
Cannot reach a KDC we require to contact host@NOVA
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER

(when GALAXY is a domain value not a REALM value which should be galaxy.test.dbamsystems.local) and I have to wait for the time it takes to fail this before it continues with the NTLM auth (which is what it should have been doing all along).

Strangely the reason is that the specified credentials had a domain specified but not a realm, and although the default realm was picked up, it was still true that (cred->domain_obtained > cred->realm_obtained) which means that when kerberos_util.c/kinit_to_ccache calls kerberos_util.c/principal_from_credentials which does:

    princ_string = cli_credentials_get_principal(credentials, mem_ctx);

the princ_string is of the form user@domain and not user@realm, e.g. = "sam@GALAXY"

HOWEVER principal_from_credentials() then calls krb5_parse_name to put GALAXY in princ->realm which is passed back to kinit_to_cache. I don't think GALAXY should be in princ->realm as it isn't a realm value. [remember (cred->domain_obtained > cred->realm_obtained)]

kinit_to_ccache then passes this princ instead of the credentials to kerberos_kinit_password_cc which calls krb5_get_init_creds_password to populate some krb5_creds from princ, thus filling in the krb5_creds realm with GALAXY (parsed from princ when GALAXY clearly is not a realm!

[I hope you can follow all this, it took me hours!]

And this makes it to nested functions so that this is used as the realm in init_cred_loop and krb5_sendto_kdc_flags which of course fail!

All this is the behaviour if the realm is not filled in on the original credentials.

Bugs? I think the first semantic "error" is in principal_from_credentials which seems to presume that the value after @ will always be a realm value; but also I think that kinit_to_ccache needs some code path to avoid calling kerberos_kinit_password_cc if it doesn't have a realm. I'm not sure if it matters that is because principal_from_credentials leaves realm to NULL or because it detects that the realm has no dots in, or it checks (cred->domain_obtained > cred->realm_obtained)

HOWEVER[2] despite all this, the auth mechanism then goes on to use the username and password (who knows why it was using kerberos for specified creds?) and makes a connection successfully. Hurrah!

HOWEVER[3] if I do fill in the realm value explicitly for specified credentials I avoid the kerberos error entirely but openchange fails further on (but doesn't fail if I leave in the wrong realm). I've been getting the "ASN.1 unexpected field number" below since I added and removed an extra windows DC.

GSS Update(krb5)(2) Update failed: Miscellaneous failure (see text): ASN.1 unexpected field number
SPNEGO(gssapi_krb5) login failed: NT_STATUS_LOGON_FAILURE
librpc/rpc/dcerpc_connect.c:700 continue_pipe_auth
Failed to bind to uuid f5cc5a18-4264-101a-8c59-08002b2f8426 - NT_STATUS_LOGON_FAILURE

But this is a different bug I'll continue with.

Julien, please can you try editing ./mapiproxy/dcesrv_mapiproxy.c and fill in the realm somewhat like this:

    realm = lp_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "realm");
    ..
    if (realm) {
        cli_credentials_set_realm(credentials, realm, CRED_SPECIFIED);
    }

and see if mapiproxy still works for you? And I'll try to get to the bottom of the ASN.1 error.

Sam From zahari.zahariev at postpath.com Thu Apr 2 14:12:56 2009 From: zahari.zahariev at postpath.com (Zahari Zahariev) Date: Thu Apr 2 14:12:58 2009 Subject: Test for reproducing Security ace object add to descriptor bug Message-ID: <49D4C7E8.1010409@postpath.com> Hello Jelmer & Samaba4, This is a bug that I found when tried to create a custom nTScurityDescriptor. To do that I created "security.ace" object which I made "Deny read to Administrator" ACE but when it comes to the "trustee" property that has to be "security.dom_sid" object something goes wrong after assignment. The initial ObjectSID value is not the same any more. Therefore when this ACE is added to the descriptor there is most of the time "(SID ERR)" instead of the real SID in SDDL representation. I have prepared a Python unittest that validates the error described above. Cheers, Zahari -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Security.ace-object-added-to-descriptor-error.patch Type: text/x-patch Size: 5627 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090402/d3435aed/0001-Security.ace-object-added-to-descriptor-error.bin From john.center at villanova.edu Thu Apr 2 14:19:48 2009 
From: john.center at villanova.edu (John Center) Date: Thu Apr 2 14:19:59 2009 Subject: Problem with configure compiling 64-bit under Solaris 10 In-Reply-To: <49CD2189.9010700@villanova.edu> References: <49BD3CDC.6040205@villanova.edu> <49CD2189.9010700@villanova.edu> Message-ID: <49D4C984.8080302@villanova.edu> Hi Björn, I haven't downloaded the new version of 3.3, yet, but was my patch used? Thanks. -John On 3/27/2009 2:57 PM, John Center wrote: > Hi Björn, > > Please see https://bugzilla.samba.org/show_bug.cgi?id=6162 for the > problem I'm trying to address. > > Thanks. > > -John > > > On 3/27/2009 2:25 PM, Björn Jacke wrote: >> Hi John, >> >> On 2009-03-15 at 13:37 -0400 John Center sent off: >>> The offending lines in configure are often in the form: >>> >>> old_CFLAGS="$CFLAGS"; >>> CFLAGS="$Werror_FLAGS"; >>> export CFLAGS; >>> >>> where Werror_FLAGS is defined as: Werror_FLAGS="". >>> >>> I think Werror_FLAGS should be redefined instead as: >>> >>> Werror_FLAGS="$CFLAGS" >>> >>> maintaining the builder's CFLAGS. This would prevent problems like this >>> from occurring in the future. >> what problem do you see in particular? I tried a compile with the Studio >> compiler with CFLAGS=-m64 and didn't have problems. Even if the configure check >> like the above mentioned are done without the user supplied CFLAGS the correct >> result is also found out with a 32bit compile test. In the end we still have >> -m64 in our CFLAGS in the Makefile here. >> >> Cheers >> Björn From Sun_Peixing at emc.com Thu Apr 2 15:54:33 2009
From: Sun_Peixing at emc.com (Sun_Peixing@emc.com) Date: Thu Apr 2 15:57:28 2009 Subject: Does Samba4 Alpha6 support IPV6? Message-ID: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> Hi All: I downloaded and installed Samba4 Alpha6 on my IPV6 compatible Linux client. I tried to use smbclient to connect a share using IPV4 IP, it works. I tried to use smbclient to connect another share using IPV6 IP, it failed with BAD_NETWORK_NAME error. I searched on Google for "Samba4" and IPV6, I think Samba4 doesn't support IPV6. Could anybody confirm this for me? Thanks Peixing Sun root@rtptcs44026 kumar]# ./smbclient //18.28.46.26/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin smb: \> quit [root@rtptcs44026 kumar]# ./smbclient //2620:0:170:446:0:bad:beef:2/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin Connection to \\2620:0:170:446:0:bad:beef:2\svr2sh1 failed - NT_STATUS_BAD_NETWORK_NAME From david.holder at erion.co.uk Thu Apr 2 16:05:38 2009 
From: david.holder at erion.co.uk (David Holder) Date: Thu Apr 2 16:15:11 2009 Subject: Does Samba4 Alpha6 support IPV6? In-Reply-To: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> References: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> Message-ID: <49D4E252.4090602@erion.co.uk> Peixing Sun, Samba 4 alpha 6 does not support IPv6. In order to get it working you need to patch it. Regards, David ------------------------------------------------------------------------ Dr David Holder CEng FIET MIEEE Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT Reception: +44 (0)1422 207000 Direct Dial: +44 (0)131 2026317 Cell: +44 (0) 7768 456831 Registered in England and Wales. Registered Number 3521142 VAT Number: GB 698 3633 78 Sun_Peixing@emc.com wrote: > Hi All: > > > > I downloaded and installed Samba4 Alpha6 on my IPV6 compatible Linux > client. > > I tried to use smbclient to connect a share using IPV4 IP, it works. > > I tried to use smbclient to connect another share using IPV6 IP, it > failed with BAD_NETWORK_NAME error. > > > > I searched on Google for "Samba4" and IPV6, I think Samba4 doesn't > support IPV6. > > Could anybody confirm this for me? > > > > Thanks > > > > Peixing Sun > > > > > > root@rtptcs44026 kumar]# ./smbclient //18.28.46.26/svr2sh1 > -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin > > smb: \> quit > > > > [root@rtptcs44026 kumar]# ./smbclient > //2620:0:170:446:0:bad:beef:2/svr2sh1 > -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin > > Connection to \\2620:0:170:446:0:bad:beef:2\svr2sh1 > failed - > NT_STATUS_BAD_NETWORK_NAME > > > > > > > > From sam at liddicott.com Thu Apr 2 16:26:36 2009 
From: sam at liddicott.com (Sam Liddicott) Date: Thu Apr 2 16:27:32 2009 Subject: krb auth weirdness found out References: <49D4C782.4080705@liddicott.com> Message-ID: <49D4E73C.7000705@liddicott.com> * Sam Liddicott wrote, On 02/04/09 15:11: > And I'll try to get to the > bottom of the ASN.1 error. > Hmmm, wireshark says it is a kerberos error: error_code: KRB5KRB_AP_ERR_MODIFIED (41) Realm: GALAXY.TEST.DBAMSYSTEMS.LOCAL Server Name (Service and Host): host/star.galaxy.test.dbamsystems.local where star is the original domain controller and mail server but doesn't hold mail boxes any more, but I note that openchange dumps: mapiproxy::mapiproxy_op_dispatch: RfrGetNewDSA(0x0): 28 bytes RfrGetNewDSA: struct RfrGetNewDSA in: struct RfrGetNewDSA ulFlags : 0x00000000 (0) pUserDN : * pUserDN : '' ppszUnused : NULL ppszServer : * ppszServer : NULL RfrGetNewDSA: struct RfrGetNewDSA out: struct RfrGetNewDSA ppszUnused : NULL ppszServer : * ppszServer : * ppszServer : 'star.galaxy.test.dbamsystems.local' result : MAPI_E_SUCCESS (0x0) mapiproxy::mapiproxy_op_reply However when I try a different username (that was created after the mailbox move) I no longer get the ASN.1 error and I can specify the full realm in smb.conf (with a patch as I suggested Julien, so that the specified creds have the realm in), but I still get ppszServer set to star, so it can't be the ppszServer that was causing mapiproxy to connect get creds for the wrong machine causing the kerberos error. HOWEVER I note that with this different username, when I click "Check Name" in the control panel, it keeps changing back the exchange server to the REAL exchange server and not the proxy! aggh Sam From sam at liddicott.com Thu Apr 2 16:29:26 2009 
From: sam at liddicott.com (Sam Liddicott) Date: Thu Apr 2 16:31:13 2009 Subject: krb auth weirdness found out References: <49D4C782.4080705@liddicott.com> <49D4E73C.7000705@liddicott.com> Message-ID: <49D4E7E6.1050707@liddicott.com> I DID get the ASN.1 krb error with the other user and this looks like the cause of it changing the mail server back to the real mail server in the control panel. * Sam Liddicott wrote, On 02/04/09 17:26: > * Sam Liddicott wrote, On 02/04/09 15:11: > >> And I'll try to get to the >> bottom of the ASN.1 error. >> >> > Hmmm, wireshark says it is a kerberos error: > > error_code: KRB5KRB_AP_ERR_MODIFIED (41) > Realm: GALAXY.TEST.DBAMSYSTEMS.LOCAL > Server Name (Service and Host): host/star.galaxy.test.dbamsystems.local > > > where star is the original domain controller and mail server but doesn't > hold mail boxes any more, but I note that openchange dumps: > > > mapiproxy::mapiproxy_op_dispatch: RfrGetNewDSA(0x0): 28 bytes > RfrGetNewDSA: struct RfrGetNewDSA > in: struct RfrGetNewDSA > ulFlags : 0x00000000 (0) > pUserDN : * > pUserDN : '' > ppszUnused : NULL > ppszServer : * > ppszServer : NULL > RfrGetNewDSA: struct RfrGetNewDSA > out: struct RfrGetNewDSA > ppszUnused : NULL > ppszServer : * > ppszServer : * > ppszServer : > 'star.galaxy.test.dbamsystems.local' > result : MAPI_E_SUCCESS (0x0) > mapiproxy::mapiproxy_op_reply > > > However when I try a different username (that was created after the > mailbox move) I no longer get the ASN.1 error and I can specify the full > realm in smb.conf (with a patch as I suggested Julien, so that the > specified creds have the realm in), but I still get ppszServer set to > star, so it can't be the ppszServer that was causing mapiproxy to > connect get creds for the wrong machine causing the kerberos error. > > HOWEVER I note that with this different username, when I click "Check > Name" in the control panel, it keeps changing back the exchange server > to the REAL exchange server and not the proxy! 
> > aggh > > Sam > From michael at stroeder.com Thu Apr 2 16:39:23 2009 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Thu Apr 2 16:39:34 2009 Subject: Hooking a program on AD event In-Reply-To: <75973476-C419-4676-9313-250F35DA7E0A@padl.com> References: <49D4A24F.1020002@matws.net> <529a12f40904020441i388927c4p87dc0f7a9044973a@mail.gmail.com> <75973476-C419-4676-9313-250F35DA7E0A@padl.com> Message-ID: <49D4EA3B.5070407@stroeder.com> Luke Howard wrote: > > On 02/04/2009, at 10:41 PM, Sassy Natan wrote: > >> If you using Samba4 with OpenLDAP Backend then you can use >> the slapo-accesslog(5) overlay, and watch the status of the accesslog >> database. >> when a new object is created (for example a workstation) in some >> container >> in the LDAP, then you can run your script. > > If you're using OpenLDAP, you can just write an overlay or SLAPI plugin. Another option would be to implement a syncrepl client accessing the OpenLDAP backend for retrieving changes. (This gets rather a topic for the openldap-software mailing list though.) All scenarios require that one has access to the OpenLDAP backend server and fully understand the schema-quirks done inside smbd for mapping the MS AD schema to the Samba4 schema in OpenLDAP. That's something Andrew Bartlett didn't like. But personally I think it's needed. Review the discussion, in particular my reply: http://lists.samba.org/archive/samba-technical/2009-March/063757.html Ciao, Michael. From Sun_Peixing at emc.com Thu Apr 2 16:53:45 2009 
From: Sun_Peixing at emc.com (Sun_Peixing@emc.com) Date: Thu Apr 2 16:55:35 2009 Subject: Does Samba4 Alpha6 support IPV6? In-Reply-To: <49D4E252.4090602@erion.co.uk> References: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> <49D4E252.4090602@erion.co.uk> Message-ID: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA818@CORPUSMX50C.corp.emc.com> David: Could you tell me where to download the patch? I hope the patch is free and reliable Thanks Peixing ________________________________ From: David Holder [mailto:david.holder@erion.co.uk] Sent: Thursday, April 02, 2009 12:06 PM To: Sun, Peixing Cc: samba-technical@lists.samba.org Subject: Re: Does Samba4 Alpha6 support IPV6? Peixing Sun, Samba 4 alpha 6 does not support IPv6. In order to get it working you need to patch it. Regards, David ________________________________ Dr David Holder CEng FIET MIEEE Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT Reception: +44 (0)1422 207000 Direct Dial: +44 (0)131 2026317 Cell: +44 (0) 7768 456831 Registered in England and Wales. Registered Number 3521142 VAT Number: GB 698 3633 78 Sun_Peixing@emc.com wrote: Hi All: I downloaded and installed Samba4 Alpha6 on my IPV6 compatible Linux client. I tried to use smbclient to connect a share using IPV4 IP, it works. I tried to use smbclient to connect another share using IPV6 IP, it failed with BAD_NETWORK_NAME error. I searched on Google for "Samba4" and IPV6, I think Samba4 doesn't support IPV6. Could anybody confirm this for me? Thanks Peixing Sun root@rtptcs44026 kumar]# ./smbclient //18.28.46.26/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin smb: \> quit [root@rtptcs44026 kumar]# ./smbclient //2620:0:170:446:0:bad:beef:2/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin Connection to \\2620:0:170:446:0:bad:beef:2\svr2sh1 failed - NT_STATUS_BAD_NETWORK_NAME From tprouty at samba.org Thu Apr 2 16:56:17 2009 
From: tprouty at samba.org (Tim Prouty) Date: Thu Apr 2 16:56:15 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: References: Message-ID: <65540506-0162-4E5B-B8A8-6CB09C1BE3E4@samba.org> On Apr 2, 2009, at 1:58 AM, Michael Adam wrote: > As a first step, I have cleaned the SMB_LIBRARY mechanism so that > I could remove the @LIBFOO_STATIC@ stuff from the object > collections. (branches master / v3-4-test) > This was based on a patch found in the debian packaging code. Michael, I like your plan. My one request is that you do these improvements in master without backporting them to v3-4-test. As was discussed in the "What should/shouldn't go into v3-4-test" samba- technical thread, I would classify your proposal as a large, potentially destabilizing change, which shouldn't go into a release branch. To make 3.4 a solid release, v3-4-test should only have patches backported that fix bugs, and not patches that add new features. -Tim From jra at samba.org Thu Apr 2 17:25:37 2009 
From: jra at samba.org (Jeremy Allison) Date: Thu Apr 2 17:25:37 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: References: Message-ID: <20090402172537.GB2336@samba1> On Thu, Apr 02, 2009 at 10:58:07AM +0200, Michael Adam wrote: > I have just started to revise the s3-linking of internal subsystems > as static vs. shared libraries. > > As a first step, I have cleaned the SMB_LIBRARY mechanism so that > I could remove the @LIBFOO_STATIC@ stuff from the object > collections. (branches master / v3-4-test) > This was based on a patch found in the debian packaging code. > > There are a few items that are on my list next: > > * I would like to unify the use of external libs: > Therefore I would like to rename the configure parameter > "--with-wbclient" to "--enable-external-libwbclient" > to be consistent with "--enable-external-talloc". > > Any objections? > > * I would also like to (re-)unify the configuration of libwbclient > with the other libs (libtalloc, libtdb, libnetapi, ...) to be > configured with SMB_LIBRARY(). > This means that it will also be possible again to build and link > libwbclient statically, removing the restriction imposed when > libsmbclient was originally created that it should only be > possible to build/link libwbclient statically with > --enable-develper. I think this is artificial. Sometimes you just > want to link a library statically. Vendors are patching the sources > to allow for building and linking statically anyways. > > * Finally, I would come up with a linking scheme that copes > better with the fact that our libraries like libtalloc start to > appear as system libraries in the distributions (maybe triggered > by our introduction of building libtalloc and friends shared in > Samba 3.2).
> > A scheme for building (that is basically also what samba4 does) > initially discussed with Jelmer and Lars (among others) > on irc could be the following: > > - check whether libfoo is in the system > and check whether it suits our version requirements > (current checks use pkg-config for this) > > - if libfoo is available and version is ok, then > adapt compile / link flags according to pkg-config to > link against that library > > - if either the library is not found or version is not ok, > then build libfoo internally and link it in _statically_ > > This would be the scheme for very isolated libraries like > libtalloc, libtdb. > > Other, more samba-specific subsystems that won't find their > way into distributions any time soon could still be built and > linked dynamically internally. > > Folks, I would like to hear your comments on the suggestions above. Sounds good to me. I agree on adding these to master so we can monitor the progress. Cheers, Jeremy. From david.holder at erion.co.uk Thu Apr 2 18:35:12 2009
From: david.holder at erion.co.uk (David Holder) Date: Thu Apr 2 18:36:40 2009 Subject: Does Samba4 Alpha6 support IPV6? In-Reply-To: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA818@CORPUSMX50C.corp.emc.com> References: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> <49D4E252.4090602@erion.co.uk> <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA818@CORPUSMX50C.corp.emc.com> Message-ID: <49D50560.8020504@erion.co.uk> Peixing, Hi! The old patch can be found here http://www.ipv6consultancy.com/ipv6blog/?p=34. I just quickly updated it for Samba4-alpha7 (see attached). It seems to work ;-). This is really a rough hack. All it does it make the Samba4 server listen on IPv4 and IPv6. Configuration options and command line options will only accept IPv4 addresses. For example, if you want to use smbclient with IPv6 addresses then use the Samba 3.2 or Samba 3.3 version of smbclient which is IPv6 enabled. Samba 4 isn't too far off being IPv6 enabled. The libraries are there (from Samba 3) and most of the code would be trivial to change. I would be very interested to know how you get on. Let me know if you have any questions. Regards, David ------------------------------------------------------------------------ Dr David Holder CEng FIET MIEEE Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT Reception: +44 (0)1422 207000 Direct Dial: +44 (0)131 2026317 Cell: +44 (0) 7768 456831 Registered in England and Wales. Registered Number 3521142 VAT Number: GB 698 3633 78 Sun_Peixing@emc.com wrote: > > David: > > > > Could you tell me where to download the patch? I hope the patch is > free and reliable > > > > Thanks > > > > Peixing > > > > ------------------------------------------------------------------------ > > *From:* David Holder [mailto:david.holder@erion.co.uk] > *Sent:* Thursday, April 02, 2009 12:06 PM > *To:* Sun, Peixing > *Cc:* samba-technical@lists.samba.org > *Subject:* Re: Does Samba4 Alpha6 support IPV6? 
> > > > Peixing Sun, > > Samba 4 alpha 6 does not support IPv6. In order to get it working you > need to patch it. > > Regards, > David > > ------------------------------------------------------------------------ > /Dr David Holder /CEng FIET MIEEE > > /Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT/ > > /Reception: +44 (0)1422 207000/ > > /Direct Dial: +44 (0)131 2026317/ > > /Cell: +44 (0) 7768 456831 / > > Registered in England and Wales. Registered Number 3521142 > VAT Number: GB 698 3633 78 > > > > > > Sun_Peixing@emc.com wrote: > > Hi All: > > > > I downloaded and installed Samba4 Alpha6 on my IPV6 compatible Linux > client. > > I tried to use smbclient to connect a share using IPV4 IP, it works. > > I tried to use smbclient to connect another share using IPV6 IP, it > failed with BAD_NETWORK_NAME error. > > > > I searched on Google for "Samba4" and IPV6, I think Samba4 doesn't > support IPV6. > > Could anybody confirm this for me? > > > > Thanks > > > > Peixing Sun > > > > > > root@rtptcs44026 kumar]# ./smbclient //18.28.46.26/svr2sh1 > -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin > > smb: \> quit > > > > [root@rtptcs44026 kumar]# ./smbclient > //2620:0:170:446:0:bad:beef:2/svr2sh1 > -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin > > Connection to \\2620:0:170:446:0:bad:beef:2\svr2sh1 > failed - > NT_STATUS_BAD_NETWORK_NAME > > > > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: samba4-a7.patch Type: text/x-patch Size: 13616 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090402/c0e56329/samba4-a7.bin From Sun_Peixing at emc.com Thu Apr 2 18:45:46 2009 
From: Sun_Peixing at emc.com (Sun_Peixing@emc.com) Date: Thu Apr 2 18:48:01 2009 Subject: Does Samba4 Alpha6 support IPV6? In-Reply-To: <49D50560.8020504@erion.co.uk> References: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA816@CORPUSMX50C.corp.emc.com> <49D4E252.4090602@erion.co.uk> <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA818@CORPUSMX50C.corp.emc.com> <49D50560.8020504@erion.co.uk> Message-ID: <8C17A1DBF3976E4F9ED5D0EEFEAA2069DAA81C@CORPUSMX50C.corp.emc.com> Hi David: I am using Samba4 to write client programs to test or SMB2 server. Samba3.x doesn't support SMB2, so I have to stick to Samba4. Thanks Peixing ________________________________ 
From: David Holder [mailto:david.holder@erion.co.uk] Sent: Thursday, April 02, 2009 2:35 PM To: Sun, Peixing Cc: Samba Technical Subject: Re: Does Samba4 Alpha6 support IPV6? Peixing, Hi! The old patch can be found here http://www.ipv6consultancy.com/ipv6blog/?p=34. I just quickly updated it for Samba4-alpha7 (see attached). It seems to work ;-). This is really a rough hack. All it does it make the Samba4 server listen on IPv4 and IPv6. Configuration options and command line options will only accept IPv4 addresses. For example, if you want to use smbclient with IPv6 addresses then use the Samba 3.2 or Samba 3.3 version of smbclient which is IPv6 enabled. Samba 4 isn't too far off being IPv6 enabled. The libraries are there (from Samba 3) and most of the code would be trivial to change. I would be very interested to know how you get on. Let me know if you have any questions. Regards, David ________________________________ Dr David Holder CEng FIET MIEEE Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT Reception: +44 (0)1422 207000 Direct Dial: +44 (0)131 2026317 Cell: +44 (0) 7768 456831 Registered in England and Wales. Registered Number 3521142 VAT Number: GB 698 3633 78 Sun_Peixing@emc.com wrote: David: Could you tell me where to download the patch? I hope the patch is free and reliable Thanks Peixing ________________________________ 
From: David Holder [mailto:david.holder@erion.co.uk] Sent: Thursday, April 02, 2009 12:06 PM To: Sun, Peixing Cc: samba-technical@lists.samba.org Subject: Re: Does Samba4 Alpha6 support IPV6? Peixing Sun, Samba 4 alpha 6 does not support IPv6. In order to get it working you need to patch it. Regards, David ________________________________ Dr David Holder CEng FIET MIEEE Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT Reception: +44 (0)1422 207000 Direct Dial: +44 (0)131 2026317 Cell: +44 (0) 7768 456831 Registered in England and Wales. Registered Number 3521142 VAT Number: GB 698 3633 78 Sun_Peixing@emc.com wrote: Hi All: I downloaded and installed Samba4 Alpha6 on my IPV6 compatible Linux client. I tried to use smbclient to connect a share using IPV4 IP, it works. I tried to use smbclient to connect another share using IPV6 IP, it failed with BAD_NETWORK_NAME error. I searched on Google for "Samba4" and IPV6, I think Samba4 doesn't support IPV6. Could anybody confirm this for me? Thanks Peixing Sun root@rtptcs44026 kumar]# ./smbclient //18.28.46.26/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin smb: \> quit [root@rtptcs44026 kumar]# ./smbclient //2620:0:170:446:0:bad:beef:2/svr2sh1 -Uqahex8.ddd.xxx.com/administrator%QA.nasadmin Connection to \\2620:0:170:446:0:bad:beef:2\svr2sh1 failed - NT_STATUS_BAD_NETWORK_NAME From steven.danneman at isilon.com Thu Apr 2 19:10:35 2009 
From: steven.danneman at isilon.com (Steven Danneman) Date: Thu Apr 2 19:23:23 2009 Subject: static / dynamic linking in samba3 In-Reply-To: References: Message-ID: <4B380F71E6E9554CBDEF046D1CDF5E4C04395691@seaxch08.desktop.isilon.com> > I have just started to revise the s3-linking of internal subsystems as > static vs. shared libraries. > > As a first step, I have cleaned the SMB_LIBRARY mechanism so that I > could remove the @LIBFOO_STATIC@ stuff from the object collections. > (branches master / v3-4-test) This was based on a patch found in the > debian packaging code. > > There are a few items that are on my list next: > > * I would like to unify the use of external libs: > Therefore I would like to rename the configure parameter > "--with-wbclient" to "--enable-external-libwbclient" > to be consistent with "--enable-external-talloc". > > Any objections? > > * I would also like to (re-)unify the configuration of libwbclient > with the other libs (libtalloc, libtdb, libnetapi, ...) to be > configured with SMB_LIBRARY(). > This means that it will also be possible again to build and link > libwbclient statically, removing the restriction imposed when > libsmbclient was originally created that it should only be > possible to build/link libwbclient statically with > --enable-develper. I think this is artificial. Sometimes you just > want to link a library statically. Vendors are patching the sources > to allow for building and linking statically anyways. > > * Finally, I would come up with a linking scheme that copes > better with the fact that our libraries like libtalloc start to > appear as system libraries in the distributions (maybe triggered > by our introduction of building libtalloc and friends shared in > Samba 3.2).
> > A scheme for building (that is basically also what samba4 does) > initially discussed with Jelmer and Lars (among others) > on irc could be the following: > > - check whether libfoo is in the system > and check whether it suits our version requirements > (current checks use pkg-config for this) > > - if libfoo is available and version is ok, then > adapt compile / link flags according to pkg-config to > link against that library > > - if either the library is not found or version is not ok, > then build libfoo internally and link it in _statically_ > > This would be the scheme for very isolated libraries like > libtalloc, libtdb. > > Other, more samba-specific subsystems that won't find their > way into distributions any time soon could still be built and > linked dynamically internally. > > Folks, I would like to hear your comments on the suggestions above. > Michael, This sounds like a very straightforward and easy to understand plan to me. I like it. -Steven From abartlet at samba.org Thu Apr 2 22:08:06 2009
From: abartlet at samba.org (Andrew Bartlett) Date: Thu Apr 2 22:18:21 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: References: Message-ID: <1238710086.4197.41.camel@naomi.s4.naomi.abartlet.net> On Thu, 2009-04-02 at 10:58 +0200, Michael Adam wrote: > I have just started to revise the s3-linking of internal subsystems > as static vs. shared libraries. > * Finally, I would come up with a linking scheme that copes > better with the fact that our libraries like libtalloc start to > appear as system libraries in the distributions (maybe triggered > by our introduction of building libtalloc and friends shared in > Samba 3.2). > > A scheme for building (that is basically also what samba4 does) > initially discussed with Jelmer and Lars (among others) > on irc could be the following: > > - check whether libfoo is in the system > and check whether it suits our version requirements > (current checks use pkg-config for this) > > - if libfoo is available and version is ok, then > adapt compile / link flags according to pkg-config to > link against that library > > - if either the library is not found or version is not ok, > then build libfoo internally and link it in _statically_ > > This would be the scheme for very isolated libraries like > libtalloc, libtdb. > > Other, more samba-specific subsystems that won't find their > way into distributions any time soon could still be built and > linked dynamically internally. I really like this. We have updated libtdb in the past week for OpenLDAP and libldb to use it. It would get very sticky if we can't develop or deploy on such systems until the vendor library is updated. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090403/fa8bf89c/attachment.bin From jra at samba.org Thu Apr 2 23:39:35 2009 
From: jra at samba.org (Jeremy Allison)
Date: Thu Apr 2 23:39:40 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <200903271141.48395.mail@cynapses.org>
References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org>
Message-ID: <20090402233935.GC6284@samba1>

Andreas & Derrell,

Just wanted to let you know I have a working design (and some preliminary code) for starting the process of properly threading libsmbclient. It's based on the ideas in openssl, but a little simpler.

The idea is a caller desiring threads will have to initialize the thread state and locks we need by firstly calling :

unsigned int SMBC_thread_num_locks()

which will return the number of "big global locks" (see below) we currently need and creating and initializing an array of this number of pthread_mutex_t's.

Then they must call a set of functions :

SMBC_thread_set_log_function()
SMBC_thread_set_lock_function()
SMBC_thread_set_dynamic_lock_function()
SMBC_thread_set_dynamic_lock_create_function()
SMBC_thread_set_dynamic_lock_destroy_function()

which will be passed pointers to the callback functions libsmbclient will use internally to do the thread locking calls.

Inside libsmbclient we'll start by adding "big global locks" (which we'll use to determine the number returned from SMBC_thread_num_locks()) and lock/unlock them internally by adding code like this to the internals of libsmbclient :

SMBC_TLOCK(GLOBAL_LOCKID);
... access resource ....
SMBC_TUNLOCK(GLOBAL_LOCKID);

Where SMBC_TLOCK will be a macro that expands to:

smbc_lock_(SMB_TUNLOCK, GLOBAL_LOCKID, __FILE__, __LINE__);

and SMBC_TUNLOCK will expand to:

smbc_lock(SMB_TLOCK|SMB_TLOCK_WRITE, GLOBAL_LOCKID, __FILE__, __LINE__);

GLOBAL_LOCKID will be a #define to the specific "big global lock" we're currently using. For example :

#define GLOBAL_LOCKID_LIBRARY_INITIALIZED 1
#define GLOBAL_LOCKID_NAMELOOKUP_CODE 2

etc. To start with we could just use one :-).

For areas where we need dynamic locks, we create them inside libsmbclient by :

void *plock = smbc_create_lock(const char *lockname, const char *file, int line);

lock using the macros :

SMBC_TDYNLOCK(plock);
... access resource ...
SMBC_TDYNUNLOCK(plock);

then delete using :

smbc_destroy_lock(void *plock, const char *file, int line)

Note all these calls will be internal to libsmbclient and attendant libraries. I'm using TLOCK and TDYNLOCK prefixes so people don't get them confused with actual SMB lock calls.

The really nice part of this design (from openssl) is that if you never set the callback functions this has *NO EFFECT* on existing code, and because we're hiding the pthread_mutex_t types behind an int index (for the global locks case) and a void pointer (in the dynamic case) there are *no dependencies* on any underlying threads library or primitives. For people who want pthreads we supply a module that provides a pthread sample implementation of all the callback functions above, but it's only linked in by people who want threading.

I haven't started on the thread specific data part yet (which we'll need for the talloc_frame() calls), so I'll email more when I've thought about that some more.

Comments / Questions ? Big thanks to Volker who got me looking at the openssl code in the first place !

Jeremy.

From abartlet at samba.org Thu Apr 2 23:46:09 2009
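The callback-based locking design from the libsmbclient threading proposal above, as an added C example that is not part of the original message and is not libsmbclient code. Function and macro names are taken from the proposal; every signature, the return codes of smbc_lock()/smbc_dynlock(), the pairing of lock flags with SMBC_TLOCK and the unlock flag with SMBC_TUNLOCK, and the app_* pthread module are assumptions made for illustration.

```c
/* Added example, not libsmbclient code. Function names follow the proposal
 * above; every signature and the pthread module are assumptions. */
#include <pthread.h>
#include <stdlib.h>

/* ---- library side: no thread-library type or call appears here ---- */
#define SMB_TLOCK       0x1
#define SMB_TUNLOCK     0x2
#define SMB_TLOCK_WRITE 0x4
#define GLOBAL_LOCKID_LIBRARY_INITIALIZED 1
#define GLOBAL_LOCKID_NAMELOOKUP_CODE     2
#define GLOBAL_LOCKID_COUNT               2

typedef void  (*smbc_lock_fn)(int mode, int id, const char *file, int line);
typedef void  (*smbc_dynlock_fn)(int mode, void *lock, const char *file, int line);
typedef void *(*smbc_dyncreate_fn)(const char *name, const char *file, int line);
typedef void  (*smbc_dyndestroy_fn)(void *lock, const char *file, int line);

static smbc_lock_fn lock_cb;
static smbc_dynlock_fn dynlock_cb;
static smbc_dyncreate_fn dyncreate_cb;
static smbc_dyndestroy_fn dyndestroy_cb;

unsigned int SMBC_thread_num_locks(void) { return GLOBAL_LOCKID_COUNT; }
void SMBC_thread_set_lock_function(smbc_lock_fn f) { lock_cb = f; }
void SMBC_thread_set_dynamic_lock_function(smbc_dynlock_fn f) { dynlock_cb = f; }
void SMBC_thread_set_dynamic_lock_create_function(smbc_dyncreate_fn f) { dyncreate_cb = f; }
void SMBC_thread_set_dynamic_lock_destroy_function(smbc_dyndestroy_fn f) { dyndestroy_cb = f; }

/* -1: id the library never announced; 0: no callback registered, so the call
 * has no effect (unthreaded caller); 1: the callback ran. */
int smbc_lock(int mode, int id, const char *file, int line)
{
    if (id < 1 || id > GLOBAL_LOCKID_COUNT) return -1;
    if (lock_cb == NULL) return 0;
    lock_cb(mode, id, file, line);
    return 1;
}
int smbc_dynlock(int mode, void *lock, const char *file, int line)
{
    if (dynlock_cb == NULL || lock == NULL) return 0;
    dynlock_cb(mode, lock, file, line);
    return 1;
}
void *smbc_create_lock(const char *name, const char *file, int line)
{ return dyncreate_cb ? dyncreate_cb(name, file, line) : NULL; }
void smbc_destroy_lock(void *lock, const char *file, int line)
{ if (dyndestroy_cb && lock) dyndestroy_cb(lock, file, line); }

#define SMBC_TLOCK(id)     smbc_lock(SMB_TLOCK | SMB_TLOCK_WRITE, (id), __FILE__, __LINE__)
#define SMBC_TUNLOCK(id)   smbc_lock(SMB_TUNLOCK, (id), __FILE__, __LINE__)
#define SMBC_TDYNLOCK(p)   smbc_dynlock(SMB_TLOCK | SMB_TLOCK_WRITE, (p), __FILE__, __LINE__)
#define SMBC_TDYNUNLOCK(p) smbc_dynlock(SMB_TUNLOCK, (p), __FILE__, __LINE__)

static int lookups;   /* shared state guarded by one "big global lock" */
int smbc_demo_lookup(void)
{
    int n;
    SMBC_TLOCK(GLOBAL_LOCKID_NAMELOOKUP_CODE);
    n = ++lookups;
    SMBC_TUNLOCK(GLOBAL_LOCKID_NAMELOOKUP_CODE);
    return n;
}

/* ---- application side: the optional pthread module ---- */
struct app_lock { pthread_mutex_t mutex; unsigned long acquired; };
static struct app_lock *app_global;

static void app_apply(struct app_lock *l, int mode)
{
    if (!(mode & SMB_TLOCK)) { pthread_mutex_unlock(&l->mutex); return; }
    pthread_mutex_lock(&l->mutex);
    l->acquired++;                  /* counted only while the mutex is held */
}
static void app_lock_cb(int mode, int id, const char *file, int line)
{ (void)file; (void)line; app_apply(&app_global[id - 1], mode); }
static void app_dynlock_cb(int mode, void *lock, const char *file, int line)
{ (void)file; (void)line; app_apply(lock, mode); }
static void *app_dyncreate_cb(const char *name, const char *file, int line)
{
    struct app_lock *l = calloc(1, sizeof(*l));
    (void)name; (void)file; (void)line;
    if (l != NULL && pthread_mutex_init(&l->mutex, NULL) != 0) { free(l); l = NULL; }
    return l;
}
static void app_dyndestroy_cb(void *lock, const char *file, int line)
{ (void)file; (void)line; pthread_mutex_destroy(&((struct app_lock *)lock)->mutex); free(lock); }

int app_enable_threading(void)   /* call once, before a second thread exists */
{
    unsigned int i, n = SMBC_thread_num_locks();
    if ((app_global = calloc(n, sizeof(*app_global))) == NULL) return -1;
    for (i = 0; i < n; i++)
        if (pthread_mutex_init(&app_global[i].mutex, NULL) != 0) return -1;
    SMBC_thread_set_lock_function(app_lock_cb);
    SMBC_thread_set_dynamic_lock_function(app_dynlock_cb);
    SMBC_thread_set_dynamic_lock_create_function(app_dyncreate_cb);
    SMBC_thread_set_dynamic_lock_destroy_function(app_dyndestroy_cb);
    return 0;
}
unsigned long app_acquired(int id) { return app_global[id - 1].acquired; }

int main(void)
{
    int before = smbc_demo_lookup();   /* callbacks unset: runs unlocked */
    if (app_enable_threading() != 0) return 1;
    return (before == 1 && smbc_demo_lookup() == 2 && app_acquired(2) == 1) ? 0 : 1;
}
```

The callbacks are plain globals set without synchronization, so in this sketch registration has to finish before any second thread calls into the library.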
From: abartlet at samba.org (Andrew Bartlett) Date: Thu Apr 2 23:46:22 2009 Subject: Samba4 Full Active Directory Schema Issues? In-Reply-To: References: <1238468200.12404.29.camel@ruth> Message-ID: <1238715969.4197.180.camel@naomi.s4.naomi.abartlet.net> On Tue, 2009-03-31 at 23:56 +0300, Ido Mandril wrote: > Andrew, Thanks for the quick reply. > > I hope that the Schema you have now will be the right one for using > with Samba4. > Too bad I can not contribute to this issue, since according to you it > is almost done. As you would have seen in my mail yesterday, it seems there is much, much more work to do. We started adding support for possibleInferiors yesterday, and instead spent the day working on making the schema lookup more efficient. (binary search instead of walking a linked list every time). It turns out that with the previous code, just running with the larger schema had a large performance cost. > When do you think this will be on the MASTER REPO So I could check it > out? Does this plan for Alpha8? if so is there any estimated date for > Alpha8? I hope to have it out by SambaXP, with the new schema and UID changing fixes in it. Perhaps if the schema issue drags on again, we might cut another 'quick' alpha before that. > Please if you think I can do anything to support this issue I will be > honored. Have a look at the tasks I suggested, and also try my wspp-schema branch out against a current OpenLDAP. > I might start with updating the Install tutorial which seem out of > date. Yeah, that will be useful. > Regarding your question, I interesting in Samba4 since I wrote a tool > as part of my studies which is similar to Microsoft SMS. This use > Windows 2008 Server AD, and run on Linux (Debian in my case). It use > the Schema for some classes and I also add 1 more call for my apps. It > could be very cool to export it to run on Samba4, but for that I need > to have a Full Microsoft Active Directory Schema. Nice!
Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From abartlet at samba.org Fri Apr 3 01:28:39 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 01:28:55 2009 Subject: krb auth weirdness found out In-Reply-To: <49D4C782.4080705@liddicott.com> References: <49D4C782.4080705@liddicott.com> Message-ID: <1238722119.4197.285.camel@naomi.s4.naomi.abartlet.net> On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote: > I have the answer (which turns out to be another question) after > spending a couple of dreary days investigating why I get > dcerpc_bind_auth_send() from openchange (with specified creds) causing > errors like this: > > kinit for Sam@GALAXY failed (Cannot contact any KDC for requested realm: > unable to reach any KDC in realm GALAXY) > Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for > requested realm > Cannot reach a KDC we require to contact host@NOVA > Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER > > (when GALAXY is a domain value not a REALM value which should be > galaxy.test.dbamsystems.local) and I have to wait for the time it takes > to fail this before it continues with the NTLM auth (which is what it > should have been doing all along). If GALAXY was in the krb5.conf as a realm, it would actually work (strange, but true). What we need is to provide a DC location plugin to Heimdal that does a lookup for the DCs in that domain, and returns them as possible kerberos KDCs. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From abartlet at samba.org Fri Apr 3 02:21:24 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 02:21:37 2009 Subject: Some remarks on Samba4 with OpenLDAP backend In-Reply-To: <49C41251.1010205@stroeder.com> References: <49BA9F9B.7030708@stroeder.com> <1237159900.3952.72.camel@naomi.s4.naomi.abartlet.net> <49C3D22B.8040402@stroeder.com> <1237582858.3239.18.camel@amy> <49C41251.1010205@stroeder.com> Message-ID: <1238725284.4197.362.camel@naomi.s4.naomi.abartlet.net> On Fri, 2009-03-20 at 23:01 +0100, Michael Ströder wrote: > Andrew Bartlett wrote: > > On Fri, 2009-03-20 at 18:28 +0100, Michael Ströder wrote: > >> Andrew Bartlett wrote: > >>> On Fri, 2009-03-13 at 19:02 +0100, Michael Ströder wrote: > >>>> I hope you don't get this message wrong. The job including the > >>>> provisioning scripts is well done. Still I have some questions and remarks: > >>>> > >>>> 1. IMHO access to the LDAPI socket should also be possible for other > >>>> LDAP clients on the same system. E.g. I'm running my web2ldap as > >>>> separate user on the same system and probably I'd like to access the > >>>> OpenLDAP backend directly. So IMHO the socket file > >>>> /private/ldap/ldapi should be moved to another directory where > >>>> other clients have access. Access control should happen in slapd itself > >>>> by ACLs (as already done). > >>> The reason it is done like this is because I would strongly prefer that > >>> the backend was not accessed directly. > >> Why? The OpenLDAP backend is a LDAPv3-compliant server already enforcing > >> a particular schema. > > > > For me, this isn't a good enough reason: Just because it can be done, > > does not mean it should be done. > > > > The stack of modules that Samba applies above the OpenLDAP server are > > there for a reason, and enforce restrictions and apply semantics above > > and beyond those applied by the backend. That is why we don't allow > > windows clients to connect to the backend directly. > > I'm not talking about regular LDAP access for Windows clients. 
I meant > custom admin processes (e.g. for account syncing with external databases > etc.). Given that slapd can take multiple -h arguments, what is stopping you adding an additional ldapi socket for your needs in that case? I would not object to a default sasl mapping being added that maps a SASL external bind over LDAPI to a privileged identity (preferably read only, but I am willing to be convinced). Samba currently uses DIGEST-MD5 because it allows us to easily work as non-root in the 'make test' process, without having to deal with the UID problem. (Otherwise such support and such a rule would no doubt have been added earlier). > > For example, Samba maintains the 'name' attribute in OpenLDAP manually > > (mapping it to Samba4RDN). If the backend were administered directly, > > nothing would keep 'name' in sync with the RDN. > > > > While I will ask for this to be corrected (as it would also remove a > > race), it gives you an idea of the things that stand in the way. > > Since I know the weird AD schema a little bit I'm quite aware of what > you have to do in Samba4 regarding schema mapping. > > > I'm still confused why you don't want to connect via Samba4. > > E.g. SASL/EXTERNAL over Unix Domain Socket with mapping to an admin's > authz-DN for sync processes without having to provide a password. In > general I'd like to be able to do everything I'm used to do with > OpenLDAP if needed (obeying the DIT and schema requirements of course). It would be a trivial task to add EXTERNAL as an available SASL mechanism to Samba4. More difficult would be to determine what it mapped to in terms of an identity, but even so, a simple mapping from 'local root on LDAPi == SYSTEM' is practical. Would that solve your concerns? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From hyc at highlandsun.com Fri Apr 3 02:30:45 2009 
From: hyc at highlandsun.com (Howard Chu) Date: Fri Apr 3 02:30:59 2009 Subject: tdb API issues In-Reply-To: <49D4BCBA.9080407@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> Message-ID: <49D574D5.1010102@highlandsun.com> Howard Chu wrote: >> It might also be possible to have a common virtual address space. To >> do that we'd break up the tdb_context structure into per-thread and >> per-process parts, and put the mapped pointers in the per-process >> part. It would require some thought to make sure this is safe, but at >> first glance I think its doable. > > OK, this sounds like a reasonable avenue to explore. If we also provide some > callbacks for creating, locking/unlocking and freeing mutexes then we can > explicitly make the relevant parts safe. I have a preliminary patch up on http://highlandsun.com/hyc/tdbdif.txt. Jeremy, I cc'd you on this because it looks like you're about to duplicate what I've just done re: adding thread callbacks in your libsmbclient proposal. I'm not sure what's the point of OpenSSL asking the caller to pre-create some number of global locks; IMO the library should create whatever locks it needs and the caller shouldn't know about them at all. That's more the flavor of the approach I took, otherwise it's basically the same: the caller must call tdb_set_mutex() and provide it a structure which contains a table of mutex function pointers. The tdb_set_mutex() function will then create whatever locks it needs. The trick from here on out is identifying where all the locks need to be inserted. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From abartlet at samba.org Fri Apr 3 02:34:19 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 02:34:41 2009 Subject: [SAMBA4] Possible task: LDAP backend improvements Message-ID: <1238726059.4197.401.camel@naomi.s4.naomi.abartlet.net>

It comes to mind that there are a few things that need some work in the LDAP backend of Samba4, and that they would make a good Summer of Code project, or perhaps be taken on in parts by other interested onlookers:

The tasks are:

Merge provision-backend and provision
-------------------------------------

The current two-step process of provision-backend and a separate provision seems to cause a lot of challenges for folks. They often get the required command line arguments wrong, and have to manually start slapd before we can provision the data. Similarly, when we provision against Fedora DS, it would prefer to start the server right away.

An improved provision script would take a path to the slapd binary (possibly detected at configure time), and incorporate the code in master/selftest/target/Samba4.pm to generate the modules.conf for the slapd.conf

Then, the python script should start slapd, and watch it for improper termination. If it starts (using the command line already suggested, but only listening on ldapi) and stays started, we should provision it normally, then shut it down.

Then, knowing everything worked, we can suggest how the user can start smbd and slapd as required. (the output of this could be put in a file that 'make test' can then parse, to ensure it verifies this value).

As a bonus, if it remains possible to test the current provision-backend code, when a valid OpenLDAP installation is not present, all the better (help prevent bitrot).

Test OpenLDAP in a normal 'make test'
-------------------------------------

Detect that OpenLDAP 2.4.15 is present on the system, and its location. If so, when 'make test' is run, then 'make quicktest' is additionally run against the LDAP backend.

This should help reduce bitrot in the OpenLDAP backend because it fails to be tested. Currently testing against the OpenLDAP backend requires that you run:

TEST_LDAP=yes OPENLDAP_ROOT=/usr/local make test

Most developers don't do this regularly (either because they don't have the right OpenLDAP, or they don't know about it, or they don't think to).

Restore the Fedora DS backend
-----------------------------

Currently the Fedora DS backend won't even start. Small details have changed in both Fedora DS and Samba4, and this code has bit-rotted. The task would be to make it pass 'make test' with as few failures as possible (some are inevitable, as it has a different feature set to OpenLDAP).

Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

From abartlet at samba.org Fri Apr 3 02:39:42 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 02:39:42 2009 Subject: [SAMBA4] Unrolling of groups (task for someone) Message-ID: <1238726382.4197.414.camel@naomi.s4.naomi.abartlet.net> Another Samba4 task that someone might like to take on is group unrolling: In AD, groups can be members of groups, but Samba4 does not recognise this, either in the PAC we return to Kerberos clients, or when we accept a login from a user whose groups are members of local system groups (such as the domain administrators being in 'administrators' of the local system). Perhaps someone would like to take this on? Writing comparative tests to show that the new behaviour matches AD would be a key part of this task. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From hyc at highlandsun.com Fri Apr 3 02:42:43 2009 
From: hyc at highlandsun.com (Howard Chu) Date: Fri Apr 3 03:14:54 2009 Subject: Samba4 Full Active Directory Schema Issues? Message-ID: <49D577A3.4020205@highlandsun.com> > As you would have seen in my mail yesterday, it seems there is much, > much more work to do. We started adding support for possibleInferiors > yesterday, and instead spent the day working on making the schema > lookup more efficient. (binary search instead of walking a linked list > every time). > > It turns out that with the previous code, just running with the larger > schema had a large performance cost. One word: caching. One of the tricks I use in OpenLDAP is to use two AVL trees for schema lookups. One contains the complete schema as loaded in whatever configuration, the other only contains schema elements that were referenced by actual LDAP requests. In practice the number of unique schema elements referenced in any running LDAP instance is much smaller than the complete known set of schema; this trick is worth a fair bit of performance. (I.e., you first lookup in the small tree; if you miss in this cache then you lookup in the full tree, and insert the result into the small cache tree.) The other obvious thing is to never use plain linked lists for data items that need to be looked up in dictionary fashion... And now that I've let that cat out of the bag, I expect every other LDAP vendors' products to speed up by at least 10% in the next few weeks... Which will mean OpenLDAP will only be 4.8x faster than the second fastest, instead of 5x... ;) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From abartlet at samba.org Fri Apr 3 03:15:49 2009 
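The two-level lookup Howard describes in the message above, as an added example that is not OpenLDAP or Samba code: it swaps sorted arrays with binary search in for the AVL trees, and the `schema_*` names and the generated attribute table are constructed for illustration. Only names found in the full table are cached, so requests for unknown names cannot grow the cache.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: attribute names compare case-insensitively */

#define SCHEMA_MAX 1024

struct schema_attr { char name[16]; int id; };

static struct schema_attr full[SCHEMA_MAX];        /* complete schema, sorted by name */
static const struct schema_attr *hot[SCHEMA_MAX];  /* referenced subset, sorted by name */
static size_t hot_count;
static unsigned long cmp_calls;                    /* instrumentation only */

static int name_cmp(const char *a, const char *b)
{
    cmp_calls++;
    return strcasecmp(a, b);
}

/* Build a constructed schema: attr0000 .. attr1023, already in sorted order. */
void schema_load(void)
{
    for (int i = 0; i < SCHEMA_MAX; i++) {
        snprintf(full[i].name, sizeof(full[i].name), "attr%04d", i);
        full[i].id = i;
    }
    hot_count = 0;
    cmp_calls = 0;
}

/* Binary search over the complete table. */
static const struct schema_attr *full_find(const char *name)
{
    size_t lo = 0, hi = SCHEMA_MAX;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = name_cmp(name, full[mid].name);
        if (c == 0) return &full[mid];
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return NULL;
}

/* Binary search over the small table; on a miss *pos is the insertion index. */
static const struct schema_attr *hot_find(const char *name, size_t *pos)
{
    size_t lo = 0, hi = hot_count;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = name_cmp(name, hot[mid]->name);
        if (c == 0) return hot[mid];
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    *pos = lo;
    return NULL;
}

/* Small table first; on a miss consult the full table and remember the hit. */
const struct schema_attr *schema_lookup(const char *name)
{
    size_t pos;
    const struct schema_attr *a = hot_find(name, &pos);
    if (a != NULL) return a;
    a = full_find(name);
    if (a == NULL) return NULL;   /* unknown names are never cached */
    memmove(&hot[pos + 1], &hot[pos], (hot_count - pos) * sizeof(hot[0]));
    hot[pos] = a;
    hot_count++;                  /* bounded by SCHEMA_MAX: only real entries land here */
    return a;
}

size_t schema_hot_count(void) { return hot_count; }
unsigned long schema_cmp_calls(void) { return cmp_calls; }
```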
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 03:15:55 2009 Subject: Samba4 & SMB2 questions In-Reply-To: <7AA5607E1C5D7940AF553A4DE1465EEA044D6CD6@az33exm23.fsl.freescale.net> References: <7AA5607E1C5D7940AF553A4DE1465EEA044D6CD6@az33exm23.fsl.freescale.net> Message-ID: <1238728549.4197.453.camel@naomi.s4.naomi.abartlet.net> On Wed, 2009-01-14 at 07:13 -0700, Howard Gregory wrote: > Hello all, > > Please pardon me if these questions are off-topic for this list. I'd > appreciate a pointer to the correct forum. Yes it is, for Samba4 questions. I'm sorry I didn't spot your question earlier. I figure I may as well reply for reference. > I am trying to benchmark the performance difference between SMB and SMB2 > as hosted by a PowerPC-based platform. I've been trying to do this with > samba-4.0.0alpha5. I have learned the hard way that my dirt-simple > share-security-based Samba 3.0.32 configuration won't drop in easily to > Samba 4. BTW, Samba4 uses smb signing more often, so make sure this is disabled for benchmarks. > My setup consists of the PowerPC-based Samba server connected by a > single Gigabit Ethernet cable to a Windows client machine. As far as I > can tell neither system is a member of any "domain". Although smbd > compiles and runs on the server, neither XP nor Vista clients can > connect to the share. Even the "administrator" user fails. After doing > a bit of digging, I have a few questions: > > 1) Is SMB2 actually usable in Samba 4? The WHATSNEW.TXT file talks > about the SMB2 server being "disabled"; do I need to provide some > different options at compile time in order to turn it on? Or is it just > not ready to use? It can be turned on by setting 'max protocol = smb2' I think. > 2) Assuming SMB2 is functional, is it still the case that share-level > security is not yet supported in Samba 4? Correct > 3) I want to have my configuration be as "wide open" as possible in > terms of security. 
In the absence of "share" security, how do I set up > a user or users with NO password, NO authentication, and all access > types allowed? Best to just setup a user I think. I'm not sure what state the 'guest' access is in. > 4) Likewise, I have tried to configure my Samba server as "standalone", > as I want to avoid any entanglements with domain controllers or Active > Directory. Is there anything special I need to do to turn these > features off? Just provision as a standalone server. -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From abartlet at samba.org Fri Apr 3 03:19:05 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 03:19:16 2009 Subject: domain unjoin problem in samba4 In-Reply-To: <632603556D13804EA32DB30070258EDF04687BB4@BLR-SJP-MBX01.wipro.com> References: <632603556D13804EA32DB30070258EDF04687BB4@BLR-SJP-MBX01.wipro.com> Message-ID: <1238728745.4197.459.camel@naomi.s4.naomi.abartlet.net> On Tue, 2009-03-17 at 14:54 +0530, manoj.biswas@wipro.com wrote: > Dear Friends, > > > > I am new to samba-4 and facing some issue to un-join from win2k8 domain. I'm sorry I missed your message earlier. I hope this is still some use. > Steps which I am following to do joining and un-joining of samba4 are > > > > To join samba to win2k8 domain > > 1. ./setup/provision --realm=HUT.COM --domain=hut.com > --host-name=hostname --dnspass=password@123 --root=root > --server-role='member server' > > 2. ./net join hut.com MEMBER -U Administrator%password@123 > > > > to un-join samba > > 1. ./net leave hut.com -U Administrator%password@123 > > > > i am getting error as "leave not found" Yes, there is no 'net leave' command at this time. > so samba4 is not deleting its entry from win2k8 AD users and computers Just use AD Users and Computers on the AD server to remove the account, or use 'net user delete machine$ -U Administrator%password@123' (I think...) Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From hyc at highlandsun.com Fri Apr 3 03:21:19 2009 
From: hyc at highlandsun.com (Howard Chu) Date: Fri Apr 3 03:21:17 2009 Subject: tdb API issues In-Reply-To: <49D574D5.1010102@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> Message-ID: <49D580AF.1070208@highlandsun.com> Howard Chu wrote: > Howard Chu wrote: >>> It might also be possible to have a common virtual address space. To >>> do that we'd break up the tdb_context structure into per-thread and >>> per-process parts, and put the mapped pointers in the per-process >>> part. It would require some thought to make sure this is safe, but at >>> first glance I think its doable. >> >> OK, this sounds like a reasonable avenue to explore. If we also provide some >> callbacks for creating, locking/unlocking and freeing mutexes then we can >> explicitly make the relevant parts safe. > > I have a preliminary patch up on http://highlandsun.com/hyc/tdbdif.txt. The majority of the patch is purely cosmetic; I added prefixes to all the tdb_context member names so that they can all be identified unambiguously. (That also makes future global replaces a lot easier...) Then I split the tdb_context into a tdb_base_context which stores the main state, and the tdb_context which is "per-thread". A thread calls tdb_clone() to get its own working copy of a tdb_context, and all of the clones share the original's tdb_base_context. In the current setup, the original tdb_context must not be closed before any clones. (I guess it would be smarter to allocate the tdb_base_context independently, and refcount it.) I'm not sure yet that I've split things between the base_context and the caller context correctly; this is still all a work in progress but I wanted to get some early feedback. MUTEX_LOCK / MUTEX_UNLOCK macros are used where needed. 
If the caller didn't provide a set of mutex methods (via tdb_set_mutex()) then these macros will do nothing. > the caller must call > tdb_set_mutex() and provide it a structure which contains a table of mutex > function pointers. The tdb_set_mutex() function will then create whatever > locks it needs. > > The trick from here on out is identifying where all the locks need to be inserted. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From abartlet at samba.org Fri Apr 3 03:22:21 2009 
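The callback-table approach discussed in this thread (Jeremy's lock callbacks for libsmbclient, Howard's tdb_set_mutex() with MUTEX_LOCK / MUTEX_UNLOCK macros that do nothing when unset, and his remark about refcounting the base context), as an added example that is not code from tdbdif.txt, tdb or libsmbclient: every `demo_*` and `pt_*` name and both struct layouts are hypothetical. It shows a library that creates its own lock through caller-supplied callbacks, does no locking when none are registered, and refcounts the shared base so the original handle may be closed before its clones.

```c
#include <pthread.h>
#include <stdlib.h>

/* Hypothetical callback table: the library never names a thread type. */
struct demo_mutex_ops {
    void *(*create)(void);
    int   (*lock)(void *m);
    int   (*unlock)(void *m);
    void  (*destroy)(void *m);
};

/* Shared per-process state, reference counted by its handles. */
struct demo_base {
    const struct demo_mutex_ops *ops; /* NULL: caller is single-threaded */
    void *mutex;                      /* opaque, created by the library */
    unsigned refs;
    long records;                     /* stand-in for the shared data */
};

/* Per-thread handle: private state plus a pointer to the shared base. */
struct demo_ctx { struct demo_base *base; long last_seen; };

/* Do nothing unless the caller registered callbacks. */
#define MUTEX_LOCK(b)   do { if ((b)->ops) (b)->ops->lock((b)->mutex); } while (0)
#define MUTEX_UNLOCK(b) do { if ((b)->ops) (b)->ops->unlock((b)->mutex); } while (0)

int demo_bases_freed; /* instrumentation for this example only */

struct demo_ctx *demo_open(void)
{
    struct demo_ctx *c = calloc(1, sizeof(*c));
    if (c == NULL) return NULL;
    c->base = calloc(1, sizeof(*c->base));
    if (c->base == NULL) { free(c); return NULL; }
    c->base->refs = 1;
    return c;
}

/* Register callbacks before any clone exists; the library makes its own lock. */
int demo_set_mutex(struct demo_ctx *c, const struct demo_mutex_ops *ops)
{
    void *m;
    if (c->base->ops != NULL || c->base->refs != 1) return -1;
    m = ops->create();
    if (m == NULL) return -1;
    c->base->mutex = m;
    c->base->ops = ops;
    return 0;
}

/* Give another thread its own handle onto the same base. */
struct demo_ctx *demo_clone(struct demo_ctx *c)
{
    struct demo_ctx *n = calloc(1, sizeof(*n));
    if (n == NULL) return NULL;
    MUTEX_LOCK(c->base);
    c->base->refs++;
    MUTEX_UNLOCK(c->base);
    n->base = c->base;
    return n;
}

/* Update shared state under the lock; returns the new record count. */
long demo_store(struct demo_ctx *c)
{
    MUTEX_LOCK(c->base);
    c->last_seen = ++c->base->records;
    MUTEX_UNLOCK(c->base);
    return c->last_seen;
}

/* Handles may be closed in any order; the last one frees the base. */
void demo_close(struct demo_ctx *c)
{
    struct demo_base *b = c->base;
    unsigned left;
    MUTEX_LOCK(b);
    left = --b->refs;
    MUTEX_UNLOCK(b);
    if (left == 0) {
        if (b->ops) b->ops->destroy(b->mutex);
        free(b);
        demo_bases_freed++;
    }
    free(c);
}

/* Sample pthread module, linked only by callers that want threading. */
int demo_lock_calls, demo_unlock_calls; /* updated while the mutex is held */
static void *pt_create(void)
{
    pthread_mutex_t *m = malloc(sizeof(*m));
    if (m != NULL && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
static int pt_lock(void *m) { int r = pthread_mutex_lock(m); demo_lock_calls++; return r; }
static int pt_unlock(void *m) { demo_unlock_calls++; return pthread_mutex_unlock(m); }
static void pt_destroy(void *m) { pthread_mutex_destroy(m); free(m); }
const struct demo_mutex_ops demo_pthread_ops = { pt_create, pt_lock, pt_unlock, pt_destroy };
```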
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 03:22:19 2009 Subject: Samba4 Full Active Directory Schema Issues? In-Reply-To: <49D577A3.4020205@highlandsun.com> References: <49D577A3.4020205@highlandsun.com> Message-ID: <1238728941.4197.465.camel@naomi.s4.naomi.abartlet.net> On Thu, 2009-04-02 at 19:42 -0700, Howard Chu wrote: > > As you would have seen in my mail yesterday, it seems there is much, > > much more work to do. We started adding support for possibleInferiors > > yesterday, and instead spent the day working on making the schema > > lookup more efficient. (binary search instead of walking a linked list > > every time). > > > > It turns out that with the previous code, just running with the larger > > schema had a large performance cost. > > One word: caching. Our problems were worse than that. In trying to keep an abstraction between ldb and Samba4, we were passing in the comparison functions one-attribute-at-a-time, and ldb was inserting them into a sorted array one at a time. This was kind of expensive on the whole schema :-) So, we now pass in a pointer for 'fetch me an attribute comparison rule', and allow Samba4 to look it up (and there we may well implement such a dual-tree if the need arises). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From michael at stroeder.com Fri Apr 3 05:26:21 2009 
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri Apr 3 05:32:49 2009 Subject: [SAMBA4] Possible task: LDAP backend improvements In-Reply-To: <1238726059.4197.401.camel@naomi.s4.naomi.abartlet.net> References: <1238726059.4197.401.camel@naomi.s4.naomi.abartlet.net> Message-ID: <49D59DFD.2040503@stroeder.com> Andrew Bartlett wrote: > An improved provision script would take a path to the slapd binary > (possibly detected at configure time), and incorporate the code in > master/selftest/target/Samba4.pm to generate the modules.conf for the > slapd.conf > > Then, the python script should start slapd, and watch it for improper > termination. If it starts (using the command line already suggested, > but only listening on ldapi) and stays started, we should provision it > normally, then shut it down. Just an idea to consider: If you already know the path to the slapd binary you could slapadd (slapd -T add) the LDIF data to be provisioned instead of starting slapd. This might also be faster. Ciao, Michael. From karthikeyan.chetty at wipro.com Fri Apr 3 06:16:40 2009 
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Fri Apr 3 06:16:50 2009 Subject: Regarding Linux Join to on Admin USer. Message-ID: Hi , I have tested samba 3.0.14a and samba3.0.33,in latest samba 3.0.X Linux is joined to non admin user. But samba3.0.14a is not joined to non admin user. Could you please any one tell me in which samba3.0.X version fix will be available for join to Non admin user? Thanks & Regards S.Karthikeyan From metze at samba.org Fri Apr 3 06:21:29 2009 
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Fri Apr 3 06:21:53 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-834-g621d403 In-Reply-To: <20090402223814.93D801CC092@us2.samba.org> References: <20090402223814.93D801CC092@us2.samba.org> Message-ID: <49D5AAE9.8050700@samba.org> G?nther Deschner schrieb: > The branch, master has been updated > via 621d40332aad9d99b14c45155308a394c31b98b5 (commit) > from 31ab1d6a6487fb442ccd5b2cd093b4a2b7b80291 (commit) > > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master > > > - Log ----------------------------------------------------------------- > commit 621d40332aad9d99b14c45155308a394c31b98b5 > Author: G?nther Deschner > Date: Fri Apr 3 00:30:13 2009 +0200 > > s3-build: fix the build after tsocket changes. > > Metze, please check. Thanks! > ----------------------------------------------------------------------- > > Summary of changes: > source3/Makefile.in | 2 -- > 1 files changed, 0 insertions(+), 2 deletions(-) > > > Changeset truncated at 500 lines: > > diff --git a/source3/Makefile.in b/source3/Makefile.in > index 9a97d8d..1578abf 100644 > --- a/source3/Makefile.in > +++ b/source3/Makefile.in > @@ -466,8 +466,6 @@ LIBCLI_LDAP_NDR_OBJ = ../libcli/ldap/ldap_ndr.o > LIBTSOCKET_OBJ = ../lib/tsocket/tsocket.o \ > ../lib/tsocket/tsocket_helpers.o \ > ../lib/tsocket/tsocket_bsd.o \ > - ../lib/tsocket/tsocket_recvfrom.o \ > - ../lib/tsocket/tsocket_sendto.o \ > ../lib/tsocket/tsocket_connect.o \ > ../lib/tsocket/tsocket_writev.o \ > ../lib/tsocket/tsocket_readv.o > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba-technical/attachments/20090403/c5f20302/signature.bin From metze at samba.org Fri Apr 3 07:04:06 2009 
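Review bot: in the quoted source3/Makefile.in hunk above, the commit message ("s3-build: fix the build after tsocket changes.") does not say why ../lib/tsocket/tsocket_recvfrom.o and ../lib/tsocket/tsocket_sendto.o are dropped from LIBTSOCKET_OBJ. Name the tsocket commit that removed or folded in those sources, so that someone reading the log can confirm source3 is not left without code it still calls.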
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Fri Apr 3 07:04:20 2009 Subject: tdb API issues In-Reply-To: <49D580AF.1070208@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> <49D580AF.1070208@highlandsun.com> Message-ID: <49D5B4E6.7020702@samba.org> Howard Chu schrieb: > Howard Chu wrote: >> Howard Chu wrote: >>>> It might also be possible to have a common virtual address space. To >>>> do that we'd break up the tdb_context structure into per-thread and >>>> per-process parts, and put the mapped pointers in the per-process >>>> part. It would require some thought to make sure this is safe, but at >>>> first glance I think its doable. >>> >>> OK, this sounds like a reasonable avenue to explore. If we also >>> provide some >>> callbacks for creating, locking/unlocking and freeing mutexes then we >>> can >>> explicitly make the relevant parts safe. >> >> I have a preliminary patch up on http://highlandsun.com/hyc/tdbdif.txt. > > The majority of the patch is purely cosmetic; I added prefixes to all > the tdb_context member names so that they can all be identified > unambiguously. Please remember we need small atomic patches, which make sense on their own and compile and work. So such a rename only patch can go into master now, and the rest comes when it's ready. > (That also makes future global replaces a lot easier...) > Then I split the tdb_context into a tdb_base_context which stores the > main state, and the tdb_context which is "per-thread". A thread calls > tdb_clone() to get its own working copy of a tdb_context, and all of the > clones share the original's tdb_base_context. In the current setup, the > original tdb_context must not be closed before any clones. 
(I guess it > would be smarter to allocate the tdb_base_context independently, and > refcount it.) > > I'm not sure yet that I've split things between the base_context and the > caller context correctly; this is still all a work in progress but I > wanted to get some early feedback. I thought about a similar problem but without real threads, we open the tdb more than once from within one process. I think in that case we should make sure that a transaction would only be used from one caller. The idea was to let tdb_transaction_start() return EWOULDBLOCK if a transaction was already started on a different tdb_context (currently it's tdbwrap_context) (if a transaction is started in a different process we would also return EWOULDBLOCK). Somehow the caller needs to have a way to register for a retry event, but I have no specific idea for that. Maybe the caller needs to pass some callbacks so that tdb doesn't have a dependency to an events system. This would solve the problem where we serve multiple LDAP clients within one process, where each client has its own ldb_context, and we can only allow a transaction for one client. My first idea was to let tdb_transaction_start return a new tdb_context with the transaction methods activated, while the existing tdb_context gets readonly methods. That would mean only the caller who started the transaction sees the intermediate transaction states and all others still see the pre transaction state of the tdb/ldb. It would be nice if we can somehow combine these two tasks. I'm not sure if it would be possible, but I'd really like if two threads can choose not to block on MUTEX_LOCK. metze > MUTEX_LOCK / MUTEX_UNLOCK macros are used where needed. If the caller > didn't provide a set of mutex methods (via tdb_set_mutex()) then these > macros will do nothing. > >> the caller must call >> tdb_set_mutex() and provide it a structure which contains a table of >> mutex >> function pointers. 
The tdb_set_mutex() function will then create whatever >> locks it needs. >> >> The trick from here on out is identifying where all the locks need to >> be inserted. > From metze at samba.org Fri Apr 3 07:11:53 2009 
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Fri Apr 3 07:12:01 2009 Subject: Hooking a program on AD event In-Reply-To: <49D4EA3B.5070407@stroeder.com> References: <49D4A24F.1020002@matws.net> <529a12f40904020441i388927c4p87dc0f7a9044973a@mail.gmail.com> <75973476-C419-4676-9313-250F35DA7E0A@padl.com> <49D4EA3B.5070407@stroeder.com> Message-ID: <49D5B6B9.2030405@samba.org> Michael Ströder wrote: > Luke Howard wrote: >> On 02/04/2009, at 10:41 PM, Sassy Natan wrote: >> >>> If you are using Samba4 with OpenLDAP Backend then you can use >>> the slapo-accesslog(5) overlay, and watch the status of the accesslog >>> database. >>> when a new object is created (for example a workstation) in some >>> container >>> in the LDAP, then you can run your script. >> If you're using OpenLDAP, you can just write an overlay or SLAPI plugin. > > Another option would be to implement a syncrepl client accessing the > OpenLDAP backend for retrieving changes. (This gets rather a topic for > the openldap-software mailing list though.) > > All scenarios require that one has access to the OpenLDAP backend server > and fully understand the schema-quirks done inside smbd for mapping the > MS AD schema to the Samba4 schema in OpenLDAP. That's something Andrew > Bartlett didn't like. But personally I think it's needed. > > Review the discussion, in particular my reply: > http://lists.samba.org/archive/samba-technical/2009-March/063757.html A combination of the LDAP_SERVER_NOTIFICATION_OID and LDAP_SERVER_DIRSYNC_OID controls would also work against windows servers. (But we don't support them yet in samba4) metze From sam at liddicott.com Fri Apr 3 07:56:37 2009 
From: sam at liddicott.com (Sam Liddicott) Date: Fri Apr 3 07:57:23 2009 Subject: krb auth weirdness found out References: <49D4C782.4080705@liddicott.com> <1238722119.4197.285.camel@naomi.s4.naomi.abartlet.net> Message-ID: <49D5C135.2070206@liddicott.com> * Andrew Bartlett wrote, On 03/04/09 02:28: > On Thu, 2009-04-02 at 15:11 +0100, Sam Liddicott wrote: > >> I have the answer (which turns out to be another question) after >> spending a couple of dreary days investigating why I get >> dcerpc_bind_auth_send() from openchange (with specified creds) causing >> errors like this: >> >> kinit for Sam@GALAXY failed (Cannot contact any KDC for requested realm: >> unable to reach any KDC in realm GALAXY) >> Failed to get CCACHE for GSSAPI client: Cannot contact any KDC for >> requested realm >> Cannot reach a KDC we require to contact host@NOVA >> Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER >> >> (when GALAXY is a domain value not a REALM value which should be >> galaxy.test.dbamsystems.local) and I have to wait for the time it takes >> to fail this before it continues with the NTLM auth (which is what it >> should have been doing all along). >> > > If GALAXY was in the krb5.conf as a realm, it would actually work > (strange, but true). > Yeah, I'd found that, but then I was failing with these ASN.1 errors, so I followed this path to see where it led and ended up in the same place with the same ASN.1 errors :-( > What we need is to provide a DC location plugin to Heimdal that does a > lookup for the DCs in that domain, and returns them as possible kerberos > KDCs. > Does it make sense for an old windows domain to be part of a krb5_principal, even briefly? If so, then maybe you are right and it looks like krb5_principal_get_realm() is a good stub function, or krb5_get_init_creds_password() I'm not certain that this lookup belongs in Heimdal or that a krb5_principal should ever hold a domain (unless the realm member is badly named). 
Surely such a lookup should be called from cli_credentials_get_principal, which is not part of Heimdal? - so that the krb5_principal never holds a domain, but only a Kerberos realm. The file credentials.c which holds this function seems to manage enough callbacks that one could be installed for converting from domains to realms. Sam From gd at samba.org Fri Apr 3 08:04:03 2009 From: gd at samba.org (Guenther Deschner) Date: Fri Apr 3 08:04:06 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-835-g09265bc In-Reply-To: <20090403080159.E62101CC0B4@us2.samba.org> References: <20090403080159.E62101CC0B4@us2.samba.org> Message-ID: <49D5C2F3.4040409@samba.org> Günther Deschner wrote: > The branch, master has been updated > via 09265bcff5a2fac42f5abf34b8b439aa0a6998a1 (commit) > from 621d40332aad9d99b14c45155308a394c31b98b5 (commit) > > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master > > > - Log ----------------------------------------------------------------- > commit 09265bcff5a2fac42f5abf34b8b439aa0a6998a1 > Author: Günther Deschner > Date: Fri Apr 3 09:57:53 2009 +0200 > > s3-nsswitch: Fix Bug #6238. Make sure logoff is bla bla. Arg! That should read: Make sure wbcLogoffUserParams are properly initialized before freed. Need more coffee... -- Günther Deschner GPG-ID: 8EE11688 Red Hat gdeschner@redhat.com Samba Team gd@samba.org From abartlet at samba.org Fri Apr 3 11:14:44 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Fri Apr 3 11:14:50 2009 Subject: [SAMBA4] Possible task: LDAP backend improvements In-Reply-To: <49D59DFD.2040503@stroeder.com> References: <1238726059.4197.401.camel@naomi.s4.naomi.abartlet.net> <49D59DFD.2040503@stroeder.com> Message-ID: <1238757284.4197.940.camel@naomi.s4.naomi.abartlet.net> On Fri, 2009-04-03 at 07:26 +0200, Michael Ströder wrote: > Andrew Bartlett wrote: > > An improved provision script would take a path to the slapd binary > > (possibly detected at configure time), and incorporate the code in > > master/selftest/target/Samba4.pm to generate the modules.conf for the > > slapd.conf > > > > Then, the python script should start slapd, and watch it for improper > > termination. If it starts (using the command line already suggested, > > but only listening on ldapi) and stays started, we should provision it > > normally, then shut it down. > > Just an idea to consider: If you already know the path to the slapd > binary you could slapadd (slapd -T add) the LDIF data to be provisioned > instead of starting slapd. This might also be faster. The provision system is built around using (reading/writing) a live database, so we are not able to simply slapcat in an LDIF file, as at no point does it construct a single LDIF. As such, we need a live slapd. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From karthikeyan.chetty at wipro.com Fri Apr 3 12:09:04 2009 
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Fri Apr 3 12:09:34 2009 Subject: regarding non admin user join to Domain fix detail. Message-ID: Hi, I have tried to join Linux to Win2K8 Domain with Non admin User. I tested in Samba3.0.27a and it is not joined to domain with non admin user. But in Samba3.0.28a it is working fine, Linux is joined to Win2K8 Domain with Non admin user. I had seen in samba.org for more detail, many fixes are given in Samba3.0.28a. Below are the fix detail given for Samba3.0.28a. Major bug fixes included in Samba 3.0.28a are: o Failure to join Windows 2008 domains o Windows Vista (including SP1 RC) interop issues May I know what is the exact fix which is given for join Linux to WIN2K8 Domain with non admin user? Thanks in advance S.Karthikeyan From kseeger at samba.org Fri Apr 3 13:22:53 2009 
From: kseeger at samba.org (Karolin Seeger) Date: Fri Apr 3 13:22:56 2009 Subject: [Release Planning 3.4] Samba 3.4.0pre1 on April 15? In-Reply-To: References: Message-ID: Hey folks, On Fri, Mar 13, 2009 at 01:54:13PM +0100, Karolin Seeger wrote: > it's time to talk about the upcoming 3.4 release series. > > The v3-4 branches have been created today. Please make sure that S3 relevant > stuff will be picked from master to v3-4-test (and v3-3-test of course) also. > > Only critical fixes should go into v3-2-test and v3-0-test, which are in > maintenance mode. > > What do you think about Wednesday, April 15 for 3.4.0pre1? a corresponding page has been added to the Wiki: http://wiki.samba.org/index.php/Release_Planning_for_Samba_3.4 Cheers, Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From derrell.lipman at unwireduniverse.com Fri Apr 3 13:30:31 2009 
From: derrell.lipman at unwireduniverse.com (Derrell Lipman) Date: Fri Apr 3 13:30:57 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090402233935.GC6284@samba1> References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> Message-ID:

On Thu, Apr 2, 2009 at 7:39 PM, Jeremy Allison wrote:
> Andreas & Derrell,
>
> Just wanted to let you know I have a working design (and some
> preliminary code) for starting the process of properly
> threading libsmbclient.
>

Hi Jeremy,

Thanks for pursuing this! I'm a bit uncertain, though, where you're going with it. If I understand you correctly, you're going to have libsmbclient create these locks that apply deep down in the bowels of the core code. If that's the case, it will mean that different threads could be blocked for a long period of time awaiting receipt of the lock.

There should be no thread safety issues remaining in libsmbclient itself (as long as one uses the lower-level interface where a context is passed to each function, and not the POSIX compatibility interface that uses a static context). Each thread allocates its own context, and libsmbclient should be thread-safe. The state that needs locking is much deeper in the code, and locking it from within libsmbclient doesn't seem the correct place to do it.

Please elucidate a bit about how you anticipate this being used where you expect the lock calls to be made, and what, specifically, needs locking (i.e. where is the global state data currently). Based on my current understanding of where you're going with this, I believe I have a different design that may be more efficient, but I'll first await your clarifications.

Thanks.

Derrell

> It's based on the ideas in openssl, but a little simpler.
>
> The idea is a caller desiring threads will have to initialize
> the thread state and locks we need by firstly calling :
>
>     unsigned int SMBC_thread_num_locks()
>
> which will return the number of "big global locks" (see
> below) we currently need and creating and initializing an
> array of this number of pthread_mutex_t's.
>
> Then they must call a set of functions :
>
>     SMBC_thread_set_log_function()
>     SMBC_thread_set_lock_function()
>     SMBC_thread_set_dynamic_lock_function()
>     SMBC_thread_set_dynamic_lock_create_function()
>     SMBC_thread_set_dynamic_lock_destroy_function()
>
> which will be passed pointers to the callback functions
> libsmbclient will use internally to do the thread locking calls.
>
> Inside libsmbclient we'll start by adding "big
> global locks" (which we'll use to determine the
> number returned from SMBC_thread_num_locks()) and
> lock/unlock them internally by adding code
> like this to the internals of libsmbclient :
>
>     SMBC_TLOCK(GLOBAL_LOCKID);
>     ... access resource ....
>     SMBC_TUNLOCK(GLOBAL_LOCKID);
>
> Where SMBC_TLOCK will be a macro that expands to:
>     smbc_lock_(SMB_TUNLOCK,
>     GLOBAL_LOCKID,
>     __FILE__,
>     __LINE__);
>
> and SMBC_TUNLOCK will expand to:
>     smbc_lock(SMB_TLOCK|SMB_TLOCK_WRITE,
>     GLOBAL_LOCKID,
>     __FILE__,
>     __LINE__);
>
> GLOBAL_LOCKID will be a #define to the specific
> "big global lock" we're currently using. For example :
>
>     #define GLOBAL_LOCKID_LIBRARY_INITIALIZED 1
>     #define GLOBAL_LOCKID_NAMELOOKUP_CODE 2
>
> etc. To start with we could just use one :-).
>
> For areas where we need dynamic locks, we
> create them inside libsmbclient by :
>
>     void *plock = smbc_create_lock(const char *lockname, const char
>     *file, int line);
>
> lock using the macros :
>
>     SMBC_TDYNLOCK(plock);
>     ... access resource ...
>     SMBC_TDYNUNLOCK(plock);
>
> then delete using :
>
>     smbc_destroy_lock(void *plock, const char *file, int line)
>
> Note all these calls will be internal to libsmbclient
> and attendant libraries. I'm using TLOCK and TDYNLOCK
> prefixes so people don't get them confused with actual
> SMB lock calls.
>
> The really nice part of this design (from openssl)
> is that if you never set the callback functions this
> has *NO EFFECT* on existing code, and because we're
> hiding the pthread_mutex_t types behind an int index
> (for the global locks case) and a void pointer (in
> the dynamic case) there are *no dependencies* on
> any underlying threads library or primitives.
>
> For people who want pthreads we supply a module
> that provides a pthread sample implementation of
> all the callback functions above, but it's only
> linked in by people who want threading.
>
> I haven't started on the thread specific data part
> yet (which we'll need for the talloc_frame() calls),
> so I'll email more when I've thought about that some
> more.
>
> Comments / Questions ?
>
> Big thanks to Volker who got me looking at the
> openssl code in the first place !
>
> Jeremy.
>
From Volker.Lendecke at SerNet.DE Fri Apr 3 13:47:24 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Fri Apr 3 13:47:21 2009 Subject: level2 kernel oplocks? Message-ID:

Skipped content of type multipart/mixed
From jerry at samba.org Fri Apr 3 14:57:35 2009 
From: jerry at samba.org (jerry) Date: Fri Apr 3 14:57:43 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: References: Message-ID: <49D623DF.8060208@samba.org> Michael Adam wrote: > * I would also like to (re-)unify the configuration of libwbclient > with the other libs (libtalloc, libtdb, libnetapi, ...) to be > configured with SMB_LIBRARY(). > This means that it will also be possible again to build and link > libwbclient statically, removing the restriction imposed when > libsmbclient was originally created that it should only be > possible to build/link libwbclient statically with > --enable-developer. I think this is artificial. Sometimes you just > want to link a library statically. Vendors are patching the sources > to allow for building and linking statically anyways. ... > A scheme for building (that is basically also what samba4 does) > initially discussed with Jelmer and Lars (among others) > on irc could be the following: > > - check whether libfoo is in the system > and check whether it suits our version requirements > (current checks use pkg-config for this) > > - if libfoo is available and version is ok, then > adapt compile / link flags according to pkg-config to > link against that library > > - if either the library is not found or version is not ok, > then build libfoo internally and link it in _statically_ Michael, Would you clarify one thing for me. By default, will smbd link with libwbclient.a or libwbclient.so? cheers, jerry -- ===================================================================== Samba ------- http://www.samba.org Likewise Software --------- http://www.likewise.com "What man is a man who does not make the world better?" 
--Balian From obnox at samba.org Fri Apr 3 15:44:56 2009 
From: obnox at samba.org (Michael Adam) Date: Fri Apr 3 15:45:10 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: <49D623DF.8060208@samba.org> References: <49D623DF.8060208@samba.org> Message-ID: Hi Jerry, jerry wrote: > > Michael Adam wrote: > > > * I would also like to (re-)unify the configuration of libwbclient > > with the other libs (libtalloc, libtdb, libnetapi, ...) to be > > configured with SMB_LIBRARY(). > > This means that it will also be possible again to build and link > > libwbclient statically, removing the restriction imposed when > > libsmbclient was originally created that it should only be > > possible to build/link libwbclient statically with > > --enable-developer. I think this is artificial. Sometimes you just > > want to link a library statically. Vendors are patching the sources > > to allow for building and linking statically anyways. > ... > > A scheme for building (that is basically also what samba4 does) > > initially discussed with Jelmer and Lars (among others) > > on irc could be the following: > > > > - check whether libfoo is in the system > > and check whether it suits our version requirements > > (current checks use pkg-config for this) > > > > - if libfoo is available and version is ok, then > > adapt compile / link flags according to pkg-config to > > link against that library > > > > - if either the library is not found or version is not ok, > > then build libfoo internally and link it in _statically_ > > Michael, > > Would you clarify one thing for me. By default, will smbd > link with libwbclient.a or libwbclient.so? This could be discussed, but _I_ would say that by default libwbclient.so would be linked in, because to my understanding, libwbclient will by default be provided by the samba packages for some time. This is different for libtalloc (and libtdb), which have found their way into debian's distribution, others following. 
So my proposal is to link libtalloc and libtdb statically when no system library is found and set the defaults for the other libs individually. Sounds reasonable? People (like you, Jerry) with more experience in the static vs. shared libs business should comment. I may be missing vital points here. Recently, an option has been added to link against an external libwbclient. Cheers - Michael -- Michael Adam SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE From jerry at samba.org Fri Apr 3 15:50:40 2009 
From: jerry at samba.org (jerry) Date: Fri Apr 3 15:50:33 2009 Subject: RFC: static / dynamic linking in samba3 In-Reply-To: References: <49D623DF.8060208@samba.org> Message-ID: <49D63050.6080807@samba.org> Michael Adam wrote: >> Would you clarify one thing for me. By default, will smbd >> link with libwbclient.a or libwbclient.so? > > This could be discussed, but _I_ would say that by default > libwbclient.so would be linked in, because to my understanding, > libwbclient will by default be provided by the samba packages > for some time. Sounds good to me. :-) > This is different for libtalloc (and libtdb), which > have found their way into debian's distribution, > others following. > > So my proposal is to link libtalloc and libtdb statically > when no system library is found and set the defaults for > the other libs individually. Sounds reasonable? Yup. Entirely reasonable OTTOMH. cheers, jerry -- ===================================================================== Samba ------- http://www.samba.org Likewise Software --------- http://www.likewise.com "What man is a man who does not make the world better?" --Balian From jra at samba.org Fri Apr 3 16:27:24 2009 
From: jra at samba.org (Jeremy Allison) Date: Fri Apr 3 16:27:21 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> Message-ID: <20090403162724.GB22818@samba1> On Fri, Apr 03, 2009 at 09:30:31AM -0400, Derrell Lipman wrote: > > Thanks for pursuing this! I'm a bit uncertain, though, where you're going > with it. If I understand you correctly, you're going to have libsmbclient > create these locks that apply deep down in the bowels of the core code. If > that's the case, it will mean that different threads could be blocked for a > long period of time awaiting receipt of the lock. > > There should be no thread safety issues remaining in libsmbclient itself (as > long as one uses the lower-level interface where a context is passed to each > function, and not the POSIX compatibility interface that uses a static > context). Each thread allocates its own context, and libsmbclient should be > thread-safe. The state that needs locking is much deeper in the code, and > locking it from within libsmbclient doesn't seem the correct place to do it. Ok, so my comment "inside libsmbclient" was incorrect :-). > Please elucidate a bit about how you anticipate this being used where you > expect the lock calls to be made, and what, specifically, needs locking > (i.e. where is the global state data currently). Based on my current > understanding of where you're going with this, I believe I have a different > design that may be more efficient, but I'll first await your clarifications. The places that need locking are deep inside the utility code (name lookup, parameter reading etc.). So that's where the call must go. The entry points for adding the callback functions are smbc_XXX as I'm imagining the libsmbclient people will be the first users. 
The nice thing about this is that it has zero impact on any of our other code (just some dummy function calls in the code paths). Jeremy. From grey.karapetyan at gmail.com Fri Apr 3 16:38:34 2009 
From: grey.karapetyan at gmail.com (Grey Karapetyan) Date: Fri Apr 3 16:44:23 2009 Subject: Samba VERY SLOW RPC (Spoolss, GetStatusPrinter). Samba Bug? Message-ID: <338569cc0904030938w6738b09xcc0e87dba323ddab@mail.gmail.com>

Hi Guys,

Very need help.

I have a printserver (Samba + Cups with passdb backend = ldapsam:ldap://x.x.x.x (another server - Fedora Directory Server))

situation:
when windows client try open shared folders\files - works FAST (2 seconds). doesn't matter how many entries in ou=Users in Ldap server.
when same windows client try print (from Windows notepad or another application) - getting status printer very-very-very slow (40-50 seconds)

When in ldap number entries less - performance grow
(when 10 users - printerstatus shows 2 seconds)
(when 2000 users - printerstatus shows 5-8 seconds)

WHY this may occur? I think this Samba RPC trouble... Help please.

========== smb.conf
[global]
    log file = /var/log/samba/samba.log.%m
    log level = 3
    domain logons = no
    domain master = no
    local master = no
    preferred master = no
    wins support = no
    dns proxy = no
    os level = 0
    # server setup ---
    netbios name = testsrv
    workgroup = TEST
    security = user
    passdb backend = ldapsam:ldap://x.x.x.x
    ldap admin dn = cn=Directory Manager
    ldap group suffix = ou=NTGroups
    ldap idmap suffix = ou=Idmap
    ldap suffix = dc=test
    ldap user suffix = ou=Users
    # print setup ---
    load printers = yes
    printing = cups
    printcap = cups
    use client driver = yes
[printers]
    comment = All Printers
    path = /var/spool/samba
    readonly = no
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
[print$]
    comment = Printer Driver Download Area
    path = /etc/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes

================ /etc/ldap.conf
uri ldap://x.x.x.x
base dc=test
binddn cn=Directory Manager
bindpw xxxx
#pam_password exop
#pam_filter objectclass=sambaSamAccount
nss_base_passwd ou=Users,dc=test
nss_base_shadow ou=Users,dc=test
nss_base_group ou=NTGroups,dc=test
ssl no

================== /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files

==================
obey pam restrictions = no
SElinux = disabled

From jra at samba.org Fri Apr 3 16:47:17 2009 From: jra at samba.org (Jeremy Allison) Date: Fri Apr 3 16:47:24 2009 Subject: tdb API issues In-Reply-To: <49D574D5.1010102@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> Message-ID: <20090403164717.GC22818@samba1>

On Thu, Apr 02, 2009 at 07:30:45PM -0700, Howard Chu wrote:
>
> I'm not sure what's the point of OpenSSL asking the caller to pre-create
> some number of global locks; IMO the library should create whatever locks
> it needs and the caller shouldn't know about them at all. That's more the
> flavor of the approach I took, otherwise it's basically the same: the
> caller must call tdb_set_mutex() and provide it a structure which
> contains a table of mutex function pointers. The tdb_set_mutex() function
> will then create whatever locks it needs.

The reason it's easier to have the locks pre-created is you don't then need to add lock initialization functions to existing code that doesn't currently have an initialization call. We have a lot of old global state that has no concept of locking so it makes it very easy to add lock calls for global locks you know must already exist.

I'm assuming this is why openssl did this as well.

Jeremy.
From derrell.lipman at unwireduniverse.com Fri Apr 3 16:51:05 2009 
From: derrell.lipman at unwireduniverse.com (Derrell Lipman) Date: Fri Apr 3 16:51:28 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090403162724.GB22818@samba1> References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1> Message-ID: On Fri, Apr 3, 2009 at 12:27 PM, Jeremy Allison wrote: > > The places that need locking are deep inside the utility > code (name lookup, parameter reading etc.). So that's > where the call must go. The entry points for adding the > callback functions are smbc_XXX as I'm imagining the > libsmbclient people will be the first users. > Ok. > > The nice thing about this is that it has zero impact > on any of our other code (just some dummy function > calls in the code paths). > And we probably want to avoid even that, particularly in areas of code that are executed frequently. Function calls can be expensive. It's probably much more efficient to say "if (func_ptr != NULL) (*func_ptr)(params);" than to call a dummy function via func_ptr. That could all be hidden behind a macro, though, so the code isn't cluttered by it. Derrell From hyc at highlandsun.com Fri Apr 3 17:00:24 2009 
From: hyc at highlandsun.com (Howard Chu) Date: Fri Apr 3 17:00:30 2009 Subject: tdb API issues In-Reply-To: <20090403164717.GC22818@samba1> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> <20090403164717.GC22818@samba1> Message-ID: <49D640A8.2020400@highlandsun.com> Jeremy Allison wrote: > On Thu, Apr 02, 2009 at 07:30:45PM -0700, Howard Chu wrote: >> >> I'm not sure what's the point of OpenSSL asking the caller to pre-create >> some number of global locks; IMO the library should create whatever locks >> it needs and the caller shouldn't know about them at all. That's more the >> flavor of the approach I took, otherwise it's basically the same: the >> caller must call tdb_set_mutex() and provide it a structure which >> contains a table of mutex function pointers. The tdb_set_mutex() function >> will then create whatever locks it needs. > > The reason it's easier to have the locks pre-created is you don't > then need to add lock initialization functions to existing code that > doesn't currently have an initialization call. We have a lot of old > global state that has no concept of locking so it makes it very easy > to add lock calls for global locks you know must already exist. Sure, but that should be the library's responsibility. When a caller provides you a set of mutex methods, you should at that point create whatever global locks you're going to need. (Which is what tdb_set_mutex() does - it checks the provided set of methods and then goes about creating the globals. Of course at that point in time, I only had 1 global...) I.e., the moment that a caller gives you a set of mutex methods *is* the lock initialization call for the entire library, you don't need any further initialization functions. > I'm assuming this is why openssl did this as well. -- -- Howard Chu CTO, Symas Corp. 
http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From jra at samba.org Fri Apr 3 17:02:18 2009 From: jra at samba.org (Jeremy Allison) Date: Fri Apr 3 17:02:31 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1> Message-ID: <20090403170218.GF22818@samba1> On Fri, Apr 03, 2009 at 12:51:05PM -0400, Derrell Lipman wrote: > > And we probably want to avoid even that, particularly in areas of code that are > executed frequently. Function calls can be expensive. It's probably much more > efficient to say "if (func_ptr != NULL) (*func_ptr)(params);" than to call a > dummy function via func_ptr. That could all be hidden behind a macro, though, > so the code isn't cluttered by it. I'm a fan of the "premature optimization is the root of all evil" :-). But yeah, the goal is that the lock/unlock calls are called internally via macros so we can add that if we need to. Jeremy. From jra at samba.org Fri Apr 3 17:11:18 2009 
From: jra at samba.org (Jeremy Allison)
Date: Fri Apr 3 17:11:33 2009
Subject: tdb API issues
In-Reply-To: <49D640A8.2020400@highlandsun.com>
References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> <20090403164717.GC22818@samba1> <49D640A8.2020400@highlandsun.com>
Message-ID: <20090403171118.GG22818@samba1>

On Fri, Apr 03, 2009 at 10:00:24AM -0700, Howard Chu wrote:
>
> Sure, but that should be the library's responsibility. When a caller
> provides you a set of mutex methods, you should at that point create
> whatever global locks you're going to need. (Which is what
> tdb_set_mutex() does - it checks the provided set of methods and then
> goes about creating the globals. Of course at that point in time, I only
> had 1 global...) I.e., the moment that a caller gives you a set of mutex
> methods *is* the lock initialization call for the entire library, you
> don't need any further initialization functions.

Good point - might as well have the internal code create the global lock array.....

I'll make that change - thanks !

Jeremy.

From jra at samba.org Fri Apr 3 17:14:43 2009
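The pattern this exchange settles on (the library creates its own global locks at the moment the caller hands over the mutex callbacks), combined with the NULL-tested lock macros raised in the libsmbclient thread, as an added example that is not part of any message here and is not tdb or Samba code. All names (lib_set_mutex, struct mutex_ops, LIB_LOCK, the demo_* helpers) are hypothetical, and the example assumes registration happens once, before any other thread is started.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical table of mutex callbacks supplied by the application. */
struct mutex_ops {
	void *(*create)(void);
	void (*destroy)(void *m);
	int (*lock)(void *m);
	int (*unlock)(void *m);
};

#define LIB_NUM_GLOBAL_LOCKS 3	/* how many globals exist stays private to the library */

static const struct mutex_ops *lib_ops;	/* NULL until lib_set_mutex() succeeds */
static void *lib_global_locks[LIB_NUM_GLOBAL_LOCKS];
static long lib_counter;		/* stand-in for old global state */

/* Inline NULL test instead of calling a dummy function when no ops are set. */
#define LIB_LOCK(i)   do { if (lib_ops != NULL) lib_ops->lock(lib_global_locks[(i)]); } while (0)
#define LIB_UNLOCK(i) do { if (lib_ops != NULL) lib_ops->unlock(lib_global_locks[(i)]); } while (0)

/*
 * Registering the callbacks is the lock initialization call for the whole
 * library. Assumption: called once, before any other thread is started.
 */
int lib_set_mutex(const struct mutex_ops *ops)
{
	int i;

	if (lib_ops != NULL) {
		errno = EBUSY;	/* locks already exist; swapping ops would orphan them */
		return -1;
	}
	if (ops == NULL || !ops->create || !ops->destroy || !ops->lock || !ops->unlock) {
		errno = EINVAL;	/* a partial table would crash on first use */
		return -1;
	}
	for (i = 0; i < LIB_NUM_GLOBAL_LOCKS; i++) {
		lib_global_locks[i] = ops->create();
		if (lib_global_locks[i] == NULL) {
			while (i-- > 0) {	/* roll back the locks already made */
				ops->destroy(lib_global_locks[i]);
				lib_global_locks[i] = NULL;
			}
			errno = ENOMEM;
			return -1;
		}
	}
	lib_ops = ops;	/* publish last: the macros never see a half-built array */
	return 0;
}

/* Existing code that touches global state only needs the two macro calls. */
long lib_bump_counter(void)
{
	long v;

	LIB_LOCK(0);
	v = ++lib_counter;
	LIB_UNLOCK(0);
	return v;
}

/* Constructed caller side: counting objects stand in for real mutexes. */
struct demo_mutex { int held; int lock_calls; };
static int demo_live;		/* mutexes currently allocated */
static int demo_fail_at = -1;	/* create() fails once this many are live */

static void *demo_create(void)
{
	void *m;

	if (demo_fail_at >= 0 && demo_live >= demo_fail_at)
		return NULL;
	m = calloc(1, sizeof(struct demo_mutex));
	if (m != NULL)
		demo_live++;
	return m;
}
static void demo_destroy(void *m) { demo_live--; free(m); }
static int demo_lock(void *m)
{
	struct demo_mutex *d = m;

	d->held++;
	d->lock_calls++;
	return 0;
}
static int demo_unlock(void *m) { ((struct demo_mutex *)m)->held--; return 0; }

static const struct mutex_ops demo_ops = { demo_create, demo_destroy, demo_lock, demo_unlock };
static const struct mutex_ops demo_partial_ops = { demo_create, demo_destroy, demo_lock, NULL };

int main(void)
{
	printf("bump without locks: %ld\n", lib_bump_counter());
	if (lib_set_mutex(&demo_partial_ops) == 0)	/* must be rejected */
		return 1;
	if (lib_set_mutex(&demo_ops) != 0)
		return 1;
	printf("bump with locks: %ld\n", lib_bump_counter());
	printf("locks created by the library: %d\n", demo_live);
	return 0;
}
```
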
From: jra at samba.org (Jeremy Allison)
Date: Fri Apr 3 17:14:55 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-835-g09265bc
In-Reply-To: <49D5C2F3.4040409@samba.org>
References: <20090403080159.E62101CC0B4@us2.samba.org> <49D5C2F3.4040409@samba.org>
Message-ID: <20090403171443.GH22818@samba1>

On Fri, Apr 03, 2009 at 10:04:03AM +0200, Guenther Deschner wrote:
> Günther Deschner wrote:
> > The branch, master has been updated
> > via 09265bcff5a2fac42f5abf34b8b439aa0a6998a1 (commit)
> > from 621d40332aad9d99b14c45155308a394c31b98b5 (commit)
> >
> > http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> >
> >
> > - Log -----------------------------------------------------------------
> > commit 09265bcff5a2fac42f5abf34b8b439aa0a6998a1
> > Author: Günther Deschner
> > Date: Fri Apr 3 09:57:53 2009 +0200
> >
> > s3-nsswitch: Fix Bug #6238. Make sure logoff is bla bla.
>
> Arg!
>
> That should read: Make sure wbcLogoffUserParams are properly initialized
> before freed.
>
> Need more coffee...

Love your commit messages. Have you thought of writing a novel ? :-).

From hyc at highlandsun.com Fri Apr 3 17:56:42 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Fri Apr 3 17:56:58 2009
Subject: tdb API issues
In-Reply-To: <49D5B4E6.7020702@samba.org>
References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> <49D580AF.1070208@highlandsun.com> <49D5B4E6.7020702@samba.org>
Message-ID: <49D64DDA.3030102@highlandsun.com>

Stefan (metze) Metzmacher wrote:
> Howard Chu wrote:
>> Howard Chu wrote:
>>> Howard Chu wrote:
>>>>> It might also be possible to have a common virtual address space. To
>>>>> do that we'd break up the tdb_context structure into per-thread and
>>>>> per-process parts, and put the mapped pointers in the per-process
>>>>> part. It would require some thought to make sure this is safe, but at
>>>>> first glance I think it's doable.
>>>>
>>>> OK, this sounds like a reasonable avenue to explore. If we also
>>>> provide some
>>>> callbacks for creating, locking/unlocking and freeing mutexes then we
>>>> can
>>>> explicitly make the relevant parts safe.
>>>
>>> I have a preliminary patch up on http://highlandsun.com/hyc/tdbdif.txt.
>>
>> The majority of the patch is purely cosmetic; I added prefixes to all
>> the tdb_context member names so that they can all be identified
>> unambiguously.
>
> Please remember we need small atomic patches, which make sense on
> their own

OK.

> and compile and work.

Now you're just being greedy. (Yes, it all compiles and works; if you don't call tdb_set_mutex() to provide the mutex callbacks then no other behaviors change.)

I've attached two separate patches here: one to just rename the tdb_context elements, and the other to split tdb_context into two pieces. I'm holding off on the mutex bits now because I'm not sure I'll be using them.

> So such a rename only patch can go into master now, and the rest comes
> when it's ready.
>
>> (That also makes future global replaces a lot easier...)
>> Then I split the tdb_context into a tdb_base_context which stores the
>> main state, and the tdb_context which is "per-thread". A thread calls
>> tdb_clone() to get its own working copy of a tdb_context, and all of the
>> clones share the original's tdb_base_context. In the current setup, the
>> original tdb_context must not be closed before any clones. (I guess it
>> would be smarter to allocate the tdb_base_context independently, and
>> refcount it.)

The new patch does the latter, separate alloc + refcount. So there's no functional difference between a clone context and the original.

>> I'm not sure yet that I've split things between the base_context and the
>> caller context correctly; this is still all a work in progress but I
>> wanted to get some early feedback.

> I thought about a similar problem but without real threads,
> we open the tdb more than once from within one process.
>
> I think in that case we should make sure that a transaction would only
> be used from one caller.
>
> The idea was to let tdb_transaction_start() return EWOULDBLOCK
> if a transaction was already started on a different tdb_context
> (currently it's tdbwrap_context) (if a transaction is started in
> a different process we would also return EWOULDBLOCK).

That makes sense. My initial approach would allow this, but I didn't keep it: We simply add a have_transaction_lock flag in both the tdb_base_context and the tdb_context. If both are true, tdb_transaction_start simply nests as before. If tbc-> is true but tc-> is not, then return EWOULDBLOCK.

> Somehow the caller needs to have a way to register for a retry event,
> but I have no specific idea for that. Maybe the caller needs to pass some
> callbacks so that tdb doesn't have a dependency to an events system.

Callbacks don't seem to offer any particular advantage here; the caller still has to get back to a particular polling point where it can do something useful.
If you tried to do actual work in a callback you'd run the risk of stack blowout, so all you can safely do in a callback is set a flag. As such, it may be best to do nothing and let the caller just try transaction_start again later, until it stops returning EWOULDBLOCK.

> This would solve the problem where we serve multiple LDAP client within
> one process, where each client has its own ldb_context, and we can only
> allow a transaction for one client.
>
> My first idea was to let tdb_transaction_start return a new tdb_context
> with the transaction methods activated, while the existing tdb_context
> gets readonly methods. That would mean only the caller who started the
> transaction sees the intermediate transaction states and all others
> still see the pre transaction state of the tdb/ldb.
>
> It would be nice if we can somehow combine these two tasks.
> I'm not sure if it would be possible, but I'd really like
> if two threads can choose not to block on MUTEX_LOCK.

OK.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Namespace-cleanup-add-prefix-to-tdb_context-field-n.patch
Type: text/x-patch
Size: 109054 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090403/14a1d486/0001-Namespace-cleanup-add-prefix-to-tdb_context-field-n.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Split-tdb_context-into-two-parts-add-tdb_clone-to.patch
Type: text/x-patch
Size: 7842 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090403/14a1d486/0002-Split-tdb_context-into-two-parts-add-tdb_clone-to.bin

From hyc at highlandsun.com Fri Apr 3 19:09:58 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Fri Apr 3 19:10:20 2009
Subject: tdb API issues
In-Reply-To: <49D64DDA.3030102@highlandsun.com>
References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D404E7.6080404@highlandsun.com> <18900.7568.707088.229101@samba.org> <49D4BCBA.9080407@highlandsun.com> <49D574D5.1010102@highlandsun.com> <49D580AF.1070208@highlandsun.com> <49D5B4E6.7020702@samba.org> <49D64DDA.3030102@highlandsun.com>
Message-ID: <49D65F06.1070604@highlandsun.com>

Howard Chu wrote:
> Stefan (metze) Metzmacher wrote:
>>> I'm not sure yet that I've split things between the base_context and the
>>> caller context correctly; this is still all a work in progress but I
>>> wanted to get some early feedback.
>
>> I thought about a similar problem but without real threads,
>> we open the tdb more than once from within one process.
>>
>> I think in that case we should make sure that a transaction would only
>> be used from one caller.
>>
>> The idea was to let tdb_transaction_start() return EWOULDBLOCK
>> if a transaction was already started on a different tdb_context
>> (currently it's tdbwrap_context) (if a transaction is started in
>> a different process we would also return EWOULDBLOCK).
>
> That makes sense. My initial approach would allow this, but I didn't keep it:
> We simply add a have_transaction_lock flag in both the tdb_base_context and
> the tdb_context. If both are true, tdb_transaction_start simply nests as
> before. If tbc-> is true but tc-> is not, then return EWOULDBLOCK.

Try this patch instead of the 0002 I sent earlier. Again, this splits the tdb_context structure; it also checks for tdb_transaction_start() conflicts and tdb_traverse() conflicts. I think it accomplishes most of what you're looking for.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
-------------- next part --------------
diff --git a/lib/tdb/common/lock.c b/lib/tdb/common/lock.c index 0ed63b3..640b32d 100644 --- a/lib/tdb/common/lock.c +++ b/lib/tdb/common/lock.c @@ -304,6 +304,12 @@ int tdb_transaction_lock(struct tdb_context *tdb, int ltype) if (tdb->tc_have_transaction_lock || tdb->tc_global_lock.count) { return 0; } + if (tdb->tc_base->tbc_have_transaction_lock) { + TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_lock: transaction lock held by someone else\n")); + tdb->tc_ecode = TDB_ERR_LOCK; + errno = EWOULDBLOCK; + return -1; + } if (tdb->tc_methods->tdb_brlock(tdb, TRANSACTION_LOCK, ltype, F_SETLKW, 0, 1) == -1) { TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_lock: failed to get transaction lock\n")); @@ -311,6 +317,7 @@ int tdb_transaction_lock(struct tdb_context *tdb, int ltype) return -1; } tdb->tc_have_transaction_lock = 1; + tdb->tc_base->tbc_have_transaction_lock = 1; return 0; } @@ -326,6 +333,7 @@ int tdb_transaction_unlock(struct tdb_context *tdb) ret = tdb->tc_methods->tdb_brlock(tdb, TRANSACTION_LOCK, F_UNLCK, F_SETLKW, 0, 1); if (ret == 0) { tdb->tc_have_transaction_lock = 0; + tdb->tc_base->tbc_have_transaction_lock = 0; } return ret; } diff --git a/lib/tdb/common/open.c b/lib/tdb/common/open.c index 61c53ec..4884adb 100644 --- a/lib/tdb/common/open.c +++ b/lib/tdb/common/open.c @@ -159,7 +159,14 @@ struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags, errno = ENOMEM; goto fail; } + if (!(tdb->tc_base = (struct tdb_base_context *)calloc(1, + sizeof *tdb->tc_base))) { + /* Can't log this */ + errno = ENOMEM; + goto fail; + } tdb_io_init(tdb); + tdb->tc_base->tbc_refcount = 1; tdb->tc_fd = -1; tdb->tc_name = NULL; tdb->tc_map_ptr = NULL; 
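Review bot: In the new tc_base allocation in tdb_open_ex(), the calloc failure path does "goto fail", but the error cleanup shown in the following hunk reads tdb->tc_fd, which the new macros in tdb_private.h expand to tdb->tc_base->tbc_fd, so an out-of-memory here dereferences a NULL tc_base. Free tdb and return NULL directly at this point, the way tdb_clone() returns on its own calloc failure, or have the cleanup test tdb->tc_base before touching any tc_* field that now lives in the base context.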
@@ -339,6 +346,7 @@ struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags, if (tdb->tc_fd != -1) if (close(tdb->tc_fd) != 0) TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_open_ex: failed to close tdb->tc_fd on error!\n")); + SAFE_FREE(tdb->tc_base); SAFE_FREE(tdb); errno = save_errno; return NULL; @@ -346,6 +354,26 @@ struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags, } /* + * Clone an open database, for multi-threaded access + */ +struct tdb_context *tdb_clone(struct tdb_context *tdb) +{ + struct tdb_context *tc2; + + if (!(tc2 = (struct tdb_context *)calloc(1, sizeof *tc2))) { + /* Can't log this */ + errno = ENOMEM; + return NULL; + } + tc2->tc_base = tdb->tc_base; + tdb->tc_base->tbc_refcount++; + tc2->tc_flags = tdb->tc_flags | TDB_CLONE; + tdb_io_init(tc2); + /* clones aren't in the tdbs list */ + return tc2; +} + +/* * Set the maximum number of dead records per hash chain */ 
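Review bot: tdb_clone() bumps the shared counter with a plain tdb->tc_base->tbc_refcount++, and tdb_close() later drops it with --tdb->tc_base->tbc_refcount, with no lock or atomic operation around either, although the comment says the function exists for multi-threaded access. Two threads cloning or closing at the same moment can lose an update, after which tdb_close() either frees tc_base while another clone still points at it or never frees it. Guard the counter with a mutex or an atomic, or say in the comment that clone and close must be serialised by the caller; the same applies to the test-then-set of tbc_have_transaction_lock in lock.c. The function also uses tdb without checking it for NULL.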
@@ -364,26 +392,33 @@ int tdb_close(struct tdb_context *tdb) struct tdb_context **i; int ret = 0; - if (tdb->tc_transaction) { + if (tdb->tc_transaction && tdb->tc_in_transaction) { tdb_transaction_cancel(tdb); } - if (tdb->tc_map_ptr) { - if (tdb->tc_flags & TDB_INTERNAL) - SAFE_FREE(tdb->tc_map_ptr); - else - tdb_munmap(tdb); - } - SAFE_FREE(tdb->tc_name); - if (tdb->tc_fd != -1) - ret = close(tdb->tc_fd); - SAFE_FREE(tdb->tc_lockrecs); - - /* Remove from contexts list */ - for (i = &tdbs; *i; i = &(*i)->tc_next) { - if (*i == tdb) { - *i = tdb->tc_next; - break; + if (--tdb->tc_base->tbc_refcount < 1) { + if (tdb->tc_map_ptr) { + if (tdb->tc_flags & TDB_INTERNAL) + SAFE_FREE(tdb->tc_map_ptr); + else + tdb_munmap(tdb); + } + SAFE_FREE(tdb->tc_name); + if (tdb->tc_fd != -1) + ret = close(tdb->tc_fd); + SAFE_FREE(tdb->tc_lockrecs); + memset(tdb->tc_base, 0, sizeof(*tdb->tc_base)); + SAFE_FREE(tdb->tc_base); + } + + /* clones aren't in the list */ + if (!(tdb->tc_flags & TDB_CLONE)) { + /* Remove from contexts list */ + for (i = &tdbs; *i; i = &(*i)->tc_next) { + if (*i == tdb) { + *i = tdb->tc_next; + break; + } } } diff --git a/lib/tdb/common/tdb_private.h b/lib/tdb/common/tdb_private.h index 311e9dd..fdc8d28 100644 --- a/lib/tdb/common/tdb_private.h +++ b/lib/tdb/common/tdb_private.h 
@@ -141,34 +141,63 @@ struct tdb_methods { int (*tdb_brlock)(struct tdb_context *, tdb_off_t , int, int, int, size_t); }; +struct tdb_base_context { + char *tbc_name; /* the name of the database */ + void *tbc_map_ptr; /* where it is currently mapped */ + int tbc_fd; /* open file descriptor for the database */ + tdb_len_t tbc_map_size; /* how much space has been mapped */ + int tbc_read_only; /* opened read-only */ + int tbc_traverse_read; /* read-only traversal */ + int tbc_traverse_write; /* read-write traversal */ + struct tdb_lock_type tbc_global_lock; + int tbc_num_lockrecs; + struct tdb_lock_type *tbc_lockrecs; /* only real locks, all with count>0 */ + struct tdb_header tbc_header; /* a cached copy of the header */ + dev_t tbc_device; /* uniquely identifies this tdb */ + ino_t tbc_inode; /* uniquely identifies this tdb */ + struct tdb_logging_context tbc_log; + unsigned int (*tbc_hash_fn)(TDB_DATA *key); + int tbc_open_flags; /* flags used in the open - needed by reopen */ + unsigned int tbc_num_locks; /* number of chain locks held */ + struct tdb_transaction *tbc_transaction; + int tbc_page_size; + int tbc_max_dead_records; + bool tbc_have_transaction_lock; + int tbc_refcount; + volatile sig_atomic_t *tbc_interrupt_sig_ptr; +}; + +#define tc_name tc_base->tbc_name +#define tc_map_ptr tc_base->tbc_map_ptr +#define tc_fd tc_base->tbc_fd +#define tc_map_size tc_base->tbc_map_size +#define tc_read_only tc_base->tbc_read_only +#define tc_traverse_read tc_base->tbc_traverse_read +#define tc_traverse_write tc_base->tbc_traverse_write +#define tc_global_lock tc_base->tbc_global_lock +#define tc_num_lockrecs tc_base->tbc_num_lockrecs +#define tc_lockrecs tc_base->tbc_lockrecs +#define tc_header tc_base->tbc_header +#define tc_device tc_base->tbc_device +#define tc_inode tc_base->tbc_inode +#define tc_log tc_base->tbc_log +#define tc_hash_fn tc_base->tbc_hash_fn +#define tc_open_flags tc_base->tbc_open_flags +#define tc_num_locks tc_base->tbc_num_locks +#define 
tc_page_size tc_base->tbc_page_size +#define tc_max_dead_records tc_base->tbc_max_dead_records +#define tc_interrupt_sig_ptr tc_base->tbc_interrupt_sig_ptr +#define tc_transaction tc_base->tbc_transaction + struct tdb_context { - char *tc_name; /* the name of the database */ - void *tc_map_ptr; /* where it is currently mapped */ - int tc_fd; /* open file descriptor for the database */ - tdb_len_t tc_map_size; /* how much space has been mapped */ - int tc_read_only; /* opened read-only */ - int tc_traverse_read; /* read-only traversal */ - int tc_traverse_write; /* read-write traversal */ - struct tdb_lock_type tc_global_lock; - int tc_num_lockrecs; - struct tdb_lock_type *tc_lockrecs; /* only real locks, all with count>0 */ - enum TDB_ERROR tc_ecode; /* error code for last tdb error */ - struct tdb_header tc_header; /* a cached copy of the header */ + struct tdb_base_context *tc_base; uint32_t tc_flags; /* the flags passed to tdb_open */ + enum TDB_ERROR tc_ecode; /* error code for last tdb error */ struct tdb_traverse_lock tc_travlocks; /* current traversal locks */ struct tdb_context *tc_next; /* all tdbs to avoid multiple opens */ - dev_t tc_device; /* uniquely identifies this tdb */ - ino_t tc_inode; /* uniquely identifies this tdb */ - struct tdb_logging_context tc_log; - unsigned int (*tc_hash_fn)(TDB_DATA *key); - int tc_open_flags; /* flags used in the open - needed by reopen */ - unsigned int tc_num_locks; /* number of chain locks held */ const struct tdb_methods *tc_methods; - struct tdb_transaction *tc_transaction; - int tc_page_size; - int tc_max_dead_records; bool tc_have_transaction_lock; - volatile sig_atomic_t *tc_interrupt_sig_ptr; + bool tc_in_transaction; }; /* diff --git a/lib/tdb/common/transaction.c b/lib/tdb/common/transaction.c index 385b3a2..c7839d6 100644 --- a/lib/tdb/common/transaction.c +++ b/lib/tdb/common/transaction.c 
@@ -429,6 +429,12 @@ int tdb_transaction_start(struct tdb_context *tdb) /* cope with nested tdb_transaction_start() calls */ if (tdb->tc_transaction != NULL) { + if (!tdb->tc_in_transaction) { + TDB_LOG((tdb, TDB_DEBUG_ERROR, "tdb_transaction_start: someone else already owns the transaction\n")); + tdb->tc_ecode = TDB_ERR_LOCK; + errno = EWOULDBLOCK; + return -1; + } tdb->tc_transaction->nesting++; TDB_LOG((tdb, TDB_DEBUG_TRACE, "tdb_transaction_start: nesting %d\n", tdb->tc_transaction->nesting)); @@ -444,7 +450,7 @@ int tdb_transaction_start(struct tdb_context *tdb) return -1; } - if (tdb->tc_travlocks.next != NULL) { + if (tdb->tc_traverse_read || tdb->tc_traverse_write) { /* you cannot use transactions inside a traverse (although you can use traverse inside a transaction) as otherwise you can end up with deadlock */ @@ -504,6 +510,7 @@ int tdb_transaction_start(struct tdb_context *tdb) transaction specific methods */ tdb->tc_transaction->io_methods = tdb->tc_methods; tdb->tc_methods = &transaction_methods; + tdb->tc_in_transaction = true; return 0; @@ -607,6 +614,7 @@ int tdb_transaction_cancel(struct tdb_context *tdb) tdb_transaction_unlock(tdb); SAFE_FREE(tdb->tc_transaction->hash_heads); SAFE_FREE(tdb->tc_transaction); + tdb->tc_in_transaction = false; return ret; } diff --git a/lib/tdb/include/tdb.h b/lib/tdb/include/tdb.h index c00b6cb..a2736b0 100644 --- a/lib/tdb/include/tdb.h +++ b/lib/tdb/include/tdb.h @@ -48,6 +48,7 @@ extern "C" { #define TDB_NOSYNC 64 /* don't use synchronous transactions */ #define TDB_SEQNUM 128 /* maintain a sequence number */ #define TDB_VOLATILE 256 /* Activate the per-hashchain freelist, default 5 */ +#define TDB_CLONE 512 /* clone of existing context (internal use) */ /* error codes */ enum TDB_ERROR {TDB_SUCCESS=0, TDB_ERR_CORRUPT, TDB_ERR_IO, TDB_ERR_LOCK, 
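Review bot: TDB_CLONE is defined among the public open flags in tdb.h and only the comment marks it as internal, so nothing visible in this patch stops a caller from passing 512 in tdb_flags to tdb_open_ex(). tdb_close() uses this bit in tc_flags to skip unlinking the context from the tdbs list, so a context opened with the bit set would be closed without being removed from that list. Mask the bit out of caller-supplied flags in tdb_open_ex(), or keep the clone marker in a private field of struct tdb_context rather than in tc_flags.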
@@ -93,6 +94,7 @@ struct tdb_context *tdb_open_ex(const char *name, int hash_size, int tdb_flags, int open_flags, mode_t mode, const struct tdb_logging_context *log_ctx, tdb_hash_func hash_fn); +struct tdb_context *tdb_clone(struct tdb_context *tdb); void tdb_set_max_dead(struct tdb_context *tdb, int max_dead); int tdb_reopen(struct tdb_context *tdb); From steven.danneman at isilon.com Fri Apr 3 19:15:54 2009 From: steven.danneman at isilon.com (Steven Danneman) Date: Fri Apr 3 19:28:24 2009 Subject: level2 kernel oplocks? In-Reply-To: References: Message-ID: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com> > Hi! > > Attached find some initial work for supporting level2 kernel oplocks. > > One thing I'm stuck with now is the following: > > * smbd (process A) holds an exclusive lease > > * someone else (process B) tries to open the file > > * smbd (process A) gets a signal > > How does smbd find out if process B opened the file for r/w, so that > process A has to drop the lease completely, or if process B opened for > r/o, so that a downgrade would be sufficient?? > > Volker Hey Volker, A Level II oplock is only contended by a write or byte-range lock request. In the case you described, where an open operation contended an existing client's Exclusive oplock, process A would downgrade its client to a Level II oplock. The access mask of the open request is ignored when deciding how to break oplocks. -Steven From jra at samba.org Fri Apr 3 19:30:43 2009 
From: jra at samba.org (Jeremy Allison)
Date: Fri Apr 3 19:30:45 2009
Subject: level2 kernel oplocks?
In-Reply-To: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
References: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
Message-ID: <20090403193043.GM22818@samba1>

On Fri, Apr 03, 2009 at 12:15:54PM -0700, Steven Danneman wrote:
>
> > Hi!
> >
> > Attached find some initial work for supporting level2 kernel oplocks.
> >
> > One thing I'm stuck with now is the following:
> >
> > * smbd (process A) holds an exclusive lease
> >
> > * someone else (process B) tries to open the file
> >
> > * smbd (process A) gets a signal
> >
> > How does smbd find out if process B opened the file for r/w, so that
> > process A has to drop the lease completely, or if process B opened for
> > r/o, so that a downgrade would be sufficient??
> >
> > Volker
>
> Hey Volker,
>
> A Level II oplock is only contended by a write or byte-range lock
> request. In the case you described, where an open operation contended
> an existing client's Exclusive oplock, process A would downgrade its
> client to a Level II oplock. The access mask of the open request is
> ignored when deciding how to break oplocks.

Indeed - even internally we always go down to level2 from exclusive no matter what the requestor is asking for.

Jeremy.

From tprouty at samba.org Fri Apr 3 21:36:30 2009
From: tprouty at samba.org (Tim Prouty)
Date: Fri Apr 3 21:36:30 2009
Subject: level2 kernel oplocks?
In-Reply-To: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
References: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
Message-ID: <7F8A0406-BEBC-4AA2-8FE9-C864183E4AA6@samba.org>

On Apr 3, 2009, at 12:15 PM, Steven Danneman wrote:
> A Level II oplock is only contended by a write or byte-range lock
> request. In the case you described, where an open operation contended
> an existing client's Exclusive oplock, process A would downgrade its
> client to a Level II oplock. The access mask of the open request is
> ignored when deciding how to break oplocks.

To expand on that, there are actually a few more ways that a level 2 oplock can be contended:

enum level2_contention_type {
	LEVEL2_CONTEND_ALLOC_SHRINK,
	LEVEL2_CONTEND_ALLOC_GROW,
	LEVEL2_CONTEND_SET_FILE_LEN,
	LEVEL2_CONTEND_FILL_SPARSE,
	LEVEL2_CONTEND_WRITE,
	LEVEL2_CONTEND_WINDOWS_BRL,
	LEVEL2_CONTEND_POSIX_BRL
};

From asiani at free.fr Sat Apr 4 07:28:25 2009
From: asiani at free.fr (SIANI Alain)
Date: Sat Apr 4 07:29:17 2009
Subject: Samba - loosing xls files
Message-ID: <49D70C19.9060404@free.fr>

Hello,

I'm losing sometimes xls files working on Excel under XP->Samba server
I mount a remote share on windows to samba server...

Do you have an idea ?

thks,
Alain

From Volker.Lendecke at SerNet.DE Sat Apr 4 08:17:47 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Sat Apr 4 08:20:19 2009
Subject: level2 kernel oplocks?
In-Reply-To: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
References: <4B380F71E6E9554CBDEF046D1CDF5E4C04395870@seaxch08.desktop.isilon.com>
Message-ID:

On Fri, Apr 03, 2009 at 12:15:54PM -0700, Steven Danneman wrote:
> A Level II oplock is only contended by a write or byte-range lock
> request. In the case you described, where an open operation contended
> an existing client's Exclusive oplock, process A would downgrade its
> client to a Level II oplock. The access mask of the open request is
> ignored when deciding how to break oplocks.

Ah, good point, thanks :-)

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090404/35a01545/attachment.bin

From Volker.Lendecke at SerNet.DE Sat Apr 4 08:16:24 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Sat Apr 4 08:20:21 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To:
References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1>
Message-ID:

On Fri, Apr 03, 2009 at 12:51:05PM -0400, Derrell Lipman wrote:
> And we probably want to avoid even that, particularly in areas of code that
> are executed frequently. Function calls can be expensive. It's probably much
> more efficient to say "if (func_ptr != NULL) (*func_ptr)(params);" than to
> call a dummy function via func_ptr. That could all be hidden behind a macro,
> though, so the code isn't cluttered by it.

Are function calls really expensive these days? With all the levels of caches these days and just silly fast CPUs, isn't it more important to be cache friendly? When I added the "unlikely" to the DEBUG macros, it actually made a difference when looking at our cache footprint with cachegrind. And that made a few percent difference for netbench.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090404/deed81fd/attachment.bin

From Volker.Lendecke at SerNet.DE Sat Apr 4 08:19:32 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Sat Apr 4 08:20:23 2009
Subject: Samba VERY SLOW RPC (Spoolss, GetStatusPrinter). Samba Bug?
In-Reply-To: <338569cc0904030938w6738b09xcc0e87dba323ddab@mail.gmail.com>
References: <338569cc0904030938w6738b09xcc0e87dba323ddab@mail.gmail.com>
Message-ID:

On Fri, Apr 03, 2009 at 08:38:34PM +0400, Grey Karapetyan wrote:
> Hi Guys,
> Very need help.
>
> I have a printserver (Samba + Cups with passdb backend =
> ldapsam:ldap://x.x.x.x (another server - Fedora Directory Server))
> situation:
> when windows client try open shared folders\files - works FAST(2 seconds).
> doesn't matter how many entries in ou=Users in Ldap server.
> when same windows client try print (from Windows notepad or another
> application) - getting status printer very-very-very slow(40-50 seconds)
>
> When in ldap number entries less - performance grow (when 10 users -
> printerstatus shows 2 seconds)
> (when 2000 users - printerstatus shows 5-8 seconds)
>
> WHY this may occurs? I think this Samba RPC trouble...
> Help please.

Might be due to id maps being done when checking the security descriptors. The fact that it gets slower with the number of users in LDAP might be an indication of bad or missing LDAP indexes.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090404/01a3823c/attachment.bin

From bubulle at debian.org Sat Apr 4 10:23:01 2009
From: bubulle at debian.org (Christian Perrier)
Date: Sat Apr 4 10:23:05 2009
Subject: Broken links to attachments in Bugzilla
Message-ID: <20090404102300.GA5551@mykerinos.kheops.frmug.org>

It seems that, in any bug with attachments, these can't be accessed anymore as the link is "https://bugzilla.samba.org/attachment.cgi?id="

I was suggested by Kai Blin to post this here and CC Jerry....done..:-)

From ashu.yo at gmail.com Sat Apr 4 11:13:57 2009
From: ashu.yo at gmail.com (ashitosh darbarwar)
Date: Sat Apr 4 11:13:47 2009
Subject: google summer of code,SWAT implementation in Python
Message-ID: <67469e560904040413k159ab023q9329b725bd2c0249@mail.gmail.com>

dear sir,

i'm ashitosh from india currently an undergraduate from birla institute of technology and science pilani goa campus india. i'm very much interested in doing a project under samba4 and i'm interested in SWAT implementation in Python. i'm pretty good at python. this would be a great opportunity for me to learn and explore and i'm very much willing to work on this.

my skillset: c,c++,python,vb.net,c#,html,javascript.

thanking you
ashitosh

From derrell.lipman at unwireduniverse.com Sat Apr 4 12:21:56 2009
From: derrell.lipman at unwireduniverse.com (Derrell Lipman)
Date: Sat Apr 4 12:22:28 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To:
References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1>
Message-ID:

On Sat, Apr 4, 2009 at 4:16 AM, Volker Lendecke wrote:
> On Fri, Apr 03, 2009 at 12:51:05PM -0400, Derrell Lipman wrote:
> > And we probably want to avoid even that, particularly in areas of code
> that
> > are executed frequently. Function calls can be expensive. It's probably
> much
> > more efficient to say "if (func_ptr != NULL) (*func_ptr)(params);" than
> to
> > call a dummy function via func_ptr. That could all be hidden behind a
> macro,
> > though, so the code isn't cluttered by it.
>
> Are function calls really expensive these days? With all the
> levels of caches these days and just silly fast CPUs, isn't
> it more important to be cache friendly? When I added the
> "unlikely" to the DEBUG macros, it actually made a
> difference when looking at our cache footprint with
> cachegrind. And that made a few percent difference for
> netbench.
>

You may be right. I'm old. :-) Some habits instilled early in my career may no longer be so necessary and I haven't researched it recently.

Derrell

From jerry at samba.org Sat Apr 4 13:13:38 2009
From: jerry at samba.org (jerry)
Date: Sat Apr 4 13:13:31 2009
Subject: Broken links to attachments in Bugzilla
In-Reply-To: <20090404102300.GA5551@mykerinos.kheops.frmug.org>
References: <20090404102300.GA5551@mykerinos.kheops.frmug.org>
Message-ID: <49D75D02.7000306@samba.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Christian Perrier wrote:
> It seems that, in any bug with attachments, these can't be accessed
> anymore as the link is "https://bugzilla.samba.org/attachment.cgi?id="
>
> I was suggested by Kai Blin to post this here and CC
> Jerry....done..:-)
>

Thanks Christian. This is probably a broken rewrite rule. I'll look into it later tonight.

cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ110CIR7qMdg1EfYRAuxJAKChcZtrK+ys3j4P/OGrrH5uAkkMCgCgyzVZ
3s35QFUYsRIxih+57jT5h24=
=ehe0
-----END PGP SIGNATURE-----

From Volker.Lendecke at SerNet.DE Sat Apr 4 14:18:24 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Sat Apr 4 16:43:59 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To:
References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1>
Message-ID:

On Sat, Apr 04, 2009 at 08:21:56AM -0400, Derrell Lipman wrote:
> You may be right. I'm old. :-) Some habits instilled early in my career may
> no longer be so necessary and I haven't researched it recently.

I'm not 100% certain I'm right in that case. We'd need to test this. But I doubt it would make a difference significant enough to not use a function call.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090404/1e2cb254/attachment.bin

From hyc at highlandsun.com Sat Apr 4 17:23:26 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Sat Apr 4 17:23:40 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <20090404120246.835F3163CCD@lists.samba.org>
References: <20090404120246.835F3163CCD@lists.samba.org>
Message-ID: <49D7978E.8000802@highlandsun.com>

> Date: Sat, 4 Apr 2009 10:16:24 +0200
> From: Volker Lendecke > On Fri, Apr 03, 2009 at 12:51:05PM -0400, Derrell Lipman wrote: >> And we probably want to avoid even that, particularly in areas of code that >> are executed frequently. Function calls can be expensive. It's probably much >> more efficient to say "if (func_ptr != NULL) (*func_ptr)(params);" than to >> call a dummy function via func_ptr. That could all be hidden behind a macro, >> though, so the code isn't cluttered by it. > > Are function calls really expensive these days? With all the > levels of caches these days and just silly fast CPUs, isn't > it more important to be cache friendly? When I added the > "unlikely" to the DEBUG macros, it actually made a > difference when looking at our cache footprint with > cachegrind. And that made a few percent difference for > netbench. It obviously depends on a lot of factors, but in my experience it's still better to test inline in the caller than to make the dummy call. The difference becomes more pronounced as the number of function arguments increases. If you're looking at it from a really low-level view (which I guess you are, since you tried cachegrind) then you have to remember that compiler hints like "unlikely" can't help you all that much. The compiler tries to arrange static branch prediction to keep the most-likely path inline, and branch to the less-likely path. But in this case, it still has to branch around the not-taken path, so the compiler hint doesn't help the code density at all. Cache footprint is still important of course. On a heavily loaded system, slapd compiled with gcc -Os runs a few percent faster than with -O3. On lighter loads, -O3 is faster. So there's other considerations and you can't make a one-size-fits-all solution. Digressing for a bit: we really need a SMP-aware version of cachegrind; it only simulates a single core and single cache hierarchy. It would be nice to have a tool that simulates multiple cores so you can trace cache line conflicts between cores... 
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From Volker.Lendecke at SerNet.DE Sat Apr 4 17:30:29 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sat Apr 4 17:30:21 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <49D7978E.8000802@highlandsun.com> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> Message-ID: On Sat, Apr 04, 2009 at 10:23:26AM -0700, Howard Chu wrote: > If you're looking at it from a really low-level view (which I guess you > are, since you tried cachegrind) then you have to remember that compiler > hints like "unlikely" can't help you all that much. The compiler tries to > arrange static branch prediction to keep the most-likely path inline, and > branch to the less-likely path. But in this case, it still has to branch > around the not-taken path, so the compiler hint doesn't help the code > density at all. We'll have to test all this, for sure. In particular with the DEBUG macro which is a mess with not only one but two if statements, I think the main effect "unlikely" had was to move the unlikely branches somewhere else. And using a function might also help the branch prediction cache as it will always branch at the same code spot for all the callers. But again, this is all pure speculation :-) Volker From hyc at highlandsun.com Sat Apr 4 17:53:12 2009
From: hyc at highlandsun.com (Howard Chu) Date: Sat Apr 4 17:53:23 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> Message-ID: <49D79E88.1000107@highlandsun.com> Volker Lendecke wrote: > On Sat, Apr 04, 2009 at 10:23:26AM -0700, Howard Chu wrote: >> If you're looking at it from a really low-level view (which I guess you >> are, since you tried cachegrind) then you have to remember that compiler >> hints like "unlikely" can't help you all that much. The compiler tries to >> arrange static branch prediction to keep the most-likely path inline, and >> branch to the less-likely path. But in this case, it still has to branch >> around the not-taken path, so the compiler hint doesn't help the code >> density at all. > > We'll have to test all this, for sure. Stepping back a bit, in the context of the mutex functions, there's another consideration. Jeremy was talking about allocating an array of global locks, which makes good sense. But if the caller hasn't initialized the mutex methods, then that array will most likely be NULL, and calling a dummy mutex function unconditionally will still mean dereferencing a NULL pointer to give it the expected mutex. So for sanity's sake, this route is better... +#define MUTEX_LOCK(x) (_tdb_mutex_methods ? _tdb_mutex_methods->tmm_lock(x) : 0 ) +#define MUTEX_UNLOCK(x) (_tdb_mutex_methods ? _tdb_mutex_methods->tmm_unlock(x) : 0 ) +#define MUTEX_TRYLOCK(x) (_tdb_mutex_methods ? 
_tdb_mutex_methods->tmm_trylock(x) : 0 ) +/* Callbacks that must be set for mutex/thread safety */ +typedef int (tdb_mutex_op)(void * mutex); +typedef void *(tdb_mutex_create)(int num); +typedef void (tdb_mutex_destroy)(void *mutex, int num); + +struct tdb_mutex_methods { + tdb_mutex_create *tmm_create; + tdb_mutex_destroy *tmm_destroy; + tdb_mutex_op *tmm_lock; + tdb_mutex_op *tmm_unlock; + tdb_mutex_op *tmm_trylock; +}; + +int tdb_set_mutex(struct tdb_mutex_methods *methods); +struct tdb_mutex_methods *tdb_get_mutex(void); +struct tdb_mutex_methods *_tdb_mutex_methods = NULL; + +int tdb_set_mutex(struct tdb_mutex_methods *methods) +{ + if (!methods) + return TDB_ERR_EINVAL; + if (_tdb_mutex_methods) + return TDB_ERR_EXISTS; + if (!methods->tmm_create || + !methods->tmm_lock || + !methods->tmm_unlock || + !methods->tmm_trylock || + !methods->tmm_destroy) + return TDB_ERR_EINVAL; + tdbs_mutex = methods->tmm_create(1); + if (!tdbs_mutex) + return TDB_ERR_OOM; + + _tdb_mutex_methods = methods; + + return TDB_SUCCESS; +} -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From davecb at sun.com Sat Apr 4 17:43:20 2009 
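Review bot: tdb_set_mutex() checks the five callbacks and then stores the caller's own `methods` pointer in `_tdb_mutex_methods`, so the validation only holds while the caller keeps that struct alive and unmodified; copying the struct into library-owned storage (or taking a `const struct tdb_mutex_methods *` and documenting the lifetime) would stop MUTEX_LOCK from later calling through a member that was cleared after the check. The `if (_tdb_mutex_methods)` test and the final assignment are also not atomic, and the MUTEX_* macros re-read the global on every use, so a tdb_set_mutex() call landing between a MUTEX_LOCK and its MUTEX_UNLOCK would unlock a mutex that was never taken; the header comment should state that it must be called once, before any thread uses tdb. `tdbs_mutex` is assigned here but its declaration is not among the visible lines, and `tdb_get_mutex()` is declared without a definition in this excerpt.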
From: davecb at sun.com (David Collier-Brown) Date: Sat Apr 4 18:02:24 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <20090403162724.GB22818@samba1> Message-ID: <49D79C38.1080500@sun.com> Volker Lendecke wrote: > On Sat, Apr 04, 2009 at 08:21:56AM -0400, Derrell Lipman wrote: > >> You may be right. I'm old. :-) Some habits instilled early in my career may >> no longer be so necessary and I haven't researched it recently. >> > > I'm not 100% certain I'm right in that case. We'd need to > test this. But I doubt it would make a difference > significant enough to not use a function call. > > Volker > Premature optimization is the root of all evil(;-)) Seriously, though, it deserves a test. The call will definitely cause an I-cache load, unless the callee was just used, so a branch-around may be cheaper. A side comment on the DEBUG macros: You said: >When I added the "unlikely" to the DEBUG macros, it actually made a > difference when looking at our cache footprint with > cachegrind. And that made a few percent difference for > netbench. I used samba as the example in a test of branch prediction many moons ago, and discovered that there was enough code in a branched-around DEBUG statement that I had a very high probability of hitting a different I-cache line, which was thrashing my cache sufficiently that I couldn't measure the speedup from the branch being predicted correctly. Your experiment may argue for (further?) minimizing the footprint of the debug macro in the caller, which I understand has already been looked at. --dave -- David Collier-Brown | Always do right.
This will gratify Sun Microsystems, Toronto | some people and astonish the rest davecb@sun.com | -- Mark Twain cell: (647) 833-9377, home (416) 223-8968, bridge (877) 385-4099 code 506 9191# From hyc at highlandsun.com Sat Apr 4 18:16:58 2009 From: hyc at highlandsun.com (Howard Chu) Date: Sat Apr 4 18:17:06 2009 Subject: tdb API issues In-Reply-To: <18899.63966.786033.179358@samba.org> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> Message-ID: <49D7A41A.8000601@highlandsun.com> Also just a comment on coding practice: it's better to typedef actual objects, not pointers to objects. E.g. in tdb.h: typedef int (*tdb_traverse_func)(struct tdb_context *, TDB_DATA, TDB_DATA, void *); typedef void (*tdb_log_func)(struct tdb_context *, enum tdb_debug_level, const char *, ...) PRINTF_ATTRIBUTE(3, 4); typedef unsigned int (*tdb_hash_func)(TDB_DATA *key); struct tdb_logging_context { tdb_log_func log_fn; void *log_private; }; It would have been better to use typedef int (tdb_traverse_func)(struct tdb_context *, TDB_DATA, TDB_DATA, void *); typedef void (tdb_log_func)(struct tdb_context *, enum tdb_debug_level, const char *, ...) PRINTF_ATTRIBUTE(3, 4); struct tdb_logging_context { tdb_log_func *log_fn; void *log_private; }; This way you can use the actual typedef in function declarations, and the compiler will generate an error if you get the function signature wrong at the point the function is defined: extern tdb_traverse_func my_traverser; ... int my_traverser(struct tdb_context *foo, TDB_DATA key) /* oops */ { ... } With the pointer typedef, you'll only get a warning at the point of use, so it'll successfully build even if your code is broken. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From sam at liddicott.com Sat Apr 4 20:57:27 2009 
From: sam at liddicott.com (Sam Liddicott) Date: Sat Apr 4 21:00:30 2009 Subject: Samba - loosing xls files Message-ID: <0000103882@timbuctoo.liddicott.com> Please go into more detail. What do you mean by "losing"? Does it happen if you open and close it a few times without changing or saving it? What version of Samba? What version of Excel? Sam -----Original Message----- From: SIANI Alain Sent: 04 April 2009 08:28 To: samba-technical@samba.org Subject: Samba - loosing xls files Hello, I'm losing sometimes xls files working on Excel under XP->Samba server I mount a remote share on windows to samba server... Do you have an idea ? thks, Alain From idra at samba.org Sat Apr 4 21:29:54 2009
From: idra at samba.org (simo) Date: Sat Apr 4 21:29:36 2009 Subject: tdb API issues In-Reply-To: <49D7A41A.8000601@highlandsun.com> References: <49D3C520.3020202@highlandsun.com> <18899.63966.786033.179358@samba.org> <49D7A41A.8000601@highlandsun.com> Message-ID: <1238880594.7649.18.camel@pico.li.ssimo.org> On Sat, 2009-04-04 at 11:16 -0700, Howard Chu wrote: > Also just a comment on coding practice: it's better to typedef actual objects, > not pointers to objects. E.g. in tdb.h: > > typedef int (*tdb_traverse_func)(struct tdb_context *, TDB_DATA, TDB_DATA, > void *); > typedef void (*tdb_log_func)(struct tdb_context *, enum tdb_debug_level, const > char *, ...) PRINTF_ATTRIBUTE(3, 4); > typedef unsigned int (*tdb_hash_func)(TDB_DATA *key); > > struct tdb_logging_context { > tdb_log_func log_fn; > void *log_private; > }; > > > It would have been better to use > > typedef int (tdb_traverse_func)(struct tdb_context *, TDB_DATA, TDB_DATA, void *); > typedef void (tdb_log_func)(struct tdb_context *, enum tdb_debug_level, const > char *, ...) PRINTF_ATTRIBUTE(3, 4); > > struct tdb_logging_context { > tdb_log_func *log_fn; > void *log_private; > }; > > This way you can use the actual typedef in function declarations, and the > compiler will generate an error if you get the function signature wrong at the > point the function is defined: > > extern tdb_traverse_func my_traverser; > > ... > int my_traverser(struct tdb_context *foo, TDB_DATA key) /* oops */ > { > ... > } > > With the pointer typedef, you'll only get a warning at the point of use, so > it'll successfully build even if your code is broken. I guess it's too late to change existing functions, but we should definitely keep it in mind for future declarations. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From jra at samba.org Sun Apr 5 00:33:15 2009 
From: jra at samba.org (Jeremy Allison) Date: Sun Apr 5 00:33:03 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <49D79E88.1000107@highlandsun.com> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> Message-ID: <20090405003315.GB15741@jeremy-desktop> On Sat, Apr 04, 2009 at 10:53:12AM -0700, Howard Chu wrote: > > Stepping back a bit, in the context of the mutex functions, there's > another consideration. Jeremy was talking about allocating an array of > global locks, which makes good sense. But if the caller hasn't > initialized the mutex methods, then that array will most likely be NULL, > and calling a dummy mutex function unconditionally will still mean > dereferencing a NULL pointer to give it the expected mutex. > > So for sanity's sake, this route is better... > > +#define MUTEX_LOCK(x) (_tdb_mutex_methods ? > _tdb_mutex_methods->tmm_lock(x) : 0 ) > +#define MUTEX_UNLOCK(x) (_tdb_mutex_methods ? > _tdb_mutex_methods->tmm_unlock(x) : 0 ) > +#define MUTEX_TRYLOCK(x) (_tdb_mutex_methods ? > _tdb_mutex_methods->tmm_trylock(x) : 0 ) Yeah I saw your fixes. I had a long chat with tridge on Friday about this and his preference is to add this code to lib/replace rather than having each independent subsystem have to have their own thread/mutex initializers, as we're going to need to do this for more than just tdb. I feel tdb might be a special case though as it's one of the few independent libraries consumed externally. His comment was that we should also have a single macro that thread-requiring programs can call to define the "normal" pthread version of the functions that will be passed to initialize the libraries. 
I'm thinking of something like : SMB_PTHREAD_DEFINE_FNS(log_fn, var); Which expands into definitions of all the functions (using pthreads) we need to pass in to initialize, and a definition and declaration of the struct to pass (the logging function is optional and can be NULL if not needed). var becomes the name of the declared struct containing the vectors. The main() function would then call SMB_PTHREAD_INIT(var); to actually cause the library to initialize the thread functions, mutexes and TLS. There's also functions for TLS we have to add, but I'll look at that next week. Jeremy. From bradh at frogmouth.net Sun Apr 5 06:20:26 2009 From: bradh at frogmouth.net (Brad Hards) Date: Sun Apr 5 06:20:48 2009 Subject: google summer of code,SWAT implementation in Python In-Reply-To: <67469e560904040413k159ab023q9329b725bd2c0249@mail.gmail.com> References: <67469e560904040413k159ab023q9329b725bd2c0249@mail.gmail.com> Message-ID: <200904051620.27141.bradh@frogmouth.net> On Saturday 04 April 2009 10:13:57 pm ashitosh darbarwar wrote: > i'm very much interested in doing a project under samba4 and i'm > interested in SWAT implementation in Python.i'm > pretty good at python. I think you are too late to apply for the summer of code program for this year. See: http://socghop.appspot.com/document/show/program/google/gsoc2009/timeline Perhaps you might like to work on it anyway though? Brad From idra at samba.org Sun Apr 5 06:40:42 2009 
From: idra at samba.org (simo) Date: Sun Apr 5 06:40:13 2009 Subject: An NSS module to solve UNC style ipv6 literal names Message-ID: <1238913642.7649.27.camel@pico.li.ssimo.org> After a discussion around the matter, I took some time today to build this very simple module to allow to use the same hack Microsoft built within Windows to pass ipv6 addresses in UNC path names. Obviously it's just a hack, but it was fun to build, and maybe someone can find it useful. http://samba.org/~idra/code/nss-ipv6literal/README.html Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From ab at samba.org Sun Apr 5 06:40:40 2009 From: ab at samba.org (Alexander Bokovoy) Date: Sun Apr 5 06:40:35 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090402233935.GC6284@samba1> References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> Message-ID: <6062a6e60904042340k457d5c4dn3ded01522e7238b7@mail.gmail.com> On Fri, Apr 3, 2009 at 2:39 AM, Jeremy Allison wrote: > Where SMBC_TLOCK will be a macro that expands to: > smbc_lock_(SMB_TUNLOCK, > GLOBAL_LOCKID, > __FILE__, > __LINE__); > > and SMBC_TUNLOCK will expand to: > smbc_lock(SMB_TLOCK|SMB_TLOCK_WRITE, > GLOBAL_LOCKID, > __FILE__, > __LINE__); Is it the other way around? -- / Alexander Bokovoy From Volker.Lendecke at SerNet.DE Sun Apr 5 10:36:10 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sun Apr 5 10:35:41 2009 Subject: arguments to sockaddr_equal (sockaddr vs sockaddr_storage)? Message-ID: Hi! In master right now the function sockaddr_equal takes to const struct sockaddr *. In 3.3, it takes const struct sockaddr_storage. Didn't Jeremy go through big pain introducing sockaddr_storage when putting in IPv6 support? Why did we go to struct sockaddr again? I must have understood something wrong, can someone help me? Volker From jelmer at samba.org Sun Apr 5 12:53:35 2009
From: jelmer at samba.org (Jelmer Vernooij) Date: Sun Apr 5 12:54:16 2009 Subject: arguments to sockaddr_equal (sockaddr vs sockaddr_storage)? In-Reply-To: References: Message-ID: <49D8A9CF.1000000@samba.org> Hi Volker, Volker Lendecke wrote: > In master right now the function sockaddr_equal takes to > const struct sockaddr *. In 3.3, it takes const struct > sockaddr_storage. > > Didn't Jeremy go through big pain introducing > sockaddr_storage when putting in IPv6 support? Why did we go > to struct sockaddr again? > > I must have understood something wrong, can someone help me? > We used to use "struct sockaddr_in", not "struct sockaddr". The first is specific to IPv4, "struct sockaddr" is a generic pointer for socket addresses. "struct sockaddr" only has a sa_family member that can be used to see what it actually contains, so it can be cast (as is done in the socket code) to (struct sockaddr_in, sockaddr_in6, sockaddr_un, etc). It is the argument received e.g. by connect(). The main difference between "struct sockaddr" and "struct sockaddr_storage" is that the latter is guaranteed to be big enough to hold an ipv6 or an ipv4 address. Since not all of these functions rely on the argument being passed being at least the size of "struct sockaddr_storage", this distinction is useful since Samba 4 can use the functions that take a "struct sockaddr" with "struct sockaddr_in" structures but can't use the functions that take a "sockaddr_storage" argument. Cheers, Jelmer From jra at samba.org Sun Apr 5 16:14:08 2009
From: jra at samba.org (Jeremy Allison) Date: Sun Apr 5 16:13:51 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <6062a6e60904042340k457d5c4dn3ded01522e7238b7@mail.gmail.com> References: <200903201911.04906.mail@cynapses.org> <200903261829.03950.mail@cynapses.org> <200903271141.48395.mail@cynapses.org> <20090402233935.GC6284@samba1> <6062a6e60904042340k457d5c4dn3ded01522e7238b7@mail.gmail.com> Message-ID: <20090405161408.GA20480@jeremy-desktop> On Sun, Apr 05, 2009 at 09:40:40AM +0300, Alexander Bokovoy wrote: > On Fri, Apr 3, 2009 at 2:39 AM, Jeremy Allison wrote: > > Where SMBC_TLOCK will be a macro that expands to: > > smbc_lock_(SMB_TUNLOCK, > > GLOBAL_LOCKID, > > __FILE__, > > __LINE__); > > > > and SMBC_TUNLOCK will expand to: > > smbc_lock(SMB_TLOCK|SMB_TLOCK_WRITE, > > GLOBAL_LOCKID, > > __FILE__, > > __LINE__); > Is it the other way around? Yep, well spotted - there's a test later :-). Thanks, Jeremy. From jra at samba.org Sun Apr 5 16:21:54 2009
From: jra at samba.org (Jeremy Allison) Date: Sun Apr 5 16:21:33 2009 Subject: arguments to sockaddr_equal (sockaddr vs sockaddr_storage)? In-Reply-To: <49D8A9CF.1000000@samba.org> References: <49D8A9CF.1000000@samba.org> Message-ID: <20090405162153.GC20480@jeremy-desktop> On Sun, Apr 05, 2009 at 02:53:35PM +0200, Jelmer Vernooij wrote: > Hi Volker, > > Volker Lendecke wrote: > > In master right now the function sockaddr_equal takes to > > const struct sockaddr *. In 3.3, it takes const struct > > sockaddr_storage. > > > > Didn't Jeremy go through big pain introducing > > sockaddr_storage when putting in IPv6 support? Why did we go > > to struct sockaddr again? > > > > I must have understood something wrong, can someone help me? > > > We used to use "struct sockaddr_in", not "struct sockaddr". The first is > specific to IPv4, "struct sockaddr" is a generic pointer for socket > addresses. > > "struct sockaddr" is only has a sa_family member that can be used to see > what it actually contains, so it can be casted (as is done in the socket > code) to (struct sockaddr_in, sockaddr_in6, sockaddr_un, etc). It is the > argument received e.g. by connect(). > > The main difference between "struct sockaddr" and "struct > sockaddr_storage" is that the latter is guaranteed to be big enough to > hold a ipv6 or a ipv4 address. Since not all of these functions rely on > the argument being passed being at least the size of "struct > sockaddr_storage", this distinction is useful since Samba 4 can use the > functions that take a "struct sockaddr" with "struct sockaddr_in" > structures but can't use the functions that take a "sockaddr_storage" > argument. Then can you add a sockaddr_equal_samba4() function and revert the sockaddr_equal please ? I really don't want to have to go through this migration in our code again. The real fix is to change S4 to use sockaddr_storage, that is what needs to be done in the long run anyway. And no, I'm not doing it again :-). Jeremy. 
From bubulle at debian.org Sun Apr 5 16:21:42 2009 From: bubulle at debian.org (Christian Perrier) Date: Sun Apr 5 16:21:34 2009 Subject: Debian bug #522388: samba (and mount.cifs) copy/dirs permissions error Message-ID: <20090405162142.GH5551@mykerinos.kheops.frmug.org> Before I report this to Bugzilla, would anyone care to look at Debian bug #522388: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522388 In this bug report, one of our users reports that he cannot run "cp -r" files from a local tree to a CIFS-mounted directory on another server. The same action works when doing it from a Windows, Mac OSX client, or even from konqueror... This happens with samba 3.2.5 (Debian lenny). I couldn't reproduce this with a 3.3.2 machine (mounting a directory shared by the same machine). In this bug report, the user sent a level 10 log of the failure, so there's maybe room for investigation. Before sending this to Bugzilla (as I can't reproduce it with 3.3.*, I'm not keen for this), I'd like to know if this problem looks familiar to some of you. From jelmer at samba.org Sun Apr 5 20:26:03 2009 
From: jelmer at samba.org (Jelmer Vernooij) Date: Sun Apr 5 20:27:03 2009 Subject: arguments to sockaddr_equal (sockaddr vs sockaddr_storage)? In-Reply-To: <20090405162153.GC20480@jeremy-desktop> References: <49D8A9CF.1000000@samba.org> <20090405162153.GC20480@jeremy-desktop> Message-ID: <49D913DB.2000301@samba.org> Jeremy Allison wrote: > On Sun, Apr 05, 2009 at 02:53:35PM +0200, Jelmer Vernooij wrote: > >> Hi Volker, >> >> Volker Lendecke wrote: >> >>> In master right now the function sockaddr_equal takes to >>> const struct sockaddr *. In 3.3, it takes const struct >>> sockaddr_storage. >>> >>> Didn't Jeremy go through big pain introducing >>> sockaddr_storage when putting in IPv6 support? Why did we go >>> to struct sockaddr again? >>> >>> I must have understood something wrong, can someone help me? >>> >>> >> We used to use "struct sockaddr_in", not "struct sockaddr". The first is >> specific to IPv4, "struct sockaddr" is a generic pointer for socket >> addresses. >> >> "struct sockaddr" is only has a sa_family member that can be used to see >> what it actually contains, so it can be casted (as is done in the socket >> code) to (struct sockaddr_in, sockaddr_in6, sockaddr_un, etc). It is the >> argument received e.g. by connect(). >> >> The main difference between "struct sockaddr" and "struct >> sockaddr_storage" is that the latter is guaranteed to be big enough to >> hold a ipv6 or a ipv4 address. Since not all of these functions rely on >> the argument being passed being at least the size of "struct >> sockaddr_storage", this distinction is useful since Samba 4 can use the >> functions that take a "struct sockaddr" with "struct sockaddr_in" >> structures but can't use the functions that take a "sockaddr_storage" >> argument. >> > > Then can you add a sockaddr_equal_samba4() function and > revert the sockaddr_equal please ? > > I really don't want to have to go through this migration > in our code again. 
The real fix is to change S4 to use > sockaddr_storage, that is what needs to be done in the > long run anyway. And no, I'm not doing it again :-). sockaddr_equal() will still happily compare IPv6 and IPv4 addresses; nothing has changed in terms of its functionality. It will just not compare beyond the boundaries of "struct sockaddr_in" if the pointer passed in has sa_family AF_INET. For other functions the size of the argument that's passed in *does* matter independent of its family, e.g. for functions that set it such as zero_sockaddr() or interpret_string_addr(). In case of those functions the target pointer really has to be big enough to fit *any* socket address. Cheers, Jelmer From Volker.Lendecke at SerNet.DE Sun Apr 5 21:50:36 2009 
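Jelmer's distinction above, between functions that only read an address through a `struct sockaddr *` and functions that fill one in, written out as an added example (not code from the thread or from Samba). `addr_equal()` and `parse_addr()` are hypothetical helpers, and the addresses are constructed documentation-range samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helpers for illustration; not Samba's sockaddr_equal()
 * or interpret_string_addr(). Only the address is compared, not the port. */

/* Reader: checks sa_family first, then touches only the bytes that belong
 * to that family, so a caller may pass a plain struct sockaddr_in. */
static bool addr_equal(const struct sockaddr *a, const struct sockaddr *b)
{
	if (a->sa_family != b->sa_family) {
		return false;
	}
	switch (a->sa_family) {
	case AF_INET: {
		const struct sockaddr_in *a4 = (const struct sockaddr_in *)a;
		const struct sockaddr_in *b4 = (const struct sockaddr_in *)b;
		return a4->sin_addr.s_addr == b4->sin_addr.s_addr;
	}
	case AF_INET6: {
		const struct sockaddr_in6 *a6 = (const struct sockaddr_in6 *)a;
		const struct sockaddr_in6 *b6 = (const struct sockaddr_in6 *)b;
		return memcmp(&a6->sin6_addr, &b6->sin6_addr,
			      sizeof(struct in6_addr)) == 0;
	}
	default:
		return false; /* unknown family: refuse rather than guess a length */
	}
}

/* Writer: the family is unknown until the text is parsed, so the
 * destination must be able to hold any address (sockaddr_storage). */
static bool parse_addr(const char *text, struct sockaddr_storage *out)
{
	struct sockaddr_in *v4 = (struct sockaddr_in *)out;
	struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)out;

	memset(out, 0, sizeof(*out));
	if (inet_pton(AF_INET, text, &v4->sin_addr) == 1) {
		v4->sin_family = AF_INET;
		return true;
	}
	memset(out, 0, sizeof(*out));
	if (inet_pton(AF_INET6, text, &v6->sin6_addr) == 1) {
		v6->sin6_family = AF_INET6;
		return true;
	}
	return false;
}

/* An IPv4 address held in the small IPv4-only struct compares equal to the
 * same address parsed into sockaddr_storage, with no read past the struct. */
static bool demo_small_v4_matches_parsed(void)
{
	struct sockaddr_in small;
	struct sockaddr_storage big;

	memset(&small, 0, sizeof(small));
	small.sin_family = AF_INET;
	inet_pton(AF_INET, "192.0.2.10", &small.sin_addr);
	return parse_addr("192.0.2.10", &big) &&
	       addr_equal((const struct sockaddr *)&small,
			  (const struct sockaddr *)&big);
}

/* Two spellings of one IPv6 address match; a different address does not. */
static bool demo_v6_compare(void)
{
	struct sockaddr_storage x, y, z;

	if (!parse_addr("2001:db8::1", &x) ||
	    !parse_addr("2001:db8:0:0::1", &y) ||
	    !parse_addr("2001:db8::2", &z)) {
		return false;
	}
	return addr_equal((struct sockaddr *)&x, (struct sockaddr *)&y) &&
	       !addr_equal((struct sockaddr *)&x, (struct sockaddr *)&z);
}

/* An IPv4 address and its IPv4-mapped IPv6 form are different families. */
static bool demo_mixed_families_equal(void)
{
	struct sockaddr_storage v4, mapped;

	parse_addr("192.0.2.10", &v4);
	parse_addr("::ffff:192.0.2.10", &mapped);
	return addr_equal((struct sockaddr *)&v4, (struct sockaddr *)&mapped);
}

/* Unparseable text leaves the destination zeroed (family AF_UNSPEC). */
static bool demo_rejects_garbage(void)
{
	struct sockaddr_storage s;

	return !parse_addr("not-an-address", &s) && s.ss_family == AF_UNSPEC;
}

int main(void)
{
	return (demo_small_v4_matches_parsed() && demo_v6_compare() &&
		!demo_mixed_families_equal() && demo_rejects_garbage()) ? 0 : 1;
}
```
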
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sun Apr 5 21:50:05 2009 Subject: New async libwbclient Message-ID: Hi! On http://git.samba.org/?p=vl/samba.git;a=shortlog;h=refs/heads/async-libwbclient I've uploaded my current async libwbclient iteration. It's 1849 lines replaced by 1890 new ones, and it's almost midnight here. So I didn't directly push it yet. The core checkin is af7876587c3. I've done this as a large patch, you definitely don't want to see the whole history of this :-) The main difference to the current in-master library is a better abstraction: We don't need the recv_helper anymore, and we don't need to expose the innards of the async libsmbclient engine anymore. Furthermore, it does a lot less memcpy ops, it relies on writev_send. TODO: I need to test the secondary trans things with signing, and we need a writev style version of the client signing routine. The current one makes a copy and signs that. It's a ton of new code, and it has taken me two days to get my stack of 60 patches with funny gd-style checkin messages into something presentable, so eventually I want this in and promise to support it :-) Comments? Volker From Volker.Lendecke at SerNet.DE Mon Apr 6 06:07:14 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Mon Apr 6 06:07:09 2009 Subject: New async libwbclient In-Reply-To: References: Message-ID: On Sun, Apr 05, 2009 at 11:50:36PM +0200, Volker Lendecke wrote: > http://git.samba.org/?p=vl/samba.git;a=shortlog;h=refs/heads/async-libwbclient Ignore the subject, Kai just pointed out this is libsmbclient not libwbclient :-) Volker From metze at samba.org Mon Apr 6 07:58:47 2009
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Mon Apr 6 07:58:41 2009 Subject: New async libwbclient In-Reply-To: References: Message-ID: <49D9B637.2090105@samba.org> Hi Volker, > On > > http://git.samba.org/?p=vl/samba.git;a=shortlog;h=refs/heads/async-libwbclient > > I've uploaded my current async libwbclient iteration. It's > 1849 lines replaced by 1890 new ones, and it's almost > midnight here. So I didn't directly push it yet. > > The core checkin is af7876587c3. I've done this as a large > patch, you definitely don't want to see the whole history of > this :-) This looks really good! > The main difference to the current in-master library is a > better abstraction: We don't need the recv_helper anymore, > and we don't need to expose the innards of the async > libsmbclient engine anymore. Furthermore, it does a lot less > memcpy ops, it relies on writev_send. > > TODO: > > I need to test the secondary trans things with signing, and > we need a writev style version of the client signing > routine. The current one makes a copy and signs that. I assume the trans code will just work. Calling cli_state_seqnum_persistent() and cli_state_seqnum_remove() is only needed for the old functions which use cli_state->inbuf/outbuf, so you should remove them from the new functions. Then you can also avoid the goto fail in cli_trans_done(). > It's a ton of new code, and it has taken me two days to get > my stack of 60 patches with funny gd-style checkin messages > into something presentable, so eventually I want this in and > promise to support it :-) I think we can move smb_splice_chain to smbd/process.c now:-) For me it would be nice if we could decouple the async_smb.c code completely from struct cli_state, but maybe we need to wait until all cli_state->inbuf users are gone. +1 for getting this code in when it's tested enough. metze From goran.lowkrantz at ismobile.com Mon Apr 6 08:23:33 2009
From: goran.lowkrantz at ismobile.com (Goran Lowkrantz) Date: Mon Apr 6 08:30:23 2009 Subject: smbd process block In-Reply-To: References: <0000067923@timbuctoo.liddicott.com> <3776468444CEE619F82D2131@[10.255.253.2]> <499BDDA1.8080001@liddicott.com> Message-ID: Hi Sam, Did you manage to get anything out of this? I have worked my way through 3.0.34, 3.2.8 and am now at 3.3.2 but have the same problem. /glz --On February 18, 2009 19:43:12 +0100 Goran Lowkrantz wrote: > One dump available, starting before the connection is done, stopping when > the application has gone Not responding: > > > > /glz > > --On Wednesday, February 18, 2009 10:06 AM +0000 Sam Liddicott > wrote: > >> * Goran Lowkrantz wrote, On 17/02/09 22:38: >>> Three root folders >>> 20655 in 247 subfolders >>> 798 in 24 subfolders >>> 2709 in 128 subfolders >> It would be good if you could send a tcp dump that we could run through >> wireshark >> >> Something like >> >> tcpdump -n -i ETHNAME host SERVERNAME and host CLIENT NAME and \( port >> 445 or port 139 \) -s 1500 -w tcp.dump >> >> [we should probably really do -s 65535 but I don't think you are doing >> any big reads or writes that are interested in] >> >> and then stimulate the error as soon as you can. >> >> The tcp.dump log file may be very large, but you can either load it into >> wireshark and see what is going on, or you could compress it and put it >> somewhere we could download it. >> >> [You might also want to be careful of using any passwords that matter.] >> >> Then we can see if it hangs "doing nothing" or "doing something". I've >> seen some infinite loop hangs doing dir reads on a NAS box which doesn't >> continue properly. >> >> Sam >>> >>> /glz >>> >>> --On Tuesday, February 17, 2009 7:59 PM +0000 Sam Liddicott >>> wrote: >>> >>>> I'm mobile right now, so I can't check the log. >>>> Please can you say how many files are in the folders being monitored? >>>> >>>> Sam >>>> >>>> -----Original Message----- 
>>>> From: Goran Lowkrantz >>>> Sent: 16 February 2009 22:42 >>>> To: samba-technical@lists.samba.org >>>> Subject: smbd process block >>>> >>>> >>>> I have few Samba servers running FreeBSD 7.1 were we have a problem >>>> with smbd process blocking for a few Vista systems that run a program >>>> that watch directories and files on the samba shares. >>>> >>>> On my test setup I have managed to get a hang in less than 30 min. >>>> >>>> Samba 3.2.7 is built with minimum functions and full debug. Options >>>> don't >>>> seems to have any impact on the problem. >>>> >>>> The PC uses Vista Business SP1 and all patches, I run a DAM program >>>> called IMatch ver 3.6.076 that watches for changes in the photo >>>> database. No other application I have tested has the same problems. >>>> For example, Adobe Lightroom 2.2 works without problems when setup >>>> with a watched folder. >>>> >>>> I have attached logfiles from samba with the following extra settings: >>>> debug pid = yes >>>> debug timestamp = no >>>> debug prefix timestamp = yes >>>> debug uid = yes >>>> log level = 10 >>>> >>>> The PID of the server that hangs is 29162. >>>> >>>> The FreeBSD server is an up-to-date quad AMD server with 8GB running >>>> 7.1-STABLE. In normal operation, I see the following: >>>> >>>> # sockstat | grep 445 >>>> glz smbd 7828 23 tcp4 10.255.253.1:445 >>>> 10.255.253.2:57355 root smbd 76917 19 tcp4 127.0.0.1:445 >>>> *:* >>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >>>> >>>> When I get the hang, it looks like this: >>>> # sockstat | grep 445 >>>> root smbd 7828 23 tcp4 10.255.253.1:445 >>>> 10.255.253.2:57355 root smbd 76917 19 tcp4 127.0.0.1:445 >>>> *:* >>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >>>> >>>> and the GDB session: >>>> # gdb /usr/local/sbin/smbd 7828 >>>> GNU gdb 6.1.1 [FreeBSD] >>>> Copyright 2004 Free Software Foundation, Inc. 
>>>> GDB is free software, covered by the GNU General Public License, and >>>> you are welcome to change it and/or distribute copies of it under >>>> certain conditions. >>>> Type "show copying" to see the conditions. >>>> There is absolutely no warranty for GDB. Type "show warranty" for >>>> details. This GDB was configured as "amd64-marcel-freebsd"... >>>> Attaching to program: /usr/local/sbin/smbd, process 7828 >>>> Reading symbols from /usr/local/lib/libldap-2.3.so.2...done. >>>> Loaded symbols for /usr/local/lib/libldap-2.3.so.2 >>>> Reading symbols from /usr/local/lib/liblber-2.3.so.2...done. >>>> Loaded symbols for /usr/local/lib/liblber-2.3.so.2 >>>> Reading symbols from /usr/local/lib/libcups.so.2...done. >>>> Loaded symbols for /usr/local/lib/libcups.so.2 >>>> Reading symbols from /usr/lib/libssl.so.5...done. >>>> Loaded symbols for /usr/lib/libssl.so.5 >>>> Reading symbols from /lib/libcrypto.so.5...done. >>>> Loaded symbols for /lib/libcrypto.so.5 >>>> Reading symbols from /lib/libz.so.4...done. >>>> Loaded symbols for /lib/libz.so.4 >>>> Reading symbols from /lib/libm.so.5...done. >>>> Loaded symbols for /lib/libm.so.5 >>>> Reading symbols from /lib/libcrypt.so.4...done. >>>> Loaded symbols for /lib/libcrypt.so.4 >>>> Reading symbols from /usr/lib/libpam.so.4...done. >>>> Loaded symbols for /usr/lib/libpam.so.4 >>>> Reading symbols from /usr/local/lib/libexecinfo.so.1...done. >>>> Loaded symbols for /usr/local/lib/libexecinfo.so.1 >>>> Reading symbols from /usr/local/lib/libiconv.so.3...done. >>>> Loaded symbols for /usr/local/lib/libiconv.so.3 >>>> Reading symbols from /usr/local/lib/libdmalloc.so.1...done. >>>> Loaded symbols for /usr/local/lib/libdmalloc.so.1 >>>> Reading symbols from /usr/local/lib/libpopt.so.0...done. >>>> Loaded symbols for /usr/local/lib/libpopt.so.0 >>>> Reading symbols from /lib/libthr.so.3...done. 
>>>> [New Thread 0x800a62e00 (LWP 100076)] >>>> Loaded symbols for /lib/libthr.so.3 >>>> Reading symbols from /lib/libc.so.7...done. >>>> Loaded symbols for /lib/libc.so.7 >>>> Reading symbols from /usr/local/lib/libsasl2.so.2...done. >>>> Loaded symbols for /usr/local/lib/libsasl2.so.2 >>>> Reading symbols from /usr/local/lib/libintl.so.8...done. >>>> Loaded symbols for /usr/local/lib/libintl.so.8 >>>> Reading symbols from /usr/local/lib/nss_ldap.so.1...done. >>>> Loaded symbols for /usr/local/lib/nss_ldap.so.1 >>>> Reading symbols from /usr/lib/libcom_err.so.4...done. >>>> Loaded symbols for /usr/lib/libcom_err.so.4 >>>> Reading symbols from /libexec/ld-elf.so.1...done. >>>> Loaded symbols for /libexec/ld-elf.so.1 >>>> [Switching to Thread 0x800a62e00 (LWP 100076)] >>>> 0x0000000801f01d6c in select () from /lib/libc.so.7 >>>> (gdb) directory /usr/ports/net/samba32-devel/work/samba-3.2.7/source/ >>>> Source directories searched: >>>> /usr/ports/net/samba32-devel/work/samba-3.2.7/source:$cdir:$cwd >>>> (gdb) bt >>>> # 0 0x0000000801f01d6c in select () from /lib/libc.so.7 >>>> # 1 0x0000000801d0f4d4 in select () from /lib/libthr.so.3 >>>> # 2 0x00000000006749fe in sys_select (maxfd=24, >>>> # readfds=0x7fffffffd420, >>>> writefds=0x7fffffffd3a0, errorfds=0x0, tval=0x7fffffffd500) >>>> at lib/select.c:93 >>>> # 3 0x00000000004df64c in smbd_process () at smbd/process.c:839 >>>> # 4 0x0000000000854074 in main (argc=2, argv=0x7fffffffd638) at >>>> smbd/server.c:1450 >>>> (gdb) frame 2 >>>> # 2 0x00000000006749fe in sys_select (maxfd=24, >>>> # readfds=0x7fffffffd420, >>>> writefds=0x7fffffffd3a0, errorfds=0x0, tval=0x7fffffffd500) >>>> at lib/select.c:93 >>>> 93 ret = select(maxfd,readfds2,writefds,errorfds,tval); >>>> (gdb) print tval >>>> $1 = (struct timeval *) 0x7fffffffd500 >>>> (gdb) print *tval >>>> $2 = {tv_sec = 59, tv_usec = 999977} >>>> (gdb) The program is running. Quit anyway (and detach it)? 
(y or n) y >>>> Detaching from program: /usr/local/sbin/smbd, process 7828 >>>> >>>> The following is a truss of the process until I have seen the switch to >>>> root as owner: >>>> # time truss -p 8307 >>>> gettimeofday({1234648077.989004 },0x0) = 0 (0x0) >>>> gettimeofday({1234648077.989081 },0x0) = 0 (0x0) >>>> select(24,{6 23},{},0x0,{21.288167 }) = 0 (0x0) >>>> gettimeofday({1234648099.279293 },0x0) = 0 (0x0) >>>> gettimeofday({1234648099.279370 },0x0) = 0 (0x0) >>>> gettimeofday({1234648099.279417 },0x0) = 0 (0x0) >>>> select(24,{6 23},{},0x0,{59.989982 }) = 1 (0x1) >>>> gettimeofday({1234648102.286493 },0x0) = 0 (0x0) >>>> read(23,"\0\0\0r",4) = 4 (0x4) >>>> read(23,"\M^?SMB2\0\0\0\0\^X\a\M-H\0\0\0"...,114) = 114 (0x72) >>>> geteuid(0x3e8,0x3e8,0x2,0x800adf750,0x2,0x800adf750) = 0 (0x0) >>>> getegid(0x3e8,0x3e8,0x2,0x801eadb8c,0xffffff006cf16a50,0x7fffffffd138) >>>> = 0 (0x0) >>>> __sysctl(0x7fffffffd0a0,0x2,0x7fffffffd0bc,0x7fffffffd0b0,0x0,0x0) = 0 >>>> (0x0) 0.000u 0.001s 2:36.56 0.0% 0+0k 0+0io 0pf+0w >>>> >>>> # sockstat | grep 445 >>>> glz smbd 8307 23 tcp4 10.255.253.1:445 >>>> 10.255.253.2:57438 root smbd 76917 19 tcp4 127.0.0.1:445 >>>> *:* >>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >>>> # ps -awxl | grep 8307 >>>> 1000 8307 8556 0 44 0 34672 7984 select IX ?? 0:04.57 >>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf >>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 >>>> truss >>>> -p 8307 >>>> # sockstat | grep 445 >>>> root smbd 8307 23 tcp4 10.255.253.1:445 >>>> 10.255.253.2:57438 root smbd 76917 19 tcp4 127.0.0.1:445 >>>> *:* >>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >>>> # ps -awxl | grep 8307 >>>> 0 8307 8556 0 44 0 34672 7984 select SX ?? 0:04.57 >>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf >>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 >>>> truss >>>> -p 8307 >>>> >>>> >>>> I can recreate this at any time and the condition by killing the >>>> offending smbd process and the PC reconnects just fine. 
>>>>
>>>> Hope this helps to pin this down. As I can recreate the hang, please
>>>> let me know if there is any more information I can supply.
>>>>
>>>> /glz
>>>>
>>>> .................................................. the future isMobile
>>>>
>>>> Goran Lowkrantz
>>>> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
>>>> Phone: +46(0)920-75559
>>>> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>>>>
>>>> http://www.ismobile.com ...............................................
>>>
>>>
>>>
>>> ................................................... the future isMobile
>>>
>>> Goran Lowkrantz
>>> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
>>> Phone: +46(0)920-75559
>>> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>>>
>>> http://www.ismobile.com ...............................................
>
>
>
> ................................................... the future isMobile
>
> Goran Lowkrantz
> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
> Phone: +46(0)920-75559
> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>
> http://www.ismobile.com ...............................................

................................................... the future isMobile

Goran Lowkrantz
System Architect, isMobile AB
Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden
Mobile: +46(0)70-587 87 82
http://www.ismobile.com ...............................................

From kai at samba.org Mon Apr 6 10:21:30 2009
From: kai at samba.org (Kai Blin)
Date: Mon Apr 6 10:21:27 2009
Subject: GSoC students, check that you're subscribed to updates to your proposals.
Message-ID: <200904061221.30876.kai@samba.org>

Hi folks,

it seems that the current GSoC webapp does not subscribe you to updates on your proposals automatically. Please log in there and make sure that you're subscribed. Otherwise you might miss comments by the mentors, which will reflect negatively on your proposal.

Cheers,
Kai

--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.

From bj at SerNet.DE Mon Apr 6 14:22:31 2009
From: bj at SerNet.DE (Björn JACKE)
Date: Mon Apr 6 14:22:11 2009
Subject: Samba patches @apple.com
Message-ID:

Hi James,

some days ago I found in some old bugzilla comments (#3495) that you
have creation time patches for Darwin that you want to merge. As the only
patches I saw so far were the birthtime patches for FreeBSD I searched for the
Darwin patches. I found
http://www.opensource.apple.com/darwinsource/10.5.6/samba-187.8/. There are
really quite a lot of patches in the Darwin Samba release tree and it looks
like a number of these patches should be merged upstream and some might need
some polish and then be merged upstream. As you are samba-team member and Apple
employee you might be the best one to do that. I think you are actually the
only one who can do that as there are corporate copyrights in there which need
to be replaced by personal ones. Some of the patched copyright headers even
look like they are at least not in the spirit of the GPL. "Copyright (C)
2006-2007 Apple Inc. All right reserved." in trans2.c makes one feel like Apple
bought Samba ;-).

If you find or get the time to clean those things up and merge upstream that
would be great!

Thanks
Björn

From sam at liddicott.com Mon Apr 6 14:28:31 2009
From: sam at liddicott.com (Sam Liddicott) Date: Mon Apr 6 14:29:34 2009 Subject: smbd process block References: Message-ID: <49DA118F.90701@liddicott.com> As far as I can tell, samba is not hanging, it's issuing responses to all the requests it gets. I think that the windows client thinks that samba has hung, because the sending of Echo Request is a sign that the client is getting fed up of waiting and is checking to see if the link is still working. So it looks like the client is waiting for some kind of response, but I haven't been able to spot a response that wasn't answered. You load the pcap into wireshark and see if you can spot a request that doesn't get a response... Sam * Goran Lowkrantz wrote, On 16/02/09 22:42: > > I have few Samba servers running FreeBSD 7.1 were we have a problem > with smbd process blocking for a few Vista systems that run a program > that watch directories and files on the samba shares. > > On my test setup I have managed to get a hang in less than 30 min. > > Samba 3.2.7 is built with minimum functions and full debug. Options > don't seems to have any impact on the problem. > > The PC uses Vista Business SP1 and all patches, I run a DAM program > called IMatch ver 3.6.076 that watches for changes in the photo > database. No other application I have tested has the same problems. > For example, Adobe Lightroom 2.2 works without problems when setup > with a watched folder. > > I have attached logfiles from samba with the following extra settings: > debug pid = yes > debug timestamp = no > debug prefix timestamp = yes > debug uid = yes > log level = 10 > > The PID of the server that hangs is 29162. > > The FreeBSD server is an up-to-date quad AMD server with 8GB running > 7.1-STABLE. 
In normal operation, I see the following: > > # sockstat | grep 445 > glz smbd 7828 23 tcp4 10.255.253.1:445 > 10.255.253.2:57355 > root smbd 76917 19 tcp4 127.0.0.1:445 *:* > root smbd 76917 20 tcp4 10.255.253.1:445 *:* > > When I get the hang, it looks like this: > # sockstat | grep 445 > root smbd 7828 23 tcp4 10.255.253.1:445 > 10.255.253.2:57355 > root smbd 76917 19 tcp4 127.0.0.1:445 *:* > root smbd 76917 20 tcp4 10.255.253.1:445 *:* > > and the GDB session: > # gdb /usr/local/sbin/smbd 7828 > GNU gdb 6.1.1 [FreeBSD] > Copyright 2004 Free Software Foundation, Inc. > GDB is free software, covered by the GNU General Public License, and > you are > welcome to change it and/or distribute copies of it under certain > conditions. > Type "show copying" to see the conditions. > There is absolutely no warranty for GDB. Type "show warranty" for > details. > This GDB was configured as "amd64-marcel-freebsd"... > Attaching to program: /usr/local/sbin/smbd, process 7828 > Reading symbols from /usr/local/lib/libldap-2.3.so.2...done. > Loaded symbols for /usr/local/lib/libldap-2.3.so.2 > Reading symbols from /usr/local/lib/liblber-2.3.so.2...done. > Loaded symbols for /usr/local/lib/liblber-2.3.so.2 > Reading symbols from /usr/local/lib/libcups.so.2...done. > Loaded symbols for /usr/local/lib/libcups.so.2 > Reading symbols from /usr/lib/libssl.so.5...done. > Loaded symbols for /usr/lib/libssl.so.5 > Reading symbols from /lib/libcrypto.so.5...done. > Loaded symbols for /lib/libcrypto.so.5 > Reading symbols from /lib/libz.so.4...done. > Loaded symbols for /lib/libz.so.4 > Reading symbols from /lib/libm.so.5...done. > Loaded symbols for /lib/libm.so.5 > Reading symbols from /lib/libcrypt.so.4...done. > Loaded symbols for /lib/libcrypt.so.4 > Reading symbols from /usr/lib/libpam.so.4...done. > Loaded symbols for /usr/lib/libpam.so.4 > Reading symbols from /usr/local/lib/libexecinfo.so.1...done. 
> Loaded symbols for /usr/local/lib/libexecinfo.so.1 > Reading symbols from /usr/local/lib/libiconv.so.3...done. > Loaded symbols for /usr/local/lib/libiconv.so.3 > Reading symbols from /usr/local/lib/libdmalloc.so.1...done. > Loaded symbols for /usr/local/lib/libdmalloc.so.1 > Reading symbols from /usr/local/lib/libpopt.so.0...done. > Loaded symbols for /usr/local/lib/libpopt.so.0 > Reading symbols from /lib/libthr.so.3...done. > [New Thread 0x800a62e00 (LWP 100076)] > Loaded symbols for /lib/libthr.so.3 > Reading symbols from /lib/libc.so.7...done. > Loaded symbols for /lib/libc.so.7 > Reading symbols from /usr/local/lib/libsasl2.so.2...done. > Loaded symbols for /usr/local/lib/libsasl2.so.2 > Reading symbols from /usr/local/lib/libintl.so.8...done. > Loaded symbols for /usr/local/lib/libintl.so.8 > Reading symbols from /usr/local/lib/nss_ldap.so.1...done. > Loaded symbols for /usr/local/lib/nss_ldap.so.1 > Reading symbols from /usr/lib/libcom_err.so.4...done. > Loaded symbols for /usr/lib/libcom_err.so.4 > Reading symbols from /libexec/ld-elf.so.1...done. 
> Loaded symbols for /libexec/ld-elf.so.1 > [Switching to Thread 0x800a62e00 (LWP 100076)] > 0x0000000801f01d6c in select () from /lib/libc.so.7 > (gdb) directory /usr/ports/net/samba32-devel/work/samba-3.2.7/source/ > Source directories searched: > /usr/ports/net/samba32-devel/work/samba-3.2.7/source:$cdir:$cwd > (gdb) bt > #0 0x0000000801f01d6c in select () from /lib/libc.so.7 > #1 0x0000000801d0f4d4 in select () from /lib/libthr.so.3 > #2 0x00000000006749fe in sys_select (maxfd=24, > readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0, > tval=0x7fffffffd500) > at lib/select.c:93 > #3 0x00000000004df64c in smbd_process () at smbd/process.c:839 > #4 0x0000000000854074 in main (argc=2, argv=0x7fffffffd638) at > smbd/server.c:1450 > (gdb) frame 2 > #2 0x00000000006749fe in sys_select (maxfd=24, > readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0, > tval=0x7fffffffd500) > at lib/select.c:93 > 93 ret = select(maxfd,readfds2,writefds,errorfds,tval); > (gdb) print tval > $1 = (struct timeval *) 0x7fffffffd500 > (gdb) print *tval > $2 = {tv_sec = 59, tv_usec = 999977} > (gdb) The program is running. Quit anyway (and detach it)? 
(y or n) y > Detaching from program: /usr/local/sbin/smbd, process 7828 > > The following is a truss of the process until I have seen the switch > to root as owner: > # time truss -p 8307 > gettimeofday({1234648077.989004 },0x0) = 0 (0x0) > gettimeofday({1234648077.989081 },0x0) = 0 (0x0) > select(24,{6 23},{},0x0,{21.288167 }) = 0 (0x0) > gettimeofday({1234648099.279293 },0x0) = 0 (0x0) > gettimeofday({1234648099.279370 },0x0) = 0 (0x0) > gettimeofday({1234648099.279417 },0x0) = 0 (0x0) > select(24,{6 23},{},0x0,{59.989982 }) = 1 (0x1) > gettimeofday({1234648102.286493 },0x0) = 0 (0x0) > read(23,"\0\0\0r",4) = 4 (0x4) > read(23,"\M^?SMB2\0\0\0\0\^X\a\M-H\0\0\0"...,114) = 114 (0x72) > geteuid(0x3e8,0x3e8,0x2,0x800adf750,0x2,0x800adf750) = 0 (0x0) > getegid(0x3e8,0x3e8,0x2,0x801eadb8c,0xffffff006cf16a50,0x7fffffffd138) > = 0 (0x0) > __sysctl(0x7fffffffd0a0,0x2,0x7fffffffd0bc,0x7fffffffd0b0,0x0,0x0) = 0 > (0x0) > 0.000u 0.001s 2:36.56 0.0% 0+0k 0+0io 0pf+0w > > # sockstat | grep 445 > glz smbd 8307 23 tcp4 10.255.253.1:445 > 10.255.253.2:57438 > root smbd 76917 19 tcp4 127.0.0.1:445 *:* > root smbd 76917 20 tcp4 10.255.253.1:445 *:* > # ps -awxl | grep 8307 > 1000 8307 8556 0 44 0 34672 7984 select IX ?? 0:04.57 > /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf > 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 > truss -p 8307 > # sockstat | grep 445 > root smbd 8307 23 tcp4 10.255.253.1:445 > 10.255.253.2:57438 > root smbd 76917 19 tcp4 127.0.0.1:445 *:* > root smbd 76917 20 tcp4 10.255.253.1:445 *:* > # ps -awxl | grep 8307 > 0 8307 8556 0 44 0 34672 7984 select SX ?? 0:04.57 > /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf > 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 > truss -p 8307 > > > I can recreate this at any time and the condition by killing the > offending smbd process and the PC reconnects just fine. > > Hope this helps to pin this down. As I can recreate the hang, please > let me know if there is any more information I can supply. 
>
> /glz
>
> ................................................... the future isMobile
>
> Goran Lowkrantz
> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
> Phone: +46(0)920-75559
> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>
> http://www.ismobile.com ...............................................

From jorgar at gmail.com Mon Apr 6 16:03:45 2009
From: jorgar at gmail.com (James Peach)
Date: Mon Apr 6 16:03:40 2009
Subject: Samba patches @apple.com
In-Reply-To:
References:
Message-ID:

2009/4/6 Björn JACKE :
> Hi James,
>
> some days ago I found in some old bugzilla comments (#3495) that you
> have creation time patches for Darwin that you want to merge. As the only
> patches I saw so far were the birthtime patches for FreeBSD I searched for the
> Darwin patches. I found
> http://www.opensource.apple.com/darwinsource/10.5.6/samba-187.8/. There are
> really quite a lot of patches in the Darwin Samba release tree and it looks
> like a number of these patches should be merged upstream and some might need
> some polish and then be merged upstream. As you are samba-team member and Apple
> employee you might be the best one to do that. I think you are actually the
> only one who can do that as there are corporate copyrights in there which need
> to be replaced by personal ones. Some of the patched copyright headers even
> look like they are at least not in the spirit of the GPL. "Copyright (C)
> 2006-2007 Apple Inc. All right reserved." in trans2.c makes one feel like Apple
> bought Samba ;-).
>
> If you find or get the time to clean those things up and merge upstream that
> would be great!

It's quite a lot of work to do this, and in general these patches are only interesting for Apple. If you have specific patches that you'd like let me know.

--
James Peach | jorgar@gmail.com

From Volker.Lendecke at SerNet.DE Mon Apr 6 20:11:35 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon Apr 6 20:11:31 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-857-g2050187
In-Reply-To: <20090406135537.5B7311CC0A9@us2.samba.org>
References: <20090406135537.5B7311CC0A9@us2.samba.org>
Message-ID:

On Mon, Apr 06, 2009 at 08:55:37AM -0500, Günther Deschner wrote:
> s3:libads Make ads_get_dn() take a talloc context
>
> Also remove ads_memfree(), which was only ever a wrapper around
> SAFE_FREE, used only to free the DN from ads_get_ds().
>
> This actually makes libgpo more consistent, as it mixed a talloc and a
> malloc based string on the same element.
>
> Andrew Bartlett
>
> Signed-off-by: Günther Deschner

...

> - wkn_dn = ads_get_dn(ads, res);
> + wkn_dn = ads_get_dn(ads, NULL, res);

Can someone please explain to me why this NULL is not a
talloc_tos()?

Volker

From gd at samba.org Tue Apr 7 00:37:25 2009
From: gd at samba.org (Guenther Deschner)
Date: Tue Apr 7 00:37:41 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-857-g2050187
In-Reply-To:
References: <20090406135537.5B7311CC0A9@us2.samba.org>
Message-ID: <49DAA045.6080201@samba.org>

Volker Lendecke wrote:
> On Mon, Apr 06, 2009 at 08:55:37AM -0500, Günther Deschner wrote:
>> s3:libads Make ads_get_dn() take a talloc context
>>
>> Also remove ads_memfree(), which was only ever a wrapper around
>> SAFE_FREE, used only to free the DN from ads_get_ds().
>>
>> This actually makes libgpo more consistent, as it mixed a talloc and a
>> malloc based string on the same element.
>>
>> Andrew Bartlett
>>
>> Signed-off-by: Günther Deschner
>
> ...
>
>> - wkn_dn = ads_get_dn(ads, res);
>> + wkn_dn = ads_get_dn(ads, NULL, res);
>
> Can someone please explain to me why this NULL is not a
> talloc_tos()?

Should be fixed now.

Good night,
Guenther

--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org

From realrichardsharpe at gmail.com Tue Apr 7 02:15:40 2009
From: realrichardsharpe at gmail.com (Richard Sharpe)
Date: Tue Apr 7 02:15:50 2009
Subject: Elided error codes in error messages in the net command ...
Message-ID: <46b8a8850904061915s37d10563v8e48a439dad0ce3@mail.gmail.com>

Hi,

I have recently been bitten by code like this in utils/net_groupmap.c

        if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
                d_fprintf(stderr, "Could not add sid %s to alias %s\n",
                         argv[1], argv[0]);
                return -1;
        }

Unfortunately, since pdb_add_aliasmem can return something like three different error codes, it takes a great deal of digging to figure out what the problem is.

It really should be something like:

        err = pdb_add_aliasmem(&alias, &member);
        if (!NT_STATUS_IS_OK(err)) {
                d_fprintf(stderr, "Could not add sid %s to alias %s (%s)\n",
                         argv[1], argv[0], nt_errstr(err));
                return -1;
        }

Is there any interest in getting this fixed? I could probably run AWK over the offending code!

--
Regards,
Richard Sharpe

From jra at samba.org Tue Apr 7 02:23:22 2009
From: jra at samba.org (Jeremy Allison)
Date: Tue Apr 7 02:22:52 2009
Subject: Elided error codes in error messages in the net command ...
In-Reply-To: <46b8a8850904061915s37d10563v8e48a439dad0ce3@mail.gmail.com>
References: <46b8a8850904061915s37d10563v8e48a439dad0ce3@mail.gmail.com>
Message-ID: <20090407022321.GA2943@jeremy-desktop>

On Mon, Apr 06, 2009 at 07:15:40PM -0700, Richard Sharpe wrote:
> Hi,
>
> I have recently been bitten by code like this in utils/net_groupmap.c
>
>         if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
>                 d_fprintf(stderr, "Could not add sid %s to alias %s\n",
>                          argv[1], argv[0]);
>                 return -1;
>         }
>
> Unfortunately, since pdb_add_aliasmem can return something like three
> different error codes, it takes a great deal of digging to figure out
> what the problem is.
>
> It really should be something like:
>
>         err = pdb_add_aliasmem(&alias, &member);
>         if (!NT_STATUS_IS_OK(err)) {
>                 d_fprintf(stderr, "Could not add sid %s to alias %s (%s)\n",
>                          argv[1], argv[0], nt_errstr(err));
>                 return -1;
>         }
>
> Is there any interest in getting this fixed? I could probably run AWK
> over the offending code!

Please do - it'll help a lot of people as well as you :-).

Thanks,

Jeremy.

From realrichardsharpe at gmail.com Tue Apr 7 03:41:31 2009
From: realrichardsharpe at gmail.com (Richard Sharpe)
Date: Tue Apr 7 03:41:39 2009
Subject: Elided error codes in error messages in the net command ...
In-Reply-To: <20090407022321.GA2943@jeremy-desktop>
References: <46b8a8850904061915s37d10563v8e48a439dad0ce3@mail.gmail.com> <20090407022321.GA2943@jeremy-desktop>
Message-ID: <46b8a8850904062041k790c80cap3f83e137669d1967@mail.gmail.com>

On Mon, Apr 6, 2009 at 7:23 PM, Jeremy Allison wrote:
> On Mon, Apr 06, 2009 at 07:15:40PM -0700, Richard Sharpe wrote:
>> Hi,
>>
>> I have recently been bitten by code like this in utils/net_groupmap.c
>>
>>         if (!NT_STATUS_IS_OK(pdb_add_aliasmem(&alias, &member))) {
>>                 d_fprintf(stderr, "Could not add sid %s to alias %s\n",
>>                          argv[1], argv[0]);
>>                 return -1;
>>         }
>>
>> Unfortunately, since pdb_add_aliasmem can return something like three
>> different error codes, it takes a great deal of digging to figure out
>> what the problem is.
>>
>> It really should be something like:
>>
>>         err = pdb_add_aliasmem(&alias, &member);
>>         if (!NT_STATUS_IS_OK(err)) {
>>                 d_fprintf(stderr, "Could not add sid %s to alias %s (%s)\n",
>>                          argv[1], argv[0], nt_errstr(err));
>>                 return -1;
>>         }
>>
>> Is there any interest in getting this fixed? I could probably run AWK
>> over the offending code!
>
> Please do - it'll help a lot of people as well as you :-).

I'll give it a try. It will take a little more attention than I first thought, but it does seem worth it.

--
Regards,
Richard Sharpe

From bj at SerNet.DE Tue Apr 7 08:16:56 2009
From: bj at SerNet.DE (Björn Jacke)
Date: Tue Apr 7 08:16:22 2009
Subject: Samba patches @apple.com
In-Reply-To:
References:
Message-ID:

Hi James,

On 2009-04-06 at 09:03 -0700 James Peach sent off:
> It's quite a lot of work to do this, and in general these patches are
> only interesting for Apple. If you have specific patches that you'd
> like let me know.
>
> --
> James Peach | jorgar@gmail.com
>

thanks for replying. Not all of the patches are Apple, better said Darwin specific. I contributed a number of Darwin specific patches to Samba in the past because there _are_ people that compile Samba themselves on this platform. For that reason I would really like to see the mentioned patches by Apple recontributed back upstream, even if some of them are in fact "just" Darwin specific. I'm really not asking you to do that in your spare time, James. If otherwise not possible: could you simply send the patches as they are with personal copyright and removed copyright notices that are contrary with the GPL here to the list?

Thanks
Björn

From anatoliy.atanasov at postpath.com Tue Apr 7 08:59:12 2009
From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov)
Date: Tue Apr 7 09:09:03 2009
Subject: ACL implementation first draft
Message-ID: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com>

Hi List,

I uploaded our work on ACL implementation at:
git://repo.or.cz/Samba/aatanasov.git
branch: master-acl

It is based on WSPP documentation and it follows the algorithms described there directly.
The code isn't working, but contains almost all the functionality required for this task.
There are a couple of test cases already added, which run against Windows 2003.
What we didn't implement yet is:
* rename
* delete tree
* some special cases of nTSecurityDescriptor

In the following days to SambaXP we plan to focus on:
* your feedback
* adding test cases
* testing the code

Regards,
Nadezhda and Anatoliy

From Volker.Lendecke at SerNet.DE Tue Apr 7 09:22:38 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Tue Apr 7 09:22:25 2009
Subject: ACL implementation first draft
In-Reply-To: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com>
References: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com>
Message-ID:

On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
> I uploaded our work on ACL implementation at:
> git://repo.or.cz/Samba/aatanasov.git
> branch: master-acl
>
> It is based on WSPP documentation and it follows the algorithms described there directly.
> The code isn't working, but contains almost all the functionality required for this task.
> There are a couple of test cases already added, which run against Windows 2003.
> What we didn't implement yet is:
> * rename
> * delete tree
> * some special cases of nTSecurityDescriptor
>
> In the following days to SambaXP we plan to focus on:
> * your feedback
> * adding test cases
> * testing the code

Quick and probably stupid question: Is it really necessary
to add another argument to se_access_check? I would think
this routine is core to Windows as well, and I thought the
way it's written is pretty much carved in stone. Did
Microsoft really add an AD-specific argument to that core
routine? For this piece, I would really like to do exactly
what Microsoft does.

Volker

From nadezhda.ivanova at postpath.com Tue Apr 7 09:40:17 2009
From: nadezhda.ivanova at postpath.com (Nadezhda Ivanova)
Date: Tue Apr 7 09:40:06 2009
Subject: ACL implementation first draft
Message-ID: <24E5C394AF11DB11B7E8001422525D380158F04F@ppsd.sofia-corp.postpath.com>

>
> Hi Volker, Indeed it is a Microsoft Function, and the Microsoft
> function does contain an additional argument - see MS-DTYP 2.5.2.1
> (The very bottom of page 61). This additional argument is needed for
> object-specific access checks, and the file system or registry
> security manager does not need it, but it is absolutely necessary for
> AD security. I decided to introduce it to avoid code duplication, but
> if you have worries, we can just write a separate function for LDAP
> checks. It seems kind of redundant, though - the function just ignores
> object specific stuff if this argument is null. It may be possible to
> implement this in a better way - suggestions are appreciated!
>
> Regards,
> Nadezhda Ivanova
>
>
>
> ----- Original Message -----
>
> From: Volker Lendecke
> To: Anatoliy Atanasov
> Cc: samba-technical@samba.org
> Sent: 07 April 2009 12:23:20 o'clock GMT+0200 Europe;Athens
> Subject: Re: ACL implementation first draft
>
>
>
> > On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
> > > I uploaded our work on ACL implementation at:
> > > git://repo.or.cz/Samba/aatanasov.git
> > > branch: master-acl
> > >
> > > It is based on WSPP documentation and it follows the algorithms
> > > described there directly.
> > > The code isn't working, but contains almost all the functionality
> > > required for this task.
> > > There are a couple of test cases already added, which run against
> > > Windows 2003.
> > > What we didn't implement yet is:
> > > * rename
> > > * delete tree
> > > * some special cases of nTSecurityDescriptor
> > >
> > > In the following days to SambaXP we plan to focus on:
> > > * your feedback
> > > * adding test cases
> > > * testing the code
> >
> > Quick and probably stupid question: Is it really necessary
> > to add another argument to se_access_check? I would think
> > this routine is core to Windows as well, and I thought the
> > way it's written is pretty much carved in stone. Did
> > Microsoft really add an AD-specific argument to that core
> > routine? For this piece, I would really like to do exactly
> > what Microsoft does.
> >
> > Volker

From metze at samba.org Tue Apr 7 09:44:22 2009
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Tue Apr 7 09:44:28 2009 Subject: ACL implementation first draft In-Reply-To: References: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com> Message-ID: <49DB2076.6010301@samba.org> Volker Lendecke wrote: > On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote: >> I uploaded our work on ACL implementation at: >> git://repo.or.cz/Samba/aatanasov.git >> branch: master-acl >> >> It is based on WSPP documentation and it follows the algorithms described there directly. >> The code isn't working, but contains almost all the functionality required for this task. >> There are a couple of test cases already added, which run against Windows 2003. >> What we didn't implement yet is: >> * rename >> * delete tree >> * some special cases of nTSecurityDescriptor >> >> In the following days to SambaXP we plan to focus on: >> * your feedback >> * adding test cases >> * testing the code > > Quick and probably stupid question: Is it really necessary > to add another argument to se_access_check? I would think > this routine is core to Windows as well, and I thought the > way it's written is pretty much carved in stone. Did > Microsoft really add an AD-specific argument to that core > routine? For this piece, I would really like to do exactly > what Microsoft does. Yes, AD Security Descriptors are different than NTFS ones, but I think we should have two different public functions and make sure we check the revision number match with what the caller expects. E.g. se_access_check() should only grant access if the sd has revision NT4. And the se_access_check_ad() function should allow both sd revisions. Both functions could use a static se_access_check_common() function. metze From metze at samba.org Tue Apr 7 09:47:57 2009
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Tue Apr 7 09:48:09 2009 Subject: ACL implementation first draft In-Reply-To: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com> References: <24E5C394AF11DB11B7E8001422525D38158E4B6@ppsd.sofia-corp.postpath.com> Message-ID: <49DB214D.1060501@samba.org> Hi Anatoliy, > I uploaded our work on ACL implementation at: > git://repo.or.cz/Samba/aatanasov.git > branch: master-acl > > It is based on WSPP documentation and it follows the algorithms described there directly. > The code isn't working, but contains almost all the functionality required for this task. > There are a couple of test cases already added, which run against Windows 2003. > What we didn't implement yet is: > * rename > * delete tree > * some special cases of nTSecurityDescriptor > > In the following days to SambaXP we plan to focus on: > * your feedback > * adding test cases > * testing the code Thanks, for publishing your work! But please take care of the coding style:-) And try to create small patches for each logic step. metze From nadezhda.ivanova at postpath.com Tue Apr 7 09:57:01 2009
From: nadezhda.ivanova at postpath.com (Nadezhda Ivanova) Date: Tue Apr 7 09:57:31 2009 Subject: ACL implementation first draft Message-ID: <24E5C394AF11DB11B7E8001422525D38158F1AC@ppsd.sofia-corp.postpath.com> Hi Metze, Thank you so much for your feedback! After reading the MS docs I got the impression that the security descriptors are NOT actually different, only the security masks' flags may mean different things (MS-SECO). I may of course be wrong. I also verified the algorithm of the sec_access_check against the algorithm described in MS-DTYP and it seemed identical except the object-specific checks, which is handled in a separate function and ignored if no object tree is provided. Of course we can always duplicate the code and use a separate security check for AD, but it seemed against the MS architecture somehow... Regards, Nadezhda Ivanova -----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze@samba.org] Sent: Tuesday, April 07, 2009 12:44 PM To: 'Volker.Lendecke@SerNet.DE' Cc: samba-technical@samba.org Subject: Re: ACL implementation first draft Volker Lendecke wrote: > On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote: >> I uploaded our work on ACL implementation at: >> git://repo.or.cz/Samba/aatanasov.git >> branch: master-acl >> >> It is based on WSPP documentation and it follows the algorithms described there directly. >> The code isn't working, but contains almost all the functionality required for this task. >> There are a couple of test cases already added, which run against Windows 2003. >> What we didn't implement yet is: >> * rename >> * delete tree >> * some special cases of nTSecurityDescriptor >> >> In the following days to SambaXP we plan to focus on: >> * your feedback >> * adding test cases >> * testing the code > > Quick and probably stupid question: Is it really necessary > to add another argument to se_access_check? I would think > this routine is core to Windows as well, and I thought the > way it's written is pretty much carved in stone. Did > Microsoft really add an AD-specific argument to that core > routine? For this piece, I would really like to do exactly > what Microsoft does. Yes, AD Security Descriptors are different than NTFS ones, but I think we should have two different public functions and make sure we check the revision number match with what the caller expects. E.g. se_access_check() should only grant access if the sd has revision NT4. And the se_access_check_ad() function should allow both sd revisions. Both functions could use a static se_access_check_common() function. metze From anatoliy.atanasov at postpath.com Tue Apr 7 10:00:17 2009
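The split discussed in the messages above (a strict entry point that only accepts NT4-revision descriptors, an AD entry point that accepts both revisions, and one shared static helper that ignores object-specific ACEs when no object is supplied), as an added example that is not code from the Samba tree or the master-acl branch. All type and function names, the integer SIDs, the right bits and the single-GUID stand-in for the MS-DTYP object tree are simplifying assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types for illustration; not Samba's structures. */
enum { ACL_REV_NT4 = 2, ACL_REV_ADS = 4 };  /* values of Windows ACL_REVISION / ACL_REVISION_DS */
enum ace_type { ACE_ALLOW, ACE_DENY, ACE_ALLOW_OBJECT, ACE_DENY_OBJECT };
enum { RIGHT_READ = 0x1, RIGHT_DELETE = 0x2, RIGHT_WRITE_PROP = 0x20 };  /* constructed bits */

struct guid { uint8_t b[16]; };
struct ace {
    enum ace_type type;
    uint32_t sid;        /* toy SID: one integer */
    uint32_t mask;
    struct guid object;  /* used only by *_OBJECT ACEs */
};
struct sec_desc { uint8_t dacl_revision; size_t num_aces; const struct ace *aces; };
struct token { size_t num_sids; const uint32_t *sids; };

static bool token_has_sid(const struct token *t, uint32_t sid)
{
    for (size_t i = 0; i < t->num_sids; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Shared walk over the DACL. `object` may be NULL (file system, registry);
 * object-specific ACEs are then skipped, never treated as a match. */
static bool access_check_common(const struct sec_desc *sd, const struct token *tok,
                                uint32_t desired, const struct guid *object)
{
    uint32_t remaining = desired;

    for (size_t i = 0; i < sd->num_aces && remaining != 0; i++) {
        const struct ace *a = &sd->aces[i];
        bool obj_ace = a->type == ACE_ALLOW_OBJECT || a->type == ACE_DENY_OBJECT;

        if (!token_has_sid(tok, a->sid)) continue;
        if (obj_ace && (object == NULL ||
                        memcmp(object->b, a->object.b, sizeof(a->object.b)) != 0))
            continue;
        if (a->type == ACE_DENY || a->type == ACE_DENY_OBJECT) {
            if (a->mask & remaining) return false;  /* deny on a still-needed bit */
        } else {
            remaining &= ~a->mask;
        }
    }
    return remaining == 0;  /* fail closed: bits nobody granted are denied */
}

/* File-system style entry point: refuses descriptors it was not written for. */
bool access_check_fs(const struct sec_desc *sd, const struct token *tok, uint32_t desired)
{
    if (sd->dacl_revision != ACL_REV_NT4) return false;
    return access_check_common(sd, tok, desired, NULL);
}

/* Directory entry point: accepts both revisions and an optional object GUID. */
bool access_check_ad(const struct sec_desc *sd, const struct token *tok,
                     uint32_t desired, const struct guid *object)
{
    if (sd->dacl_revision != ACL_REV_NT4 && sd->dacl_revision != ACL_REV_ADS)
        return false;
    return access_check_common(sd, tok, desired, object);
}

/* Constructed sample data. */
static const struct guid GUID_A = {{0xA1}}, GUID_B = {{0xB2}};
static const uint32_t sample_sids[] = { 1001, 513 };
static const struct token sample_tok = { 2, sample_sids };
static const struct ace nt4_aces[] = {
    { ACE_DENY,  1001, RIGHT_DELETE,              {{0}} },
    { ACE_ALLOW, 513,  RIGHT_READ | RIGHT_DELETE, {{0}} },
};
static const struct ace ads_aces[] = {
    { ACE_ALLOW_OBJECT, 1001, RIGHT_WRITE_PROP, {{0xA1}} },
    { ACE_ALLOW,        513,  RIGHT_READ,       {{0}} },
};
static const struct sec_desc sd_nt4 = { ACL_REV_NT4, 2, nt4_aces };
static const struct sec_desc sd_ads = { ACL_REV_ADS, 2, ads_aces };

int main(void)
{
    printf("fs, NT4 sd, read:            %d\n", access_check_fs(&sd_nt4, &sample_tok, RIGHT_READ));
    printf("fs, ADS sd, read:            %d\n", access_check_fs(&sd_ads, &sample_tok, RIGHT_READ));
    printf("ad, ADS sd, write, GUID_A:   %d\n",
           access_check_ad(&sd_ads, &sample_tok, RIGHT_WRITE_PROP, &GUID_A));
    printf("ad, ADS sd, write, GUID_B:   %d\n",
           access_check_ad(&sd_ads, &sample_tok, RIGHT_WRITE_PROP, &GUID_B));
    printf("ad, ADS sd, write, no object: %d\n",
           access_check_ad(&sd_ads, &sample_tok, RIGHT_WRITE_PROP, NULL));
    return 0;
}
```

The revision gate sits in the public wrappers, so a caller that only understands NT4 ACLs can never be granted access through an ACE type it does not evaluate.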
From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Tue Apr 7 10:00:32 2009 Subject: ACL implementation first draft Message-ID: <24E5C394AF11DB11B7E8001422525D38158F1D9@ppsd.sofia-corp.postpath.com> Hi Metze, We have used the prog_guide4.txt and really tried to stick to it. We have coded that for 3 weeks now so we might have missed some spaces, and merging that in the master was a real pain, so I'll try to do it better in future. Regarding the diff - we have made a lot of changes in the process of coding, like we changed the framework 3 times. I have tried to merge and rebase the changes in the master, but after all we decided to make it one diff. I can provide the rebased branch if you want. Regards, Anatoliy -----Original Message----- From: Stefan (metze) Metzmacher [mailto:metze@samba.org] Sent: Tuesday, April 07, 2009 12:48 To: Anatoliy Atanasov Cc: samba-technical@samba.org Subject: Re: ACL implementation first draft Hi Anatoliy, > I uploaded our work on ACL implementation at: > git://repo.or.cz/Samba/aatanasov.git > branch: master-acl > > It is based on WSPP documentation and it follows the algorithms described there directly. > The code isn't working, but contains almost all the functionality required for this task. > There are a couple of test cases already added, which run against Windows 2003. > What we didn't implement yet is: > * rename > * delete tree > * some special cases of nTSecurityDescriptor > > In the following days to SambaXP we plan to focus on: > * your feedback > * adding test cases > * testing the code Thanks, for publishing your work! But please take care of the coding style:-) And try to create small patches for each logic step. metze From goran.lowkrantz at ismobile.com Tue Apr 7 11:11:47 2009
From: goran.lowkrantz at ismobile.com (Goran Lowkrantz) Date: Tue Apr 7 11:11:56 2009 Subject: smbd process block In-Reply-To: <49DA118F.90701@liddicott.com> References: <49DA118F.90701@liddicott.com> Message-ID: Hi Sam, The only thing that looks like a timeout is after the Tree Connect AndX Request/Response/ACK sequence (packets 10618/19/20). After that the echo requests start from the Vista client. The timeout is 55 sec (packet 10621). What is supposed to happen after a Tree Connect AndX? Should the server respond with more data? It does send an NBSS Session keep-alive further down (packet 10645). Any pointers where I should look is appreciated. /glz --On April 6, 2009 15:28:31 +0100 Sam Liddicott wrote: > As far as I can tell, samba is not hanging, it's issuing responses to > all the requests it gets. > > I think that the windows client thinks that samba has hung, because the > sending of Echo Request is a sign that the client is getting fed up of > waiting and is checking to see if the link is still working. > > So it looks like the client is waiting for some kind of response, but I > haven't been able to spot a response that wasn't answered. > > You load the pcap into wireshark and see if you can spot a request that > doesn't get a response... > > Sam > > * Goran Lowkrantz wrote, On 16/02/09 22:42: >> >> I have few Samba servers running FreeBSD 7.1 were we have a problem >> with smbd process blocking for a few Vista systems that run a program >> that watch directories and files on the samba shares. >> >> On my test setup I have managed to get a hang in less than 30 min. >> >> Samba 3.2.7 is built with minimum functions and full debug. Options >> don't seems to have any impact on the problem. >> >> The PC uses Vista Business SP1 and all patches, I run a DAM program >> called IMatch ver 3.6.076 that watches for changes in the photo >> database. No other application I have tested has the same problems. 
>> For example, Adobe Lightroom 2.2 works without problems when setup >> with a watched folder. >> >> I have attached logfiles from samba with the following extra settings: >> debug pid = yes >> debug timestamp = no >> debug prefix timestamp = yes >> debug uid = yes >> log level = 10 >> >> The PID of the server that hangs is 29162. >> >> The FreeBSD server is an up-to-date quad AMD server with 8GB running >> 7.1-STABLE. In normal operation, I see the following: >> >> # sockstat | grep 445 >> glz smbd 7828 23 tcp4 10.255.253.1:445 >> 10.255.253.2:57355 >> root smbd 76917 19 tcp4 127.0.0.1:445 *:* >> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >> >> When I get the hang, it looks like this: >> # sockstat | grep 445 >> root smbd 7828 23 tcp4 10.255.253.1:445 >> 10.255.253.2:57355 >> root smbd 76917 19 tcp4 127.0.0.1:445 *:* >> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >> >> and the GDB session: >> # gdb /usr/local/sbin/smbd 7828 >> GNU gdb 6.1.1 [FreeBSD] >> Copyright 2004 Free Software Foundation, Inc. >> GDB is free software, covered by the GNU General Public License, and >> you are >> welcome to change it and/or distribute copies of it under certain >> conditions. >> Type "show copying" to see the conditions. >> There is absolutely no warranty for GDB. Type "show warranty" for >> details. >> This GDB was configured as "amd64-marcel-freebsd"... >> Attaching to program: /usr/local/sbin/smbd, process 7828 >> Reading symbols from /usr/local/lib/libldap-2.3.so.2...done. >> Loaded symbols for /usr/local/lib/libldap-2.3.so.2 >> Reading symbols from /usr/local/lib/liblber-2.3.so.2...done. >> Loaded symbols for /usr/local/lib/liblber-2.3.so.2 >> Reading symbols from /usr/local/lib/libcups.so.2...done. >> Loaded symbols for /usr/local/lib/libcups.so.2 >> Reading symbols from /usr/lib/libssl.so.5...done. >> Loaded symbols for /usr/lib/libssl.so.5 >> Reading symbols from /lib/libcrypto.so.5...done. 
>> Loaded symbols for /lib/libcrypto.so.5 >> Reading symbols from /lib/libz.so.4...done. >> Loaded symbols for /lib/libz.so.4 >> Reading symbols from /lib/libm.so.5...done. >> Loaded symbols for /lib/libm.so.5 >> Reading symbols from /lib/libcrypt.so.4...done. >> Loaded symbols for /lib/libcrypt.so.4 >> Reading symbols from /usr/lib/libpam.so.4...done. >> Loaded symbols for /usr/lib/libpam.so.4 >> Reading symbols from /usr/local/lib/libexecinfo.so.1...done. >> Loaded symbols for /usr/local/lib/libexecinfo.so.1 >> Reading symbols from /usr/local/lib/libiconv.so.3...done. >> Loaded symbols for /usr/local/lib/libiconv.so.3 >> Reading symbols from /usr/local/lib/libdmalloc.so.1...done. >> Loaded symbols for /usr/local/lib/libdmalloc.so.1 >> Reading symbols from /usr/local/lib/libpopt.so.0...done. >> Loaded symbols for /usr/local/lib/libpopt.so.0 >> Reading symbols from /lib/libthr.so.3...done. >> [New Thread 0x800a62e00 (LWP 100076)] >> Loaded symbols for /lib/libthr.so.3 >> Reading symbols from /lib/libc.so.7...done. >> Loaded symbols for /lib/libc.so.7 >> Reading symbols from /usr/local/lib/libsasl2.so.2...done. >> Loaded symbols for /usr/local/lib/libsasl2.so.2 >> Reading symbols from /usr/local/lib/libintl.so.8...done. >> Loaded symbols for /usr/local/lib/libintl.so.8 >> Reading symbols from /usr/local/lib/nss_ldap.so.1...done. >> Loaded symbols for /usr/local/lib/nss_ldap.so.1 >> Reading symbols from /usr/lib/libcom_err.so.4...done. >> Loaded symbols for /usr/lib/libcom_err.so.4 >> Reading symbols from /libexec/ld-elf.so.1...done. 
>> Loaded symbols for /libexec/ld-elf.so.1 >> [Switching to Thread 0x800a62e00 (LWP 100076)] >> 0x0000000801f01d6c in select () from /lib/libc.so.7 >> (gdb) directory /usr/ports/net/samba32-devel/work/samba-3.2.7/source/ >> Source directories searched: >> /usr/ports/net/samba32-devel/work/samba-3.2.7/source:$cdir:$cwd >> (gdb) bt >> # 0 0x0000000801f01d6c in select () from /lib/libc.so.7 >> # 1 0x0000000801d0f4d4 in select () from /lib/libthr.so.3 >> # 2 0x00000000006749fe in sys_select (maxfd=24, >> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0, >> tval=0x7fffffffd500) >> at lib/select.c:93 >> # 3 0x00000000004df64c in smbd_process () at smbd/process.c:839 >> # 4 0x0000000000854074 in main (argc=2, argv=0x7fffffffd638) at >> smbd/server.c:1450 >> (gdb) frame 2 >> # 2 0x00000000006749fe in sys_select (maxfd=24, >> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0, >> tval=0x7fffffffd500) >> at lib/select.c:93 >> 93 ret = select(maxfd,readfds2,writefds,errorfds,tval); >> (gdb) print tval >> $1 = (struct timeval *) 0x7fffffffd500 >> (gdb) print *tval >> $2 = {tv_sec = 59, tv_usec = 999977} >> (gdb) The program is running. Quit anyway (and detach it)? 
(y or n) y >> Detaching from program: /usr/local/sbin/smbd, process 7828 >> >> The following is a truss of the process until I have seen the switch >> to root as owner: >> # time truss -p 8307 >> gettimeofday({1234648077.989004 },0x0) = 0 (0x0) >> gettimeofday({1234648077.989081 },0x0) = 0 (0x0) >> select(24,{6 23},{},0x0,{21.288167 }) = 0 (0x0) >> gettimeofday({1234648099.279293 },0x0) = 0 (0x0) >> gettimeofday({1234648099.279370 },0x0) = 0 (0x0) >> gettimeofday({1234648099.279417 },0x0) = 0 (0x0) >> select(24,{6 23},{},0x0,{59.989982 }) = 1 (0x1) >> gettimeofday({1234648102.286493 },0x0) = 0 (0x0) >> read(23,"\0\0\0r",4) = 4 (0x4) >> read(23,"\M^?SMB2\0\0\0\0\^X\a\M-H\0\0\0"...,114) = 114 (0x72) >> geteuid(0x3e8,0x3e8,0x2,0x800adf750,0x2,0x800adf750) = 0 (0x0) >> getegid(0x3e8,0x3e8,0x2,0x801eadb8c,0xffffff006cf16a50,0x7fffffffd138) >> = 0 (0x0) >> __sysctl(0x7fffffffd0a0,0x2,0x7fffffffd0bc,0x7fffffffd0b0,0x0,0x0) = 0 >> (0x0) >> 0.000u 0.001s 2:36.56 0.0% 0+0k 0+0io 0pf+0w >> >> # sockstat | grep 445 >> glz smbd 8307 23 tcp4 10.255.253.1:445 >> 10.255.253.2:57438 >> root smbd 76917 19 tcp4 127.0.0.1:445 *:* >> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >> # ps -awxl | grep 8307 >> 1000 8307 8556 0 44 0 34672 7984 select IX ?? 0:04.57 >> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf >> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 >> truss -p 8307 >> # sockstat | grep 445 >> root smbd 8307 23 tcp4 10.255.253.1:445 >> 10.255.253.2:57438 >> root smbd 76917 19 tcp4 127.0.0.1:445 *:* >> root smbd 76917 20 tcp4 10.255.253.1:445 *:* >> # ps -awxl | grep 8307 >> 0 8307 8556 0 44 0 34672 7984 select SX ?? 0:04.57 >> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf >> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00 >> truss -p 8307 >> >> >> I can recreate this at any time and the condition by killing the >> offending smbd process and the PC reconnects just fine. >> >> Hope this helps to pin this down. 
As I can recreate the hang, please >> let me know if there is any more information I can supply. >> >> /glz >> >> ................................................... the future isMobile >> >> Goran Lowkrantz >> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden >> Phone: +46(0)920-75559 >> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82 >> >> http://www.ismobile.com ............................................... ................................................... the future isMobile Goran Lowkrantz System Architect, isMobile AB Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden Mobile: +46(0)70-587 87 82 http://www.ismobile.com ............................................... From jerry at samba.org Tue Apr 7 12:47:49 2009 From: jerry at samba.org (jerry) Date: Tue Apr 7 12:47:59 2009 Subject: Update on bugzilla.samba.org Message-ID: <49DB4B75.7060704@samba.org> Fyi... We ran into some db connection issues last night (about 10pm GMT-5 I think). This issue has been temporarily resolved, but I expect that we'll be taking the server offline for a short period sometime this week for further db maintenance. Also Deryck and I will be exploring some potential improvements to Samba's bugzilla service in the coming weeks. I'll try to keep everyone updated. cheers, jerry -- ===================================================================== "What man is a man who does not make the world better?" --Balian From goran.lowkrantz at ismobile.com Tue Apr 7 13:08:27 2009
From: goran.lowkrantz at ismobile.com (Goran Lowkrantz) Date: Tue Apr 7 13:08:45 2009 Subject: smbd process block In-Reply-To: <49DA118F.90701@liddicott.com> References: <49DA118F.90701@liddicott.com> Message-ID: <3F66C13F3DFA3F832E3CD495@syn> Hi Sam, Looking further in the dump, I find that a series of these: NT Trans Request (0xa0) NT NOTIFY Setup Completion Filter: 0x00000003 FID: 0x32f6 (\Input\2006\200607\20060729) but no response from the Samba server, only IP ACK. The FID look OK and direct queries on the FID about the directory is answered earlier. These messages are sent from the client every 5s for 245s. Then they stop. /glz --On April 6, 2009 15:28:31 +0100 Sam Liddicott wrote: > As far as I can tell, samba is not hanging, it's issuing responses to > all the requests it gets. > > I think that the windows client thinks that samba has hung, because the > sending of Echo Request is a sign that the client is getting fed up of > waiting and is checking to see if the link is still working. > > So it looks like the client is waiting for some kind of response, but I > haven't been able to spot a response that wasn't answered. > > You load the pcap into wireshark and see if you can spot a request that > doesn't get a response... > > Sam > > * Goran Lowkrantz wrote, On 16/02/09 22:42: >> >> I have few Samba servers running FreeBSD 7.1 were we have a problem >> with smbd process blocking for a few Vista systems that run a program >> that watch directories and files on the samba shares. >> >> On my test setup I have managed to get a hang in less than 30 min. >> >> Samba 3.2.7 is built with minimum functions and full debug. Options >> don't seems to have any impact on the problem. >> >> The PC uses Vista Business SP1 and all patches, I run a DAM program >> called IMatch ver 3.6.076 that watches for changes in the photo >> database. No other application I have tested has the same problems. 
As I can recreate the hang, please >> let me know if there is any more information I can supply. >> >> /glz >> >> ................................................... the future isMobile >> >> Goran Lowkrantz >> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden >> Phone: +46(0)920-75559 >> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82 >> >> http://www.ismobile.com ............................................... ................................................... the future isMobile Goran Lowkrantz System Architect, isMobile AB Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden Mobile: +46(0)70-587 87 82 http://www.ismobile.com ............................................... From sam at liddicott.com Tue Apr 7 13:08:20 2009
From: sam at liddicott.com (Sam Liddicott) Date: Tue Apr 7 13:09:26 2009 Subject: smbd process block References: <49DA118F.90701@liddicott.com> Message-ID: <49DB5044.7040407@liddicott.com> * Goran Lowkrantz wrote, On 07/04/09 12:11: > Hi Sam, > > The only thing that looks like a timeout is after the Tree Connect > AndX Request/Response/ACK sequence (packets 10618/19/20). After that > the echo requests start from the Vista client. The timeout is 55 sec > (packet 10621). 10618-106120 takes less than 1/4 second. Certainly the 55 seconds that follow to 10621 suggests that windows is waiting for something, but it's hard to tell what request timed out. I don't even see (among so many) any requests that give unusual responses that might put windows in some weird state. Try doing an lsof -p PID on the samba process in question and see if it has run out of file handles or something... Sam > > What is supposed to happen after a Tree Connect AndX? Should the > server respond with more data? It does send an NBSS Session keep-alive > further down (packet 10645). > > Any pointers where I should look is appreciated. > > /glz > > --On April 6, 2009 15:28:31 +0100 Sam Liddicott > wrote: > >> As far as I can tell, samba is not hanging, it's issuing responses to >> all the requests it gets. >> >> I think that the windows client thinks that samba has hung, because the >> sending of Echo Request is a sign that the client is getting fed up of >> waiting and is checking to see if the link is still working. >> >> So it looks like the client is waiting for some kind of response, but I >> haven't been able to spot a response that wasn't answered. >> >> You load the pcap into wireshark and see if you can spot a request that >> doesn't get a response... 
>>
>> Sam
>>
>> * Goran Lowkrantz wrote, On 16/02/09 22:42:
>>>
>>> I have few Samba servers running FreeBSD 7.1 were we have a problem
>>> with smbd process blocking for a few Vista systems that run a program
>>> that watch directories and files on the samba shares.
>>>
>>> On my test setup I have managed to get a hang in less than 30 min.
>>>
>>> Samba 3.2.7 is built with minimum functions and full debug. Options
>>> don't seems to have any impact on the problem.
>>>
>>> The PC uses Vista Business SP1 and all patches, I run a DAM program
>>> called IMatch ver 3.6.076 that watches for changes in the photo
>>> database. No other application I have tested has the same problems.
>>> For example, Adobe Lightroom 2.2 works without problems when setup
>>> with a watched folder.
>>>
>>> I have attached logfiles from samba with the following extra settings:
>>> debug pid = yes
>>> debug timestamp = no
>>> debug prefix timestamp = yes
>>> debug uid = yes
>>> log level = 10
>>>
>>> The PID of the server that hangs is 29162.
>>>
>>> The FreeBSD server is an up-to-date quad AMD server with 8GB running
>>> 7.1-STABLE. In normal operation, I see the following:
>>>
>>> # sockstat | grep 445
>>> glz smbd 7828 23 tcp4 10.255.253.1:445
>>> 10.255.253.2:57355
>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>
>>> When I get the hang, it looks like this:
>>> # sockstat | grep 445
>>> root smbd 7828 23 tcp4 10.255.253.1:445
>>> 10.255.253.2:57355
>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>
>>> and the GDB session:
>>> # gdb /usr/local/sbin/smbd 7828
>>> GNU gdb 6.1.1 [FreeBSD]
>>> Copyright 2004 Free Software Foundation, Inc.
>>> GDB is free software, covered by the GNU General Public License, and
>>> you are
>>> welcome to change it and/or distribute copies of it under certain
>>> conditions.
>>> Type "show copying" to see the conditions.
>>> There is absolutely no warranty for GDB. Type "show warranty" for
>>> details.
>>> This GDB was configured as "amd64-marcel-freebsd"...
>>> Attaching to program: /usr/local/sbin/smbd, process 7828
>>> Reading symbols from /usr/local/lib/libldap-2.3.so.2...done.
>>> Loaded symbols for /usr/local/lib/libldap-2.3.so.2
>>> Reading symbols from /usr/local/lib/liblber-2.3.so.2...done.
>>> Loaded symbols for /usr/local/lib/liblber-2.3.so.2
>>> Reading symbols from /usr/local/lib/libcups.so.2...done.
>>> Loaded symbols for /usr/local/lib/libcups.so.2
>>> Reading symbols from /usr/lib/libssl.so.5...done.
>>> Loaded symbols for /usr/lib/libssl.so.5
>>> Reading symbols from /lib/libcrypto.so.5...done.
>>> Loaded symbols for /lib/libcrypto.so.5
>>> Reading symbols from /lib/libz.so.4...done.
>>> Loaded symbols for /lib/libz.so.4
>>> Reading symbols from /lib/libm.so.5...done.
>>> Loaded symbols for /lib/libm.so.5
>>> Reading symbols from /lib/libcrypt.so.4...done.
>>> Loaded symbols for /lib/libcrypt.so.4
>>> Reading symbols from /usr/lib/libpam.so.4...done.
>>> Loaded symbols for /usr/lib/libpam.so.4
>>> Reading symbols from /usr/local/lib/libexecinfo.so.1...done.
>>> Loaded symbols for /usr/local/lib/libexecinfo.so.1
>>> Reading symbols from /usr/local/lib/libiconv.so.3...done.
>>> Loaded symbols for /usr/local/lib/libiconv.so.3
>>> Reading symbols from /usr/local/lib/libdmalloc.so.1...done.
>>> Loaded symbols for /usr/local/lib/libdmalloc.so.1
>>> Reading symbols from /usr/local/lib/libpopt.so.0...done.
>>> Loaded symbols for /usr/local/lib/libpopt.so.0
>>> Reading symbols from /lib/libthr.so.3...done.
>>> [New Thread 0x800a62e00 (LWP 100076)]
>>> Loaded symbols for /lib/libthr.so.3
>>> Reading symbols from /lib/libc.so.7...done.
>>> Loaded symbols for /lib/libc.so.7
>>> Reading symbols from /usr/local/lib/libsasl2.so.2...done.
>>> Loaded symbols for /usr/local/lib/libsasl2.so.2
>>> Reading symbols from /usr/local/lib/libintl.so.8...done.
>>> Loaded symbols for /usr/local/lib/libintl.so.8
>>> Reading symbols from /usr/local/lib/nss_ldap.so.1...done.
>>> Loaded symbols for /usr/local/lib/nss_ldap.so.1
>>> Reading symbols from /usr/lib/libcom_err.so.4...done.
>>> Loaded symbols for /usr/lib/libcom_err.so.4
>>> Reading symbols from /libexec/ld-elf.so.1...done.
>>> Loaded symbols for /libexec/ld-elf.so.1
>>> [Switching to Thread 0x800a62e00 (LWP 100076)]
>>> 0x0000000801f01d6c in select () from /lib/libc.so.7
>>> (gdb) directory /usr/ports/net/samba32-devel/work/samba-3.2.7/source/
>>> Source directories searched:
>>> /usr/ports/net/samba32-devel/work/samba-3.2.7/source:$cdir:$cwd
>>> (gdb) bt
>>> # 0 0x0000000801f01d6c in select () from /lib/libc.so.7
>>> # 1 0x0000000801d0f4d4 in select () from /lib/libthr.so.3
>>> # 2 0x00000000006749fe in sys_select (maxfd=24,
>>> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0,
>>> tval=0x7fffffffd500)
>>> at lib/select.c:93
>>> # 3 0x00000000004df64c in smbd_process () at smbd/process.c:839
>>> # 4 0x0000000000854074 in main (argc=2, argv=0x7fffffffd638) at
>>> smbd/server.c:1450
>>> (gdb) frame 2
>>> # 2 0x00000000006749fe in sys_select (maxfd=24,
>>> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0,
>>> tval=0x7fffffffd500)
>>> at lib/select.c:93
>>> 93 ret = select(maxfd,readfds2,writefds,errorfds,tval);
>>> (gdb) print tval
>>> $1 = (struct timeval *) 0x7fffffffd500
>>> (gdb) print *tval
>>> $2 = {tv_sec = 59, tv_usec = 999977}
>>> (gdb) The program is running. Quit anyway (and detach it)? (y or n) y
>>> Detaching from program: /usr/local/sbin/smbd, process 7828
>>>
>>> The following is a truss of the process until I have seen the switch
>>> to root as owner:
>>> # time truss -p 8307
>>> gettimeofday({1234648077.989004 },0x0) = 0 (0x0)
>>> gettimeofday({1234648077.989081 },0x0) = 0 (0x0)
>>> select(24,{6 23},{},0x0,{21.288167 }) = 0 (0x0)
>>> gettimeofday({1234648099.279293 },0x0) = 0 (0x0)
>>> gettimeofday({1234648099.279370 },0x0) = 0 (0x0)
>>> gettimeofday({1234648099.279417 },0x0) = 0 (0x0)
>>> select(24,{6 23},{},0x0,{59.989982 }) = 1 (0x1)
>>> gettimeofday({1234648102.286493 },0x0) = 0 (0x0)
>>> read(23,"\0\0\0r",4) = 4 (0x4)
>>> read(23,"\M^?SMB2\0\0\0\0\^X\a\M-H\0\0\0"...,114) = 114 (0x72)
>>> geteuid(0x3e8,0x3e8,0x2,0x800adf750,0x2,0x800adf750) = 0 (0x0)
>>> getegid(0x3e8,0x3e8,0x2,0x801eadb8c,0xffffff006cf16a50,0x7fffffffd138)
>>> = 0 (0x0)
>>> __sysctl(0x7fffffffd0a0,0x2,0x7fffffffd0bc,0x7fffffffd0b0,0x0,0x0) = 0
>>> (0x0)
>>> 0.000u 0.001s 2:36.56 0.0% 0+0k 0+0io 0pf+0w
>>>
>>> # sockstat | grep 445
>>> glz smbd 8307 23 tcp4 10.255.253.1:445
>>> 10.255.253.2:57438
>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>> # ps -awxl | grep 8307
>>> 1000 8307 8556 0 44 0 34672 7984 select IX ?? 0:04.57
>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00
>>> truss -p 8307
>>> # sockstat | grep 445
>>> root smbd 8307 23 tcp4 10.255.253.1:445
>>> 10.255.253.2:57438
>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>> # ps -awxl | grep 8307
>>> 0 8307 8556 0 44 0 34672 7984 select SX ?? 0:04.57
>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00
>>> truss -p 8307
>>>
>>>
>>> I can recreate this at any time and the condition by killing the
>>> offending smbd process and the PC reconnects just fine.
>>>
>>> Hope this helps to pin this down. As I can recreate the hang, please
>>> let me know if there is any more information I can supply.
>>>
>>> /glz
>>>
>>> ................................................... the future isMobile
>>>
>>> Goran Lowkrantz
>>> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
>>> Phone: +46(0)920-75559
>>> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>>>
>>> http://www.ismobile.com ...............................................
>
>
>
> ................................................... the future isMobile
>
> Goran Lowkrantz
> System Architect, isMobile AB
> Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden
> Mobile: +46(0)70-587 87 82
> http://www.ismobile.com ...............................................

From sam at liddicott.com Tue Apr 7 13:33:54 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Tue Apr 7 13:34:53 2009
Subject: smbd process block
References: <49DA118F.90701@liddicott.com> <3F66C13F3DFA3F832E3CD495@syn>
Message-ID: <49DB5642.5070900@liddicott.com>

* Goran Lowkrantz wrote, On 07/04/09 14:08:
> Hi Sam,
>
> Looking further in the dump, I find that a series of these:
> NT Trans Request (0xa0)
> NT NOTIFY Setup
> Completion Filter: 0x00000003
> FID: 0x32f6 (\Input\2006\200607\20060729)
>
> but no response from the Samba server, only IP ACK. The FID look OK
> and direct queries on the FID about the directory is answered earlier.
>
> These messages are sent from the client every 5s for 245s. Then they
> stop.
I guess this may be once for every folder of 245 monitored folders.

A response is not supposed to be given until the request is cancelled or
until a monitored file or folder changes; so this seems quite normal.

What behaviour or action (or lack of) on the windows client makes you
think that samba has hung?

Sam
>
> /glz

From goran.lowkrantz at ismobile.com Tue Apr 7 13:57:21 2009
From: goran.lowkrantz at ismobile.com (Goran Lowkrantz)
Date: Tue Apr 7 13:57:14 2009
Subject: smbd process block
In-Reply-To: <49DB5642.5070900@liddicott.com>
References: <49DA118F.90701@liddicott.com> <3F66C13F3DFA3F832E3CD495@syn> <49DB5642.5070900@liddicott.com>
Message-ID:

Hi Sam,

Each of the calls look exactly the same except the multiplex id, i.e.
it's the same FID and path, which is a leaf directory containing 202
files. And there is only 48 notify calls before it stops, so I can't
see how that maps to the total of about 400 directories in the watched
tree. just looking at leaf directories give at least 300 directories
to watch.

The thing I see is that the application issuing these notify requests
go unresponsive after about 10 to 15 min, the frame marked Not
responding. I assume this is because it is waiting for some response
from the network, as killing the smbd service releases the application.

And these notify setup messages are the only one I can find that do
not have an SMB response.

/glz

................................................... the future isMobile

Goran Lowkrantz
System Architect, isMobile AB
Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden
Mobile: +46(0)70-587 87 82
http://www.ismobile.com ...............................................

From sam at liddicott.com Tue Apr 7 14:13:19 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Tue Apr 7 14:14:15 2009
Subject: smbd process block
References: <49DA118F.90701@liddicott.com> <3F66C13F3DFA3F832E3CD495@syn> <49DB5642.5070900@liddicott.com>
Message-ID: <49DB5F7F.5070300@liddicott.com>

* Goran Lowkrantz wrote, On 07/04/09 14:57:
> Hi Sam,
>
> Each of the calls look exactly the same except the multiplex id, i.e.
> it's the same FID and path, which is a leaf directory containing 202
> files. And there is only 48 notify calls before it stops, so I can't
> see how that maps to the total of about 400 directories in the watched
> tree. just looking at leaf directories give at least 300 directories
> to watch.
My mistake, I thought you said 245 calls, but I see now that you said 245
seconds.
>
> The thing I see is that the application issuing these notify requests
> go unresponsive after about 10 to 15 min, the frame marked Not
> responding. I assume this is because it is waiting for some response
> from the network, as killing the smbd service releases the application.
Try running some other application on the same share and see if the share
is responding - even windows explorer.
>
> And these notify setup messages are the only one I can find that do
> not have an SMB response.
This is quite normal for notify requests. Try adding another file to a
watched folder from another windows machine and see if the application
comes to life when it gets the notification response back.

Sam
>
> /glz
>
> --On April 7, 2009 14:33:54 +0100 Sam Liddicott
> wrote:
>
>> * Goran Lowkrantz wrote, On 07/04/09 14:08:
>>> Hi Sam,
>>>
>>> Looking further in the dump, I find that a series of these:
>>> NT Trans Request (0xa0)
>>> NT NOTIFY Setup
>>> Completion Filter: 0x00000003
>>> FID: 0x32f6 (\Input\2006\200607\20060729)
>>>
>>> but no response from the Samba server, only IP ACK. The FID look OK
>>> and direct queries on the FID about the directory is answered earlier.
>>>
>>> These messages are sent from the client every 5s for 245s. Then they
>>> stop.
>> I guess this may be once for every folder of 245 monitored folders.
>>
>> A response is not supposed to be given until the request is cancelled or
>> until a monitored file or folder changes; so this seems quite normal.
>>
>> What behaviour or action (or lack of) on the windows client makes you
>> think that samba has hung?
>>
>> Sam
>>>
>>> /glz
>>>
>>> --On April 6, 2009 15:28:31 +0100 Sam Liddicott
>>> wrote:
>>>
>>>> As far as I can tell, samba is not hanging, it's issuing responses to
>>>> all the requests it gets.
>>>>
>>>> I think that the windows client thinks that samba has hung, because
>>>> the
>>>> sending of Echo Request is a sign that the client is getting fed up of
>>>> waiting and is checking to see if the link is still working.
>>>>
>>>> So it looks like the client is waiting for some kind of response,
>>>> but I
>>>> haven't been able to spot a response that wasn't answered.
>>>>
>>>> You load the pcap into wireshark and see if you can spot a request
>>>> that
>>>> doesn't get a response...
>>>>
>>>> Sam
>>>>
>>>> * Goran Lowkrantz wrote, On 16/02/09 22:42:
>>>>>
>>>>> I have few Samba servers running FreeBSD 7.1 were we have a problem
>>>>> with smbd process blocking for a few Vista systems that run a program
>>>>> that watch directories and files on the samba shares.
>>>>>
>>>>> On my test setup I have managed to get a hang in less than 30 min.
>>>>>
>>>>> Samba 3.2.7 is built with minimum functions and full debug. Options
>>>>> don't seems to have any impact on the problem.
>>>>>
>>>>> The PC uses Vista Business SP1 and all patches, I run a DAM program
>>>>> called IMatch ver 3.6.076 that watches for changes in the photo
>>>>> database. No other application I have tested has the same problems.
>>>>> For example, Adobe Lightroom 2.2 works without problems when setup
>>>>> with a watched folder.
>>>>>
>>>>> I have attached logfiles from samba with the following extra
>>>>> settings:
>>>>> debug pid = yes
>>>>> debug timestamp = no
>>>>> debug prefix timestamp = yes
>>>>> debug uid = yes
>>>>> log level = 10
>>>>>
>>>>> The PID of the server that hangs is 29162.
>>>>>
>>>>> The FreeBSD server is an up-to-date quad AMD server with 8GB running
>>>>> 7.1-STABLE. In normal operation, I see the following:
>>>>>
>>>>> # sockstat | grep 445
>>>>> glz smbd 7828 23 tcp4 10.255.253.1:445
>>>>> 10.255.253.2:57355
>>>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>>>
>>>>> When I get the hang, it looks like this:
>>>>> # sockstat | grep 445
>>>>> root smbd 7828 23 tcp4 10.255.253.1:445
>>>>> 10.255.253.2:57355
>>>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>>>
>>>>> and the GDB session:
>>>>> # gdb /usr/local/sbin/smbd 7828
>>>>> GNU gdb 6.1.1 [FreeBSD]
>>>>> Copyright 2004 Free Software Foundation, Inc.
>>>>> GDB is free software, covered by the GNU General Public License, and
>>>>> you are
>>>>> welcome to change it and/or distribute copies of it under certain
>>>>> conditions.
>>>>> Type "show copying" to see the conditions.
>>>>> There is absolutely no warranty for GDB. Type "show warranty" for
>>>>> details.
>>>>> This GDB was configured as "amd64-marcel-freebsd"...
>>>>> Attaching to program: /usr/local/sbin/smbd, process 7828
>>>>> Reading symbols from /usr/local/lib/libldap-2.3.so.2...done.
>>>>> Loaded symbols for /usr/local/lib/libldap-2.3.so.2
>>>>> Reading symbols from /usr/local/lib/liblber-2.3.so.2...done.
>>>>> Loaded symbols for /usr/local/lib/liblber-2.3.so.2
>>>>> Reading symbols from /usr/local/lib/libcups.so.2...done.
>>>>> Loaded symbols for /usr/local/lib/libcups.so.2
>>>>> Reading symbols from /usr/lib/libssl.so.5...done.
>>>>> Loaded symbols for /usr/lib/libssl.so.5
>>>>> Reading symbols from /lib/libcrypto.so.5...done.
>>>>> Loaded symbols for /lib/libcrypto.so.5
>>>>> Reading symbols from /lib/libz.so.4...done.
>>>>> Loaded symbols for /lib/libz.so.4
>>>>> Reading symbols from /lib/libm.so.5...done.
>>>>> Loaded symbols for /lib/libm.so.5
>>>>> Reading symbols from /lib/libcrypt.so.4...done.
>>>>> Loaded symbols for /lib/libcrypt.so.4
>>>>> Reading symbols from /usr/lib/libpam.so.4...done.
>>>>> Loaded symbols for /usr/lib/libpam.so.4
>>>>> Reading symbols from /usr/local/lib/libexecinfo.so.1...done.
>>>>> Loaded symbols for /usr/local/lib/libexecinfo.so.1
>>>>> Reading symbols from /usr/local/lib/libiconv.so.3...done.
>>>>> Loaded symbols for /usr/local/lib/libiconv.so.3
>>>>> Reading symbols from /usr/local/lib/libdmalloc.so.1...done.
>>>>> Loaded symbols for /usr/local/lib/libdmalloc.so.1
>>>>> Reading symbols from /usr/local/lib/libpopt.so.0...done.
>>>>> Loaded symbols for /usr/local/lib/libpopt.so.0
>>>>> Reading symbols from /lib/libthr.so.3...done.
>>>>> [New Thread 0x800a62e00 (LWP 100076)]
>>>>> Loaded symbols for /lib/libthr.so.3
>>>>> Reading symbols from /lib/libc.so.7...done.
>>>>> Loaded symbols for /lib/libc.so.7
>>>>> Reading symbols from /usr/local/lib/libsasl2.so.2...done.
>>>>> Loaded symbols for /usr/local/lib/libsasl2.so.2
>>>>> Reading symbols from /usr/local/lib/libintl.so.8...done.
>>>>> Loaded symbols for /usr/local/lib/libintl.so.8
>>>>> Reading symbols from /usr/local/lib/nss_ldap.so.1...done.
>>>>> Loaded symbols for /usr/local/lib/nss_ldap.so.1
>>>>> Reading symbols from /usr/lib/libcom_err.so.4...done.
>>>>> Loaded symbols for /usr/lib/libcom_err.so.4
>>>>> Reading symbols from /libexec/ld-elf.so.1...done.
>>>>> Loaded symbols for /libexec/ld-elf.so.1
>>>>> [Switching to Thread 0x800a62e00 (LWP 100076)]
>>>>> 0x0000000801f01d6c in select () from /lib/libc.so.7
>>>>> (gdb) directory /usr/ports/net/samba32-devel/work/samba-3.2.7/source/
>>>>> Source directories searched:
>>>>> /usr/ports/net/samba32-devel/work/samba-3.2.7/source:$cdir:$cwd
>>>>> (gdb) bt
>>>>> # 0 0x0000000801f01d6c in select () from /lib/libc.so.7
>>>>> # 1 0x0000000801d0f4d4 in select () from /lib/libthr.so.3
>>>>> # 2 0x00000000006749fe in sys_select (maxfd=24,
>>>>> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0,
>>>>> tval=0x7fffffffd500)
>>>>> at lib/select.c:93
>>>>> # 3 0x00000000004df64c in smbd_process () at smbd/process.c:839
>>>>> # 4 0x0000000000854074 in main (argc=2, argv=0x7fffffffd638) at
>>>>> smbd/server.c:1450
>>>>> (gdb) frame 2
>>>>> # 2 0x00000000006749fe in sys_select (maxfd=24,
>>>>> readfds=0x7fffffffd420, writefds=0x7fffffffd3a0, errorfds=0x0,
>>>>> tval=0x7fffffffd500)
>>>>> at lib/select.c:93
>>>>> 93 ret = select(maxfd,readfds2,writefds,errorfds,tval);
>>>>> (gdb) print tval
>>>>> $1 = (struct timeval *) 0x7fffffffd500
>>>>> (gdb) print *tval
>>>>> $2 = {tv_sec = 59, tv_usec = 999977}
>>>>> (gdb) The program is running. Quit anyway (and detach it)? (y or
>>>>> n) y
>>>>> Detaching from program: /usr/local/sbin/smbd, process 7828
>>>>>
>>>>> The following is a truss of the process until I have seen the switch
>>>>> to root as owner:
>>>>> # time truss -p 8307
>>>>> gettimeofday({1234648077.989004 },0x0) = 0 (0x0)
>>>>> gettimeofday({1234648077.989081 },0x0) = 0 (0x0)
>>>>> select(24,{6 23},{},0x0,{21.288167 }) = 0 (0x0)
>>>>> gettimeofday({1234648099.279293 },0x0) = 0 (0x0)
>>>>> gettimeofday({1234648099.279370 },0x0) = 0 (0x0)
>>>>> gettimeofday({1234648099.279417 },0x0) = 0 (0x0)
>>>>> select(24,{6 23},{},0x0,{59.989982 }) = 1 (0x1)
>>>>> gettimeofday({1234648102.286493 },0x0) = 0 (0x0)
>>>>> read(23,"\0\0\0r",4) = 4 (0x4)
>>>>> read(23,"\M^?SMB2\0\0\0\0\^X\a\M-H\0\0\0"...,114) = 114 (0x72)
>>>>> geteuid(0x3e8,0x3e8,0x2,0x800adf750,0x2,0x800adf750) = 0 (0x0)
>>>>> getegid(0x3e8,0x3e8,0x2,0x801eadb8c,0xffffff006cf16a50,0x7fffffffd138)
>>>>>
>>>>> = 0 (0x0)
>>>>> __sysctl(0x7fffffffd0a0,0x2,0x7fffffffd0bc,0x7fffffffd0b0,0x0,0x0)
>>>>> = 0
>>>>> (0x0)
>>>>> 0.000u 0.001s 2:36.56 0.0% 0+0k 0+0io 0pf+0w
>>>>>
>>>>> # sockstat | grep 445
>>>>> glz smbd 8307 23 tcp4 10.255.253.1:445
>>>>> 10.255.253.2:57438
>>>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>>> # ps -awxl | grep 8307
>>>>> 1000 8307 8556 0 44 0 34672 7984 select IX ?? 0:04.57
>>>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
>>>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00
>>>>> truss -p 8307
>>>>> # sockstat | grep 445
>>>>> root smbd 8307 23 tcp4 10.255.253.1:445
>>>>> 10.255.253.2:57438
>>>>> root smbd 76917 19 tcp4 127.0.0.1:445 *:*
>>>>> root smbd 76917 20 tcp4 10.255.253.1:445 *:*
>>>>> # ps -awxl | grep 8307
>>>>> 0 8307 8556 0 44 0 34672 7984 select SX ?? 0:04.57
>>>>> /usr/local/sbin/smbd -D -s /usr/local/etc/smb.conf
>>>>> 0 8556 3273 0 8 0 4600 1204 wait I+ p0 0:00.00
>>>>> truss -p 8307
>>>>>
>>>>>
>>>>> I can recreate this at any time and the condition by killing the
>>>>> offending smbd process and the PC reconnects just fine.
>>>>>
>>>>> Hope this helps to pin this down. As I can recreate the hang, please
>>>>> let me know if there is any more information I can supply.
>>>>>
>>>>> /glz
>>>>>
>>>>> ................................................... the future
>>>>> isMobile
>>>>>
>>>>> Goran Lowkrantz
>>>>> System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
>>>>> Phone: +46(0)920-75559
>>>>> Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82
>>>>>
>>>>> http://www.ismobile.com
>>>>> ...............................................
>>>
>>>
>>>
>>> ................................................... the future isMobile
>>>
>>> Goran Lowkrantz
>>> System Architect, isMobile AB
>>> Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden
>>> Mobile: +46(0)70-587 87 82
>>> http://www.ismobile.com ...............................................
>
>
>
> ................................................... the future isMobile
>
> Goran Lowkrantz
> System Architect, isMobile AB
> Sandviksgatan 81, PO Box 58, S-971 03 Luleå, Sweden
> Mobile: +46(0)70-587 87 82
> http://www.ismobile.com ...............................................
From Volker.Lendecke at SerNet.DE Tue Apr 7 15:34:27 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Apr 7 15:34:21 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-883-g9d2d075 In-Reply-To: <20090406205529.C01F51CC0A9@us2.samba.org> References: <20090406205529.C01F51CC0A9@us2.samba.org> Message-ID: On Mon, Apr 06, 2009 at 03:55:26PM -0500, Tim Prouty wrote: > - DEBUG(10, ("Got oplock async level 2 break message from pid %s: " > - "%s/%lu\n", procid_str(debug_ctx(), &src), > - file_id_string_tos(&msg.id), msg.share_file_id)); > + DEBUG(10, ("Got oplock async level 2 break message from pid %d: %s/%lu\n", > + (int)procid_to_pid(&src), file_id_string_tos(&msg.id), msg.share_file_id)); > Is there any reason why you removed the procid_str() that I just added? Is this a speed critical operation on your platform? If so, is there anything I can help to relieve that pain? Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/a734bf1e/attachment.bin From tprouty at samba.org Tue Apr 7 16:42:26 2009 
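Review bot: the replacement DEBUG call silently drops procid_str(debug_ctx(), &src) and prints (int)procid_to_pid(&src) with %d instead, and nothing in the hunk motivates that; if the older form came back through conflict resolution, restore procid_str() with %s. The first + line also runs the whole format string past 80 columns where the removed lines split it across two string literals, so keep that split.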
From: tprouty at samba.org (Tim Prouty) Date: Tue Apr 7 16:42:31 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-883-g9d2d075 In-Reply-To: References: <20090406205529.C01F51CC0A9@us2.samba.org> Message-ID: <8F342518-CCE0-40D5-8EB1-DB0DA63533F2@samba.org> On Apr 7, 2009, at 8:34 AM, Volker Lendecke wrote: > On Mon, Apr 06, 2009 at 03:55:26PM -0500, Tim Prouty wrote: >> - DEBUG(10, ("Got oplock async level 2 break message from pid %s: " >> - "%s/%lu\n", procid_str(debug_ctx(), &src), >> - file_id_string_tos(&msg.id), msg.share_file_id)); >> + DEBUG(10, ("Got oplock async level 2 break message from pid %d: >> %s/%lu\n", >> + (int)procid_to_pid(&src), file_id_string_tos(&msg.id), >> msg.share_file_id)); >> > > Is there any reason why you removed the procid_str() that I > just added? Is this a speed critical operation on your > platform? If so, is there anything I can help to relieve > that pain? No reason, other than I simply missed it while resolving a conflict when porting the patch. Thanks for catching this. I'll add it back now. -Tim From goran.lowkrantz at ismobile.com Tue Apr 7 16:52:01 2009 
From: goran.lowkrantz at ismobile.com (Goran Lowkrantz)
Date: Tue Apr 7 16:52:13 2009
Subject: smbd process block
In-Reply-To: <49DB5F7F.5070300@liddicott.com>
References: <49DA118F.90701@liddicott.com> <3F66C13F3DFA3F832E3CD495@syn> <49DB5642.5070900@liddicott.com> <49DB5F7F.5070300@liddicott.com>
Message-ID: <171F58EABF051AE7611EEE62@[10.255.253.2]>

Hi Sam,

I have tested accessing the directory with windows explorer but that too
goes Not responding. I have touched both an old and a new file but that
didn't change anything.

here is the lsof of the unresponsive smbd:
> lsof -p 71672
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
smbd 71672 root cwd VDIR 17,910622967 10 3 /usr/data/glz/imatch
smbd 71672 root rtd VDIR 0,104 512 2 /
smbd 71672 root txt can't read vnode at 0x006c96c7
smbd 71672 root txt can't read vnode at 0x00030230
smbd 71672 root txt can't read vnode at 0x00020000
smbd 71672 root txt can't read vnode at 0x00010000
smbd 71672 root txt can't read vnode at 0x000002b8
smbd 71672 root txt can't read vnode at 0x00003000
smbd 71672 root txt can't read vnode at 0x00016000
smbd 71672 root txt can't read vnode at 0x00009d08
smbd 71672 root txt can't read vnode at 0x00007000
smbd 71672 root txt can't read vnode at 0x00002000
smbd 71672 root txt can't read vnode at 0x00028000
smbd 71672 root txt can't read vnode at 0x00025000
smbd 71672 root txt can't read vnode at 0x00043a61
smbd 71672 root txt can't read vnode at 0x00011118
smbd 71672 root txt can't read vnode at 0x000c035c
smbd 71672 root txt can't read vnode at 0x0004ab40
smbd 71672 root txt can't read vnode at 0x00193d40
smbd 71672 root txt can't read vnode at 0x00014900
smbd 71672 root txt can't read vnode at 0x0001c1e0
smbd 71672 root txt can't read vnode at 0x00008070
smbd 71672 root txt can't read vnode at 0x00008bf0
smbd 71672 root txt can't read vnode at 0x0000e698
smbd 71672 root txt can't read vnode at 0x001077f4
smbd 71672 root txt can't read vnode at 0x00005290
smbd 71672 root txt can't read vnode at 0x00008ced
smbd 71672 root txt can't read vnode at 0x0011f688
smbd 71672 root txt can't read vnode at 0x0001bf2b
smbd 71672 root txt can't read vnode at 0x0000b7b1
smbd 71672 root txt can't read vnode at 0x00014058
smbd 71672 root txt can't read vnode at 0x00001dd0
smbd 71672 root 0u VCHR 0,20 0t0 20 /dev/null
smbd 71672 root 1u VCHR 0,20 0t0 20 /dev/null
smbd 71672 root 2w VREG 129,4254531705 31595 630 /var/log/log.tor
smbd 71672 root 3r VCHR 0,27 0t9 27 /dev/random
smbd 71672 root 4u VREG 205,2015822061 12288 47036 /usr/local -- etc/samba/secrets.tdb
smbd 71672 root 5u VREG 203,3580952781 696 11659 /var (system/var)
smbd 71672 root 6u PIPE 0xffffff010c6972e8 16384 ->0xffffff010c697440
smbd 71672 root 7w VREG 203,3580952781 6 11664 /var (system/var)
smbd 71672 root 8u IPv4 0xffffff0065943b60 0t0 TCP midgard:microsoft-ds->tor:53116 (ESTABLISHED)
smbd 71672 root 9u VREG 203,3580952781 163840 11665 /var (system/var)
smbd 71672 root 10u VREG 203,3580952781 90112 11661 /var (system/var)
smbd 71672 root 11u VREG 203,3580952781 40200 11666 /var (system/var)
smbd 71672 root 12u VREG 203,3580952781 151552 11667 /var (system/var)
smbd 71672 root 13u VREG 203,3580952781 8192 11662 /var (system/var)
smbd 71672 root 14u VREG 203,3580952781 8192 1052 /var (system/var)
smbd 71672 root 15u VREG 203,3580952781 8192 1013 /var (system/var)
smbd 71672 root 16u VREG 203,3580952781 12288 1053 /var (system/var)
smbd 71672 root 17u VREG 203,3580952781 696 1054 /var (system/var)
smbd 71672 root 18u PIPE 0xffffff00096c3000 16384 ->0xffffff00096c3158
smbd 71672 root 20u PIPE 0xffffff010c697440 0 ->0xffffff010c6972e8
smbd 71672 root 21u VREG 203,3580952781 8192 1056 /var (system/var)
smbd 71672 root 22u VREG 203,3580952781 696 960 /var (system/var)
smbd 71672 root 23u PIPE 0xffffff010c6ff8b8 16384 ->0xffffff010c6ffa10
smbd 71672 root 24u PIPE 0xffffff010c6ffa10 0 ->0xffffff010c6ff8b8
smbd 71672 root 25w VREG 129,4254531705 31595 630 /var/log/log.tor
smbd 71672 root 26ur VREG 203,3580952781 28672 973 /var (system/var)
smbd 71672 root 27u unix 0xffffff01982e5000 0t0 ->0xffffff0164d145a0

As you can see the process is owned by root, not the logged in user.

/glz

--On Tuesday, April 07, 2009 3:13 PM +0100 Sam Liddicott wrote:

> * Goran Lowkrantz wrote, On 07/04/09 14:57:
>> Hi Sam,
>>
>> Each of the calls look exactly the same except the multiplex id, i.e.
>> it's the same FID and path, which is a leaf directory containing 202
>> files. And there is only 48 notify calls before it stops, so I can't
>> see how that maps to the total of about 400 directories in the watched
>> tree. just looking at leaf directories give at least 300 directories
>> to watch.
> My mistake, I thought you said 245 calls, but I see now that you said
> 245 seconds.
>>
>> The thing I see is that the application issuing these notify requests
>> go unresponsive after about 10 to 15 min, the frame marked Not
>> responding. I assume this is because it is waiting for some response
>> from the network, as killing the smbd service releases the application.
> Try running some other application on the same share and see if the
> share is responding - even windows explorer.
>>
>> And these notify setup messages are the only one I can find that do
>> not have an SMB response.
> This is quite normal for notify requests.
>
> Try adding another file to a watched folder from another windows machine
> and see if the application comes to life when it gets the notification
> response back.
>
> Sam
>>
>> /glz
>>
>> --On April 7, 2009 14:33:54 +0100 Sam Liddicott
>> wrote:
>>
>>> * Goran Lowkrantz wrote, On 07/04/09 14:08:
>>>> Hi Sam,
>>>>
>>>> Looking further in the dump, I find that a series of these:
>>>> NT Trans Request (0xa0)
>>>> NT NOTIFY Setup
>>>> Completion Filter: 0x00000003
>>>> FID: 0x32f6 (\Input\2006\200607\20060729)
>>>>
>>>> but no response from the Samba server, only IP ACK. The FID look OK
>>>> and direct queries on the FID about the directory is answered earlier.
................................................... the future isMobile

Goran Lowkrantz
System Architect, isMobile, Aurorum 2, S-977 75 Luleå, Sweden
Phone: +46(0)920-75559
Mobile: +46(0)70-587 87 82 Fax: +46(0)70-615 87 82

http://www.ismobile.com
...............................................
From mat+Informatique.Samba at matws.net Tue Apr 7 19:13:43 2009
From: mat+Informatique.Samba at matws.net (Matthieu Patou)
Date: Tue Apr 7 19:13:57 2009
Subject: samba4 - acces to shared directory by groups permissions don't work
In-Reply-To: <1238477971.12404.41.camel@ruth>
References: <1238477971.12404.41.camel@ruth>
Message-ID: <49DBA5E7.101@matws.net>

On 03/31/2009 09:39 AM, Andrew Bartlett wrote:
> On Fri, 2009-03-27 at 13:02 +0100, Justo Alonso wrote:
>
>> Hi !
>> I'm trying to configure a shared directory and set permissions by
>> groups, but doesn't work.
>>
>> On windows, I set write access to "Domain Users" and the user of
>> the domain can't write on the directory. The unix group is created
>> with the same name.
>>
>> I read about "unixname" and map domain to unix group with swat,
>> but I don't know how make it (swat don't work on samba4> alpha3,
>> isn't it?)
>>
>> How do I have to define permissions in Windows and Unix to make it work?
>>
> Tridge defines this as the 'minimal' mapping. Ie, there is none (pretty
> much :-)
>
> Files will be created as the UID that Samba determines for that new user
> (stored in its IDMAP, and unrelated to any existing user). Users
> access to those files will be restricted by the intersection of both the
> posix mode (user group other) any posix ACL and the windows ACL applied
> to the file. Only the windows ACL will be visible from the client, and
> only the windows ACL can be changed.
>
>
Just my 2cents tip: I force the group to have rwx (with directory and file
mask) and use either sticky bit on the folder (usually quite sufficient)
and in some rare cases default posix ACL so that all folders and files
created will be unix group writable and then I use the NT ACL to make
fine grained access.

BTW if you do not set any NT ACL you have by default a mapping of POSIX ACL
to NT ACL done by samba4.

Matthieu.
From jra at samba.org Tue Apr 7 22:53:05 2009
From: jra at samba.org (Jeremy Allison)
Date: Tue Apr 7 22:53:04 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <20090405003315.GB15741@jeremy-desktop>
References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop>
Message-ID: <20090407225305.GG27602@samba1>

On Sat, Apr 04, 2009 at 05:33:15PM -0700, Jeremy Allison wrote:
>
> I'm thinking of something like :
>
> SMB_PTHREAD_DEFINE_FNS(log_fn, var);
>
> Which expands into definitions of all the functions
> (using pthreads) we need to pass in to initialize,
> and a definition and declaration of the struct to
> pass (the logging function is optional and can be
> NULL if not needed). var becomes the name of the
> declared struct containing the vectors.
>
> The main() function would then call
>
> SMB_PTHREAD_INIT(var);
>
> to actually cause the library to initialize the
> thread functions, mutexes and TLS.
>
> There's also functions for TLS we have to add, but I'll
> look at that next week.

Ok, after talking with tridge here is the template
I'll be using to start adding threads to the lower
level code.

There are a couple of files - smb_threads.h
smb_threads_internal.h which sets up the definitions
of the pthread implementations of these functions as
a macro, and the struct containing the function vectors,
and smb_threads.c which initializes the function
vectors and right now contains a sample of the
way we'd use these functions.

I didn't add the logging function, as that
really should be left inside the implementations
I think.

So the locking primitives we'll be using in the code
are:

SMB_THREAD_CREATE_LOCK(name, plock)
SMB_THREAD_LOCK(plock, type)
SMB_THREAD_DESTROY_LOCK(plock)

To lock a mutex use : SMB_THREAD_LOCK(plock, SMB_THREAD_LOCK)
and to unlock the mutex use : SMB_THREAD_LOCK(plock, SMB_THREAD_UNLOCK)

For thread local storage we'll use :

SMB_THREAD_CREATE_TLS(keyname, key)
SMB_THREAD_DESTROY_TLS(key)
SMB_THREAD_SET_TLS(key, val)
SMB_THREAD_GET_TLS(key)

Let me know what you think ! If everyone is ok I'll
start adding this into the master branch.

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads.h
Type: text/x-chdr
Size: 3731 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/feb3423d/smb_threads.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads_internal.h
Type: text/x-chdr
Size: 1637 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/feb3423d/smb_threads_internal.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads.c
Type: text/x-csrc
Size: 2741 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/feb3423d/smb_threads-0001.bin
From hyc at highlandsun.com Tue Apr 7 23:15:26 2009
From: hyc at highlandsun.com (Howard Chu)
Date: Tue Apr 7 23:15:27 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <20090407225305.GG27602@samba1>
References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1>
Message-ID: <49DBDE8E.7090805@highlandsun.com>

Jeremy Allison wrote:
> On Sat, Apr 04, 2009 at 05:33:15PM -0700, Jeremy Allison wrote:
>>
>> I'm thinking of something like :
>>
>> SMB_PTHREAD_DEFINE_FNS(log_fn, var);
>>
>> Which expands into definitions of all the functions
>> (using pthreads) we need to pass in to initialize,
>> and a definition and declaration of the struct to
>> pass (the logging function is optional and can be
>> NULL if not needed). var becomes the name of the
>> declared struct containing the vectors.
>>
>> The main() function would then call
>>
>> SMB_PTHREAD_INIT(var);
>>
>> to actually cause the library to initialize the
>> thread functions, mutexes and TLS.
>>
>> There's also functions for TLS we have to add, but I'll
>> look at that next week.
>
> Ok, after talking with tridge here is the template
> I'll be using to start adding threads to the lower
> level code.
>
> There are a couple of files - smb_threads.h
> smb_threads_internal.h which sets up the definitions
> of the pthread implementations of these functions as
> a macro, and the struct containing the function vectors,
> and smb_threads.c which initializes the function
> vectors and right now contains a sample of the
> way we'd use these functions.
>
> I didn't add the logging function, as that
> really should be left inside the implementations
> I think.
>
> So the locking primitives we'll be using in the code
> are:
>
> SMB_THREAD_CREATE_LOCK(name, plock)
> SMB_THREAD_LOCK(plock, type)
> SMB_THREAD_DESTROY_LOCK(plock)
>
> To lock a mutex use : SMB_THREAD_LOCK(plock, SMB_THREAD_LOCK)
> and to unlock the mutex use : SMB_THREAD_LOCK(plock, SMB_THREAD_UNLOCK)

We often find the need for a trylock() op - fail immediately if the lock
is in use, instead of waiting.

Your pthread destroy_lock needs to free() the lock memory that you
malloc'd; pthread_mutex_destroy() only deinitializes it, it doesn't
actually free it.

> For thread local storage we'll use :
>
> SMB_THREAD_CREATE_TLS(keyname, key)
> SMB_THREAD_DESTROY_TLS(key)
> SMB_THREAD_SET_TLS(key, val)
> SMB_THREAD_GET_TLS(key)
>
> Let me know what you think ! If everyone is ok I'll
> start adding this into the master branch.
>
> Jeremy.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
From jra at samba.org Tue Apr 7 23:32:28 2009
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 7 23:32:54 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <49DBDE8E.7090805@highlandsun.com> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> Message-ID: <20090407233228.GH27602@samba1> On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: > > We often find the need for a trylock() op - fail immediately if the lock > is in use, instead of waiting. I thought about that one, but I don't see an immediate need for it in our code which will be mainly mutex locks around globals. When *exactly* do you find a use for trylock ? > Your pthread destroy_lock needs to free() the lock memory that you > malloc'd; pthread_mutex_destroy() only deinitializes it, it doesn't > actually free it. Cool - thanks for the bug report. I did that in the tls code but missed it in the lock code - fixed. Jeremy. From jra at samba.org Tue Apr 7 23:36:21 2009
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 7 23:36:16 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090407233228.GH27602@samba1> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> Message-ID: <20090407233621.GI27602@samba1> On Tue, Apr 07, 2009 at 04:32:28PM -0700, Jeremy Allison wrote: > On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: > > > > We often find the need for a trylock() op - fail immediately if the lock > > is in use, instead of waiting. > > I thought about that one, but I don't see an immediate need > for it in our code which will be mainly mutex locks around > globals. When *exactly* do you find a use for trylock ? > > > Your pthread destroy_lock needs to free() the lock memory that you > > malloc'd; pthread_mutex_destroy() only deinitializes it, it doesn't > > actually free it. > > Cool - thanks for the bug report. I did that in the tls code > bug missed it in the lock code - fixed. Fixed versions attached. I'll add the trylock once you've convinced me we need it :-). Jeremy. -------------- next part -------------- A non-text attachment was scrubbed... Name: smb_threads.h Type: text/x-chdr Size: 3747 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/b41a4c3d/smb_threads.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: smb_threads_internal.h Type: text/x-chdr Size: 1637 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/b41a4c3d/smb_threads_internal.bin -------------- next part -------------- A non-text attachment was scrubbed... 
Name: smb_threads.c Type: text/x-csrc Size: 2741 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090407/b41a4c3d/smb_threads-0001.bin From hyc at highlandsun.com Tue Apr 7 23:50:25 2009 From: hyc at highlandsun.com (Howard Chu) Date: Tue Apr 7 23:50:18 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090407233228.GH27602@samba1> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> Message-ID: <49DBE6C1.1090600@highlandsun.com> Jeremy Allison wrote: > On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: >> >> We often find the need for a trylock() op - fail immediately if the lock >> is in use, instead of waiting. > > I thought about that one, but I don't see an immediate need > for it in our code which will be mainly mutex locks around > globals. In that case, your prototype is deceptive - you advertise read locks and write locks, which are typically held for the duration of a lengthy operation, not just taken and released quickly. If you're only expecting these locks to be used to essentially support atomic test-and-set, then the RDLOCK and WRLOCK usage makes no sense. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From jra at samba.org Tue Apr 7 23:56:37 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 7 23:56:42 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <49DBE6C1.1090600@highlandsun.com> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> Message-ID: <20090407235637.GK27602@samba1> On Tue, Apr 07, 2009 at 04:50:25PM -0700, Howard Chu wrote: > Jeremy Allison wrote: >> On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: >>> >>> We often find the need for a trylock() op - fail immediately if the lock >>> is in use, instead of waiting. >> >> I thought about that one, but I don't see an immediate need >> for it in our code which will be mainly mutex locks around >> globals. > > In that case, your prototype is deceptive - you advertise read locks and > write locks, which are typically held for the duration of a lengthy > operation, not just taken and released quickly. If you're only expecting > these locks to be used to essentially support atomic test-and-set, then > the RDLOCK and WRLOCK usage makes no sense. Well the goal is to allow the implementation to be upgraded at a later date to use pthread_rwlocks without changing the external interface. Hmmm. Although in that case you're right, the interface doesn't work as we'd need to tell create_lock what kind of lock we'll need. Do you think it's worth widening the interface now to include the reader/writer lock behaviour, or cut it down to just provide simple mutex's (which are all I think we'll need for the initial work anyway). If we go fully threaded at a later date we may need to add rw locks then though... Jeremy. From idra at samba.org Wed Apr 8 00:24:48 2009 
From: idra at samba.org (simo) Date: Wed Apr 8 00:23:55 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090407233621.GI27602@samba1> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> Message-ID: <1239150288.7649.66.camel@pico.li.ssimo.org> On Tue, 2009-04-07 at 16:36 -0700, Jeremy Allison wrote: > On Tue, Apr 07, 2009 at 04:32:28PM -0700, Jeremy Allison wrote: > > On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: > > > > > > We often find the need for a trylock() op - fail immediately if the lock > > > is in use, instead of waiting. > > > > I thought about that one, but I don't see an immediate need > > for it in our code which will be mainly mutex locks around > > globals. When *exactly* do you find a use for trylock ? > > > > > Your pthread destroy_lock needs to free() the lock memory that you > > > malloc'd; pthread_mutex_destroy() only deinitializes it, it doesn't > > > actually free it. > > > > Cool - thanks for the bug report. I did that in the tls code > > but missed it in the lock code - fixed. > > Fixed versions attached. I'll add the trylock once you've > convinced me we need it :-). Jeremy, I would find the attached header much more readable, and should be equivalent to your supermacro. The difference is that you need to define SMB_USE_THREADS in your program before including the header, but that shouldn't be a big deal, or is it ? Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. -------------- next part -------------- A non-text attachment was scrubbed...
Name: smb_threads.h Type: text/x-chdr Size: 3646 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090408/835a050e/smb_threads.bin From idra at samba.org Wed Apr 8 00:31:38 2009 
From: idra at samba.org (simo) Date: Wed Apr 8 00:30:58 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090407235637.GK27602@samba1> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> Message-ID: <1239150698.7649.71.camel@pico.li.ssimo.org> On Tue, 2009-04-07 at 16:56 -0700, Jeremy Allison wrote: > On Tue, Apr 07, 2009 at 04:50:25PM -0700, Howard Chu wrote: > > Jeremy Allison wrote: > >> On Tue, Apr 07, 2009 at 04:15:26PM -0700, Howard Chu wrote: > >>> > >>> We often find the need for a trylock() op - fail immediately if the lock > >>> is in use, instead of waiting. > >> > >> I thought about that one, but I don't see an immediate need > >> for it in our code which will be mainly mutex locks around > >> globals. > > > > In that case, your prototype is deceptive - you advertise read locks and > > write locks, which are typically held for the duration of a lengthy > > operation, not just taken and released quickly. If you're only expecting > > these locks to be used to essentially support atomic test-and-set, then > > the RDLOCK and WRLOCK usage makes no sense. > > Well the goal is to allow the implementation to be > upgraded at a later date to use pthread_rwlocks > without changing the external interface. > > Hmmm. Although in that case you're right, the > interface doesn't work as we'd need to tell > create_lock what kind of lock we'll need. > > Do you think it's worth widening the interface > now to include the reader/writer lock behaviour, > or cut it down to just provide simple mutex's > (which are all I think we'll need for the initial > work anyway). > > If we go fully threaded at a later date we may > need to add rw locks then though... 
If you think you can add other types of locks later on without changing the public API I see no problem going step by step. But keep in mind that the huge macro (or my proposed define), moves all that code into the API. If you later find you need to change that code you will have to break compatibility with all applications that built against that interface. I would really prefer not to. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From jra at samba.org Wed Apr 8 00:32:48 2009 
From: jra at samba.org (Jeremy Allison) Date: Wed Apr 8 00:33:03 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <1239150288.7649.66.camel@pico.li.ssimo.org> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> <1239150288.7649.66.camel@pico.li.ssimo.org> Message-ID: <20090408003248.GB6877@jeremy-laptop> On Wed, Apr 08, 2009 at 12:24:48AM +0000, simo wrote: > I would find the attached header much more readable, and should be > equivalent to your supermacro. > > The difference is that you need to define SMB_USE_THREADS in your > program before including the header, but that shouldn't be a big deal, > or is it ? The problem with doing it that way is you'll have to #define that name *before* including the header. The goal is for this to be used by callers of libsmbclient and external libraries. I prefer the monster macro as it allows the header file to be included unconditionally (as an #include in libsmbclient.h) and then turned on in the "global" definitions area (usually just before main, or at the top of the file containing the entry point). Otherwise you could easily get multiple function definitions by #including the header file in different modules. The SMB_THREADS_DEF_PTHREAD_IMPLEMENTATION() instantiates the functions under the control of the caller, not under the control of the header include. Jeremy. From jra at samba.org Wed Apr 8 00:36:04 2009
From: jra at samba.org (Jeremy Allison) Date: Wed Apr 8 00:36:05 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <1239150698.7649.71.camel@pico.li.ssimo.org> References: <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> <1239150698.7649.71.camel@pico.li.ssimo.org> Message-ID: <20090408003604.GC6877@jeremy-laptop> On Wed, Apr 08, 2009 at 12:31:38AM +0000, simo wrote: > > If you think you can add other types of locks later on without changing > the public API I see no problem going step by step. > But keep in mind that the huge macro (or my proposed define), moves all > that code into the API. No, actually it doesn't - that's the nice thing about it ! > If you later find you need to change that code you will have to break > compatibility with all applications that built against that interface. I'm trying to get the public API as correct as possible, so we won't have to change it in the future. Source code will still be compatible, as the definition of these functions can be changed by any caller that uses the interface - the code is just one sample implementation of the interface. You could just as easily write Win32 code to implement the same locking primitives (in fact the TLS interface was based on the Win32 interface, not the pthread one). Jeremy. From jra at samba.org Wed Apr 8 00:39:10 2009 
From: jra at samba.org (Jeremy Allison) Date: Wed Apr 8 00:39:27 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090408003604.GC6877@jeremy-laptop> References: <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> <1239150698.7649.71.camel@pico.li.ssimo.org> <20090408003604.GC6877@jeremy-laptop> Message-ID: <20090408003910.GD6877@jeremy-laptop> On Tue, Apr 07, 2009 at 05:36:04PM -0700, Jeremy Allison wrote: > On Wed, Apr 08, 2009 at 12:31:38AM +0000, simo wrote: > > > > If you think you can add other types of locks later on without changing > > the public API I see no problem going step by step. > > But keep in mind that the huge macro (or my proposed define), moves all > > that code into the API. > > No, actually it doesn't - that's the nice thing about it ! In case I'm not being clear enough here, the huge macro is a *sample* implementation of the public API, but it's not the only one. Anyone can write an implementation for any platform so long as it has the same semantics that the vectored functions in the struct require. Note the sample code in the macro doesn't make use of the lock names or debugging __location__ information, but another implementation could easily do so for debugging purposes. Jeremy. From idra at samba.org Wed Apr 8 00:41:23 2009
From: idra at samba.org (simo) Date: Wed Apr 8 00:40:30 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090408003248.GB6877@jeremy-laptop> References: <20090404120246.835F3163CCD@lists.samba.org> <49D7978E.8000802@highlandsun.com> <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> <1239150288.7649.66.camel@pico.li.ssimo.org> <20090408003248.GB6877@jeremy-laptop> Message-ID: <1239151283.7649.77.camel@pico.li.ssimo.org> On Tue, 2009-04-07 at 17:32 -0700, Jeremy Allison wrote: > On Wed, Apr 08, 2009 at 12:24:48AM +0000, simo wrote: > > > I would fine the attached header much more readable, and should be > > equivalent to your supermacro. > > > > The difference is that you need to define SMB_USE_THREADS in your > > program before including the header, but that shouldn't be a big deal, > > or is it ? > > The problem with doing it that way is you'll have to #define that > name *before* including the header. That's what I said :-) #define SMB_USE_THREADS #include > The goal is for this to be used > by callers of libsmbclient and external libraries. yup. > I prefer the monster macro as it allows the header file to > be included unconditionally (as an #include in libsmbclient.h) > and then turned on in the "global" definitions area (usually > just before main, or at the top of the file containing the > entry point). I honestly don't see the difference. > Otherwise you could easily get multiple function definitions > be #including the header file in different modules. No, you have barriers in the include: #ifndef _smb_threads_h_ #define _smb_threads_h_ So multiple inclusion shouldn't really happen. > The > SMB_THREADS_DEF_PTHREAD_IMPLEMENTATION() instantiates the > functions under the control of the caller, not under the > control of the header include. 
I am trying to understand in which case this would make a difference. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From jra at samba.org Wed Apr 8 00:44:23 2009 From: jra at samba.org (Jeremy Allison) Date: Wed Apr 8 00:44:36 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <1239151283.7649.77.camel@pico.li.ssimo.org> References: <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> <1239150288.7649.66.camel@pico.li.ssimo.org> <20090408003248.GB6877@jeremy-laptop> <1239151283.7649.77.camel@pico.li.ssimo.org> Message-ID: <20090408004422.GE6877@jeremy-laptop> On Wed, Apr 08, 2009 at 12:41:23AM +0000, simo wrote: > > No, you have barriers in the include: > #ifndef _smb_threads_h_ > #define _smb_threads_h_ > > So multiple inclusion shouldn't really happen. Multiple includes in the same module can't happen, but inclusion in *different* modules can. > I am trying to understand in which case this would make a difference. Imagine we have module a.c which #define SMB_USE_THREADS and includes smb_threads.h, and then module b.c which also (by accident in an include header) also defines SMB_USE_THREADS and includes smb_threads.h. In your method we get duplicate definitions of the sample functions. With the instantiation macro method you can include "smb_threads.h" as many times as you like but the implementation only gets defined in the module where you have : SMB_THREADS_DEF_PTHREAD_IMPLEMENTATION(var); That's defined in a .c file, not in or before a header, so it's much easier for a user of the library to control and remember. Jeremy. From idra at samba.org Wed Apr 8 00:52:07 2009
From: idra at samba.org (simo) Date: Wed Apr 8 00:51:19 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090408003910.GD6877@jeremy-laptop> References: <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> <1239150698.7649.71.camel@pico.li.ssimo.org> <20090408003604.GC6877@jeremy-laptop> <20090408003910.GD6877@jeremy-laptop> Message-ID: <1239151927.7649.86.camel@pico.li.ssimo.org> On Tue, 2009-04-07 at 17:39 -0700, Jeremy Allison wrote: > On Tue, Apr 07, 2009 at 05:36:04PM -0700, Jeremy Allison wrote: > > On Wed, Apr 08, 2009 at 12:31:38AM +0000, simo wrote: > > > > > > If you think you can add other types of locks later on without changing > > > the public API I see no problem going step by step. > > > But keep in mind that the huge macro (or my proposed define), moves all > > > that code into the API. > > > > No, actually it doesn't - that's the nice thing about it ! > > In case I'm not being clear enough here, the huge macro > is a *sample* implementation of the public API, but it's > not the only one. Anyone can write an implementation for > any platform so long as it has the same semantics that > the vectored functions in the struct require. > > Note the sample code in the macro doesn't make use > of the lock names or debugging __location__ information, > but another implementation could easily do so for > debuggin purposes. Oh ok, I thought you wanted to include it into libsmbclient.h, my fault. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From idra at samba.org Wed Apr 8 00:56:04 2009 
From: idra at samba.org (simo) Date: Wed Apr 8 00:55:02 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <20090408004422.GE6877@jeremy-laptop> References: <49D79E88.1000107@highlandsun.com> <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> <1239150288.7649.66.camel@pico.li.ssimo.org> <20090408003248.GB6877@jeremy-laptop> <1239151283.7649.77.camel@pico.li.ssimo.org> <20090408004422.GE6877@jeremy-laptop> Message-ID: <1239152164.7649.90.camel@pico.li.ssimo.org> On Tue, 2009-04-07 at 17:44 -0700, Jeremy Allison wrote: > On Wed, Apr 08, 2009 at 12:41:23AM +0000, simo wrote: > > > > No, you have barriers in the include: > > #ifndef _smb_threads_h_ > > #define _smb_threads_h_ > > > > So multiple inclusion shouldn't really happen. > > Multiple includes in the same module can't happen, > but inclusion in *different* modules can. > > > I am trying to understand in which case this would make a difference. > > Imagine we have module a.c which #define SMB_USE_THREADS > and includes smb_threads.h, and then module b.c which > also (by accident in an include header) also defines > SMB_USE_THREADS and includes smb_threads.h. In your > methed we get duplicate definitions of the sample > functions. Right, I thought about that just *after* I clicked send ... > With the instantiation macro method you can > include "smb_threads.h" as many times as you > like but the implementation only gets defined > in the module where you have : > > SMB_THREADS_DEF_PTHREAD_IMPLEMENTATION(var); > > That's defined in a .c file, not in or before > a header, so it's much easier for a user of > the library to control and remember. Right, but thinking about that I am wondering if you shouldn't mark all functions as static ? Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From jra at samba.org Wed Apr 8 01:45:40 2009 
From: jra at samba.org (Jeremy Allison) Date: Wed Apr 8 01:45:48 2009 Subject: Threading libsmbclient - a proposal. In-Reply-To: <1239152164.7649.90.camel@pico.li.ssimo.org> References: <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <20090407233621.GI27602@samba1> <1239150288.7649.66.camel@pico.li.ssimo.org> <20090408003248.GB6877@jeremy-laptop> <1239151283.7649.77.camel@pico.li.ssimo.org> <20090408004422.GE6877@jeremy-laptop> <1239152164.7649.90.camel@pico.li.ssimo.org> Message-ID: <20090408014540.GA10550@jeremy-desktop> On Wed, Apr 08, 2009 at 12:56:04AM +0000, simo wrote: > > Right, but thinking about that I am wondering if you shouldn't mark all > functions as static ? Yep - very good point ! I'll do that, thanks. So I think I'm going to narrow the interface down to be smb_create_mutex() not create_lock() and remove the extra rw lock stuff so we don't confuse callers who think there might be rw locks available. We can always add these later as we thread the code. So I've got a couple of fixes to do, I'll try and get to that tomorrow (I'm at the LinuxFoundation conf up in San Francisco the rest of the week). Thanks for the review Simo, much appreciated. Jeremy. From sam at liddicott.com Wed Apr 8 08:46:29 2009 
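The design this thread settles on (caller-supplied function vectors, mutexes only, a destroy that frees what create allocated, and an instantiation macro with static functions), sketched as an added example that is not the smb_threads.h attached to the messages. Every demo_/DEMO_ name and the live-allocation counter are assumptions made for illustration.

```c
/* Added illustration; all demo_/DEMO_ names are hypothetical, not Samba's. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

enum demo_lock_op { DEMO_THREAD_LOCK = 1, DEMO_THREAD_UNLOCK = 2 };

/* Public-header part: declarations only, safe to include in every module. */
struct demo_thread_functions {
    int (*create_mutex)(const char *name, void **pplock, const char *loc);
    void (*destroy_mutex)(void *plock, const char *loc);
    int (*lock_mutex)(void *plock, enum demo_lock_op op, const char *loc);
};

static int demo_live_mutexes; /* constructed, not thread-safe; makes a leak visible */

/* Instantiation macro: nothing is defined until one .c file expands it, and
 * the functions are static, so other modules cannot clash with them. */
#define DEMO_THREADS_DEF_PTHREAD_IMPLEMENTATION(var) \
static int var##_create_mutex(const char *name, void **pplock, const char *loc) \
{ \
    pthread_mutex_t *m = malloc(sizeof(*m)); \
    int ret = m ? pthread_mutex_init(m, NULL) : ENOMEM; \
    (void)name; (void)loc; /* available for debug logging */ \
    if (ret != 0) { free(m); return ret; } \
    demo_live_mutexes++; \
    *pplock = m; \
    return 0; \
} \
static void var##_destroy_mutex(void *plock, const char *loc) \
{ \
    (void)loc; \
    if (plock == NULL) return; \
    pthread_mutex_destroy(plock); /* only de-initialises the mutex */ \
    free(plock); /* releases the malloc() made by create */ \
    demo_live_mutexes--; \
} \
static int var##_lock_mutex(void *plock, enum demo_lock_op op, const char *loc) \
{ \
    (void)loc; \
    return op == DEMO_THREAD_LOCK ? pthread_mutex_lock(plock) : pthread_mutex_unlock(plock); \
} \
static const struct demo_thread_functions var = \
    { var##_create_mutex, var##_destroy_mutex, var##_lock_mutex }

/* Library side: the vector pointer stays NULL for single-threaded callers. */
static const struct demo_thread_functions *demo_fns;
static void *demo_counter_mutex;
static int demo_counter; /* the kind of global the mutexes guard */

int demo_thread_init(const struct demo_thread_functions *tf)
{
    int ret;
    if (!tf || !tf->create_mutex || !tf->destroy_mutex || !tf->lock_mutex)
        return EINVAL;
    ret = tf->create_mutex("demo_counter", &demo_counter_mutex, __func__);
    if (ret == 0) demo_fns = tf;
    return ret;
}

int demo_bump_counter(void)
{
    int v;
    if (demo_fns) demo_fns->lock_mutex(demo_counter_mutex, DEMO_THREAD_LOCK, __func__);
    v = ++demo_counter;
    if (demo_fns) demo_fns->lock_mutex(demo_counter_mutex, DEMO_THREAD_UNLOCK, __func__);
    return v;
}

void demo_thread_shutdown(void)
{
    if (demo_fns == NULL) return;
    demo_fns->destroy_mutex(demo_counter_mutex, __func__);
    demo_counter_mutex = NULL;
    demo_fns = NULL;
}

/* Caller side, in exactly one .c file (typically just before main()). */
DEMO_THREADS_DEF_PTHREAD_IMPLEMENTATION(demo_pthread_fns);

/* The destroy bug reported in the thread: de-initialises but never frees. */
static void demo_leaky_destroy_mutex(void *plock, const char *loc)
{
    (void)loc;
    pthread_mutex_destroy(plock);
}
static const struct demo_thread_functions demo_leaky_fns =
    { demo_pthread_fns_create_mutex, demo_leaky_destroy_mutex, demo_pthread_fns_lock_mutex };

/* One init/use/shutdown cycle; returns how many mutex allocations it leaked. */
int demo_cycle_leaked(const struct demo_thread_functions *tf)
{
    int before = demo_live_mutexes;
    if (demo_thread_init(tf) != 0) return -1;
    demo_bump_counter();
    demo_thread_shutdown();
    return demo_live_mutexes - before;
}

int main(void)
{
    return (demo_cycle_leaked(&demo_leaky_fns) == 1 &&
            demo_cycle_leaked(&demo_pthread_fns) == 0) ? 0 : 1;
}
```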
From: sam at liddicott.com (Sam Liddicott) Date: Wed Apr 8 08:47:28 2009 Subject: smbd process block References: <49DA118F.90701@liddicott.com> <3F66C13F3DFA3F832E3CD495@syn> <49DB5642.5070900@liddicott.com> <49DB5F7F.5070300@liddicott.com> <171F58EABF051AE7611EEE62@[10.255.253.2]> Message-ID: <49DC6465.7040603@liddicott.com> * Goran Lowkrantz wrote, On 07/04/09 17:52: > Hi Sam, > > I have tested accessing the directory with windows explorer but that > too goes Not responding. I have touched both an old and a new file but > that didn't change anything. > > here is the lsof of the unresponsive smbd: >> lsof -p 71672 I'm not able to comment on the significance of the process being owned by root, maybe one of the active samba3 devs can. Sadly, I don't see clear evidence of what is wrong or what windows is waiting for; all the requests seem responded to. I'm sorry I couldn't get closer to the source of the problem. As this is easily re-producible behaviour, I suggest you file a bug report at https://bugzilla.samba.org/ Sam From sassyn at gmail.com Wed Apr 8 12:09:30 2009
From: sassyn at gmail.com (Sassy Natan) Date: Wed Apr 8 12:09:40 2009 Subject: OpenLDAP with Samba4 Message-ID: <529a12f40904080509s42084a8eq85d6e827db3bb712@mail.gmail.com> Dear Group One Quick Question I have is as follows: I have been using Bind9 and the DHCP3 Server for quite some time now. In my own configuration I use OpenLDAP as the back end for the DHCP server and for the Bind9. It is working great, and gives me a lot of flexibility in changing the DHCP scope, adding new hosts to the Bind and even doing DDNS for my leased hosts. While installing Samba4 with OpenLDAP Backend (version 2.4.15), I added a new Database suffix, set the database indexes, permission and the schema file for this database. (I used DHCP.SCHEMA and BIND.SCHEMA) Now while starting the OpenLDAP and Samba4 I don't see this new Database Suffix. I only see Samba4 Default Directories. Even if I start OpenLDAP with -H ldap:// (Just for testing) I still don't see this. What can I do in order to add this to my configuration? I know I can convert the Bind or DHCP Schema to be part of the Schema.LDIF, but this seems to me wrong, because I will end up with a non compatible Schema File. I also know that the DHCP Classes and BIND classes are not supported in the Full Microsoft Active Directory Schema that should come in the next alpha version of Samba. Can anyone recommend what to do? My idea at the moment is to run an additional LDAP server on a different port, and to have bind9 and dhcpd bind to it, but this is a little overhead. What do you say? Maybe we should consider adding this support as part of the samba4 solution? 10x Sassy From awilliam at whitemice.org Wed Apr 8 12:40:06 2009
From: awilliam at whitemice.org (Adam Tauno Williams) Date: Wed Apr 8 12:44:47 2009 Subject: OpenLDAP with Samba4 In-Reply-To: <529a12f40904080509s42084a8eq85d6e827db3bb712@mail.gmail.com> References: <529a12f40904080509s42084a8eq85d6e827db3bb712@mail.gmail.com> Message-ID: <1239194406.5694.19.camel@linux-m3mt> > One Quick Question I have is as follow: > I have being using Bind9 and the DHCP3 Server for quite some time now. > In my own configuration I use OpenLDAP as a the back end for the DHCP server > and for the Bind9 > It is working great, and give me a lot of flexibly in changing the DHCP > scope, add new hosts to the Bind and even do DDNS for my leased hosts. > While installing Samba4 with OpenLDAP Backend (version 2.4.15) , I add a new > Database suffix, set the database indexes, permission and the schema file > for this database. Are you setting it up in slapd.conf but Samba configured cn=config (config backend)? There isn't any reason multiple databases/roots shouldn't work. > (I used DHCP.SCHEMA and BIND.SCHEMA) We do much the same thing, using LDAP enabled BIND and DHCP. We've just poked at Samba 4 a little bit because how to get from "here" to "there" is a real head scratcher. [It is hard to imagine giving up DNS in LDAP, it is just too handy.] From scott.lovenberg at gmail.com Wed Apr 8 14:42:18 2009 
From: scott.lovenberg at gmail.com (Scott Lovenberg) Date: Wed Apr 8 14:42:40 2009 Subject: [Samba] Update on bugzilla.samba.org In-Reply-To: <49DB4B75.7060704@samba.org> References: <49DB4B75.7060704@samba.org> Message-ID: <49DCB7CA.1060708@gmail.com> jerry wrote: > Fyi... > > We ran into some db connection issues last night (about > 10pm GMT-5 I think). This issue has been temporarily > resolved, but I expect that we'll be taking the server > offline for a short period sometime this week for further > db maintenance. > > Also Deryck and I will be exploring some potential > improvements to Samba's bugzilla service in the coming > weeks. > > I'll try to keep everyone updated. > > > > cheers, jerry > -- > ===================================================================== > "What man is a man who does not make the world better?" --Balian > I figure this request dovetails the bugzilla maintenance, sorry if it seems like I'm thread hijacking. Would it be possible to turn on the 'vote for bug' feature (or remove the reference to it altogether)? I wanted to flag a bug the other week and followed the bugzilla link to vote for it, only to find out it was disabled. Would enabling this be a productive use of resources? From jerry at samba.org Wed Apr 8 14:52:01 2009
From: jerry at samba.org (jerry) Date: Wed Apr 8 14:51:45 2009 Subject: [Samba] Update on bugzilla.samba.org In-Reply-To: <49DCB7CA.1060708@gmail.com> References: <49DB4B75.7060704@samba.org> <49DCB7CA.1060708@gmail.com> Message-ID: <49DCBA11.3000009@samba.org> Scott Lovenberg wrote: > I figure this request dovetails the bugzilla maintenance, > sorry if it seems like I'm thread hijacking. Nah. It's fine. > Would it be possible to turn on the 'vote for bug' feature > (or remove the reference to it altogether)? I wanted to > flag a bug the other week and followed the bugzilla link to > vote for it, only to find out it was disabled. > Would enabling this be a productive use of resources? I've never used that feature. Is it a "me too" counter? cheers, jerry -- ===================================================================== "What man is a man who does not make the world better?" --Balian From Volker.Lendecke at SerNet.DE Wed Apr 8 15:54:07 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Wed Apr 8 15:54:05 2009 Subject: patch for kernel oplocks Message-ID: Skipped content of type multipart/mixed -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090408/a6d6c41d/attachment.bin From tprouty at samba.org Wed Apr 8 16:21:39 2009
From: tprouty at samba.org (Tim Prouty)
Date: Wed Apr 8 16:21:50 2009
Subject: patch for kernel oplocks
In-Reply-To:
References:
Message-ID: <5FA772AA-604F-4831-9452-0E6DBF8A4A8D@samba.org>

On Apr 8, 2009, at 8:54 AM, Volker Lendecke wrote:

> Hi (Tim, Steven)!
>
> Any comments to the attached patch? You're the ones having
> looked at oplocks most lately...
>
> Volker
> <0001-We-have-to-deny-a-level-2-oplock-if-kernel-oplocks-a.patch>

Hi Volker,

I'm not very familiar with the linux kernel lease/oplock API, but based on the comments in your commit message this patch looks fine. Out of curiosity, are you working on making level2 kernel oplocks work using samba on linux? Have there been any recent improvements in the linux API that will make this easier?

It would definitely be cool to get RAW-OPLOCK passing against kernel oplocks on linux. I have an smbtorture patch that gets RAW-OPLOCK passing against our kernel oplocks, but it's not quite ready to upstream yet. My patch handles a few small differences in how we handle oplock breaks when compared with windows.

-Tim

From jra at samba.org Wed Apr 8 18:29:34 2009
From: jra at samba.org (Jeremy Allison)
Date: Wed Apr 8 18:29:56 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <1239151927.7649.86.camel@pico.li.ssimo.org>
References: <20090405003315.GB15741@jeremy-desktop> <20090407225305.GG27602@samba1> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> <1239150698.7649.71.camel@pico.li.ssimo.org> <20090408003604.GC6877@jeremy-laptop> <20090408003910.GD6877@jeremy-laptop> <1239151927.7649.86.camel@pico.li.ssimo.org>
Message-ID: <20090408182934.GA11675@jeremy-laptop>

On Wed, Apr 08, 2009 at 12:52:07AM +0000, simo wrote:
> On Tue, 2009-04-07 at 17:39 -0700, Jeremy Allison wrote:
> > On Tue, Apr 07, 2009 at 05:36:04PM -0700, Jeremy Allison wrote:
> > > On Wed, Apr 08, 2009 at 12:31:38AM +0000, simo wrote:
> > > >
> > > > If you think you can add other types of locks later on without changing
> > > > the public API I see no problem going step by step.
> > > > But keep in mind that the huge macro (or my proposed define), moves all
> > > > that code into the API.
> > >
> > > No, actually it doesn't - that's the nice thing about it !
> >
> > In case I'm not being clear enough here, the huge macro
> > is a *sample* implementation of the public API, but it's
> > not the only one. Anyone can write an implementation for
> > any platform so long as it has the same semantics that
> > the vectored functions in the struct require.
> >
> > Note the sample code in the macro doesn't make use
> > of the lock names or debugging __location__ information,
> > but another implementation could easily do so for
> > debugging purposes.
>
> Oh ok,
> I thought you wanted to include it into libsmbclient.h, my fault.

Ok, here is the modified version containing all the comments. Changed _lock to _mutex to make it clearer, removed RW lock stuff we're not currently using, added static to big macro functions.
If this is ok, I'll commit and start implementing the changes needed to thread libsmbclient.

Jeremy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads.h
Type: text/x-chdr
Size: 3775 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090408/aebdd70a/smb_threads.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads_internal.h
Type: text/x-chdr
Size: 1647 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090408/aebdd70a/smb_threads_internal.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb_threads.c
Type: text/x-csrc
Size: 2744 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090408/aebdd70a/smb_threads-0001.bin

From derrell.lipman at unwireduniverse.com Wed Apr 8 18:52:49 2009
From: derrell.lipman at unwireduniverse.com (Derrell Lipman)
Date: Wed Apr 8 18:53:03 2009
Subject: Threading libsmbclient - a proposal.
In-Reply-To: <20090408182934.GA11675@jeremy-laptop>
References: <20090405003315.GB15741@jeremy-desktop> <49DBDE8E.7090805@highlandsun.com> <20090407233228.GH27602@samba1> <49DBE6C1.1090600@highlandsun.com> <20090407235637.GK27602@samba1> <1239150698.7649.71.camel@pico.li.ssimo.org> <20090408003604.GC6877@jeremy-laptop> <20090408003910.GD6877@jeremy-laptop> <1239151927.7649.86.camel@pico.li.ssimo.org> <20090408182934.GA11675@jeremy-laptop>
Message-ID:

On Wed, Apr 8, 2009 at 2:29 PM, Jeremy Allison wrote:
>
> Ok, here is the modified version containing all
> the comments. Changed _lock to _mutex to make
> it clearer, removed RW lock stuff we're not currently
> using, added static to big macro functions.
>
> If this is ok, I'll commit and start implementing
> the changes needed to thread libsmbclient.
>

Hi Jeremy,

I just spent some time going over this and I don't see any obvious gotchas with it. Other than the massive macro mentioned by Simo that I'm also not thrilled by (but I think it probably makes sense in this context), it looks like a nice clean interface.

Derrell

From Volker.Lendecke at SerNet.DE Wed Apr 8 18:53:05 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Wed Apr 8 18:53:04 2009
Subject: patch for kernel oplocks
In-Reply-To: <5FA772AA-604F-4831-9452-0E6DBF8A4A8D@samba.org>
References: <5FA772AA-604F-4831-9452-0E6DBF8A4A8D@samba.org>
Message-ID:

On Wed, Apr 08, 2009 at 09:21:39AM -0700, Tim Prouty wrote:
> I'm not very familiar with the linux kernel lease/oplock API, but
> based on the comments in your commit message this patch looks fine.
> Out of curiosity, are you working on making level2 kernel oplocks work
> using samba on linux? Have there been any recent improvements in the
> linux API that will make this easier?

Not that I know of. I have a little test program that shows that you can not get a read lease if there is any fd open for write. This is quite different from a level 2 oplock.

Jeff Layton on the #samba-technical irc channel had an interesting suggestion: A cifs level 2 oplock is a query to be notified if someone else writes. We could use the inotify system for this. I haven't started coding that, but it's at least an interesting idea that is worth exploring.

Volker

From rob at atc-nycorp.com Wed Apr 8 18:32:29 2009
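The read-lease behaviour Volker describes above, and the inotify idea he attributes to Jeff Layton, as an added example (not Volker's test program and not Samba code). It assumes Linux and a constructed scratch file under /tmp; all function names are hypothetical.

```c
#define _GNU_SOURCE             /* for F_SETLEASE */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

/* All names below are hypothetical; none of this is Samba code. */
enum lease_result { LEASE_GRANTED, LEASE_DENIED_WRITER, LEASE_UNAVAILABLE, LEASE_ERROR };

/* Ask for a read lease on path, optionally while a write fd is held open. */
static enum lease_result try_read_lease(const char *path, int with_writer)
{
    enum lease_result res;
    int wfd = -1, rfd;

    if (with_writer && (wfd = open(path, O_WRONLY)) < 0)
        return LEASE_ERROR;
    rfd = open(path, O_RDONLY);           /* read leases need a read-only fd */
    if (rfd < 0) {
        if (wfd >= 0)
            close(wfd);
        return LEASE_ERROR;
    }
    if (fcntl(rfd, F_SETLEASE, F_RDLCK) == 0) {
        res = LEASE_GRANTED;
        fcntl(rfd, F_SETLEASE, F_UNLCK);  /* release before anyone can break it */
    } else if (errno == EAGAIN) {
        res = LEASE_DENIED_WRITER;        /* the file is open for writing */
    } else {
        res = LEASE_UNAVAILABLE;          /* e.g. EINVAL: no lease support here */
    }
    close(rfd);
    if (wfd >= 0)
        close(wfd);
    return res;
}

/* 1 if an IN_MODIFY watch reports a write to path, 0 if it does not,
 * -1 if inotify cannot be used in this environment. */
static int inotify_sees_write(const char *path)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int seen = 0, ifd, wfd;
    ssize_t n;
    char *p = buf;

    if ((ifd = inotify_init1(IN_NONBLOCK)) < 0)
        return -1;
    if (inotify_add_watch(ifd, path, IN_MODIFY) < 0) {
        close(ifd);
        return -1;
    }
    wfd = open(path, O_WRONLY | O_APPEND); /* the "someone else" who writes */
    if (wfd >= 0) {
        if (write(wfd, "x", 1) != 1)
            perror("write");
        close(wfd);
    }
    n = read(ifd, buf, sizeof(buf));       /* non-blocking: -1 if nothing queued */
    while (n > 0 && p < buf + n) {
        struct inotify_event *ev = (struct inotify_event *)p;
        if (ev->mask & IN_MODIFY)
            seen = 1;
        p += sizeof(*ev) + ev->len;
    }
    close(ifd);
    return seen;
}

/* Runs both probes on a constructed scratch file. *lease_ok: 1 = lease granted
 * when alone and refused while a writer exists, 0 = leases unavailable here,
 * -1 = unexpected. *notify_ok: result of inotify_sees_write(). Returns 0 if run. */
static int run_demo(int *lease_ok, int *notify_ok)
{
    char path[] = "/tmp/lease_demo_XXXXXX";
    enum lease_result alone, busy;
    int fd = mkstemp(path);

    if (fd < 0)
        return -1;
    close(fd);   /* mkstemp's read-write fd would itself count as a writer */
    alone = try_read_lease(path, 0);
    busy = try_read_lease(path, 1);
    *notify_ok = inotify_sees_write(path);
    unlink(path);
    *lease_ok = alone != LEASE_GRANTED ? 0 : (busy == LEASE_DENIED_WRITER ? 1 : -1);
    return 0;
}

int main(void)
{
    int lease_ok, notify_ok;

    if (run_demo(&lease_ok, &notify_ok) != 0)
        return 1;
    printf("lease refused with writer: %d, inotify saw write: %d\n", lease_ok, notify_ok);
    return 0;
}
```

The lease request is refused with EAGAIN while any descriptor is open for writing, whereas the inotify watch simply reports the write after the fact, which is the notification-only semantics the message compares to a level 2 oplock.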
From: rob at atc-nycorp.com (Rob Joyce)
Date: Wed Apr 8 18:59:06 2009
Subject: Windows service management
Message-ID: <60D45469A1AAD311A04C009027B6BF680685AD23@SERVER20>

Hi all,

Back about 2 years ago, there was some discussion on this list about Samba support for creating and deleting services on Windows machines (in addition to starting and stopping them). Danny Tylman provided a patch implementing this

http://lists.samba.org/archive/samba-technical/2007-April/052868.html

and there seemed to be some interest about it in subsequent messages.

However, it looks like the createservice / deleteservice support was never integrated -- at least, as far as I could tell from 3.3.3 and 4.0.0a7 source.

I'm just curious what happened to this feature...

Thanks!
_Rob

From gd at samba.org Wed Apr 8 19:23:18 2009
From: gd at samba.org (Guenther Deschner)
Date: Wed Apr 8 19:23:29 2009
Subject: Windows service management
In-Reply-To: <60D45469A1AAD311A04C009027B6BF680685AD23@SERVER20>
References: <60D45469A1AAD311A04C009027B6BF680685AD23@SERVER20>
Message-ID: <49DCF9A6.9020408@samba.org>

Rob Joyce wrote:
> Hi all,
>
> Back about 2 years ago, there was some discussion on this list about Samba
> support for creating and deleting services on Windows machines (in addition
> to starting and stopping them). Danny Tylman provided a patch implementing
> this
>
> http://lists.samba.org/archive/samba-technical/2007-April/052868.html
> and there seemed to be some interest about it in subsequent messages.
>
> However, it looks like the createservice / deleteservice support was never
> integrated -- at least, as far as I could tell from 3.3.3 and 4.0.0a7
> source.
>
> I'm just curious what happened to this feature...

Ok, so this is tracked in https://bugzilla.samba.org/show_bug.cgi?id=5329

At the time the patch was posted, we already started to move to IDL based and autogenerated rpc functions. This makes features like that dramatically easier to add. Unfortunately we haven't heard back from the original author for a while now.

So, I think we will just add this to Samba 3.4 (not sure if we can get it into 3.3 as well at this time, depends on you convincing our release-manager :) ). Just subscribe to that bug to follow the progress.

Guenther

--
Günther Deschner  GPG-ID: 8EE11688
Red Hat  gdeschner@redhat.com
Samba Team  gd@samba.org

From andrew at id10ts.net Thu Apr 9 03:04:51 2009
From: andrew at id10ts.net (Andrew Kroeger)
Date: Thu Apr 9 03:11:42 2009
Subject: Update on bugzilla.samba.org
In-Reply-To: <49DB4B75.7060704@samba.org>
References: <49DB4B75.7060704@samba.org>
Message-ID: <49DD65D3.2040102@id10ts.net>

jerry wrote:
> Fyi...
>
> We ran into some db connection issues last night (about
> 10pm GMT-5 I think). This issue has been temporarily
> resolved, but I expect that we'll be taking the server
> offline for a short period sometime this week for further
> db maintenance.

It appears that the same issue is happening again. I tried to catch someone on IRC that knows how to kickstart bugzilla, but didn't have any luck.

Sincerely,
Andrew Kroeger

From jerry at samba.org Thu Apr 9 03:15:06 2009
From: jerry at samba.org (Gerald Carter)
Date: Thu Apr 9 03:15:24 2009
Subject: Update on bugzilla.samba.org
In-Reply-To: <49DD65D3.2040102@id10ts.net>
References: <49DB4B75.7060704@samba.org> <49DD65D3.2040102@id10ts.net>
Message-ID: <49DD683A.8040600@samba.org>

Andrew Kroeger wrote:
> jerry wrote:
>> Fyi...
>>
>> We ran into some db connection issues last night (about
>> 10pm GMT-5 I think). This issue has been temporarily
>> resolved, but I expect that we'll be taking the server
>> offline for a short period sometime this week for further
>> db maintenance.
>
> It appears that the same issue is happening again. I tried to catch
> someone on IRC that knows how to kickstart bugzilla, but didn't have any
> luck.

Temporary workaround in place. Thanks.

jerry

From abartlet at samba.org Thu Apr 9 04:55:54 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Thu Apr 9 04:55:53 2009
Subject: Samba4 Full Active Directory Schema Issues?
In-Reply-To: <1238715969.4197.180.camel@naomi.s4.naomi.abartlet.net>
References: <1238468200.12404.29.camel@ruth> <1238715969.4197.180.camel@naomi.s4.naomi.abartlet.net>
Message-ID: <1239252954.8162.14.camel@ruth>

On Fri, 2009-04-03 at 10:46 +1100, Andrew Bartlett wrote:
> On Tue, 2009-03-31 at 23:56 +0300, Ido Mandril wrote:
> > When do you think this will be on the MASTER REPO So I could check it
> > out? Does this plan for Alpha8? if so is there any estimated date for
> > Alpha8?
>
> I hope to have it out by SambaXP, with the new schema and UID changing
> fixes in it. Perhaps if the schema issue drags on again, we might cut
> another 'quick' alpha before that.

I just wanted to let you know that Samba4 now uses the full AD schema, as supplied by Microsoft under the WSPP. The code is available now in the 'master' GIT branch.

I'll try (no promises!) to get an alpha8 release out before or during SambaXP.

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com

From abartlet at samba.org Thu Apr 9 05:04:42 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Thu Apr 9 05:04:40 2009
Subject: Thank you very much for your WSPP schema work
Message-ID: <1239253482.8162.19.camel@ruth>

I just wanted to extend a note of thanks to you for all your hard work towards the full AD schema in Samba4. The files Microsoft produced were certainly 'interesting' to work with, and I really appreciate your python wrangling to get them into a form we can actually use.

In particular, I thought you might like to know that the code you wrote has now been merged into Samba.

Thanks!

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com

From lanttor.g at gmail.com Thu Apr 9 05:28:58 2009
From: lanttor.g at gmail.com (lanttor)
Date: Thu Apr 9 05:29:04 2009
Subject: One issue on samba-3.0.32 version
Message-ID: <22964692.post@talk.nabble.com>

Hi,

I cross-compile samba-3.0.32 for the powerpc platform. I build it successfully and run smbd on the powerpc platform, but I hit an issue when I run smbclient -L "ip_of_powerpc_platform" from the host.

(1) The log.smbd on powerpc platform is:

[root@/]# cat /usr/var/log.smbd
[1970/01/01 00:05:31, 0] lib/util_sec.c:assert_gid(119)
  Failed to set gid privileges to (-1,99) now set to (0,0) uid=(0,0)
[1970/01/01 00:05:31, 0] lib/util.c:smb_panic(1633)
  PANIC (pid 441): failed to set gid
[1970/01/01 00:05:31, 0] lib/util.c:log_stack_trace(1737)
  BACKTRACE: 15 stack frames:
   #0 smbd(log_stack_trace+0x26) [0x801f7d30]
   #1 smbd(smb_panic+0x62) [0x801f7e1c]
   #2 smbd [0x801fc1d2]
   #3 smbd(set_effective_gid+0x12) [0x801fc1ee]
   #4 smbd [0x800e85c2]
   #5 smbd(set_sec_ctx+0x152) [0x800e88e0]
   #6 smbd(change_to_user+0x50e) [0x800e00f6]
   #7 smbd [0x800f731a]
   #8 smbd(make_connection+0x530) [0x800f7d86]
   #9 smbd(reply_tcon_and_X+0x27e) [0x800cb100]
   #10 smbd [0x800f4102]
   #11 smbd(smbd_process+0x326) [0x800f4a5a]
   #12 smbd(main+0x87e) [0x80278308]
   #13 /lib/libc.so.6(__libc_start_main+0x84) [0x803c02c8]
   #14 smbd [0x80099206]
[1970/01/01 00:05:31, 0] lib/fault.c:dump_core(181)
  dumping core in /usr/var/cores/smbd

(2) the /etc/samba/smb.conf is :

[global]
dns proxy = no
workgroup = WORKGROUP
interfaces = eth0 eth1
security = share
log level = 1 # Default is 0
socket options = TCP_NODELAY IPTOS_LOWDELAY
max xmit = 65535

[public]
comment = Public stuff
path = /share
public = yes
writeable = yes
browseable = yes
printable = no

(3) My test operation is:

$ smbclient -L 10.192.208.230 (the samba server on powerpc board)
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.32]
Receiving SMB: Server stopped responding
tree connect failed: Call returned zero bytes (EOF)

Note: if I set smb.conf: security = root, it could work, but seems slow.
(4) My samba cross-compile build step for powerpc platform is as follows:

SMB_BUILD_CC_NEGATIVE_ENUM_VALUES=yes linux_getgrouplist_ok=yes ./configure --prefix=%{_prefix} --host=$CFGHOST --build=%{_build} --target=$CFGHOST --with-sendfile-support --disable-cups

I tried to build and run Samba 3.0.34 version based on the above steps, but got the same result.

Could anyone give some help with that? Thanks!

From abartlet at samba.org Thu Apr 9 06:57:57 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Thu Apr 9 06:57:59 2009
Subject: OpenLDAP with Samba4
In-Reply-To: <1239194406.5694.19.camel@linux-m3mt>
References: <529a12f40904080509s42084a8eq85d6e827db3bb712@mail.gmail.com> <1239194406.5694.19.camel@linux-m3mt>
Message-ID: <1239260277.8162.35.camel@ruth>

On Wed, 2009-04-08 at 08:40 -0400, Adam Tauno Williams wrote:
> > One Quick Question I have is as follows:
> > I have been using Bind9 and the DHCP3 Server for quite some time now.
> > In my own configuration I use OpenLDAP as the back end for the DHCP server
> > and for the Bind9
> > It is working great, and gives me a lot of flexibility in changing the DHCP
> > scope, add new hosts to the Bind and even do DDNS for my leased hosts.
> > While installing Samba4 with OpenLDAP Backend (version 2.4.15) , I add a new
> > Database suffix, set the database indexes, permission and the schema file
> > for this database.
>
> Are you setting it up in slapd.conf but Samba configured cn=config
> (config backend)? There isn't any reason multiple databases/roots
> shouldn't work.

But I really don't see a good reason why it should be made to work. Is the cost of a separate slapd process really that much that you want to mix in that schema with the AD schema, but not put them in a common directory?

I could see a lot of sense if you wanted it to appear into AD, but that does not seem to be your aim.

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com

From lanttor.g at gmail.com Thu Apr 9 08:08:07 2009
From: lanttor.g at gmail.com (lanttor)
Date: Thu Apr 9 08:08:03 2009
Subject: One issue on samba-3.0.32 version
In-Reply-To: <22964692.post@talk.nabble.com>
References: <22964692.post@talk.nabble.com>
Message-ID: <22966292.post@talk.nabble.com>

I got the answer through a trace: set macro USE_SETREUID to 1, then it can work.

lanttor

lanttor wrote:
>
> Hi,
>
> I cross-compile samba-3.0.32 for the coldfire platform. I build it
> successfully and run smbd on the coldfire platform, but I hit an issue
> when I run smbclient -L "ip_of_powerpc_platform" from the host.
>
> (1) The log.smbd on coldfire platform is:
>
> [root@/]# cat /usr/var/log.smbd
> [1970/01/01 00:05:31, 0] lib/util_sec.c:assert_gid(119)
> Failed to set gid privileges to (-1,99) now set to (0,0) uid=(0,0)
> [1970/01/01 00:05:31, 0] lib/util.c:smb_panic(1633)
> PANIC (pid 441): failed to set gid
>
> [1970/01/01 00:05:31, 0] lib/util.c:log_stack_trace(1737)
> BACKTRACE: 15 stack frames:
> #0 smbd(log_stack_trace+0x26) [0x801f7d30]
> #1 smbd(smb_panic+0x62) [0x801f7e1c]
> #2 smbd [0x801fc1d2]
> #3 smbd(set_effective_gid+0x12) [0x801fc1ee]
> #4 smbd [0x800e85c2]
> #5 smbd(set_sec_ctx+0x152) [0x800e88e0]
> #6 smbd(change_to_user+0x50e) [0x800e00f6]
> #7 smbd [0x800f731a]
> #8 smbd(make_connection+0x530) [0x800f7d86]
> #9 smbd(reply_tcon_and_X+0x27e) [0x800cb100]
> #10 smbd [0x800f4102]
> #11 smbd(smbd_process+0x326) [0x800f4a5a]
> #12 smbd(main+0x87e) [0x80278308]
> #13 /lib/libc.so.6(__libc_start_main+0x84) [0x803c02c8]
> #14 smbd [0x80099206]
> [1970/01/01 00:05:31, 0] lib/fault.c:dump_core(181)
> dumping core in /usr/var/cores/smbd
>
> (2) the /etc/samba/smb.conf is :
>
> [global]
> dns proxy = no
> workgroup = WORKGROUP
> interfaces = eth0 eth1
> security = share
> log level = 1 # Default is 0
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> max xmit = 65535
>
> [public]
> comment = Public stuff
> path = /share
> public = yes
> writeable = yes
> browseable = yes
> printable = no
>
> (3) My test operation is:
> $ smbclient -L 10.192.208.230 (the samba server on coldfire board)
> Password:
> Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.32]
> Receiving SMB: Server stopped responding
> tree connect failed: Call returned zero bytes (EOF)
>
> Note: if I set smb.conf: security = root, it could work, but seems slow.
>
> (4) My samba cross-compile build step for coldfire platform is as
> follows:
> SMB_BUILD_CC_NEGATIVE_ENUM_VALUES=yes linux_getgrouplist_ok=yes
> ./configure --prefix=%{_prefix} --host=$CFGHOST --build=%{_build}
> --target=$CFGHOST --with-sendfile-support --disable-cups
> make -j1
>
> I tried to build and run Samba 3.0.34 version based on the above steps, but
> got the same result.
>
> Could anyone give some help with that? Thanks!
>

From ido.mandril at gmail.com Thu Apr 9 18:52:43 2009
From: ido.mandril at gmail.com (Ido Mandril)
Date: Thu Apr 9 18:52:40 2009
Subject: Samba4 Full Active Directory Schema Issues?
In-Reply-To: <1239252954.8162.14.camel@ruth>
References: <1238468200.12404.29.camel@ruth> <1238715969.4197.180.camel@naomi.s4.naomi.abartlet.net> <1239252954.8162.14.camel@ruth>
Message-ID:

You are the man! I don't know if I'm allowed to say that but really really good job!!!

Too bad I can't join you at SambaXP. I hope next year, after I finish my studies, I will have some money to come over there and get you a beer!!!!

Thanks again to all the SAMBA Group members.

Ido

On Thu, Apr 9, 2009 at 6:55 AM, Andrew Bartlett wrote:

> On Fri, 2009-04-03 at 10:46 +1100, Andrew Bartlett wrote:
> > On Tue, 2009-03-31 at 23:56 +0300, Ido Mandril wrote:
>
> > > When do you think this will be on the MASTER REPO So I could check it
> > > out? Does this plan for Alpha8? if so is there any estimated date for
> > > Alpha8?
> >
> > I hope to have it out by SambaXP, with the new schema and UID changing
> > fixes in it. Perhaps if the schema issue drags on again, we might cut
> > another 'quick' alpha before that.
>
> I just wanted to let you know that Samba4 now uses the full AD schema,
> as supplied by Microsoft under the WSPP. The code is available now in
> the 'master' GIT branch.
>
> I'll try (no promises!) to get an alpha8 release out before or during
> SambaXP.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett  http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Red Hat Inc.  http://redhat.com
>

From invite at scour.com Fri Apr 10 02:32:37 2009
From nadezhda.ivanova at postpath.com Fri Apr 10 09:09:41 2009
From: nadezhda.ivanova at postpath.com (Nadezhda Ivanova)
Date: Fri Apr 10 09:10:04 2009
Subject: [PATCH] Fixed problem with schemaUpdateNow request.
Message-ID: <24E5C394AF11DB11B7E8001422525D3815A875A@ppsd.sofia-corp.postpath.com>

Hi Samba,

The attached patch contains the fix for the schemaUpdateNow request not working, + test. Hopefully, we should now be able to modify the Schema via LDAP.

Regards,
Nadezhda, Anatoliy and Zahari

Nadezhda Ivanova
Software Engineer
IVSoftware Development
nadezhda.ivanova@postpath.com
CISCO SYSTEMS BULGARIA EOOD
18 Macedonia Blvd. Sofia 1606 Bulgaria
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Fixed-problem-with-schemaUpdateNow-request.txt.patch
Type: application/octet-stream
Size: 6971 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090410/43d31d5f/Fixed-problem-with-schemaUpdateNow-request.txt.obj

From jra at samba.org Fri Apr 10 19:34:30 2009
From: jra at samba.org (Jeremy Allison)
Date: Fri Apr 10 19:34:47 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-927-gd8a6ea8
In-Reply-To: <20090408212454.521F01CC0FB@us2.samba.org>
References: <20090408212454.521F01CC0FB@us2.samba.org>
Message-ID: <20090410193430.GE16624@samba1>

On Wed, Apr 08, 2009 at 04:24:54PM -0500, Günther Deschner wrote:
> The branch, master has been updated
> via d8a6ea8141fba4876b6674806b629748ecf41876 (commit)
> from ccd293ba0e7eede1115c6f2f7de36bc38b59c02f (commit)
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit d8a6ea8141fba4876b6674806b629748ecf41876
> Author: Günther Deschner
> Date: Wed Apr 8 23:21:41 2009 +0200
>
> s3-svcctl: Fix _svcctl_EnumServicesStatusW (again).
>
> The final plan is to use the same macro based code that we have in spoolss to
> handle the buffers and calculate the buffer-sizes.
>
> Guenther
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> source3/rpc_server/srv_svcctl_nt.c | 4 +---
> 1 files changed, 1 insertions(+), 3 deletions(-)
>
>
> Changeset truncated at 500 lines:
>
> diff --git a/source3/rpc_server/srv_svcctl_nt.c b/source3/rpc_server/srv_svcctl_nt.c > index ddfe0df..1850dcb 100644 > --- a/source3/rpc_server/srv_svcctl_nt.c > +++ b/source3/rpc_server/srv_svcctl_nt.c 
> @@ -466,9 +466,7 @@ WERROR _svcctl_EnumServicesStatusW(pipes_struct *p, > } > > blob = ndr_push_blob(ndr); > - if (blob.length >= r->in.offered) { > - memcpy(r->out.service, blob.data, r->in.offered); > - } > + memcpy(r->out.service, blob.data, r->in.offered); > }

Ok, I know I'm paranoid (I should be I suppose) but this looks like it might be a valgrind uninitialized read in the making. I know that r->out.service has been allocated with the size r->in.offered ('cos I looked in the auto-generated code) so I know we're safe from buffer overrun.

But can't blob.length be less than r->in.offered here, in which case we're reading uninitialized memory off the end of blob.data ?

Please correct me :-).

Jeremy.

From denis.zavorotnyuk at gmail.com Fri Apr 10 21:28:15 2009
From: denis.zavorotnyuk at gmail.com (Denis Zavorotnyuk)
Date: Fri Apr 10 21:28:21 2009
Subject: Unmounting shares
Message-ID: <48a69f120904101428o4060f062pdefdb3a407c2b085@mail.gmail.com>

hello!

can anybody explain to me whether there is a correct way to unmount cifs shares when the system goes to shutdown if the share name contains spaces, that is "//server/share name"? when i do mount.cifs bla-bla-bla, in /etc/mtab the spaces are replaced with \040, i can understand this, but what about auto unmounting?

--
Best wishes.

From abartlet at samba.org Mon Apr 13 05:49:24 2009
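Review bot: in the _svcctl_EnumServicesStatusW hunk of source3/rpc_server/srv_svcctl_nt.c quoted above, the now unconditional memcpy copies r->in.offered bytes out of blob.data without comparing against blob.length, so whenever the pushed blob is shorter than the offered size the copy reads past the end of the source buffer. The removed test (blob.length >= r->in.offered) at least guaranteed the source was long enough. Suggest bounding the copy by the smaller of blob.length and r->in.offered, and deciding explicitly what to return when the blob is larger than the client's buffer rather than silently truncating it.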
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon Apr 13 05:49:39 2009
Subject: Need help merging LDB into common lib/
Message-ID: <1239601764.15920.10.camel@naomi.s4.naomi.abartlet.net>

I would like to see LDB merged into the top level lib/ as lib/ldb, rather than to have Samba3 and Samba4 share two different copies.

I need this for my merge of the high-level crypto functionality, but even if for some reason the use I propose there is rejected, I think avoiding needless duplication in this area is a good thing.

It also seems the right time to do this: as we have just moved past the 3.4 branch point, the next Samba3 release from 'master' is quite some time off, and any changes made to LDB APIs can be easily accommodated in that development process (I will note however that simo has gone to great lengths to avoid breaking the public API, which now ships as a system library on many platforms).

An additional advantage to this would be that like tdb and talloc, Samba3 would no longer need to bundle its use of ldb, but link to the system versions where provided. This is strongly preferred in the packaging policies of major linux distributions.

I've tried the simple approach, and made Samba4 build, but I'm at a bit of a loss as to the Samba3 build system. Perhaps someone with experience in the Samba3 build system can help me fix up the branch at:

git://git.samba.org/abartlet/samba.git ldb-common
http://gitweb.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/ldb-common

(Once this is done, I'll be in a position to test, and then propose my libcli-auth-merge3 branch)

Thanks,

Andrew Bartlett

--
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Red Hat Inc.

From abartlet at samba.org Mon Apr 13 05:52:17 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon Apr 13 05:52:22 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1005-ge9569ae
In-Reply-To: <20090411090715.86C691CC0EA@us2.samba.org>
References: <20090411090715.86C691CC0EA@us2.samba.org>
Message-ID: <1239601937.15920.12.camel@naomi.s4.naomi.abartlet.net>

On Sat, 2009-04-11 at 04:07 -0500, Volker Lendecke wrote:
> The branch, master has been updated
> via e9569ae9250ac571c63fbb450709778a247e9ca3 (commit)
> via 5fc9ca93f3f7f00198478b333d8e4ee036165121 (commit)
> via ea6094d2cbb6d96baa5db0a1cb3fdbc7f58d73e2 (commit)
> from 2ff80f0d761680f3732a46c2672bcef041a7c367 (commit)
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit e9569ae9250ac571c63fbb450709778a247e9ca3
> Author: Volker Lendecke
> Date: Thu Apr 9 15:51:35 2009 +0200
>
> Fix some nonempty blank lines
>
> commit 5fc9ca93f3f7f00198478b333d8e4ee036165121
> Author: Volker Lendecke
> Date: Thu Apr 9 11:40:08 2009 +0200
>
> Fix a memleak in an unlikely error path in change_notify_create()
>
> commit ea6094d2cbb6d96baa5db0a1cb3fdbc7f58d73e2
> Author: Volker Lendecke
> Date: Thu Apr 9 11:36:45 2009 +0200
>
> Use talloc_tos() for a temp convert_string_allocate()
>
> -----------------------------------------------------------------------
>
> Summary of changes:
> source3/smbd/notify.c | 7 ++++---
> source3/smbd/notify_internal.c | 8 ++++----
> 2 files changed, 8 insertions(+), 7 deletions(-)
>
>
> Changeset truncated at 500 lines:
>
> diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c > index fdab2ca..a17afc7 100644 > --- a/source3/smbd/notify.c 
> +++ b/source3/smbd/notify.c > @@ -81,7 +81,7 @@ static bool notify_marshall_changes(int num_changes, > > c = &changes[i]; > > - if (!convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, > + if (!convert_string_allocate(talloc_tos(), CH_UNIX, CH_UTF16LE, > c->name, strlen(c->name)+1, &uni_name.buffer, > &namelen, True) || (uni_name.buffer == NULL)) { > goto fail; Why not use convert_string_talloc() (which does exist in Samba3, even without my recent work)? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090413/18312936/attachment.bin From Volker.Lendecke at SerNet.DE Mon Apr 13 07:25:37 2009 
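Review bot: In the notify_marshall_changes hunk, the conversion now allocates on talloc_tos() right after `c = &changes[i];`, which suggests a per-change loop, so every converted name stays on the current stackframe until that frame is released. Consider releasing uni_name.buffer with TALLOC_FREE at the end of each iteration and on the `goto fail` path, or converting under a local talloc_stackframe(), so a large num_changes does not pile up UTF-16 buffers. The truncated changeset does not show how the buffer is released, and any leftover plain free() on it would now be invalid.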
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon Apr 13 07:24:55 2009
Subject: Need help merging LDB into common lib/
In-Reply-To: <1239601764.15920.10.camel@naomi.s4.naomi.abartlet.net>
References: <1239601764.15920.10.camel@naomi.s4.naomi.abartlet.net>
Message-ID:

On Mon, Apr 13, 2009 at 03:49:24PM +1000, Andrew Bartlett wrote:
> I've tried the simple approach, and made Samba4 build, but I'm at a bit
> of a loss as to the Samba3 build system. Perhaps someone with
> experience in the Samba3 build system can help me fix up the branch at:
>
> git://git.samba.org/abartlet/samba.git ldb-common
> http://gitweb.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/ldb-common
>
> (Once this is done, I'll be in a position to test, and then propose my
> libcli-auth-merge3 branch)

As told on irc, I don't see a point in further use of ldb in
Samba3, because we will have to maintain two code-bases in
Samba3 then: The clustered version that uses direct tdb (see
group_mapping.tdb) and the non-clustered version that does
ldb.

Because the existing ldb use in Samba3 already increases our
maintenance effort, please *first* fix ldb (either version,
the s3 *or* the s4 one, I don't care) to be used in a
cluster.

Or tell me about the checkins I missed :-))

Thanks,

Volker
From Volker.Lendecke at SerNet.DE Mon Apr 13 07:36:54 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Mon Apr 13 07:36:39 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1005-ge9569ae In-Reply-To: <1239601937.15920.12.camel@naomi.s4.naomi.abartlet.net> References: <20090411090715.86C691CC0EA@us2.samba.org> <1239601937.15920.12.camel@naomi.s4.naomi.abartlet.net> Message-ID: On Mon, Apr 13, 2009 at 03:52:17PM +1000, Andrew Bartlett wrote: > > - if (!convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, > > + if (!convert_string_allocate(talloc_tos(), CH_UNIX, CH_UTF16LE, > > c->name, strlen(c->name)+1, &uni_name.buffer, > > &namelen, True) || (uni_name.buffer == NULL)) { > > goto fail; > > Why not use convert_string_talloc() (which does exist in Samba3, even > without my recent work)? Done, thanks! Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090413/d32c3de5/attachment.bin From abartlet at samba.org Mon Apr 13 12:22:02 2009 
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon Apr 13 12:22:17 2009
Subject: Need help merging LDB into common lib/
In-Reply-To:
References: <1239601764.15920.10.camel@naomi.s4.naomi.abartlet.net>
Message-ID: <1239625322.15920.29.camel@naomi.s4.naomi.abartlet.net>

On Mon, 2009-04-13 at 09:25 +0200, Volker Lendecke wrote:
> On Mon, Apr 13, 2009 at 03:49:24PM +1000, Andrew Bartlett wrote:
> > I've tried the simple approach, and made Samba4 build, but I'm at a bit
> > of a loss as to the Samba3 build system. Perhaps someone with
> > experience in the Samba3 build system can help me fix up the branch at:
> >
> > git://git.samba.org/abartlet/samba.git ldb-common
> > http://gitweb.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/ldb-common
> >
> > (Once this is done, I'll be in a position to test, and then propose my
> > libcli-auth-merge3 branch)
>
> As told on irc, I don't see a point in further use of ldb in
> Samba3, because we will have to maintain two code-bases in
> Samba3 then: The clustered version that uses direct tdb (see
> group_mapping.tdb) and the non-clustered version that does
> ldb.
>
> Because the existing ldb use in Samba3 already increases our
> maintenance effort, please *first* fix ldb (either version,
> the s3 *or* the s4 one, I don't care) to be used in a
> cluster.

I'm sorry, but I don't follow the logic here. Samba3 already uses LDB, and nobody is proposing to remove this at this stage (due to existing deployed use cases). I'm just suggesting that it would be good to only have one copy to maintain.

I realise that a 'merge veto' is your only leverage to attempt to have this already common code improved, but I do not think it is appropriate in these circumstances, and I am in no position to act on your hopes for a clustered LDB.

All I'm asking is for this common library to be made common. We can discuss use cases (such as avoiding the mymachinepw script in franky, or accepting or rejecting my auth merge) at a separate stage.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
From abartlet at samba.org Mon Apr 13 12:25:11 2009
From: abartlet at samba.org (Andrew Bartlett) Date: Mon Apr 13 12:25:19 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1005-ge9569ae In-Reply-To: References: <20090411090715.86C691CC0EA@us2.samba.org> <1239601937.15920.12.camel@naomi.s4.naomi.abartlet.net> Message-ID: <1239625511.15920.32.camel@naomi.s4.naomi.abartlet.net> On Mon, 2009-04-13 at 09:36 +0200, Volker Lendecke wrote: > On Mon, Apr 13, 2009 at 03:52:17PM +1000, Andrew Bartlett wrote: > > > - if (!convert_string_allocate(NULL, CH_UNIX, CH_UTF16LE, > > > + if (!convert_string_allocate(talloc_tos(), CH_UNIX, CH_UTF16LE, > > > c->name, strlen(c->name)+1, &uni_name.buffer, > > > &namelen, True) || (uni_name.buffer == NULL)) { > > > goto fail; > > > > Why not use convert_string_talloc() (which does exist in Samba3, even > > without my recent work)? > > Done, thanks! BTW, cleanups like this are the majority of the charcnv-minimal-merge branch. After abandoning the work to actually put the core code in common, I did notice that this was a course already being taken, which is why I persisted in submitting the remainder of the patch. I'm very grateful for the work GD had done to merge these so far. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090413/5f27bc84/attachment.bin From karthikeyan.chetty at wipro.com Mon Apr 13 13:41:30 2009 
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com)
Date: Mon Apr 13 13:41:43 2009
Subject: Regarding non admin user join to Domain fix detail.
Message-ID:

Hi,

I have tried to join Linux to Win2K8 Domain with Non admin User. I tested in Samba3.0.27a and it is not joined to domain with non admin user. But in Samba3.0.28a it is working fine, Linux is joined to Win2K8 Domain with Non admin user.

I had seen in samba.org for more detail, multiple fixes are given in Samba3.0.28a. Below are the fix detail given for Samba3.0.28a.

Major bug fixes included in Samba 3.0.28a are:

o Failure to join Windows 2008 domains
o Windows Vista (including SP1 RC) interop issues

May I know what is the exact fix which is given for join Linux to WIN2K8 Domain with non admin user?

Could anyone please help me to solve the above issue?

Thanks & Regards
N.S.Karthikeyan

From: Karthikeyan Sarkarai chetty (WT01 - PES-Peripheral-Technology)
Sent: Friday, April 03, 2009 5:39 PM
To: 'samba-technical@lists.samba.org'
Subject: regarding non admin user join to Domain fix detail.
Importance: High

Hi,

I have tried to join Linux to Win2K8 Domain with Non admin User. I tested in Samba3.0.27a and it is not joined to domain with non admin user. But in Samba3.0.28a it is working fine, Linux is joined to Win2K8 Domain with Non admin user.

I had seen in samba.org for more detail, many fixes are given in Samba3.0.28a. Below are the fix detail given for Samba3.0.28a.

Major bug fixes included in Samba 3.0.28a are:

o Failure to join Windows 2008 domains
o Windows Vista (including SP1 RC) interop issues

May I know what is the exact fix which is given for join Linux to WIN2K8 Domain with non admin user?

Thanks in advance
S.Karthikeyan
From hlewis at panasas.com Mon Apr 13 23:00:05 2009
From: hlewis at panasas.com (Herb Lewis)
Date: Mon Apr 13 23:00:10 2009
Subject: question about _talloc_free
Message-ID: <49E3C3F5.6060806@panasas.com>

in lib/talloc/talloc.c we have the following function defined

static inline int _talloc_free(void *ptr)

inside this function we have the following code

        if (unlikely(tc->refs)) {
                int is_child;
                /* check this is a reference from a child or grantchild
                 * back to it's parent or grantparent
                 *
                 * in that case we need to remove the reference and
                 * call another instance of talloc_free() on the current
                 * pointer.
                 */
                is_child = talloc_is_parent(tc->refs, ptr);
                _talloc_free(tc->refs);
                if (is_child) {
                        return _talloc_free(ptr);
                }
                return -1;
        }

First in the comments "grantchild" should be "grandchild"

Second, since _talloc_free is declared as inline, this generates a warning that it cannot be inlined when you call _talloc_free from inside the function.

If the recursion was intended, we should probably remove the inline in the declaration to fix the warnings.
From jra at samba.org Tue Apr 14 00:19:24 2009
From: jra at samba.org (Jeremy Allison)
Date: Tue Apr 14 00:19:19 2009
Subject: question about _talloc_free
In-Reply-To: <49E3C3F5.6060806@panasas.com>
References: <49E3C3F5.6060806@panasas.com>
Message-ID: <20090414001924.GA7024@jeremy-laptop>

On Mon, Apr 13, 2009 at 04:00:05PM -0700, Herb Lewis wrote:
> in lib/talloc/talloc.c we have the following function defined
>
> static inline int _talloc_free(void *ptr)
>
> inside this function we have the following code
>
>         if (unlikely(tc->refs)) {
>                 int is_child;
>                 /* check this is a reference from a child or grantchild
>                  * back to it's parent or grantparent
>                  *
>                  * in that case we need to remove the reference and
>                  * call another instance of talloc_free() on the current
>                  * pointer.
>                  */
>                 is_child = talloc_is_parent(tc->refs, ptr);
>                 _talloc_free(tc->refs);
>                 if (is_child) {
>                         return _talloc_free(ptr);
>                 }
>                 return -1;
>         }
>
>
> First in the comments "grantchild" should be "grandchild"

Yup :-).

> Second, since _talloc_free is declared as inline, this generates a
> warning that it cannot be inlined when you call _talloc_free from
> inside the function.

Couldn't a clever compiler be able to do this ? Wouldn't it be a push/call back to start of inline fn/pop call ? I can't see why that can't be inlined.

Jeremy.
From abartlet at samba.org Tue Apr 14 00:57:51 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Tue Apr 14 00:58:02 2009
Subject: [PATCH] Fixed problem with schemaUpdateNow request.
In-Reply-To: <24E5C394AF11DB11B7E8001422525D3815A875A@ppsd.sofia-corp.postpath.com>
References: <24E5C394AF11DB11B7E8001422525D3815A875A@ppsd.sofia-corp.postpath.com>
Message-ID: <1239670671.2581.32.camel@naomi.s4.naomi.abartlet.net>

On Fri, 2009-04-10 at 12:09 +0300, Nadezhda Ivanova wrote:
> Hi Samba,
> The attached patch contains the fix for the schemaUpdateNow request not working, + test.
> Hopefully, we should now be able to modify the Schema via LDAP.

Thanks,

The main issue I have with the test is that it does not pass against Windows 2008:

test: Testing schemaUpdateNow works correctly
failure: Testing schemaUpdateNow works correctly [
Traceback (most recent call last):
  File "lib/ldb/tests/python/ldap.py", line 1127, in test_schemaUpdateNow
    self.delete_force(self.ldb, "CN=ATest-Attribute1," + self.schema_dn)
  File "lib/ldb/tests/python/ldap.py", line 1051, in delete_force
    self.assertEquals(num, ERR_NO_SUCH_OBJECT)
AssertionError: 50 != 32
]

This makes it very difficult to prove that the behaviour is correct.

Given that we cannot (in AD, as I understand it) delete objects, we should create them with a (more) unique name, and disable them when we are finished. We should also add and test this behaviour in Samba4.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
From abartlet at samba.org Tue Apr 14 01:14:09 2009
From: abartlet at samba.org (Andrew Bartlett) Date: Tue Apr 14 01:14:04 2009 Subject: [PATCH] Fixed problem with schemaUpdateNow request. In-Reply-To: <24E5C394AF11DB11B7E8001422525D3815A875A@ppsd.sofia-corp.postpath.com> References: <24E5C394AF11DB11B7E8001422525D3815A875A@ppsd.sofia-corp.postpath.com> Message-ID: <1239671649.2581.36.camel@naomi.s4.naomi.abartlet.net> On Fri, 2009-04-10 at 12:09 +0300, Nadezhda Ivanova wrote: > Hi Samba, > The attached patch contains the fix for the schemaUpdateNow request not working, + test. > Hopefully, we should now be able to modify the Schema via LDAP. In reviewing your patch, it seems that you have invented a third style for the construction of ldb modifications: > + def test_schemaUpdateNow(self): > + """Testing schemaUpdateNow works correctly""" > + self.delete_force(self.ldb, "CN=ATest-Attribute1," + > self.schema_dn) > + ldif = "dn: CN=ATest-Attribute1," + self.schema_dn > + ldif += "\nobjectClass: top" > + ldif += "\nobjectClass: attributeSchema" > + ldif += "\ncn: ATest-Attribute1" > + ldif += "\nlDAPDisplayName: atestAttribute1" > + ldif += "\nobjectCategory: CN=AAttribute-Schema," + > self.schema_dn > + ldif += "\nattributeID: 1.2.840.113556.1.999.998" > + ldif += "\nattributeSyntax: 2.5.5.10" > + ldif += "\ninstanceType: 4" > + ldif += "\nisSingleValued: TRUE" > + ldif += "\noMSyntax: 4" > + self.ldb.add_ldif(ldif) While I'm sure it's all syntactically valid, this is needlessly unclear (with all the \n), and I simply fail to see why you could not use one of the other two styles already in the examples only a few lines further up the file. Please see if you can correct this, and re-submit. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090414/7d037c33/attachment.bin From karthikeyan.chetty at wipro.com Tue Apr 14 05:01:17 2009 
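Review bot: In test_schemaUpdateNow, the objectCategory line reads "CN=AAttribute-Schema," which looks like a typo for "CN=Attribute-Schema,"; as written the value points at a schema object that is unlikely to exist. The test also hard-codes cn, lDAPDisplayName and attributeID 1.2.840.113556.1.999.998, so a second run against a server that keeps the first object will collide with it. Deriving the name and the last OID arc from a per-run value would keep the test repeatable.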
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com)
Date: Tue Apr 14 05:01:35 2009
Subject: ./net ads join fail in Samba3.0.28a.
Message-ID:

Hi Team,

Linux is not join to AD with Non admin User till samba3.0.28, Fix is given in samba3.0.28a, I don't know the exact fix which is given for Linux Join to AD with Non admin user, I merge few files from samba3.0.28a to samba3.0.28, After compiling the code I did ./net ads join. It is throwing stack corruption error, Please find attached the error.

Could any one please tell me what is the reason for failure or exact fix which is given in samba3.0.28a for Join Linux to AD with Non admin user?

Thanks in Advance,
N.S.Karthikeyan
-------------- next part --------------
[root@Linuz bin]# ./net ads join -U karthi%wipro@123
Failed to join domain: Improperly formed account name
*** glibc detected *** ./net: free(): invalid pointer: 0x0018b7f0 ***
======= Backtrace: =========
/lib/libc.so.6[0x59f424]
/lib/libc.so.6(__libc_free+0x77)[0x59f95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x1b3abb]
/usr/lib/libkrb5.so.3[0x129823]
/usr/lib/libkrb5.so.3[0x1295c7]
/usr/lib/libkrb5.so.3[0x17a3ba]
/lib/ld-linux.so.2[0xd5d058]
/lib/libc.so.6(exit+0xc5)[0x566c69]
/lib/libc.so.6(__libc_start_main+0xce)[0x550dee]
./net[0x91837d]
Aborted
From Volker.Lendecke at SerNet.DE Tue Apr 14 05:49:36 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Apr 14 05:49:18 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <20090414040516.C15DC1CC0F1@us2.samba.org> References: <20090414040516.C15DC1CC0F1@us2.samba.org> Message-ID: On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > - if (!push_ucs2_allocate(&buffer, src, &size)) { > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { Any reason why you don't use talloc_tos() in your patches? Is there any flaw with talloc_stack.c that I should know about? Thanks, Volker From abartlet at samba.org Tue Apr 14 05:55:13 2009
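Review bot: With NULL as the talloc context in the push_ucs2_talloc() call, buffer becomes a top-level talloc allocation that nothing releases implicitly, and the quoted lines do not show the matching release. Check that the cleanup for buffer is TALLOC_FREE(buffer) and not a SAFE_FREE() or free() left over from the push_ucs2_allocate() version, since handing a talloc pointer to free() corrupts the heap. If the buffer is only needed for the duration of the call, talloc_tos() removes the need for the explicit free.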
From: abartlet at samba.org (Andrew Bartlett) Date: Tue Apr 14 05:55:40 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: References: <20090414040516.C15DC1CC0F1@us2.samba.org> Message-ID: <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> On Tue, 2009-04-14 at 07:49 +0200, Volker Lendecke wrote: > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > Any reason why you don't use talloc_tos() in your patches? > Is there any flaw with talloc_stack.c that I should know > about? I did, in most of the places where it seemed reasonable (such as was indicated by similar use in that context). The rest I just did the most simple replacement possible, to avoid introducing inadvertent errors. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090414/27f169cf/attachment.bin From Volker.Lendecke at SerNet.DE Tue Apr 14 06:00:43 2009 
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Apr 14 06:00:42 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> Message-ID: On Tue, Apr 14, 2009 at 03:55:13PM +1000, Andrew Bartlett wrote: > > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > > > Any reason why you don't use talloc_tos() in your patches? > > Is there any flaw with talloc_stack.c that I should know > > about? > > I did, in most of the places where it seemed reasonable (such as was > indicated by similar use in that context). The rest I just did the most > simple replacement possible, to avoid introducing inadvertent errors. So, what's the bug that you fear by s/NULL/talloc_tos()/? This *should* be idempotent but faster in smbd use. Volker
From denis.zavorotnyuk at gmail.com Tue Apr 14 08:38:15 2009
From: denis.zavorotnyuk at gmail.com (Denis Zavorotnyuk)
Date: Tue Apr 14 08:38:05 2009
Subject: Unmounting shares
In-Reply-To: <48a69f120904101428o4060f062pdefdb3a407c2b085@mail.gmail.com>
References: <48a69f120904101428o4060f062pdefdb3a407c2b085@mail.gmail.com>
Message-ID: <48a69f120904140138h4810dddbqd0bef97033d52eb0@mail.gmail.com>

please, help!

2009/4/11 Denis Zavorotnyuk

> hello!
> can anybody explain me whether there is the correct way to unmount cifs
> shares when system goes to shutdown if the share name contains spaces, that
> is "//server/share name"?
> when i do mount.cifs bla-bla-bla in /etc/mtab the spaces replace with \040,
> i can understand this, but what's about auto unmounting?
>
> --
> Best wishes.
>

--
Best wishes.
From abartlet at samba.org Tue Apr 14 10:11:08 2009
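For the \040 escaping raised in the "Unmounting shares" message above, an added example (not from the thread and not Samba's code) that decodes the octal escapes used in mtab-format fields and lists the cifs mount points in unmount order. The function names and the sample mtab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fields in /etc/mtab and /proc/mounts escape space, tab,
# newline and backslash as \040, \011, \012 and \134 (see getmntent(3)).
# A shutdown script that splits those files on whitespace must decode the
# escapes before handing a path to umount.

# decode_mnt_field FIELD: print FIELD with its \ooo octal escapes decoded.
decode_mnt_field() {
    # Rewrite \ooo as \0ooo, the octal form that printf's %b understands.
    printf '%b' "$(printf '%s' "$1" | sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g')"
}

# cifs_mountpoints: read mtab-format lines on stdin and print the decoded
# mount point of every cifs entry, one per line, last mounted first so that
# nested mounts are released before their parents.
cifs_mountpoints() {
    while read -r _dev dir fstype _rest; do
        [ "$fstype" = "cifs" ] || continue
        decode_mnt_field "$dir"
        printf '\n'
    done | sed '1!G;h;$!d'
}

# umount_cifs MTAB: unmount every cifs entry listed in MTAB (needs root).
# Mount points containing a newline are not handled by this line-based loop.
umount_cifs() {
    cifs_mountpoints < "$1" | while IFS= read -r mp; do
        umount "$mp"
    done
}

# Constructed sample input, not taken from a real system.
sample_mtab() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
//server/plain /mnt/plain cifs rw,mand 0 0
//server/share\040name /mnt/share\040name cifs rw,mand 0 0
EOF
}

# Demonstration on the constructed sample only; nothing is unmounted here.
sample_mtab | cifs_mountpoints
```

Where the system umount already decodes mtab itself, `umount -a -t cifs` covers the same case without a custom parser.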
From: abartlet at samba.org (Andrew Bartlett)
Date: Tue Apr 14 10:11:12 2009
Subject: libcli/auth mid-level crypto merge
Message-ID: <1239703868.15226.22.camel@naomi.s4.naomi.abartlet.net>

I've been working for some time to try and have Samba3 use Samba4's mid-level crypto code (we already share many of the low level routines).

This does not extend as far as GENSEC, but the level between the primitive crypto ops and the auth subsystem.

As it is, this code should not change any behaviours, and is not very interesting on its own, but like all merge work, it makes some other things easier in future. For example, I hope to soon implement the AES schannel, and I would love to do this once, for both Samba3 and Samba4.

I would also really like to see someone port Samba4's GENSEC into Samba3, or at least make the NTLMSSP code common again.

Because I didn't want to have this whole area of work blocked awaiting an LDB merge, I've prepared two versions, one that also uses common code in the netlogon server, and one which does not.

The two branches are libcli-auth-merge-with-netlogond-patch and libcli-auth-merge-without-netlogond in:

git://git.samba.org/abartlet/samba.git
http://gitweb.samba.org/?p=abartlet/samba.git/.git;a=summary

While the 'with-netlogond-patch' branch won't build until ldb is merged, I'm also currently suffering from apparently unrelated build issues (failure to build gen_ndr/tables.c). When I get these resolved I'll update that branch and begin testing.

Any assistance, particularly with testing the many different modes our authentication layer can be used in, will be most gratefully received.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
From obnox at samba.org Tue Apr 14 11:44:53 2009
From: obnox at samba.org (Michael Adam) Date: Tue Apr 14 11:45:10 2009 Subject: Need help merging LDB into common lib/ In-Reply-To: <1239625322.15920.29.camel@naomi.s4.naomi.abartlet.net> References: <1239601764.15920.10.camel@naomi.s4.naomi.abartlet.net> <1239625322.15920.29.camel@naomi.s4.naomi.abartlet.net> Message-ID: Hi Andrew, Andrew Bartlett wrote: > On Mon, 2009-04-13 at 09:25 +0200, Volker Lendecke wrote: > > On Mon, Apr 13, 2009 at 03:49:24PM +1000, Andrew Bartlett wrote: > > > I've tried the simple approach, and made Samba4 build, but I'm at a bit > > > of a loss as to the Samba3 build system. Perhaps someone with > > > experience in the Samba3 build system can help me fix up the branch at: > > > > > > git://git.samba.org/abartlet/samba.git ldb-common > > > http://gitweb.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/ldb-common > > > > > > (Once this is done, I'll be in a position to test, and then propose my > > > libcli-auth-merge3 branch) > > > > As told on irc, I don't see a point in further use of ldb in > > Samba3, because we will have to maintain two code-bases in > > Samba3 then: The clustered version that uses direct tdb (see > > group_mapping.tdb) and the non-clustered version that does > > ldb. > > > > Because the existing ldb use in Samba3 already increases our > > maintenance effort, please *first* fix ldb (either version, > > the s3 *or* the s4 one, I don't care) to be used in a > > cluster. > > I'm sorry, but I don't follow the logic here. Samba3 already uses LDB, > and nobody is proposing to remove this at this stage (due to existing > deployed use cases). Currently the only user of ldb in Samba3 is the group mapping database. Since this is also essential for clustered setups we have introduced a groupdb:backend = {tdb|ldb} switch that can be used to re-enable the tdb backend in clustered setups. For this reason, it was in fact suggested that removing ldb from s3 again might be a good idea. 
(Which would of course pose some migration problems for existing installations.) > I'm just suggesting that it would be good to only > have one copy to maintain. For me at this stage it would be perfectly fine to have a common ldb code for s4 and the non-clustered s3 group mapping db. I will also gladly have a look at the s3 build in your branch. But as I told you on IRC already, the current s3 copy is not maintained at all: It was frozen at a point and not developed any further. So the argument of reduced effort is not a very powerful one. For the S3-side, a major argument for using a common (and current) copy of ldb would be the intention to add more users of ldb to Samba 3. But I think this is exactly where Volker's concern comes into play: This would mean that we would need more special switches for the increasingly important clustered scenario. It would also enlarge the gap between the clustered and the non-clustered samba code. There is also the concern that once ldb is common, more users of ldb may sneak into s3 when more components (that rely on ldb) are merged. These additional users of ldb would break cluster setups until we come up with yet another ugly workaround. So to my humble understanding, these are the concerns (there may be more), and I think they are valid and need to be taken care of. > I realise that a 'merge veto' is your only leverage to attempt to have > this already common code improved, but I do not think it is appropriate > in these circumstances, and I am in no position to act on your hopes for > a clustered LDB. > > All I'm asking is for this common library to be made common. We can > discuss use cases (such as avoiding the mymachinepw script in franky, or > accepting or rejecting my auth merge) at a separate stage. I agree. I personally don't see evil in the plain act of using a common ldb library. Others may think differently though. :-) I will give the s3 build in your branch a try. 
Cheers - Michael -- Michael Adam SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE From zahari.zahariev at postpath.com Tue Apr 14 14:02:45 2009 
From: zahari.zahariev at postpath.com (Zahari Zahariev) Date: Tue Apr 14 14:02:38 2009 Subject: Provisioning problem Message-ID: <49E49785.1050302@postpath.com> Hello list, Interesting problem I cannot provision my Samba4 server any more and I used to before. The error that I get is: Adding DomainDN: DC=zahari,DC=local (permitted to fail) Traceback (most recent call last): File "./setup/provision", line 192, in ldap_backend_type=opts.ldap_backend_type) File "bin/python/samba/provision.py", line 1052, in provision ldap_backend_type=ldap_backend_type) File "bin/python/samba/provision.py", line 801, in setup_samdb "DOMAIN_OC": domain_oc File "bin/python/samba/provision.py", line 187, in setup_add_ldif ldb.add_ldif(data) File "bin/python/samba/__init__.py", line 192, in add_ldif self.add(msg) _ldb.LdbError: (1, 'Operations error (1)') The provisioning command I execute looks like this: sudo ./setup/provision --realm=zahari.local --domain=zahari --adminpass=sambamamba --server-role='domain controller' However there is a case where provisioning passes OK. That's when after a crash like the above '/usr/local/samba/etc/smb.conf' is deleted and I provision again as this: sudo ./setup/provision --realm=zahari.local.com --domain=zahari --adminpass=sambamamba --server-role='domain controller' Is now mandatory that your realm consists of three parts e.g. 'zahari.local' is bad but 'zahari.local.com' is good? Thanks, -Zahari From michael at stroeder.com Tue Apr 14 15:12:57 2009 
From: michael at stroeder.com (Michael Ströder) Date: Tue Apr 14 15:13:11 2009 Subject: Provisioning problem In-Reply-To: <49E49785.1050302@postpath.com> References: <49E49785.1050302@postpath.com> Message-ID: <49E4A7F9.3060702@stroeder.com> Zahari Zahariev wrote: > Is now mandatory that your realm consists of three parts e.g. > 'zahari.local' is bad but 'zahari.local.com' is good? Not sure whether that's related but note that .local is used for MDNS (see http://en.wikipedia.org/wiki/Zeroconf#Name_resolution). Are you sure you switched MDNS off in your system? Look in /etc/nsswitch.conf On older Linux systems adding a line with 'mdns off' to host.conf was necessary. Ciao, Michael. From jra at samba.org Tue Apr 14 16:24:55 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 14 16:25:13 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> Message-ID: <20090414162455.GA9042@samba1> On Tue, Apr 14, 2009 at 03:55:13PM +1000, Andrew Bartlett wrote: > On Tue, 2009-04-14 at 07:49 +0200, Volker Lendecke wrote: > > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > > > Any reason why you don't use talloc_tos() in your patches? > > Is there any flaw with talloc_stack.c that I should know > > about? > > I did, in most of the places where it seemed reasonable (such as was > indicated by similar use in that context). The rest I just did the most > simple replacement possible, to avoid introducing inadvertent errors. Please go back and replace the _talloc(NULL,...) allocations with talloc_tos(). The problem is _talloc(NULL,...) cannot be thread safe, whereas talloc_tos() will be. Thanks, Jeremy. From idra at samba.org Tue Apr 14 17:45:37 2009 
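Review bot: passing NULL as the context in the added push_ucs2_talloc(NULL, &buffer, src, &size) call leaves buffer as a parentless top-level allocation, so every exit path after this check has to release it explicitly with talloc_free(buffer). The two quoted lines do not show how buffer is released, so confirm that whatever freed the old push_ucs2_allocate() result was converted in the same change. If a caller-supplied or stack context is available at this call site, passing it instead of NULL would tie the buffer's lifetime to that context and remove the need for a manual free on each error path.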
From: idra at samba.org (simo) Date: Tue Apr 14 17:44:13 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <20090414162455.GA9042@samba1> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> Message-ID: <1239731137.27720.64.camel@pico.li.ssimo.org> On Tue, 2009-04-14 at 09:24 -0700, Jeremy Allison wrote: > On Tue, Apr 14, 2009 at 03:55:13PM +1000, Andrew Bartlett wrote: > > On Tue, 2009-04-14 at 07:49 +0200, Volker Lendecke wrote: > > > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > > > > > Any reason why you don't use talloc_tos() in your patches? > > > Is there any flaw with talloc_stack.c that I should know > > > about? > > > > I did, in most of the places where it seemed reasonable (such as was > > indicated by similar use in that context). The rest I just did the most > > simple replacement possible, to avoid introducing inadvertent errors. > > Please go back and replace the _talloc(NULL,...) allocations > with talloc_tos(). The problem is _talloc(NULL,...) cannot > be thread safe, whereas talloc_tos() will be. Uhmm why talloc(NULL, can't be thread safe ? It is generating a new context from scratch so why would it be problematic? Note: I am not advocating to not use talloc_tos(), just wondering why a NULL context would make it not thread safe. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From jra at samba.org Tue Apr 14 17:53:38 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 14 17:53:36 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <1239731137.27720.64.camel@pico.li.ssimo.org> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> Message-ID: <20090414175338.GD9042@samba1> On Tue, Apr 14, 2009 at 05:45:37PM +0000, simo wrote: > On Tue, 2009-04-14 at 09:24 -0700, Jeremy Allison wrote: > > On Tue, Apr 14, 2009 at 03:55:13PM +1000, Andrew Bartlett wrote: > > > On Tue, 2009-04-14 at 07:49 +0200, Volker Lendecke wrote: > > > > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > > > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > > > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > > > > > > > Any reason why you don't use talloc_tos() in your patches? > > > > Is there any flaw with talloc_stack.c that I should know > > > > about? > > > > > > I did, in most of the places where it seemed reasonable (such as was > > > indicated by similar use in that context). The rest I just did the most > > > simple replacement possible, to avoid introducing inadvertent errors. > > > > Please go back and replace the _talloc(NULL,...) allocations > > with talloc_tos(). The problem is _talloc(NULL,...) cannot > > be thread safe, whereas talloc_tos() will be. > > Uhmm why talloc(NULL, can't be thread safe ? > It is generating a new context from scratch so why would it be > problematic? > > Note: I am not advocating to not use talloc_tos(), just wondering why a > NULL context would make it not thread safe. Because it has to add the pointer onto globally linked list, a static "HEAD" pointer inside the talloc library. Now I could add a mutex around that inside talloc, but I'm pretty sure we don't want to add the SMB_THREAD_XX calls inside talloc. 
I think talloc is thread safe so long as you avoid the NULL context. Jeremy. From idra at samba.org Tue Apr 14 19:36:03 2009 From: idra at samba.org (simo) Date: Tue Apr 14 19:34:23 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <20090414175338.GD9042@samba1> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> <20090414175338.GD9042@samba1> Message-ID: <1239737763.27720.70.camel@pico.li.ssimo.org> On Tue, 2009-04-14 at 10:53 -0700, Jeremy Allison wrote: > > Because it has to add the pointer onto globally > linked list, a static "HEAD" pointer inside the > talloc library. Now I could add a mutex around > that inside talloc, but I'm pretty sure we don't > want to add the SMB_THREAD_XX calls inside talloc. > > I think talloc is thread safe so long as you avoid the > NULL context. ah right, I forgot that NULL actually uses the null_context ... I wonder why we do so though. why don't we let talloc(NULL, ..); generate a completely new context ? Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. From abartlet at samba.org Wed Apr 15 01:47:30 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Wed Apr 15 01:47:34 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <1239737763.27720.70.camel@pico.li.ssimo.org> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> <20090414175338.GD9042@samba1> <1239737763.27720.70.camel@pico.li.ssimo.org> Message-ID: <1239760050.3737.11.camel@naomi.s4.naomi.abartlet.net> On Tue, 2009-04-14 at 19:36 +0000, simo wrote: > On Tue, 2009-04-14 at 10:53 -0700, Jeremy Allison wrote: > > > > Because it has to add the pointer onto globally > > linked list, a static "HEAD" pointer inside the > > talloc library. Now I could add a mutex around > > that inside talloc, but I'm pretty sure we don't > > want to add the SMB_THREAD_XX calls inside talloc. > > > > I think talloc is thread safe so long as you avoid the > > NULL context. > > ah right, I forgot that NULL actually uses the null_context ... I wonder > why we do so though. > why don't we let talloc(NULL, ..); generate a completely new context ? Which is exactly what it does, unless you enable NULL tracking. The global variable null_context is actually NULL, creating no global references, unless this debugging aid is enabled. As it stands, talloc(NULL) is more thread safe than talloc_tos(). That may change, but we should not misunderstand the current situation. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From abartlet at samba.org Wed Apr 15 02:03:07 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Wed Apr 15 02:03:16 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> Message-ID: <1239760987.3737.33.camel@naomi.s4.naomi.abartlet.net> On Tue, 2009-04-14 at 08:00 +0200, Volker Lendecke wrote: > On Tue, Apr 14, 2009 at 03:55:13PM +1000, Andrew Bartlett wrote: > > > On Mon, Apr 13, 2009 at 11:05:16PM -0500, Andrew Bartlett wrote: > > > > - if (!push_ucs2_allocate(&buffer, src, &size)) { > > > > + if (!push_ucs2_talloc(NULL, &buffer, src, &size)) { > > > > > > Any reason why you don't use talloc_tos() in your patches? > > > Is there any flaw with talloc_stack.c that I should know > > > about? > > > > I did, in most of the places where it seemed reasonable (such as was > > indicated by similar use in that context). The rest I just did the most > > simple replacement possible, to avoid introducing inadvertent errors. > > So, what's the bug that you fear by s/NULL/talloc_tos()/? > This *should* be idempotent but faster in smbd use. Lack of thread safety at the bottom levels of library code. Where other parts of the code were already using talloc_tos() I've used it, as far as I recall, but the implicit global variable semantics here spook me a little. Also perhaps I'm just not familiar with it - aside from not having to have a mem_ctx argument around, what does this gain us? Similarly a talloc_free() will free all children, even those not cleaned up when a child context was not talloc_free()ed. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. From jra at samba.org Wed Apr 15 04:00:07 2009 From: jra at samba.org (Jeremy Allison) Date: Wed Apr 15 04:00:10 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1034-g786447d In-Reply-To: <1239760050.3737.11.camel@naomi.s4.naomi.abartlet.net> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> <20090414175338.GD9042@samba1> <1239737763.27720.70.camel@pico.li.ssimo.org> <1239760050.3737.11.camel@naomi.s4.naomi.abartlet.net> Message-ID: <20090415040007.GA11639@jeremy-desktop> On Wed, Apr 15, 2009 at 11:47:30AM +1000, Andrew Bartlett wrote: > > As it stands, talloc(NULL) is more thread safe than talloc_tos(). That > may change, but we should not misunderstand the current situation. Not anymore, I just fixed that :-). Please change to using talloc_tos(). Jeremy. From kai at samba.org Wed Apr 15 08:29:08 2009 
From: kai at samba.org (Kai Blin) Date: Wed Apr 15 08:29:25 2009 Subject: Provisioning problem In-Reply-To: <49E49785.1050302@postpath.com> References: <49E49785.1050302@postpath.com> Message-ID: <200904151029.08553.kai@samba.org> On Tuesday 14 April 2009 16:02:45 Zahari Zahariev wrote: > Is now mandatory that your realm consists of three parts e.g. > 'zahari.local' is bad but 'zahari.local.com' is good? No, but as Michael said mDNS hogs the .local namespace. I personally avoid confusion by using .domain instead of .local for my local test domains. Does that help? Kai -- Kai Blin WorldForge developer http://www.worldforge.org/ Wine developer http://wiki.winehq.org/KaiBlin Samba team member http://www.samba.org/samba/team/ -- Will code for cotton. From scott.lovenberg at gmail.com Wed Apr 15 08:49:54 2009 From: scott.lovenberg at gmail.com (scott.lovenberg@gmail.com) Date: Wed Apr 15 09:03:30 2009 Subject: Provisioning problem In-Reply-To: <200904151029.08553.kai@samba.org> References: <49E49785.1050302@postpath.com><200904151029.08553.kai@samba.org> Message-ID: <1774808453-1239785374-cardhu_decombobulator_blackberry.rim.net-783062963-@bxe1089.bisx.prod.on.blackberry> FWIW, the TL's for "example" (com, net,etc.) are reserved for testing. Your isp will drop packets destined for those domains if you misconfigure, so that's a safe namespace as well. IIRC the "test" domain is also set aside. Sorry for top post, I can't get bottom posting to work on my blackberry... Sent from my Verizon Wireless BlackBerry -----Original Message----- 
From: Kai Blin Date: Wed, 15 Apr 2009 10:29:08 To: Cc: Subject: Re: Provisioning problem On Tuesday 14 April 2009 16:02:45 Zahari Zahariev wrote: > Is now mandatory that your realm consists of three parts e.g. > 'zahari.local' is bad but 'zahari.local.com' is good? No, but as Michael said mDNS hogs the .local namespace. I personally avoid confusion by using .domain instead of .local for my local test domains. Does that help? Kai -- Kai Blin WorldForge developer http://www.worldforge.org/ Wine developer http://wiki.winehq.org/KaiBlin Samba team member http://www.samba.org/samba/team/ -- Will code for cotton. From anatoliy.atanasov at postpath.com Wed Apr 15 09:46:41 2009 From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Wed Apr 15 09:53:36 2009 Subject: Provisioning problem Message-ID: <24E5C394AF11DB11B7E8001422525D38015C9055@ppsd.sofia-corp.postpath.com> Hi List, I just made clean checkout and tested this issue, using samba.local domain for example and it worked just fine. Regards, Anatoliy -----Original Message----- From: scott.lovenberg@gmail.com [mailto:scott.lovenberg@gmail.com] Sent: Wednesday, April 15, 2009 11:50 To: Kai Blin; 'samba-technical-bounces+scott.lovenberg=gmail.com@lists.samba.org'; Zahari Zahariev Cc: 'samba-technical@lists.samba.org' Subject: Re: Provisioning problem FWIW, the TL's for "example" (com, net,etc.) are reserved for testing. Your isp will drop packets destined for those domains if you misconfigure, so that's a safe namespace as well. IIRC the "test" domain is also set aside. Sorry for top post, I can't get bottom posting to work on my blackberry... Sent from my Verizon Wireless BlackBerry -----Original Message----- 
From: Kai Blin Date: Wed, 15 Apr 2009 10:29:08 To: Cc: Subject: Re: Provisioning problem On Tuesday 14 April 2009 16:02:45 Zahari Zahariev wrote: > Is now mandatory that your realm consists of three parts e.g. > 'zahari.local' is bad but 'zahari.local.com' is good? No, but as Michael said mDNS hogs the .local namespace. I personally avoid confusion by using .domain instead of .local for my local test domains. Does that help? Kai -- Kai Blin WorldForge developer http://www.worldforge.org/ Wine developer http://wiki.winehq.org/KaiBlin Samba team member http://www.samba.org/samba/team/ -- Will code for cotton. From kseeger at samba.org Wed Apr 15 10:41:20 2009 From: kseeger at samba.org (Karolin Seeger) Date: Wed Apr 15 10:41:18 2009 Subject: [Release Planning 3.4] 3.4.0pre1 will be delayed Message-ID: Hey folks, the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to the samr access check bugs and bug #6263 (Domain login problems in Windows XP without SP3). @Developers: There is still some space left to place your changes in the release notes. Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From remy.zandwijk at falw.vu.nl Wed Apr 15 11:32:51 2009 
From: remy.zandwijk at falw.vu.nl (Remy Zandwijk) Date: Wed Apr 15 11:45:43 2009 Subject: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed In-Reply-To: References: Message-ID: <49E5C5E3.90704@falw.vu.nl> Karolin Seeger wrote: > Hey folks, > > the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to > the samr access check bugs and bug #6263 (Domain login problems in Windows > XP without SP3). So the bug Peter Rindfuss reported yesterday is acknowledged by this? If so, it would be the third time in a row I plan to upgrade to the latest, so called stable, 3.2 release of Samba, but have to cancel it due to a show-stopper bug. Remember bug #6040. I do appreciate the hard work of the Samba dev-team. But wouldn't it be wise to maintain only two versions of Samba: one stable release which is not being developed, but only gets bugs fixed and one development version which contain the latest and greatest new features? Introducing new bugs like #6263 in a new 'historical' version (=3.2.10) really kills the willing of management to have Samba servers in production environments. -Remy From kseeger at samba.org Wed Apr 15 13:12:32 2009 
From: kseeger at samba.org (Karolin Seeger) Date: Wed Apr 15 13:12:30 2009 Subject: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed In-Reply-To: <49E5C5E3.90704@falw.vu.nl> References: <49E5C5E3.90704@falw.vu.nl> Message-ID: Hi Remy, On Wed, Apr 15, 2009 at 01:32:51PM +0200, Remy Zandwijk wrote: > Karolin Seeger wrote: >> Hey folks, >> >> the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to >> the samr access check bugs and bug #6263 (Domain login problems in Windows >> XP without SP3). > > So the bug Peter Rindfuss reported yesterday is acknowledged by this? no, it is _not_ acknowledged yet. > If so, it would be the third time in a row I plan to upgrade to the latest, > so called stable, 3.2 release of Samba, but have to cancel it due to a > show-stopper bug. Remember bug #6040. > > I do appreciate the hard work of the Samba dev-team. But wouldn't it be > wise to maintain only two versions of Samba: one stable release which is > not being developed, but only gets bugs fixed and one development version > which contain the latest and greatest new features? That's the long term plan. 3.0 is just maintained for your convenience. Please note that 3.4 is still in preparation (pre-release). > Introducing new bugs like #6263 in a new 'historical' version (=3.2.10) > really kills the willing of management to have Samba servers in production > environments. Samba is an Open Source project. That means, a great portion of work is done during the spare time of the developers and volunteers. Please feel free to help us testing and report your results. Improving the automated testing would be nice either. The code change between 3.2.9 is really small and it was not the intention to introduce the bug, but maybe it happened. Cheers, Karolin -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE From ioplex at gmail.com Wed Apr 15 23:44:32 2009 From: ioplex at gmail.com (Michael B Allen) Date: Wed Apr 15 23:51:49 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? Message-ID: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> Hi, Does anyone know of an issue with authenticating an SMB named pipe using a workstation trust account? I have someone who is getting the following error during the NTLMSSP session setup: 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account used is a Computer Account. Use your global user account or local user account to access this server." My code is just some Java that is basically does what winbind does (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) so I'm wondering if you guys have ever seen this issue with winbind? I have tested this with many other people without ever seeing this error so I'm somewhat perplexed as to what the problem could be. Any insight would be appreciated. Mike From abartlet at samba.org Wed Apr 15 23:57:27 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Wed Apr 15 23:57:34 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> Message-ID: <1239839847.4087.18.camel@ruth> On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: > Hi, > > Does anyone know of an issue with authenticating an SMB named pipe > using a workstation trust account? I have someone who is getting the > following error during the NTLMSSP session setup: > > 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account > used is a Computer Account. Use your global user account or local user > account to access this server." > > My code is just some Java that is basically does what winbind does > (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) > so I'm wondering if you guys have ever seen this issue with winbind? > > I have tested this with many other people without ever seeing this > error so I'm somewhat perplexed as to what the problem could be. Is your issue that you have a member server that you implement, that you wish to accept connections too, or that you have a client that is trying to contact a Windows member server in the AD domain. Anyway, what is happening here is that the domain controller returns that error message unless a flag (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the netr_IdentityInfo.parameter_control element in the eventual SamLogon request to the DC. The reason for this is that in NT4 days, machine accounts were not permitted to authenticate (only useful for NETLOGON), but as anonymous access to the network became a problem, the combination of this flag (to allow the legacy default) and the machine account login were permitted. 
Andrew Bartlett Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com From jra at samba.org Thu Apr 16 00:17:36 2009 From: jra at samba.org (Jeremy Allison) Date: Thu Apr 16 00:17:41 2009 Subject: [Release Planning 3.4] 3.4.0pre1 will be delayed In-Reply-To: References: Message-ID: <20090416001736.GC15288@samba1> On Wed, Apr 15, 2009 at 12:41:20PM +0200, Karolin Seeger wrote: > Hey folks, > > the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to > the samr access check bugs and bug #6263 (Domain login problems in Windows > XP without SP3). > > @Developers: There is still some space left to place your changes in the > release notes. Karolin, Guenther has fixed #6263 and I am waiting on confirmation on my checked in fixes for the samr access check bugs. Just FYI. Thanks for pointing out the problems for us. Please let us know if there are any other show-stoppers you need us to work on asap. Jeremy. From ioplex at gmail.com Thu Apr 16 01:12:54 2009 
From: ioplex at gmail.com (Michael B Allen) Date: Thu Apr 16 01:13:12 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <1239839847.4087.18.camel@ruth> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> <1239839847.4087.18.camel@ruth> Message-ID: <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: >> Hi, >> >> Does anyone know of an issue with authenticating an SMB named pipe >> using a workstation trust account? I have someone who is getting the >> following error during the NTLMSSP session setup: >> >> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account >> used is a Computer Account. Use your global user account or local user >> account to access this server." >> >> My code is just some Java that is basically does what winbind does >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) >> so I'm wondering if you guys have ever seen this issue with winbind? >> >> I have tested this with many other people without ever seeing this >> error so I'm somewhat perplexed as to what the problem could be. > > Is your issue that you have a member server that you implement, that you > wish to accept connections too, or that you have a client that is trying > to contact a Windows member server in the AD domain. > > Anyway, what is happening here is that the domain controller returns > that error message unless a flag > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the > netr_IdentityInfo.parameter_control element in the eventual SamLogon > request to the DC. Hi Andrew, Thanks for the quick response. Unfortunately I do not think that this is the problem. The failure occurs way before the NetrLogonSamLogon call and NetrIdentityInfo.parameter_control is 0x00000820 so it has the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. 
The code is basically just JCIFS' DCERPC acting as a member server for authenticating web clients using NTLM. The point of failure is the SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the domain controller - the SMB_COM_SESSION_SETUP response is in error with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. The only suspicious thing I can find at this point is that the NTLMSSP NEGOTIATE_MESSAGE and AUTHENTICATE_MESSAGE Workstation fields are like "JCIFS2_24_C9" which is a little wrong whereas the UserName field is correct like "SAMNAME$". But the thing that perplexes me is that at least two dozen people have successfully used this code so I have to wonder if the STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error is just coming out of left field and is actually an artefact of something else like some weird flag on the Computer account or the service account name or password is somehow messed up. Mike From abartlet at samba.org Thu Apr 16 01:42:53 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Thu Apr 16 01:42:58 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> <1239839847.4087.18.camel@ruth> <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> Message-ID: <1239846173.4087.23.camel@ruth> On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote: > On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: > > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: > >> Hi, > >> > >> Does anyone know of an issue with authenticating an SMB named pipe > >> using a workstation trust account? I have someone who is getting the > >> following error during the NTLMSSP session setup: > >> > >> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account > >> used is a Computer Account. Use your global user account or local user > >> account to access this server." > >> > >> My code is just some Java that is basically does what winbind does > >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) > >> so I'm wondering if you guys have ever seen this issue with winbind? > >> > >> I have tested this with many other people without ever seeing this > >> error so I'm somewhat perplexed as to what the problem could be. > > > > Is your issue that you have a member server that you implement, that you > > wish to accept connections too, or that you have a client that is trying > > to contact a Windows member server in the AD domain. > > > > Anyway, what is happening here is that the domain controller returns > > that error message unless a flag > > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the > > netr_IdentityInfo.parameter_control element in the eventual SamLogon > > request to the DC. > > Hi Andrew, > > Thanks for the quick response. Unfortunately I do not think that this > is the problem. 
The failure occurs way before the NetrLogonSamLogon > call and NetrIdentityInfo.parameter_control is 0x00000820 so it has > the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. > > The code is basically just JCIFS' DCERPC acting as a member server for > authenticating web clients using NTLM. The point of failure is the > SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the > domain controller - the SMB_COM_SESSION_SETUP response is in error > with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. Is this an old-style NTLM session setup, or full NTLMSSP extended security (blobs)? The domain controller will not internally apply the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in order to trigger a behaviour used in enrolling early Windows NT 4.0 machines into a domain (the password would be set to the machine name, and the machine would check that the password was so by logging in using SMB, and expecting this error). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com From ioplex at gmail.com Thu Apr 16 02:44:18 2009 
From: ioplex at gmail.com (Michael B Allen) Date: Thu Apr 16 02:44:24 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <1239846173.4087.23.camel@ruth> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> <1239839847.4087.18.camel@ruth> <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> <1239846173.4087.23.camel@ruth> Message-ID: <78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com> On Wed, Apr 15, 2009 at 9:42 PM, Andrew Bartlett wrote: > On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote: >> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: >> > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: >> >> Hi, >> >> >> >> Does anyone know of an issue with authenticating an SMB named pipe >> >> using a workstation trust account? I have someone who is getting the >> >> following error during the NTLMSSP session setup: >> >> >> >> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account >> >> used is a Computer Account. Use your global user account or local user >> >> account to access this server." >> >> >> >> My code is just some Java that is basically does what winbind does >> >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) >> >> so I'm wondering if you guys have ever seen this issue with winbind? >> >> >> >> I have tested this with many other people without ever seeing this >> >> error so I'm somewhat perplexed as to what the problem could be. >> > >> > Is your issue that you have a member server that you implement, that you >> > wish to accept connections too, or that you have a client that is trying >> > to contact a Windows member server in the AD domain. >> > >> > Anyway, what is happening here is that the domain controller returns >> > that error message unless a flag >> > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the >> > netr_IdentityInfo.parameter_control element in the eventual SamLogon >> > request to the DC. 
>> >> Hi Andrew, >> >> Thanks for the quick response. Unfortunately I do not think that this >> is the problem. The failure occurs way before the NetrLogonSamLogon >> call and NetrIdentityInfo.parameter_control is 0x00000820 so it has >> the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. >> >> The code is basically just JCIFS' DCERPC acting as a member server for >> authenticating web clients using NTLM. The point of failure is the >> SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the >> domain controller - the SMB_COM_SESSION_SETUP response is in error >> with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. > > Is this an old-style NTLM session setup, or full NTLMSSP extended > security (blobs)? > > The domain controller will not internally apply the > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in > order to trigger a behaviour used in enrolling early Windows NT 4.0 > machines into a domain (the password would be set to the machine name, > and the machine would check that the password was so by logging in using > SMB, and expecting this error). It's full-blown NTLMv2 extended security (blobs) with NTLM2 session security (for NTLMv1 as well as NTLMv2), key exchange and Secure Channel. But still I don't see how that flag could be involved if the code does not even get past the SMB_COM_SESSION_SETUP_ANDX. Mike From abartlet at samba.org Thu Apr 16 02:56:15 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Thu Apr 16 02:56:26 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> <1239839847.4087.18.camel@ruth> <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> <1239846173.4087.23.camel@ruth> <78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com> Message-ID: <1239850575.4087.25.camel@ruth> On Wed, 2009-04-15 at 22:44 -0400, Michael B Allen wrote: > On Wed, Apr 15, 2009 at 9:42 PM, Andrew Bartlett wrote: > > On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote: > >> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: > >> > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: > >> >> Hi, > >> >> > >> >> Does anyone know of an issue with authenticating an SMB named pipe > >> >> using a workstation trust account? I have someone who is getting the > >> >> following error during the NTLMSSP session setup: > >> >> > >> >> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account > >> >> used is a Computer Account. Use your global user account or local user > >> >> account to access this server." > >> >> > >> >> My code is just some Java that is basically does what winbind does > >> >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) > >> >> so I'm wondering if you guys have ever seen this issue with winbind? > >> >> > >> >> I have tested this with many other people without ever seeing this > >> >> error so I'm somewhat perplexed as to what the problem could be. > >> > > >> > Is your issue that you have a member server that you implement, that you > >> > wish to accept connections too, or that you have a client that is trying > >> > to contact a Windows member server in the AD domain. 
> >> > > >> > Anyway, what is happening here is that the domain controller returns > >> > that error message unless a flag > >> > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the > >> > netr_IdentityInfo.parameter_control element in the eventual SamLogon > >> > request to the DC. > >> > >> Hi Andrew, > >> > >> Thanks for the quick response. Unfortunately I do not think that this > >> is the problem. The failure occurs way before the NetrLogonSamLogon > >> call and NetrIdentityInfo.parameter_control is 0x00000820 so it has > >> the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. > >> > >> The code is basically just JCIFS' DCERPC acting as a member server for > >> authenticating web clients using NTLM. The point of failure is the > >> SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the > >> domain controller - the SMB_COM_SESSION_SETUP response is in error > >> with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. > > > > Is this an old-style NTLM session setup, or full NTLMSSP extended > > security (blobs)? > > > > The domain controller will not internally apply the > > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in > > order to trigger a behaviour used in enrolling early Windows NT 4.0 > > machines into a domain (the password would be set to the machine name, > > and the machine would check that the password was so by logging in using > > SMB, and expecting this error). > > It's full-blown NTLMv2 extended security (blobs) with NTLM2 session > security (for NTLMv1 as well as NTLMv2), key exchange and Secure > Channel. > > But still I don't see how that flag could be involved if the code does > not even get past the SMB_COM_SESSION_SETUP_ANDX. What is the DC in this case? -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. 
http://redhat.com From ioplex at gmail.com Thu Apr 16 06:12:47 2009 
From: ioplex at gmail.com (Michael B Allen) Date: Thu Apr 16 06:12:54 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <1239850575.4087.25.camel@ruth> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com> <1239839847.4087.18.camel@ruth> <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com> <1239846173.4087.23.camel@ruth> <78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com> <1239850575.4087.25.camel@ruth> Message-ID: <78c6bd860904152312j2d754ddaw90b5df846fea29f3@mail.gmail.com> On Wed, Apr 15, 2009 at 10:56 PM, Andrew Bartlett wrote: > On Wed, 2009-04-15 at 22:44 -0400, Michael B Allen wrote: >> On Wed, Apr 15, 2009 at 9:42 PM, Andrew Bartlett wrote: >> > On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote: >> >> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: >> >> > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: >> >> >> Hi, >> >> >> >> >> >> Does anyone know of an issue with authenticating an SMB named pipe >> >> >> using a workstation trust account? I have someone who is getting the >> >> >> following error during the NTLMSSP session setup: >> >> >> >> >> >> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account >> >> >> used is a Computer Account. Use your global user account or local user >> >> >> account to access this server." >> >> >> >> >> >> My code is just some Java that is basically does what winbind does >> >> >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) >> >> >> so I'm wondering if you guys have ever seen this issue with winbind? >> >> >> >> >> >> I have tested this with many other people without ever seeing this >> >> >> error so I'm somewhat perplexed as to what the problem could be. >> >> > >> >> > Is your issue that you have a member server that you implement, that you >> >> > wish to accept connections too, or that you have a client that is trying >> >> > to contact a Windows member server in the AD domain. 
>> >> > >> >> > Anyway, what is happening here is that the domain controller returns >> >> > that error message unless a flag >> >> > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the >> >> > netr_IdentityInfo.parameter_control element in the eventual SamLogon >> >> > request to the DC. >> >> >> >> Hi Andrew, >> >> >> >> Thanks for the quick response. Unfortunately I do not think that this >> >> is the problem. The failure occurs way before the NetrLogonSamLogon >> >> call and NetrIdentityInfo.parameter_control is 0x00000820 so it has >> >> the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. >> >> >> >> The code is basically just JCIFS' DCERPC acting as a member server for >> >> authenticating web clients using NTLM. The point of failure is the >> >> SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the >> >> domain controller - the SMB_COM_SESSION_SETUP response is in error >> >> with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. >> > >> > Is this an old-style NTLM session setup, or full NTLMSSP extended >> > security (blobs)? >> > >> > The domain controller will not internally apply the >> > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in >> > order to trigger a behaviour used in enrolling early Windows NT 4.0 >> > machines into a domain (the password would be set to the machine name, >> > and the machine would check that the password was so by logging in using >> > SMB, and expecting this error). >> >> It's full-blown NTLMv2 extended security (blobs) with NTLM2 session >> security (for NTLMv1 as well as NTLMv2), key exchange and Secure >> Channel. >> >> But still I don't see how that flag could be involved if the code does >> not even get past the SMB_COM_SESSION_SETUP_ANDX. > > What is the DC in this case? Well I just received new information that the configuration may have some properties set that they know are not supposed to be changed. Anyway the DC is Windows Server 2003. 
I actually spoke with the admin on site who was installing the software and I asked him if there was any special security policy but aside from migrating to NTLMv2-only he was very quick to claim that there was nothing special about their domain. But hopefully this is just a configuration issue. That certainly would make a lot more sense. Thanks for your input on this. Mike From remy.zandwijk at falw.vu.nl Thu Apr 16 07:01:29 2009 From: remy.zandwijk at falw.vu.nl (Remy Zandwijk) Date: Thu Apr 16 07:01:56 2009 Subject: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed In-Reply-To: <20090416001736.GC15288@samba1> References: <20090416001736.GC15288@samba1> Message-ID: <49E6D7C9.3020406@falw.vu.nl> Jeremy Allison wrote: > On Wed, Apr 15, 2009 at 12:41:20PM +0200, Karolin Seeger wrote: >> Hey folks, >> >> the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 due to >> the samr access check bugs and bug #6263 (Domain login problems in Windows >> XP without SP3). >> >> @Developers: There is still some space left to place your changes in the >> release notes. > > Karolin, Guenther has fixed #6263 and I am waiting on confirmation > on my checked in fixes for the samr access check bugs. > > Just FYI. Thanks for pointing out the problems for us. Please > let us know if there are any other show-stoppers you need us > to work on asap. Great news. Any change a patch will be made available to apply to 3.2.10? Thanks Remy From Victor.Cornell at landmarkinfo.co.uk Thu Apr 16 08:04:16 2009 
From: Victor.Cornell at landmarkinfo.co.uk (Victor Cornell)
Date: Thu Apr 16 08:10:04 2009
Subject: CTDB fails to start NFS daemons
Message-ID:

Hi,

Hope this is the right list for this.

I've implemented ctdb (samba and nfs) on a cluster of GPFS servers (and very nice it is too). Unfortunately I'm falling at the last hurdle when I try to add in support for nfs. I get:

2009/04/07 11:15:10.429886 [ 9189]: Starting NFS daemon:: Unsupported version

I've logged this as a bug (6248), but it may be a "feature".

What I can't discover is which versions of nfs are supported - if indeed it is the nfs version that the error message is referring to.

I'm running the show on Centos 5.2 with the following rpms.

nfs-utils-lib-1.0.8-7.2.z2
nfs-utils-1.0.9-33.el5
system-config-nfs-1.3.23-1.el5
samba-3.2.7-ctdb.54.2
samba-client-3.2.7-ctdb.54.2
samba-swat-3.2.7-ctdb.54.2
samba-common-3.2.7-ctdb.54.2
samba-doc-3.2.7-ctdb.54.2
ctdb-1.0-69

I'd be very grateful for any help or pointers.

Best Regards,

Vic Cornell

--
Vic Cornell
UNIX Systems Administrator
Landmark Information Group
T: 01392 888690 M: 07900 660266 F: 01392 441709
5-7 Abbey Court, Eagle Way, Sowton, Exeter, Devon, EX2 7HY. UK
www.landmark.co.uk

From mat at matws.net Thu Apr 16 08:33:07 2009
From: mat at matws.net (Matthieu Patou)
Date: Thu Apr 16 08:33:08 2009
Subject: samba4 and smbclient
Message-ID: <49E6ED43.6030101@matws.net>

Dear samba team,

When trying to access a share on a samba4 server with this command (on linux):
smbclient -k \\\\myserver\\common

I have this message
ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (KDC can't fulfill requested option)
ads_krb5_get_fwd_ticket failed (KDC can't fulfill requested option)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: KDC can't fulfill requested option
session setup failed: SUCCESS - 0

But if I try to access a domain workstation (ie. like this smbclient -k \\\\myworkstation\\c\$) in this case it works.

Any idea of the problem ?

Matthieu.

From anatoliy.atanasov at postpath.com Thu Apr 16 08:59:42 2009
From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov)
Date: Thu Apr 16 08:59:59 2009
Subject: Samba4 and AD2003 have differences in nTSecurityDescriptors
Message-ID: <24E5C394AF11DB11B7E8001422525D3815D01DA@ppsd.sofia-corp.postpath.com>

Hi Andrew,

I have noticed incoherence between Samba4 and AD2003. The difference is in the nTSecurityDescriptor of the following object:
"CN=Partitions,CN=Configuration,DC=samba,DC=postpath,DC=com"
In case of AD2003 this object has 11 ACEs and in Samba4 it's only one. I am pointing at the ACE that is common with the AD2003 to show that basically its content is ok.

AD 2003:
Ace[7]
  Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size: 20 bytes
  Ace Flags: 0x0
  Ace Mask: 0x000f01ff
    DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    ACTRL_DS_CREATE_CHILD
    ACTRL_DS_DELETE_CHILD
    ACTRL_DS_LIST
    ACTRL_DS_SELF
    ACTRL_DS_READ_PROP
    ACTRL_DS_WRITE_PROP
    ACTRL_DS_DELETE_TREE
    ACTRL_DS_LIST_OBJECT
    ACTRL_DS_CONTROL_ACCESS
  Ace Sid: NT AUTHORITY\SYSTEM S-1-5-18

Samba4:
Ace[0]
  Ace Type: 0x0 - SEC_ACE_TYPE_ACCESS_ALLOWED
  Ace Size: 20 bytes
  Ace Flags: 0x0
  Ace Mask: 0x10000000
    SEC_GENERIC_ALL
  Ace Sid: S-1-5-18

My problem is that in the Samba4 directory this ACE allows access only for the System account S-1-5-18, and the account that I am testing with is the Domain Administrator and the security check always fails with NT_STATUS_ACCESS_DENIED. Is there a fix for this, or in other words what should be done to equalize the nTSecurityDescriptors?

Here is the back trace of calls, so you can have an idea when this check happened:

#3 0x0858cc9d in acl_search_callback (req=0x9433190, ares=0x93ecba8) at dsdb/samdb/ldb_modules/acl.c:936
#4 0x08536452 in ldb_module_send_entry (req=0x9433190, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#5 0x08550eeb in operational_callback (req=0x9485c50, ares=0x9121db8) at lib/ldb/modules/operational.c:217
#6 0x08536452 in ldb_module_send_entry (req=0x9485c50, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#7 0x0859f19e in extended_callback (req=0x9485d40, ares=0x9121d68) at dsdb/samdb/ldb_modules/extended_dn_out.c:395
#8 0x08536452 in ldb_module_send_entry (req=0x9485d40, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#9 0x08596809 in show_deleted_search_callback (req=0x94cf6b8, ares=0x9121ed8) at dsdb/samdb/ldb_modules/show_deleted.c:65
#10 0x08536452 in ldb_module_send_entry (req=0x94cf6b8, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#11 0x08597081 in partition_req_callback (req=0x94cf7f0, ares=0x9121e88) at dsdb/samdb/ldb_modules/partition.c:192
#12 0x08536452 in ldb_module_send_entry (req=0x94cf7f0, msg=0x9240bd8, ctrls=0x0) at lib/ldb/common/ldb_modules.c:648
#13 0x08594240 in ltdb_index_filter (dn_list=0x954bce0, ac=0x9446b88) at lib/ldb/ldb_tdb/ldb_index.c:1056
#14 0x0859454e in ltdb_search_indexed (ac=0x9446b88) at lib/ldb/ldb_tdb/ldb_index.c:1138
#15 0x085918c0 in ltdb_search (ctx=0x9446b88) at lib/ldb/ldb_tdb/ldb_search.c:538
#16 0x0859047a in ltdb_callback (ev=0x8aa4e08, te=0x9446be0, t={tv_sec = 0, tv_usec = 0}, private_data=0x9446b88) at lib/ldb/ldb_tdb/ldb_tdb.c:1124
#17 0x089063e4 in tevent_common_loop_timer_delay (ev=0x8aa4e08) at ../lib/tevent/tevent_timed.c:254
#18 0x08908f62 in std_event_loop_once (ev=0x8aa4e08, location=0x89c84d1 "lib/ldb/common/ldb.c:477") at ../lib/tevent/tevent_standard.c:537
#19 0x0890551b in _tevent_loop_once (ev=0x8aa4e08, location=0x89c84d1 "lib/ldb/common/ldb.c:477") at ../lib/tevent/tevent.c:488
#20 0x0852dcb0 in ldb_wait (handle=0x8c33da8, type=LDB_WAIT_ALL) at lib/ldb/common/ldb.c:477
#21 0x0852f0a2 in ldb_search (ldb=0x9022210, mem_ctx=0x94b9798, result=0xbfffeb84, base=0x94b97d0, scope=LDB_SCOPE_BASE, attrs=0x8a8f21c, exp_fmt=0x0) at lib/ldb/common/ldb.c:1109
#22 0x08551355 in naming_fsmo_init (module=0x94b9700) at dsdb/samdb/ldb_modules/naming_fsmo.c:68
#23 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x94b9700) at lib/ldb/common/ldb_modules.c:383
#24 0x08599dfc in partition_init (module=0x8e27858) at dsdb/samdb/ldb_modules/partition.c:1343
#25 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8e27858) at lib/ldb/common/ldb_modules.c:383
#26 0x08536152 in ldb_next_init (module=0x8e27858) at lib/ldb/common/ldb_modules.c:583
#27 0x08596ac3 in show_deleted_init (module=0x8ae8648) at dsdb/samdb/ldb_modules/show_deleted.c:152
#28 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8ae8648) at lib/ldb/common/ldb_modules.c:383
#29 0x08536152 in ldb_next_init (module=0x8ae8648) at lib/ldb/common/ldb_modules.c:583
#30 0x0859f73a in extended_dn_out_ldb_init (module=0x8efc278) at dsdb/samdb/ldb_modules/extended_dn_out.c:561
#31 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8efc278) at lib/ldb/common/ldb_modules.c:383
#32 0x08536152 in ldb_next_init (module=0x8f429f0) at lib/ldb/common/ldb_modules.c:583
#33 0x085511c4 in operational_init (ctx=0x91f24b0) at lib/ldb/modules/operational.c:307
#34 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x91f24b0) at lib/ldb/common/ldb_modules.c:383
#35 0x08536152 in ldb_next_init (module=0x9735808) at lib/ldb/common/ldb_modules.c:583
#36 0x0858c1a9 in acl_module_init (module=0x8eadef8) at dsdb/samdb/ldb_modules/acl.c:715
#37 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8eadef8) at lib/ldb/common/ldb_modules.c:383
#38 0x08536152 in ldb_next_init (module=0x8eadef8) at lib/ldb/common/ldb_modules.c:583
#39 0x085a2663 in samldb_init (module=0x92b83e0) at dsdb/samdb/ldb_modules/samldb.c:1408
#40 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x92b83e0) at lib/ldb/common/ldb_modules.c:383
#41 0x08536152 in ldb_next_init (module=0x8c96428) at lib/ldb/common/ldb_modules.c:583
#42 0x0854f1a0 in asq_init (module=0x8c96470) at lib/ldb/modules/asq.c:399
#43 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8c96470) at lib/ldb/common/ldb_modules.c:383
#44 0x08536152 in ldb_next_init (module=0x8c96470) at lib/ldb/common/ldb_modules.c:583
#45 0x0854643d in server_sort_init (module=0x96d72f8) at lib/ldb/modules/sort.c:342
#46 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x96d72f8) at lib/ldb/common/ldb_modules.c:383
#47 0x08536152 in ldb_next_init (module=0x8c920a8) at lib/ldb/common/ldb_modules.c:583
#48 0x0859d24c in paged_request_init (module=0x96b3028) at lib/ldb/modules/paged_results.c:415
#49 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x96b3028) at lib/ldb/common/ldb_modules.c:383
#50 0x08536152 in ldb_next_init (module=0x96b3028) at lib/ldb/common/ldb_modules.c:583
#51 0x085a7d27 in rootdse_init (module=0x8ddd740) at dsdb/samdb/ldb_modules/rootdse.c:414
#52 0x08535889 in ldb_init_module_chain (ldb=0x9022210, module=0x8ddd740) at lib/ldb/common/ldb_modules.c:383

From gd at samba.org Thu Apr 16 09:55:06 2009
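The two ACE masks quoted in the message above, decoded and compared (an added example, not code from the post or from Samba). It assumes the directory-service generic mapping given by the DS_GENERIC_* values in the Windows SDK and a simplified allow-only access check; the administrator SIDs are constructed placeholders.

```python
# Added example: decode the ACE masks from the post and compare them
# under the directory-service generic mapping.

# Standard rights, bits 16-19 of an access mask.
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}

# Directory-service specific rights, named as in the AD 2003 dump.
DS_RIGHTS = {
    0x0001: "ACTRL_DS_CREATE_CHILD",
    0x0002: "ACTRL_DS_DELETE_CHILD",
    0x0004: "ACTRL_DS_LIST",
    0x0008: "ACTRL_DS_SELF",
    0x0010: "ACTRL_DS_READ_PROP",
    0x0020: "ACTRL_DS_WRITE_PROP",
    0x0040: "ACTRL_DS_DELETE_TREE",
    0x0080: "ACTRL_DS_LIST_OBJECT",
    0x0100: "ACTRL_DS_CONTROL_ACCESS",
}

GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
GENERIC_NAMES = {
    GENERIC_READ: "GENERIC_READ",
    GENERIC_WRITE: "GENERIC_WRITE",
    GENERIC_EXECUTE: "GENERIC_EXECUTE",
    GENERIC_ALL: "GENERIC_ALL",
}

# Assumption: generic mapping for directory objects (DS_GENERIC_* values).
DS_GENERIC_MAPPING = {
    GENERIC_READ: 0x00020094,     # READ_CONTROL | LIST | READ_PROP | LIST_OBJECT
    GENERIC_WRITE: 0x00020028,    # READ_CONTROL | SELF | WRITE_PROP
    GENERIC_EXECUTE: 0x00020004,  # READ_CONTROL | LIST
    GENERIC_ALL: 0x000F01FF,      # all standard + all DS specific rights
}


def map_generic(mask):
    """Replace each generic bit with the specific rights it stands for."""
    mapped = mask
    for generic_bit, specific in DS_GENERIC_MAPPING.items():
        if mapped & generic_bit:
            mapped = (mapped & ~generic_bit) | specific
    return mapped


def decode(mask):
    """Return the right names set in mask; unknown bits are reported, not dropped."""
    names, known = [], 0
    for table in (GENERIC_NAMES, STANDARD_RIGHTS, DS_RIGHTS):
        for bit, name in table.items():
            known |= bit
            if mask & bit:
                names.append(name)
    leftover = mask & ~known
    if leftover:
        names.append("UNKNOWN_0x%08x" % leftover)
    return names


SYSTEM_SID = "S-1-5-18"
# The two ACEs exactly as quoted in the post.
AD2003_ACE_7 = {"type": 0x0, "flags": 0x0, "mask": 0x000F01FF, "sid": SYSTEM_SID}
SAMBA4_ACE_0 = {"type": 0x0, "flags": 0x0, "mask": 0x10000000, "sid": SYSTEM_SID}

# Constructed tokens: the domain part of the administrator SIDs is a placeholder.
SYSTEM_TOKEN = {SYSTEM_SID}
ADMIN_TOKEN = {"S-1-5-21-1111-2222-3333-500", "S-1-5-21-1111-2222-3333-512"}


def granted_rights(dacl, token_sids):
    """Simplified check: union of access-allowed ACEs (type 0x0) whose SID is
    in the token. Deny ACEs, inheritance and owner rights are not modelled."""
    granted = 0
    for ace in dacl:
        if ace["type"] == 0x0 and ace["sid"] in token_sids:
            granted |= map_generic(ace["mask"])
    return granted


def access_check(dacl, token_sids, desired):
    desired = map_generic(desired)
    return (granted_rights(dacl, token_sids) & desired) == desired


if __name__ == "__main__":
    for label, ace in (("AD 2003 Ace[7]", AD2003_ACE_7), ("Samba4 Ace[0]", SAMBA4_ACE_0)):
        mapped = map_generic(ace["mask"])
        print("%s raw=0x%08x mapped=0x%08x" % (label, ace["mask"], mapped))
        print("  " + " ".join(decode(mapped)))
    read_prop = 0x0010
    print("SYSTEM read:", access_check([SAMBA4_ACE_0], SYSTEM_TOKEN, read_prop))
    print("admin read: ", access_check([SAMBA4_ACE_0], ADMIN_TOKEN, read_prop))
```

In this model the SYSTEM ACE grants the same 13 rights in both dumps once SEC_GENERIC_ALL is mapped, and a token that does not carry S-1-5-18 gets no rights from a DACL holding only that ACE.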
From: gd at samba.org (Guenther Deschner) Date: Thu Apr 16 09:54:58 2009 Subject: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed In-Reply-To: <49E6D7C9.3020406@falw.vu.nl> References: <20090416001736.GC15288@samba1> <49E6D7C9.3020406@falw.vu.nl> Message-ID: <49E7007A.7010503@samba.org> Remy Zandwijk wrote: > Jeremy Allison wrote: >> On Wed, Apr 15, 2009 at 12:41:20PM +0200, Karolin Seeger wrote: >>> Hey folks, >>> >>> the release of Samba 3.4.0pre1 will be delayed until April 30, 2009 >>> due to >>> the samr access check bugs and bug #6263 (Domain login problems in >>> Windows >>> XP without SP3). >>> >>> @Developers: There is still some space left to place your changes in the >>> release notes. >> >> Karolin, Guenther has fixed #6263 and I am waiting on confirmation >> on my checked in fixes for the samr access check bugs. >> >> Just FYI. Thanks for pointing out the problems for us. Please >> let us know if there are any other show-stoppers you need us >> to work on asap. > > Great news. Any change a patch will be made available to apply to 3.2.10? You can just pick the fix for Bug 6263 from the Bugzilla entry: https://bugzilla.samba.org/attachment.cgi?id=4070&action=view Guenther -- Günther Deschner GPG-ID: 8EE11688 Red Hat gdeschner@redhat.com Samba Team gd@samba.org From michael at stroeder.com Thu Apr 16 10:41:53 2009 
From: michael at stroeder.com (Michael Ströder) Date: Thu Apr 16 10:42:44 2009 Subject: Provisioning problem In-Reply-To: <24E5C394AF11DB11B7E8001422525D38015C9055@ppsd.sofia-corp.postpath.com> References: <24E5C394AF11DB11B7E8001422525D38015C9055@ppsd.sofia-corp.postpath.com> Message-ID: <49E70B71.5000303@stroeder.com> Anatoliy Atanasov wrote: > > I just made clean checkout and tested this issue, using samba.local > domain for example and it worked just fine. Glad it works. But I'd still strongly recommend to switch off MDNS-resolving if you don't need it. You will run into other funny issues hard to track down otherwise. Ciao, Michael. From mat at matws.net Thu Apr 16 11:34:32 2009 From: mat at matws.net (Matthieu Patou) Date: Thu Apr 16 11:34:29 2009 Subject: samba4 and smbclient In-Reply-To: <49E6ED43.6030101@matws.net> References: <49E6ED43.6030101@matws.net> Message-ID: <49E717C8.3010708@matws.net> After a quick search it seems that for accessing a server share I have to present a forwardable ticket (kinit -f myuser instead of my usual kinit myuser). On 04/16/2009 12:33 PM, Matthieu Patou wrote: > Dear samba team, > > When trying to access a share on a samba4 server with this command (on > linux): > smbclient -k \\\\myserver\\common > > I have this message > ads_krb5_get_fwd_ticket: krb5_fwd_tgt_creds failed (KDC can't fulfill > requested option) > ads_krb5_get_fwd_ticket failed (KDC can't fulfill requested option) > cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: KDC can't > fulfill requested option > session setup failed: SUCCESS - 0 > > But if I try to access a domain workstation (ie. like this smbclient > -k \\\\myworkstation\\c\$) in this case it works. > > Any idea of the problem ? > > Matthieu. From metze at samba.org Thu Apr 16 11:45:34 2009 
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Thu Apr 16 11:46:14 2009
Subject: Proposal: Add v3-4-test to the build farm, and revamp the build farm policy
In-Reply-To: <3B9E5D49-ED58-4FC3-9EBA-53D108229168@samba.org>
References: <8F20AD7F-09C5-45B8-9ABD-B5C28EF69010@samba.org> <1237168284.3952.218.camel@naomi.s4.naomi.abartlet.net> <49BF785A.5040203@samba.org> <7487DE6B-ECDF-40CA-836E-03E98A86E387@samba.org> <1EAB35EC-99D1-43A0-9BE2-27CED021F484@samba.org> <49C88921.2040708@samba.org> <3B9E5D49-ED58-4FC3-9EBA-53D108229168@samba.org>
Message-ID: <49E71A5E.8030401@samba.org>

Tim Prouty wrote:
>
> On Mar 24, 2009, at 12:17 AM, Stefan (metze) Metzmacher wrote:
>
>> would
>>
>> samba_3_current => v3-3-test
>> samba_3_next => v3-4-test
>> samba_3_master => master
>>
>> work for you?
>
> Yep, that sounds great!
>
>> I think we should just try to build all branches and then watch the farm
>> for a few days and disable samba_3_current on the boxes with low
>> diskspace, ok?
>
> agreed.

I added samba_3_next to the farm and so far it looks good.

metze

From Volker.Lendecke at SerNet.DE Thu Apr 16 13:22:06 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Thu Apr 16 13:21:32 2009
Subject: [vlendec@samba.org: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1056-g32a36e4]
Message-ID:

Hi, Tridge!

It would be great if you could take a look at this one.

Thanks,

Volker

----- Forwarded message from Volker Lendecke -----

To: samba-cvs@samba.org
Date: Thu, 16 Apr 2009 08:07:20 -0500 (CDT)
From: Volker Lendecke
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1056-g32a36e4

The branch, master has been updated
  via 32a36e470333abae2745e27074a24ab54777b41e (commit)
  via ea3a022ca3ed97f0ac3f16536832e8ec43683f8c (commit)
  from 448b434a862da0ca621c3b695dc800e9ec5e8fcf (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 32a36e470333abae2745e27074a24ab54777b41e
Author: Volker Lendecke
Date: Tue Apr 14 20:39:14 2009 +0200

    Add notify_onelevel.tdb

    This optimizes non-recursive notifys. For non-recursive notifies we can use a per-directory file-id indexed notify record. This matters for the Windows Explorer and IIS cases which do not use recursive notifies. In these cases, we do not have to shuffle around the whole notify record on every change.

    For the cluster case, this improves correctness of the notifies, ctdb only distributes the tdb seqnum once a second, so we can lose notifies.

From nadezhda.ivanova at postpath.com Thu Apr 16 14:22:23 2009
From: nadezhda.ivanova at postpath.com (Nadezhda Ivanova)
Date: Thu Apr 16 14:22:21 2009
Subject: [PATCH] Fixed problem with schemaUpdateNow request.
Message-ID: <24E5C394AF11DB11B7E8001422525D3815D50BE@ppsd.sofia-corp.postpath.com>

Hi Samba Team,

We are sending the schemaUpdateNow patch again. We fixed the test according to abartlet's remarks, made sure it works against Win2003.

Regards,
The Cisco/Postpath team

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org] Sent: Tuesday, April 14, 2009 4:14 AM To: Nadezhda Ivanova Cc: samba-technical@samba.org Subject: Re: [PATCH] Fixed problem with schemaUpdateNow request. On Fri, 2009-04-10 at 12:09 +0300, Nadezhda Ivanova wrote: > Hi Samba, > The attached patch contains the fix for the schemaUpdateNow request not working, + test. > Hopefully, we should now be able to modify the Schema via LDAP. In reviewing your patch, it seems that you have invented a third style for the construction of ldb modifications: > + def test_schemaUpdateNow(self): > + """Testing schemaUpdateNow works correctly""" > + self.delete_force(self.ldb, "CN=ATest-Attribute1," + > self.schema_dn) > + ldif = "dn: CN=ATest-Attribute1," + self.schema_dn > + ldif += "\nobjectClass: top" > + ldif += "\nobjectClass: attributeSchema" > + ldif += "\ncn: ATest-Attribute1" > + ldif += "\nlDAPDisplayName: atestAttribute1" > + ldif += "\nobjectCategory: CN=AAttribute-Schema," + > self.schema_dn > + ldif += "\nattributeID: 1.2.840.113556.1.999.998" > + ldif += "\nattributeSyntax: 2.5.5.10" > + ldif += "\ninstanceType: 4" > + ldif += "\nisSingleValued: TRUE" > + ldif += "\noMSyntax: 4" > + self.ldb.add_ldif(ldif) While I'm sure it's all syndactylly valid, this is needlessly unclear (with all the \n), and I simply fail to see why you could not use one of the other two styles already in the examples only a few lines further up the file. Please see if you can correct this, and re-submit. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 0001-Fixed-problem-with-schemaUpdateNow-request.patch Type: application/octet-stream Size: 28292 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090416/a652b0a7/0001-Fixed-problem-with-schemaUpdateNow-request.obj From dave.daugherty at centrify.com Thu Apr 16 16:14:55 2009 
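Review bot: In the quoted test_schemaUpdateNow hunk the attribute is created with a fixed cn, lDAPDisplayName and attributeID (1.2.840.113556.1.999.998), and the only cleanup visible is the delete_force call at the top. Active Directory does not normally allow schema objects to be deleted, so against the Win2003 target a second run is likely to fail in add_ldif because the object already exists; deriving the name and the last OID arc from a per-run value would make the test repeatable. Building the record with repeated `ldif += "\n..."` also makes a dropped or doubled newline easy to miss, so a single multi-line LDIF string with self.schema_dn substituted in would be easier to check against what is actually sent.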
From: dave.daugherty at centrify.com (Dave Daugherty) Date: Thu Apr 16 16:27:57 2009 Subject: ncacn_np NETLOGON with workstation trust account ok? In-Reply-To: <78c6bd860904152312j2d754ddaw90b5df846fea29f3@mail.gmail.com> References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com><1239839847.4087.18.camel@ruth><78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com><1239846173.4087.23.camel@ruth><78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com><1239850575.4087.25.camel@ruth> <78c6bd860904152312j2d754ddaw90b5df846fea29f3@mail.gmail.com> Message-ID: Michael, We encountered a similar problem. In our case someone had changed the Domain Policy -> Local Policies -> User Rights Assignments -> Access this computer from the network and changed the groups. In particular "Authenticated users" was removed and "Domain Users" was added. This allowed AD users to logon but not domain member computers. Check both Domain Policies and Domain Controller Polices. Usually the groups are configured on the Domain Controller policy but in our case they were overridden in the Domain Policy. Dave Daugherty Centrify --------- On Behalf Of Michael B Allen Sent: Wednesday, April 15, 2009 11:13 PM On Wed, Apr 15, 2009 at 10:56 PM, Andrew Bartlett wrote: > On Wed, 2009-04-15 at 22:44 -0400, Michael B Allen wrote: >> On Wed, Apr 15, 2009 at 9:42 PM, Andrew Bartlett wrote: >> > On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote: >> >> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett wrote: >> >> > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote: >> >> >> Hi, >> >> >> >> >> >> Does anyone know of an issue with authenticating an SMB named pipe >> >> >> using a workstation trust account? I have someone who is getting the >> >> >> following error during the NTLMSSP session setup: >> >> >> >> >> >> ? 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account >> >> >> used is a Computer Account. 
Use your global user account or local user >> >> >> account to access this server." >> >> >> >> >> >> My code is just some Java that is basically does what winbind does >> >> >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp) >> >> >> so I'm wondering if you guys have ever seen this issue with winbind? >> >> >> >> >> >> I have tested this with many other people without ever seeing this >> >> >> error so I'm somewhat perplexed as to what the problem could be. >> >> > >> >> > Is your issue that you have a member server that you implement, that you >> >> > wish to accept connections too, or that you have a client that is trying >> >> > to contact a Windows member server in the AD domain. >> >> > >> >> > Anyway, what is happening here is that the domain controller returns >> >> > that error message unless a flag >> >> > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the >> >> > netr_IdentityInfo.parameter_control element in the eventual SamLogon >> >> > request to the DC. >> >> >> >> Hi Andrew, >> >> >> >> Thanks for the quick response. Unfortunately I do not think that this >> >> is the problem. The failure occurs way before the NetrLogonSamLogon >> >> call and NetrIdentityInfo.parameter_control is 0x00000820 so it has >> >> the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway. >> >> >> >> The code is basically just JCIFS' DCERPC acting as a member server for >> >> authenticating web clients using NTLM. The point of failure is the >> >> SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the >> >> domain controller - the SMB_COM_SESSION_SETUP response is in error >> >> with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. >> > >> > Is this an old-style NTLM session setup, or full NTLMSSP extended >> > security (blobs)? 
>> > >> > The domain controller will not internally apply the >> > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in >> > order to trigger a behaviour used in enrolling early Windows NT 4.0 >> > machines into a domain (the password would be set to the machine name, >> > and the machine would check that the password was so by logging in using >> > SMB, and expecting this error). >> >> It's full-blown NTLMv2 extended security (blobs) with NTLM2 session >> security (for NTLMv1 as well as NTLMv2), key exchange and Secure >> Channel. >> >> But still I don't see how that flag could be involved if the code does >> not even get past the SMB_COM_SESSION_SETUP_ANDX. > > What is the DC in this case? Well I just received new information that the configuration may have some properties set that they know are not supposed to be changed. Anyway the DC is Windows Server 2003. I actually spoke with the admin on site who was installing the software and I asked him if there was any special security policy but aside from migrating to NTLMv2-only he was very quick to claim that there was nothing special about their domain. But hopefully this is just a configuration issue. That certainly would make a lot more sense. Thanks for your input on this. Mike From tprouty at samba.org Thu Apr 16 17:25:13 2009 
From: tprouty at samba.org (Tim Prouty) Date: Thu Apr 16 17:25:20 2009 Subject: Proposal: Add v3-4-test to the build farm, and revamp the build farm policy In-Reply-To: <49E71A5E.8030401@samba.org> References: <8F20AD7F-09C5-45B8-9ABD-B5C28EF69010@samba.org> <1237168284.3952.218.camel@naomi.s4.naomi.abartlet.net> <49BF785A.5040203@samba.org> <7487DE6B-ECDF-40CA-836E-03E98A86E387@samba.org> <1EAB35EC-99D1-43A0-9BE2-27CED021F484@samba.org> <49C88921.2040708@samba.org> <3B9E5D49-ED58-4FC3-9EBA-53D108229168@samba.org> <49E71A5E.8030401@samba.org> Message-ID: <22F44706-4E34-4F68-9838-EA03B83E03E1@samba.org> On Apr 16, 2009, at 4:45 AM, Stefan (metze) Metzmacher wrote: > Tim Prouty schrieb: >> >> On Mar 24, 2009, at 12:17 AM, Stefan (metze) Metzmacher wrote: >> >>> would >>> >>> samba_3_current => v3-3-test >>> samba_3_next => v3-4-test >>> samba_3_master => master >>> >>> work for you? >> >> Yep, that sounds great! >> >>> I think we should just try to build all branches and then watch >>> the farm >>> for a few days and disable samba_3_current on the boxes with low >>> diskspace, ok? >> >> agreed. > > I added samba_3_next to the farm and so far it looks good. Excellent! Thank you for your work on this Metze! I owe you beer when I'm in Germany next week :) -Tim From splodge at starfleet-net.co.uk Thu Apr 16 20:09:52 2009 
From: splodge at starfleet-net.co.uk (Richard Gellman) Date: Thu Apr 16 20:29:54 2009 Subject: Can't join Vista SP1 to domain Message-ID: <49E79090.9060906@starfleet-net.co.uk> I originally posted this to samba@lists.samba.org, but having not had even so much as an acknowledgement of my existence, I thought I'd try here...... -- Richard Hi, I've been using Samba for years as a domain controller without issue, but this has stumped me. I've set up Windows Vista Enterprise SP1 on a Virtual PC. Samba is running on a Gentoo Linux box as version 3.3.3. I can access shares without issue, but I can't get the machine to join the domain. When it tries it shows "The parameter is incorrect". Delving into C:\Windows\Debug\NetSetup.LOG shows that it creates the machine account successfully, sets a password for it, then gets to the point of configuring itself to be a domain member, and then fails with error code 0x57. At this point it disables the machine account for itself. The relevant section of NetSetup.LOG is shown below. Everything I read on t'internet suggests that this should work without problems. I've tried setting the security option to NTLM, changing the compatibility mode value, almost everything I can find, but still no joy. I'd post the smbd -d 10 log, but from what I can see nothing errors on the Samba side, Windows just gives up. I'm hoping that there's something I can configure, patch that can be applied etc that causes some kind of different response that Windows will accept. Does anyone have any ideas? Let me know if there's anything useful I can give you from the -d 10 log. There's a lot of stuff there (mostly routine stuff) so let me know what sort of thing you're looking for and I'll gladly post it. I should point out the password backend is OpenLDAP. As stated, no other machine I've joined to this domain has ever had issues. 
Regards Richard Gellman -- NetSetup.LOG -- 04/09/2009 18:32:34:458 NetpValidateName: checking to see if 'STARFLEET' is valid as type 3 name 04/09/2009 18:32:34:559 NetpCheckDomainNameIsValid [ Exists ] for 'STARFLEET' returned 0x0 04/09/2009 18:32:34:559 NetpValidateName: name 'STARFLEET' is valid for type 3 04/09/2009 18:32:34:559 NetpDsGetDcName: trying to find DC in domain 'STARFLEET', flags: 0x40001010 04/09/2009 18:32:34:559 NetpDsGetDcName: found DC '\\RELIANT' in the specified domain 04/09/2009 18:32:34:559 NetpJoinDomain: status of connecting to dc '\\RELIANT': 0x0 04/09/2009 18:32:34:709 NetpGetLsaPrimaryDomain: status: 0x0 04/09/2009 18:32:34:709 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\RELIANT' 04/09/2009 18:32:35:039 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 04/09/2009 18:32:35:099 NetpGetLsaPrimaryDomain: status: 0x0 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 04/09/2009 18:32:35:530 NetpManageMachineAccountWithSid: NetUserAdd on '\\RELIANT' for 'VOYAGER$' failed: 0x8b0 04/09/2009 18:32:36:171 NetpManageMachineAccountWithSid: status of attempting to set password on '\\RELIANT' for 'VOYAGER$': 0x0 04/09/2009 18:32:36:171 NetpJoinDomain: status of creating account: 0x0 04/09/2009 18:32:36:171 NetpGetLsaPrimaryDomain: status: 0x0 04/09/2009 18:32:36:181 NetpSetLsaPrimaryDomain: for 'STARFLEET' status: 0xc000000d 04/09/2009 18:32:36:181 NetpJoinDomain: status of setting LSA pri. 
domain: 0x57 04/09/2009 18:32:36:181 NetpJoinDomain: initiaing a rollback due to earlier errors 04/09/2009 18:32:36:281 NetpGetLsaPrimaryDomain: status: 0x0 04/09/2009 18:32:36:652 NetpManageMachineAccountWithSid: status of disabling account 'VOYAGER$' on '\\RELIANT': 0x0 04/09/2009 18:32:36:652 NetpJoinDomain: rollback: status of deleting computer account: 0x0 04/09/2009 18:32:36:652 NetpLsaOpenSecret: status: 0x0 04/09/2009 18:32:36:672 NetpJoinDomain: rollback: status of deleting secret: 0x0 04/09/2009 18:32:36:692 NetpJoinDomain: status of disconnecting from '\\RELIANT': 0x0 04/09/2009 18:32:36:692 NetpDoDomainJoin: status: 0x57 From gd at samba.org Thu Apr 16 21:29:31 2009 
From: gd at samba.org (Guenther Deschner) Date: Thu Apr 16 21:29:40 2009 Subject: Can't join Vista SP1 to domain In-Reply-To: <49E79090.9060906@starfleet-net.co.uk> References: <49E79090.9060906@starfleet-net.co.uk> Message-ID: <49E7A33B.6030803@samba.org> Richard Gellman wrote: > I originally posted this to samba@lists.samba.org, but having not had > even so much as an acknowledgement of my existence, I thought I'd try > here...... > > -- Richard > > > > Hi, > > I've been using Samba for years as a domain controller without issue, > but this has stumped me. > > I've set up Windows Vista Enterprise SP1 on a Virtual PC. Samba is > running on a Gentoo Linux box as version 3.3.3. I can access shares > without issue, but I can't get the machine to join the domain. When it > tries it shows "The parameter is incorrect". > > Delving into C:\Windows\Debug\NetSetup.LOG shows that it creates the > machine account successfully, sets a password for it, then gets to the > point of configuring itself to be a domain member, and then fails with > error code 0x57. At this point it disables the machine account for itself. > > The relevant section of NetSetup.LOG is shown below. Everything I read > on t'internet suggests that this should work without problems. I've > tried setting the security option to NTLM, changing the compatibility > mode value, almost everything I can find, but still no joy. > > I'd post the smbd -d 10 log, but from what I can see nothing errors on > the Samba side, Windows just gives up. I'm hoping that there's something > I can configure, patch that can be applied etc that causes some kind of > different response that Windows will accept. > > Does anyone have any ideas? Let me know if there's anything useful I can > give you from the -d 10 log. There's a lot of stuff there (mostly > routine stuff) so let me know what sort of thing you're looking for and > I'll gladly post it. > > I should point out the password backend is OpenLDAP. 
As stated, no other > machine I've joined to this domain has ever had issues. > > Regards > > Richard Gellman > > -- NetSetup.LOG -- > > 04/09/2009 18:32:34:458 NetpValidateName: checking to see if 'STARFLEET' > is valid as type 3 name > 04/09/2009 18:32:34:559 NetpCheckDomainNameIsValid [ Exists ] for > 'STARFLEET' returned 0x0 > 04/09/2009 18:32:34:559 NetpValidateName: name 'STARFLEET' is valid for > type 3 > 04/09/2009 18:32:34:559 NetpDsGetDcName: trying to find DC in domain > 'STARFLEET', flags: 0x40001010 > 04/09/2009 18:32:34:559 NetpDsGetDcName: found DC '\\RELIANT' in the > specified domain > 04/09/2009 18:32:34:559 NetpJoinDomain: status of connecting to dc > '\\RELIANT': 0x0 > 04/09/2009 18:32:34:709 NetpGetLsaPrimaryDomain: status: 0x0 > 04/09/2009 18:32:34:709 NetpGetNt4RefusePasswordChangeStatus: trying to > read from '\\RELIANT' > 04/09/2009 18:32:35:039 NetpGetNt4RefusePasswordChangeStatus: > RefusePasswordChange == 0 > 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 > 04/09/2009 18:32:35:099 NetpGetLsaPrimaryDomain: status: 0x0 > 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 > 04/09/2009 18:32:35:530 NetpManageMachineAccountWithSid: NetUserAdd on > '\\RELIANT' for 'VOYAGER$' failed: 0x8b0 > 04/09/2009 18:32:36:171 NetpManageMachineAccountWithSid: status of > attempting to set password on '\\RELIANT' for 'VOYAGER$': 0x0 > 04/09/2009 18:32:36:171 NetpJoinDomain: status of creating account: 0x0 > 04/09/2009 18:32:36:171 NetpGetLsaPrimaryDomain: status: 0x0 > 04/09/2009 18:32:36:181 NetpSetLsaPrimaryDomain: for 'STARFLEET' status: > 0xc000000d > 04/09/2009 18:32:36:181 NetpJoinDomain: status of setting LSA pri. 
> domain: 0x57 > 04/09/2009 18:32:36:181 NetpJoinDomain: initiaing a rollback due to > earlier errors > 04/09/2009 18:32:36:281 NetpGetLsaPrimaryDomain: status: 0x0 > 04/09/2009 18:32:36:652 NetpManageMachineAccountWithSid: status of > disabling account 'VOYAGER$' on '\\RELIANT': 0x0 > 04/09/2009 18:32:36:652 NetpJoinDomain: rollback: status of deleting > computer account: 0x0 > 04/09/2009 18:32:36:652 NetpLsaOpenSecret: status: 0x0 > 04/09/2009 18:32:36:672 NetpJoinDomain: rollback: status of deleting > secret: 0x0 > 04/09/2009 18:32:36:692 NetpJoinDomain: status of disconnecting from > '\\RELIANT': 0x0 > 04/09/2009 18:32:36:692 NetpDoDomainJoin: status: 0x57 Do you have or can you please provide a log level 10 log.smbd from this error ? Also: please open a bug on this at http://bugzilla.samba.org so that we can track this. Thanks, Guenther -- Günther Deschner GPG-ID: 8EE11688 Red Hat gdeschner@redhat.com Samba Team gd@samba.org From strucke1 at arts.ohio-state.edu Fri Apr 17 03:08:12 2009
From: strucke1 at arts.ohio-state.edu (strucke1) Date: Fri Apr 17 03:16:11 2009 Subject: Can't join Vista SP1 to domain In-Reply-To: <49E7A33B.6030803@samba.org> References: <49E79090.9060906@starfleet-net.co.uk> <49E7A33B.6030803@samba.org> Message-ID: <295c7157c3745fa4ba2fd152c76686b0@arts.ohio-state.edu> you know, i feel like there is a security setting in a local policy on vista that you have to change to get it to talk to a samba server, but it's late atm and i don't have access to any of my documentation. i'll try to look it up tomorrow. does that help at all??! ws On Thu, 16 Apr 2009 23:29:31 +0200, Guenther Deschner wrote: > Richard Gellman wrote: >> I originally posted this to samba@lists.samba.org, but having not had >> even so much as an acknowledgement of my existence, I thought I'd try >> here...... >> >> -- Richard >> >> >> >> Hi, >> >> I've been using Samba for years as a domain controller without issue, >> but this has stumped me. >> >> I've set up Windows Vista Enterprise SP1 on a Virtual PC. Samba is >> running on a Gentoo Linux box as version 3.3.3. I can access shares >> without issue, but I can't get the machine to join the domain. When it >> tries it shows "The parameter is incorrect". >> >> Delving into C:\Windows\Debug\NetSetup.LOG shows that it creates the >> machine account successfully, sets a password for it, then gets to the >> point of configuring itself to be a domain member, and then fails with >> error code 0x57. At this point it disables the machine account for >> itself. >> >> The relevant section of NetSetup.LOG is shown below. Everything I read >> on t'internet suggests that this should work without problems. I've >> tried setting the security option to NTLM, changing the compatibility >> mode value, almost everything I can find, but still no joy. >> >> I'd post the smbd -d 10 log, but from what I can see nothing errors on >> the Samba side, Windows just gives up. 
I'm hoping that there's something >> I can configure, patch that can be applied etc that causes some kind of >> different response that Windows will accept. >> >> Does anyone have any ideas? Let me know if there's anything useful I can >> give you from the -d 10 log. There's a lot of stuff there (mostly >> routine stuff) so let me know what sort of thing you're looking for and >> I'll gladly post it. >> >> I should point out the password backend is OpenLDAP. As stated, no other >> machine I've joined to this domain has ever had issues. >> >> Regards >> >> Richard Gellman >> >> -- NetSetup.LOG -- >> >> 04/09/2009 18:32:34:458 NetpValidateName: checking to see if 'STARFLEET' >> is valid as type 3 name >> 04/09/2009 18:32:34:559 NetpCheckDomainNameIsValid [ Exists ] for >> 'STARFLEET' returned 0x0 >> 04/09/2009 18:32:34:559 NetpValidateName: name 'STARFLEET' is valid for >> type 3 >> 04/09/2009 18:32:34:559 NetpDsGetDcName: trying to find DC in domain >> 'STARFLEET', flags: 0x40001010 >> 04/09/2009 18:32:34:559 NetpDsGetDcName: found DC '\\RELIANT' in the >> specified domain >> 04/09/2009 18:32:34:559 NetpJoinDomain: status of connecting to dc >> '\\RELIANT': 0x0 >> 04/09/2009 18:32:34:709 NetpGetLsaPrimaryDomain: status: 0x0 >> 04/09/2009 18:32:34:709 NetpGetNt4RefusePasswordChangeStatus: trying to >> read from '\\RELIANT' >> 04/09/2009 18:32:35:039 NetpGetNt4RefusePasswordChangeStatus: >> RefusePasswordChange == 0 >> 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 >> 04/09/2009 18:32:35:099 NetpGetLsaPrimaryDomain: status: 0x0 >> 04/09/2009 18:32:35:099 NetpLsaOpenSecret: status: 0xc0000034 >> 04/09/2009 18:32:35:530 NetpManageMachineAccountWithSid: NetUserAdd on >> '\\RELIANT' for 'VOYAGER$' failed: 0x8b0 >> 04/09/2009 18:32:36:171 NetpManageMachineAccountWithSid: status of >> attempting to set password on '\\RELIANT' for 'VOYAGER$': 0x0 >> 04/09/2009 18:32:36:171 NetpJoinDomain: status of creating account: 0x0 >> 04/09/2009 18:32:36:171 
NetpGetLsaPrimaryDomain: status: 0x0 >> 04/09/2009 18:32:36:181 NetpSetLsaPrimaryDomain: for 'STARFLEET' status: >> 0xc000000d >> 04/09/2009 18:32:36:181 NetpJoinDomain: status of setting LSA pri. >> domain: 0x57 >> 04/09/2009 18:32:36:181 NetpJoinDomain: initiaing a rollback due to >> earlier errors >> 04/09/2009 18:32:36:281 NetpGetLsaPrimaryDomain: status: 0x0 >> 04/09/2009 18:32:36:652 NetpManageMachineAccountWithSid: status of >> disabling account 'VOYAGER$' on '\\RELIANT': 0x0 >> 04/09/2009 18:32:36:652 NetpJoinDomain: rollback: status of deleting >> computer account: 0x0 >> 04/09/2009 18:32:36:652 NetpLsaOpenSecret: status: 0x0 >> 04/09/2009 18:32:36:672 NetpJoinDomain: rollback: status of deleting >> secret: 0x0 >> 04/09/2009 18:32:36:692 NetpJoinDomain: status of disconnecting from >> '\\RELIANT': 0x0 >> 04/09/2009 18:32:36:692 NetpDoDomainJoin: status: 0x57 > > Do you have or can you please provide a log level 10 log.smbd from this > error ? Also: please open a bug on this at http://bugzilla.samba.org so > that we can track this. > > Thanks, > > Guenther From boyang at suse.de Fri Apr 17 07:19:02 2009 
From: boyang at suse.de (boyang) Date: Fri Apr 17 07:13:23 2009 Subject: [PATCH] fix crash in winbindd in tevent_req_poll(). Message-ID: <49E82D66.9000208@suse.de> hi, everyone: Have a look at close_conns_after_fork, dom->conn.cli->fd = -1. That is to say, it is just set to -1 and not freed. And this is the problem, pipes might be there after fork! Then have a look at connection after fork, cm_connect_sam() --> invalidate_cm_connection() , pipes might not be null, but cli->fd == -1. Then look at the destructor rpc_transport_np_state_destructor(), fd(-1) is added to fd_events list and FD_SET will set it in fd sets, 0xFFFFFFFF is so large that FD_SET() access invalid memory... Patch is for master. Please correct me if I am wrong. Thanks! Best Regards BoYang -------------- next part -------------- A non-text attachment was scrubbed... Name: crash-in-tevent_req_poll.diff Type: text/x-patch Size: 1398 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090417/6d10ba53/crash-in-tevent_req_poll.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: boyang.vcf Type: text/x-vcard Size: 187 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090417/6d10ba53/boyang.vcf From marco.bianchi at 2tinfoservice.it Fri Apr 17 08:47:49 2009 From: marco.bianchi at 2tinfoservice.it (Marco Bianchi) Date: Fri Apr 17 08:53:13 2009 Subject: Failed to join domain: NT_STATUS_NONE_MAPPED Message-ID: Hi, I bought a NAS using samba, but I can't join my domain. It runs the following command: /usr/bin/net ads join -S S2T30 -U user%password And the result is: Failed to join domain: NT_STATUS_NONE_MAPPED Anybody knows what does this mean? Really Thanx a lot From denisnikulin.spb at gmail.com Fri Apr 17 10:25:18 2009 
From: denisnikulin.spb at gmail.com (Денис Никулин)
Date: Fri Apr 17 10:25:27 2009
Subject: is current samba4 how-to up-to-date?
Message-ID: <36fd795d0904170325k4164bc78l3764e1f19859c295@mail.gmail.com>

I have one question about article - http://wiki.samba.org/index.php/Samba4/HOWTO
the date is December 2004, so I wanna ask you if there are some updates in this documentation?

I have installed samba4 alpha7 (and alpha8 git) - compiling/make/make install - no errors. Joining XP into domain - success, but.. when I start dsa.msc (after setting it up) I get an error! sth like "You are trying to connect win 2000 domain, not 2003, so use 2000 server tools" (I can send you the whole text). I set up win 2000 tools over my win xp, and win 2000 separately, specially for this test - unsuccessful.

I am using Ubuntu 9.04 beta. also tried Ubuntu 8.10 - both - deb package from repository and installing from source - same error.

Is it possible that it's all because I have Russian version of xp (I don't think so..)?

Thank you very much!

--
Denis Nikulin | Seeding Assistant
GoViral: www.goviral.com | Cell: +7 911 1328110 | E-mail: denisnikulin@gmail.com | Skype: denisnikulin
Head office: 10A Belmont Street, London, NW1 8HH, UK
Production and Development: Studiestraede 19-4, 1455 Copenhagen K, Denmark
Local GoViral offices and partners: London, Copenhagen, Stockholm, Hamburg, Moscow, Milan, Tokyo, Paris
Digital Brand Activation in more than 30 countries worldwide

From metze at samba.org Fri Apr 17 11:46:18 2009
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Fri Apr 17 11:46:35 2009
Subject: [PATCH] fix crash in winbindd in tevent_req_poll().
In-Reply-To: <49E82D66.9000208@suse.de>
References: <49E82D66.9000208@suse.de>
Message-ID: <49E86C0A.6080007@samba.org>

boyang wrote:
> hi, everyone:
> Have a look at close_conns_after_fork, dom->conn.cli->fd = -1. That
> is to say, it is just set to -1 and not freed. And this is the problem,
> pipes might be there after fork! Then have a look at connection after
> fork, cm_connect_sam() --> invalidate_cm_connection() , pipes might not
> be null, but cli->fd == -1. Then look at the destructor
> rpc_transport_np_state_destructor(), fd(-1) is added to fd_events list
> and FD_SET will set it in fd sets, 0xFFFFFFFF is so large that FD_SET()
> access invalid memory...
> Patch is for master.
> Please correct me if I am wrong. Thanks!

I can't see what it has to do with tevent_req_poll()... I assume it's just bad luck because the memory is corrupted, right?

Could you please remove the reference to tevent_req_poll() from the commit message?

metze

From kseeger at samba.org Fri Apr 17 14:07:50 2009
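The failure boyang describes in the winbindd thread above, a descriptor left at -1 after fork reaching FD_SET(), can be stopped where the fd set is built. The C below is an added example, not code from Samba or from the attached patch; `struct conn`, `checked_fd_set()` and `build_read_set()` are hypothetical names and the sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical stand-in for a connection whose socket was marked
 * closed after fork() by setting fd = -1, as described in the post. */
struct conn {
    int fd;
};

/* Returns 1 if fd is in the range the FD_* macros accept.
 * POSIX leaves FD_SET/FD_CLR/FD_ISSET undefined for fd < 0 or
 * fd >= FD_SETSIZE, so this must be checked before using them. */
static int fd_is_selectable(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Guarded FD_SET: rejects out-of-range descriptors instead of
 * touching memory outside the fd_set.
 * Returns 0 on success, -1 if the descriptor was rejected. */
static int checked_fd_set(int fd, fd_set *set)
{
    if (set == NULL || !fd_is_selectable(fd)) {
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Builds the read set for select() from a list of connections.
 * Invalidated or oversized descriptors are skipped and counted so the
 * caller can log or tear them down instead of polling on them.
 * Returns the highest descriptor added, or -1 if none was added. */
static int build_read_set(const struct conn *conns, size_t n,
                          fd_set *rset, size_t *skipped)
{
    int maxfd = -1;
    size_t i;

    FD_ZERO(rset);
    *skipped = 0;
    for (i = 0; i < n; i++) {
        if (checked_fd_set(conns[i].fd, rset) != 0) {
            (*skipped)++;
            continue;
        }
        if (conns[i].fd > maxfd) {
            maxfd = conns[i].fd;
        }
    }
    return maxfd;
}

/* Constructed sample: two usable descriptors, one connection that was
 * invalidated with fd = -1, and one descriptor too large for fd_set. */
static int demo_build(size_t *skipped)
{
    struct conn conns[] = { {0}, {-1}, {5}, {FD_SETSIZE} };
    fd_set rset;

    return build_read_set(conns, sizeof(conns) / sizeof(conns[0]),
                          &rset, skipped);
}

int main(void)
{
    size_t skipped = 0;
    int maxfd = demo_build(&skipped);

    printf("max fd in set: %d, skipped: %zu\n", maxfd, skipped);
    return 0;
}
```
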
From: kseeger at samba.org (Karolin Seeger)
Date: Fri Apr 17 14:08:08 2009
Subject: [Announce] Samba 3.2.11 Maintenance Release Available
Message-ID:

================================================================
"You can't have everything.
Where would you put it?
Steven Wright
================================================================

Release Announcements
=====================

This is a maintenance release of the Samba 3.2 series.

Major enhancements in 3.2.11 include:

o Fix domain logins for WinXP clients pre SP3 (bug #6263).
o Fix samr_OpenDomain access checks (bug #6089).
o Fix smbd crash for close_on_completion.

######################################################################
Changes
#######

Changes since 3.2.10
--------------------

o Jeremy Allison
  * BUG 6089: Fix samr_OpenDomain access checks.
  * BUG 6254: Fix IPv6 PUT/GET errors to an SMB server (3.3) with "msdfs root" set to "yes".
  * Allow pdbedit to change a user rid/sid.
  * When doing a cli_ulogoff don't invalidate the cnum, invalidate the vuid.

o Günther Deschner
  * BUG 6205: Correct sample smb.conf share configuration.
  * BUG 6263: Fix domain logins for WinXP clients pre SP3.
  * Fix resume command typo for "printing = vlp".

o Volker Lendecke
  * Fix smbd crash for close_on_completion.
  * Fix a memleak in an unlikely error path in change_notify_create().

o Jim McDonough
  * Don't look up local user for remote changes, even when root.

================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

http://download.samba.org/samba/ftp/

The release notes are available online at:

http://www.samba.org/samba/ftp/history/samba-3.2.11.html

Binary packages will be made available on a volunteer basis from

http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090417/f43bed08/attachment.bin From miguel.sanders at arcelormittal.com Fri Apr 17 18:22:01 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com) Date: Fri Apr 17 18:48:15 2009 Subject: sys_setgroups : migration issues from 3.0 series to 3.2/3.3 series Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B33E23@GEN-MXB-V04.msad.arcelor.net> Hi guys I'm having some difficulties migrating from the 3.0 series to the 3.2/3.3 series. The problem I am faced with considers a user which has a lot of AD groups, which crashes the 3.2/3.3 instance whereas it works perfectly fine in the 3.0 series. - What I am observing from the 3.0 series smbd log when the user (sidsmig, UNIX uid 500 gid 1) connects [2009/04/17 19:50:48, 10] auth/auth_util.c:debug_nt_user_token(454) NT user token of user S-1-5-21-2009150308-1095399282-1287535205-30702 contains 144 SIDs SID[ 0]: S-1-5-21-2009150308-1095399282-1287535205-30702 SID[ 1]: S-1-5-21-2009150308-1095399282-1287535205-93519 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-21-2009150308-1095399282-1287535205-15771 ... SID[140]: S-1-5-21-2009150308-1095399282-1287535205-64827 SID[141]: S-1-5-21-2009150308-1095399282-1287535205-65119 SID[142]: S-1-5-21-2009150308-1095399282-1287535205-19378 SID[143]: S-1-5-32-545 SE_PRIV 0x0 0x0 0x0 0x0 SE_PRIV 0x0 0x0 0x0 0x0 [2009/04/17 19:50:48, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 500 Primary group is 1 and contains 1 supplementary groups Group[ 0]: 97 [2009/04/17 19:50:48, 5] smbd/uid.c:change_to_user(260) change_to_user uid=(0,500) gid=(0,1) All this looks pretty good to me. I checked all SIDs and they are correctly linked to my AD user.
- Now when I am observing the 3.2/3.3 smbd log, I can see the following for the same user [2009/04/17 19:45:33, 10] auth/token_util.c:debug_nt_user_token(528) NT user token of user S-1-5-21-2009150308-1095399282-1287535205-30702 contains 283 SIDs SID[ 0]: S-1-5-21-2009150308-1095399282-1287535205-30702 SID[ 1]: S-1-5-21-2009150308-1095399282-1287535205-513 SID[ 2]: S-1-1-0 SID[ 3]: S-1-5-2 SID[ 4]: S-1-5-11 SID[ 5]: S-1-5-21-2009150308-1095399282-1287535205-93519 ... SID[140]: S-1-5-21-2009150308-1095399282-1287535205-64827 SID[141]: S-1-5-21-2009150308-1095399282-1287535205-65119 SID[142]: S-1-5-21-2009150308-1095399282-1287535205-19378 SID[143]: S-1-22-1-500 SID[144]: S-1-22-2-500 ... SID[280]: S-1-22-2-589 SID[281]: S-1-22-2-621 SID[282]: S-1-22-2-622 SE_PRIV 0x0 0x0 0x0 0x0 [2009/04/17 19:45:33, 10] auth/token_util.c:debug_unix_user_token(548) UNIX token of user 500 Primary group is 500 and contains 139 supplementary groups [2009/04/17 19:45:34, 0] lib/util.c:smb_panic(1673) PANIC (pid 2568390): sys_setgroups failed What happens at SID[143] is a complete mystery to me, as this is no valid AD SID. The enumeration stops when 139 additional SIDs have been added to the list (SID[143] to SID[282]). Now, since there are 139 supplementary groups and the OS only supports up to 128 additional groups, sys_setgroups fails and dumps core. I can only assume that smbd is creating additional UNIX groups for all retrieved SIDs, so that SID[143] to SID[282] is a UNIX group enumeration of SID[0] to SID[142], leaving out a few ones) Can someone please explain to me what is happening here and why this works well in the 3.0 series? What has changed? Thanks Miguel From office at adaptcom.ro Fri Apr 17 21:03:45 2009 From: office at adaptcom.ro (Theodor Chirana) Date: Fri Apr 17 21:03:56 2009 Subject: Can I authenticate Dovecot users in samba4 LDAP Message-ID: <3C3382E2.8000801@adaptcom.ro> Hello, I am at second samba 4 install and alpha7 is really better. Congrats and looking forward for a production release. I have a question: How Can I authenticate dovecot users in samba's4 ldap???? And how can I set the password for the Manager user in LDAP because connecting with cn=Manager,dc=domain,dc=com does not work Best regards, Theodor From office at adaptcom.ro Sat Apr 18 08:43:27 2009 From: office at adaptcom.ro (Theodor Chirana) Date: Sat Apr 18 08:43:51 2009 Subject: Can I authenticate Dovecot users in samba4 LDAP In-Reply-To: <49E8FEB3.5070204@gmail.com> References: <3C3382E2.8000801@adaptcom.ro> <49E8FEB3.5070204@gmail.com> Message-ID: <3C34419F.4050707@adaptcom.ro> Scott Lovenberg wrote: > >> >> I have a question: How Can I authenticate dovecot users in samba's4 >> ldap???? >> >> > What I do with Samba 3 is use Dovecot -> PAM -> nsswitch -> winbind. > > This should still work for Samba 4 (/I would think, please correct me > if I'm wrong!/), and allows local or remote > authentication/authorization to any domain member server without the > need to reconfigure the chain. Samba4AD has its own LDAP server implementation and I cannot use PAM because I run Slackware and I prefer not to mess with Pam in slack. I could not figure how can I connect to the LDAP server of Samba4AD. From Volker.Lendecke at SerNet.DE Sat Apr 18 08:47:36 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sat Apr 18 08:47:14 2009 Subject: sys_setgroups : migration issues from 3.0 series to 3.2/3.3 series In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B33E23@GEN-MXB-V04.msad.arcelor.net> References: <7DF29B50FFF41848BB2281EC2E71A206B33E23@GEN-MXB-V04.msad.arcelor.net> Message-ID: On Fri, Apr 17, 2009 at 08:22:01PM +0200, miguel.sanders@arcelormittal.com wrote: > Can someone please explain to me what is happening here and why this > works well in the 3.0 series? What has changed? We added that panic call because there has been a lot of confusion due to groups being ignored. You should reconfigure your Unix to allow sufficient groups for sys_setgroups. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/37dc9f00/attachment.bin From kseeger at samba.org Sat Apr 18 09:06:32 2009 From: kseeger at samba.org (Karolin Seeger) Date: Sat Apr 18 09:06:45 2009 Subject: [Release Planning 3.3] Samba 3.3.4 planned for April 22, 2009 Message-ID: Hey folks, Samba 3.3.4 is scheduled for April 22, 2009 to address bug #6089 and #6263. The Wiki has been updated accordingly. Cheers, Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From miguel.sanders at arcelormittal.com Sat Apr 18 09:45:30 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com) Date: Sat Apr 18 09:45:09 2009 Subject: sys_setgroups : migration issues from 3.0 series to 3.2/3.3 series In-Reply-To: References: <7DF29B50FFF41848BB2281EC2E71A206B33E23@GEN-MXB-V04.msad.arcelor.net> Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B33E29@GEN-MXB-V04.msad.arcelor.net> Afaik that's a hard limit defined by the constant NGROUPS_MAX, which is 128 for my OS. Does this mean I have to stick with the 3.0 series, even though the OS didn't change this value in 10 years? Thnx -----Original Message----- From: Volker Lendecke [mailto:Volker.Lendecke@SerNet.DE] Sent: Saturday 18 April 2009 10:48 To: SANDERS Miguel CC: samba-technical@lists.samba.org Subject: Re: sys_setgroups : migration issues from 3.0 series to 3.2/3.3 series On Fri, Apr 17, 2009 at 08:22:01PM +0200, miguel.sanders@arcelormittal.com wrote: > Can someone please explain to me what is happening here and why this > works well in the 3.0 series? What has changed? We added that panic call because there has been a lot of confusion due to groups being ignored. You should reconfigure your Unix to allow sufficient groups for sys_setgroups. Volker From Volker.Lendecke at SerNet.DE Sat Apr 18 10:23:52 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sat Apr 18 10:23:13 2009 Subject: sys_setgroups : migration issues from 3.0 series to 3.2/3.3 series In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B33E29@GEN-MXB-V04.msad.arcelor.net> References: <7DF29B50FFF41848BB2281EC2E71A206B33E23@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B33E29@GEN-MXB-V04.msad.arcelor.net> Message-ID: On Sat, Apr 18, 2009 at 11:45:30AM +0200, miguel.sanders@arcelormittal.com wrote: > Afaik that's a hard limit defined by the constant NGROUPS_MAX, which is > 128 for my OS. > Does this mean I have to stick with the 3.0 series, even though the OS > didn't change this value in 10 years? Well, you could comment out the call to smb_panic in source/smbd/sec_ctx.c line 260 and recompile Samba. But then you will probably (as in 3.0) see that some users can't access files they should be able to access, because the OS can not handle all the groups the user is a member of. Volker P.S: I haven't tested that commenting out... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/2cedbb2d/attachment.bin From mat+Informatique.Samba at matws.net Sat Apr 18 10:54:23 2009
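The sys_setgroups thread above turns on one check: does the user's supplementary group list fit under the OS limit, and what happens when it does not. The following is an added example, not code from Samba or from any poster in the thread. check_groups() and the sample gids are hypothetical; the numbers 139 and 128 are the ones reported in the thread. De-duplicating the list first goes beyond what the thread discusses, and the check refuses an oversized list instead of truncating it, which is the behaviour the panic call enforces.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of checking a supplementary group list against the OS limit. */
struct group_check {
    size_t unique;  /* distinct gids left after de-duplication */
    long   limit;   /* limit the list was checked against */
    size_t excess;  /* gids that do not fit (0 when ok) */
    int    ok;      /* 1: list fits, 0: refuse to continue */
};

static int cmp_gid(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort the list and drop duplicate gids in place; returns the new length. */
static size_t dedupe_gids(gid_t *g, size_t n)
{
    size_t i, last = 0;

    if (n == 0)
        return 0;
    qsort(g, n, sizeof(*g), cmp_gid);
    for (i = 1; i < n; i++) {
        if (g[i] != g[last])
            g[++last] = g[i];
    }
    return last + 1;
}

/*
 * Hypothetical pre-flight check to run before setgroups().
 * Pass limit < 0 to use the running system's sysconf(_SC_NGROUPS_MAX).
 * The list is never truncated: dropping memberships silently changes
 * which files the user can reach, so an oversized list is refused.
 */
static struct group_check check_groups(gid_t *groups, size_t n, long limit)
{
    struct group_check r = { 0, 0, 0, 0 };

    if (limit < 0)
        limit = sysconf(_SC_NGROUPS_MAX);
    r.limit = limit;
    if (limit < 0 || (groups == NULL && n != 0)) {
        errno = EINVAL;
        return r;               /* limit unknown or bad input: refuse */
    }
    r.unique = dedupe_gids(groups, n);
    if (r.unique > (size_t)limit) {
        r.excess = r.unique - (size_t)limit;
        errno = EINVAL;         /* what Linux setgroups(2) reports for an oversized list */
        return r;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample with the thread's numbers: 139 distinct gids, limit 128. */
static struct group_check sample_distinct(void)
{
    gid_t g[139];
    size_t i;

    for (i = 0; i < 139; i++)
        g[i] = (gid_t)(500 + i);
    return check_groups(g, 139, 128);
}

/* Constructed sample: 139 entries that contain only 100 distinct gids. */
static struct group_check sample_with_duplicates(void)
{
    gid_t g[139];
    size_t i;

    for (i = 0; i < 139; i++)
        g[i] = (gid_t)(500 + i % 100);
    return check_groups(g, 139, 128);
}

int main(void)
{
    struct group_check a = sample_distinct();
    struct group_check b = sample_with_duplicates();

    printf("distinct:   unique=%zu limit=%ld excess=%zu ok=%d\n",
           a.unique, a.limit, a.excess, a.ok);
    printf("duplicates: unique=%zu limit=%ld excess=%zu ok=%d\n",
           b.unique, b.limit, b.excess, b.ok);
    return (a.ok == 0 && b.ok == 1) ? 0 : 1;
}
```

Running the same check with limit set to -1 on the target host shows how far a given user's group list is from that system's actual limit.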
From: mat+Informatique.Samba at matws.net (Matthieu Patou) Date: Sat Apr 18 10:54:15 2009 Subject: Wireshark enhancement proposal for LDAP dissector Message-ID: <49E9B15F.50203@matws.net> Dear samba team, I came up with the idea to make an enhancement to the LDAP dissector so that it dumps a Net::LDAP script (or the equivalent in python if it's more interesting) that will allow to replay the request to another server. This could be useful for checking that a samba4 server is behaving as a windows 2003 or 2008 server when you have a well known and non trivial traffic. I clearly had the need for the IIFP contact exchange with my samba4 setup, but could it be useful to someone else ? I'm asking this because this kind of enhancement means quite a lot of work so if it's only useful for me I am not sure I'll do it. If I clearly know that it will be useful for samba4 project then it is worth putting time on it ... Your comments ? Matthieu. From boyang at suse.de Sat Apr 18 12:14:39 2009
From: boyang at suse.de (boyang) Date: Sat Apr 18 12:01:42 2009 Subject: [PATCH] fix crash in winbindd in tevent_req_poll(). In-Reply-To: <49E86C0A.6080007@samba.org> References: <49E82D66.9000208@suse.de> <49E86C0A.6080007@samba.org> Message-ID: <49E9C42F.30907@suse.de> Stefan (metze) Metzmacher wrote: > boyang wrote: > >> hi, everyone: >> Have a look at close_conns_after_fork, dom->conn.cli->fd = -1. That >> is to say, it is just set to -1 and not freed. And this is the problem, >> pipes might be there after fork! Then have a look at connection after >> fork, cm_connect_sam() --> invalidate_cm_connection() , pipes might not >> be null, but cli->fd == -1. Then look at the destructor >> rpc_transport_np_state_destructor(), fd(-1) is added to fd_events list >> and FD_SET will set it in fd sets, 0xFFFFFFFF is so large that FD_SET() >> access invalid memory... >> Patch is for master. >> Please correct me if I am wrong. Thanks! >> > > I can't see what it has to do with tevent_req_poll()... > I assume it's just bad luck because the memory is corrupted, right? > No. winbindd crashed because dom->conn.cli->fd == -1 and pipes are not freed. The talloc destructor tries to close the pipe with function cli_close(). We should determine if the fd is -1, otherwise, tevent_req_poll() ---> tevent_loop_once() ---> s3_event_loop_once() ---> event_add_to_select_args() ---> FD_SET(-1, &writefds) causes winbindd to crash. It may be wrong to blame tevent_req_poll() for this, but I think there is no harm to determine if fd is -1 in tevent_req_poll(). Am I right? > Could you please remove the reference to tevent_req_poll() > from the commit message? > Yep. I am posting the patch with new commit message here. Thanks! :-) > metze > > > -------------- next part -------------- A non-text attachment was scrubbed...
Name: crash-in-winbindd.diff Type: text/x-patch Size: 1389 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/a9919564/crash-in-winbindd.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: boyang.vcf Type: text/x-vcard Size: 187 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/a9919564/boyang.vcf From michael at stroeder.com Sat Apr 18 15:36:26 2009 
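The crash described in the winbindd thread above comes from an fd of -1 reaching FD_SET(). The following is an added example, not the scrubbed crash-in-winbindd.diff and not Samba code. struct fd_event, build_select_args() and the sample event list are hypothetical stand-ins for an event loop's fd registrations. It also rejects descriptors at or above FD_SETSIZE, which the thread does not mention but which overruns the fd_set bitmap in the same way.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

#define EV_READ  0x1u
#define EV_WRITE 0x2u

/* Simplified stand-in for one registered fd event (hypothetical type). */
struct fd_event {
    int      fd;
    unsigned flags;
};

/* Arguments prepared for select(), plus a count of rejected events. */
struct select_args {
    fd_set rfds;
    fd_set wfds;
    int    maxfd;    /* highest fd placed in either set, -1 if none */
    int    skipped;  /* events whose fd could not be used */
};

/* FD_SET()/FD_ISSET() index a fixed-size bitmap: only [0, FD_SETSIZE) is valid. */
static int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/*
 * Build the select() sets from a list of events. An event whose fd was
 * invalidated (for example set to -1 after fork while the event stayed
 * registered) is counted and skipped instead of being passed to FD_SET().
 * Returns 0 on success, -1 with errno set on bad arguments.
 */
static int build_select_args(const struct fd_event *ev, size_t n,
                             struct select_args *out)
{
    size_t i;

    if (out == NULL || (ev == NULL && n != 0)) {
        errno = EINVAL;
        return -1;
    }
    FD_ZERO(&out->rfds);
    FD_ZERO(&out->wfds);
    out->maxfd = -1;
    out->skipped = 0;

    for (i = 0; i < n; i++) {
        if (!fd_fits_select(ev[i].fd)) {
            out->skipped++;
            continue;
        }
        if (ev[i].flags & EV_READ)
            FD_SET(ev[i].fd, &out->rfds);
        if (ev[i].flags & EV_WRITE)
            FD_SET(ev[i].fd, &out->wfds);
        if ((ev[i].flags & (EV_READ | EV_WRITE)) && ev[i].fd > out->maxfd)
            out->maxfd = ev[i].fd;
    }
    return 0;
}

/* Constructed sample: two usable fds, one stale -1, one beyond FD_SETSIZE. */
static struct select_args run_constructed_sample(void)
{
    const struct fd_event ev[] = {
        { 3, EV_READ },
        { -1, EV_WRITE },               /* connection invalidated, event left behind */
        { 5, EV_WRITE },
        { FD_SETSIZE + 10, EV_READ },
    };
    struct select_args args;

    build_select_args(ev, sizeof(ev) / sizeof(ev[0]), &args);
    return args;
}

/* Query the constructed sample; an unusable fd is reported as not set. */
static int sample_is_set(int fd, unsigned which)
{
    struct select_args args = run_constructed_sample();

    if (!fd_fits_select(fd))
        return 0;
    if (which == EV_READ)
        return FD_ISSET(fd, &args.rfds) != 0;
    return FD_ISSET(fd, &args.wfds) != 0;
}

int main(void)
{
    struct select_args args = run_constructed_sample();

    printf("skipped=%d maxfd=%d read(3)=%d write(5)=%d\n",
           args.skipped, args.maxfd,
           sample_is_set(3, EV_READ), sample_is_set(5, EV_WRITE));
    return 0;
}
```

A non-zero skipped count is worth logging: it means an event outlived its descriptor, which is the condition the thread traces back to close_conns_after_fork.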
From: michael at stroeder.com (Michael Ströder) Date: Sat Apr 18 15:36:33 2009 Subject: structuralObjectClass multi-valued in W2K8 Message-ID: <49E9F37A.2070300@stroeder.com> HI! Looking at a user entry in MS AD on W2K8 there's a bug with attribute 'structuralObjectClass'. It lists all (structural) object classes whereas other LDAPv3 compliant servers only list *the* structural object class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE. Example MS AD W2K8: objectClass: top objectClass: posixAccount objectClass: person objectClass: organizationalPerson objectClass: user structuralObjectClass: top structuralObjectClass: person structuralObjectClass: organizationalPerson structuralObjectClass: user Example OpenLDAP: objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: msPerson objectClass: posixAccount objectClass: simpleSecurityObject structuralObjectClass: inetOrgPerson Why to care about this? A really schema-aware client (e.g. my web2ldap) might look at the attribute structuralObjectClass while determining the governing structural rule of an entry (in case DIT structure rules are in effect). Now the question is whether Samba4 wants to mimic this bug or whether it would be worth trying to convince the MS developers to fix it. There are other schema bugs like 'objectClass' being declared as NO-USER-MODIFICATION while MS AD happily accepts modifications... Ciao, Michael. -- Michael Ströder E-Mail: michael@stroeder.com http://www.stroeder.com From ohad at lutzky.net Sat Apr 18 21:39:48 2009
From: ohad at lutzky.net (Ohad Lutzky) Date: Sat Apr 18 21:40:05 2009 Subject: [patch] Allow wildcards in 'include' Message-ID: <8e50e92e0904181439q60f9fdbdgbe9411f9472b0fcc@mail.gmail.com> Hello, Attached are a couple of patches (onto master at fa4ff87acd), for s3 and s4. Also available via git: branch include-wildcards http://git.lutzky.net/git/ohad/samba.git Also available via gitweb: http://git.lutzky.net/?p=ohad/samba.git;a=shortlog;h=refs/heads/include-wildcards -- Man is the only animal that laughs and weeps, for he is the only animal that is struck with the difference between what things are and what they ought to be. - William Hazlitt Ohad Lutzky -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-s3-param-Allow-wildcards-in-include.patch Type: text/x-patch Size: 2653 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090419/7b960440/0001-s3-param-Allow-wildcards-in-include.bin -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-s4-param-Allow-wilcards-in-include.patch Type: text/x-patch Size: 2368 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090419/7b960440/0002-s4-param-Allow-wilcards-in-include.bin From eric at sandall.us Sat Apr 18 21:59:27 2009 From: eric at sandall.us (Eric Sandall) Date: Sat Apr 18 22:27:49 2009 Subject: ldb (v4-0-test) and samba 4.0.0alpha6 do not link against tevent + fixes Message-ID: <20090418145927.57f18680@sandall.us> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/3aec16ad/signature.bin From idra at samba.org Sat Apr 18 23:42:13 2009 
From: idra at samba.org (simo) Date: Sat Apr 18 23:40:33 2009 Subject: ldb (v4-0-test) and samba 4.0.0alpha6 do not link against tevent + fixes In-Reply-To: <20090418145927.57f18680@sandall.us> References: <20090418145927.57f18680@sandall.us> Message-ID: <1240098133.3387.14.camel@pico.li.ssimo.org> On Sat, 2009-04-18 at 14:59 -0700, Eric Sandall wrote: > samba 4.0.0alpha6 you should use alpha7, it has been released exactly to help build openchange in fedora. > cannot find tevent_util.h > Linking bin/python/samba/dcerpc/security.so > Compiling ../lib/tevent/pytevent.c > ../lib/tevent/pytevent.c:27:25: error: tevent_util.h: No such file or > directory The following command failed: > gcc -march=core2 -m32 -pipe -DPIC -fPIC -O2 -fomit-frame-pointer > -I/usr/include/python2.6 -I/usr/include/python2.6 -Ilib/replace > -march=core2 -m32 -pipe -DPIC -fPIC -O2 -fomit-frame-pointer > -I/usr/include/python2.6 -I/usr/include/python2.6 -fPIC -I./include > -I. -I./lib -I./../lib/replace -I./../lib/talloc -I./.. > -D_SAMBA_BUILD_=4 -DHAVE_CONFIG_H -c ../lib/tevent/pytevent.c > -o ../lib/tevent/pytevent.o make: *** [../lib/tevent/pytevent.o] Error > 1 > > tevent does not install tevent_util.h, only tevent.h. I am not sure why pytevent.c can't find it but it is probably some bug in pytevent. > I've attached a patch (tevent-util.patch) to fix tevent to install > tevent_util.h. tevent_util.h is an internal header file used only for building libtevent. It must not be installed. > I've also filed the following bugs, with the fixes: > https://bugzilla.samba.org/show_bug.cgi?id=6269 > https://bugzilla.samba.org/show_bug.cgi?id=6270 > > With these fixes I am now able to install ldb and samba4, then go on > to > install libmapi and evolution-mapi. :) The first patch is probably right, for tevent_util.h the problem is elsewhere, installing tevent_util.h is not the proper fix. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc.
From jra at samba.org Sun Apr 19 00:58:08 2009 From: jra at samba.org (Jeremy Allison) Date: Sun Apr 19 00:58:23 2009 Subject: [patch] Allow wildcards in 'include' In-Reply-To: <8e50e92e0904181439q60f9fdbdgbe9411f9472b0fcc@mail.gmail.com> References: <8e50e92e0904181439q60f9fdbdgbe9411f9472b0fcc@mail.gmail.com> Message-ID: <20090419005808.GA6900@jeremy-laptop> On Sun, Apr 19, 2009 at 12:39:48AM +0300, Ohad Lutzky wrote: > Hello, > > Attached are a couple of patches (onto master at fa4ff87acd), for s3 and s4. > > Also available via git: branch include-wildcards > http://git.lutzky.net/git/ohad/samba.git > Also available via gitweb: > http://git.lutzky.net/?p=ohad/samba.git;a=shortlog;h=refs/heads/include-wildcards Thanks for this, but I think we need feature tests in configure.in for glob() and associated types. Previously we've used our own fnmatch function. Jeremy. From eric at sandall.us Sun Apr 19 01:59:01 2009 
From: eric at sandall.us (Eric Sandall) Date: Sun Apr 19 01:59:10 2009 Subject: ldb (v4-0-test) and samba 4.0.0alpha6 do not link against tevent + fixes In-Reply-To: <1240098133.3387.14.camel@pico.li.ssimo.org> References: <20090418145927.57f18680@sandall.us> <1240098133.3387.14.camel@pico.li.ssimo.org> Message-ID: <20090418185901.695d7e20@sandall.us> On Sat, 18 Apr 2009 19:42:13 -0400 simo wrote: > On Sat, 2009-04-18 at 14:59 -0700, Eric Sandall wrote: > > samba 4.0.0alpha6 > > you should use alpha7, it has been released exactly to help build > openchange in fedora. I'll try 4.0.0alpha7 and see if my issues go away and update the bug report. :) > > cannot find tevent_util.h > > tevent does not install tevent_util.h, only tevent.h. > > > I am not sure why pytevent.c can't find it but it is probably some bug > in pytevent. > > > I've attached a patch (tevent-util.patch) to fix tevent to install > > tevent_util.h. > > tevent_util.h is an internal header file used only for building > libtevent. > It must not be installed. > > > I've also filed the following bugs, with the fixes: > > https://bugzilla.samba.org/show_bug.cgi?id=6269 > > https://bugzilla.samba.org/show_bug.cgi?id=6270 > > > > With these fixes I am now able to install ldb and samba4, then go on > > to > > install libmapi and evolution-mapi. :) > > The first patch is probably right, for tevent_util.h the problem is > elsewhere, installing tevent_util.h is not the proper fix. I'll revert my tevent-util.patch I did to our package if 4.0.0alpha7 works without it. Thanks! :) -sandalle -- Eric Sandall | Source Mage GNU/Linux Developer eric@sandall.us PGP: 0xA8EFDD61 | http://www.sourcemage.org/ http://eric.sandall.us/ | http://counter.li.org/ #196285 -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090418/e54d5146/signature.bin From Volker.Lendecke at SerNet.DE Sun Apr 19 19:16:09 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Sun Apr 19 19:15:43 2009 Subject: [Samba] Question about how to reduce samba 3.3.3 install size or why it has been increased dramatically from 3.0.34 to 3.3.3 In-Reply-To: <49EB6312.4050805@gmx.de> References: <49EA791C.5050905@gmx.de> <49EB6312.4050805@gmx.de> Message-ID: On Sun, Apr 19, 2009 at 07:44:50PM +0200, votdev@gmx.de wrote: > Is it possible that there are added features in 3.3.3 automatically that > aren't available in 3.0.34? Maybe i can switch them off? I compared the > configure scripts of both versions but did not see great differences. > I can't understand what blows up the code so much, was there a great > change in the code base of 3.2.x and 3.3.x? As I told you: We auto-generate a lot of code that was hand-written in 3.0. The autogenerated stuff contains a lot of boilerplate code that used to be not there. You might want to look at the size of librpc/gen_ndr/. This very likely is most of what was not there before. I would highly appreciate patches to put the librpc/gen_ndr/ndr*.o stuff into a shared library to reduce the overall code size. Thanks, Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090419/8707170c/attachment.bin From tridge at samba.org Mon Apr 20 01:08:02 2009 
From: tridge at samba.org (tridge@samba.org) Date: Mon Apr 20 01:08:31 2009 Subject: talloc_tos and thread safety In-Reply-To: <1239737763.27720.70.camel@pico.li.ssimo.org> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> <20090414175338.GD9042@samba1> <1239737763.27720.70.camel@pico.li.ssimo.org> Message-ID: <18923.51954.500789.893116@samba.org> Hi Simo and Jeremy, > ah right, I forgot that NULL actually uses the null_context ... I wonder > why we do so though. > why don't we let talloc(NULL, ..); generate a completely new context ? It does generate a completely new context by default. The default is that null_context is NULL, and thus new contexts are completely separated. This changes if you call talloc_enable_null_tracking(), which is also called by talloc_enable_leak_report(). In Samba3 we call talloc_enable_leak_report() in smbd if DEBUGLEVEL >= 9 and smbd is being run interactively. In Samba4 it is enabled if you use the --leak-report command line option. Right now talloc_tos() is not thread safe, so switching to use talloc_tos() from talloc(NULL, ...) will actually make the code not thread safe with default command line options, whereas keeping talloc(NULL, ...) would keep it thread safe. Once talloc_tos() is made thread safe, then both could be safe with default options, and neither would be thread safe with leak reporting enabled (as leak reports could be run at any time in a thread's execution). Perhaps there are other reasons for using talloc_tos(), but I don't think thread safety is one of them. Cheers, Tridge From jra at samba.org Mon Apr 20 08:02:52 2009
From: jra at samba.org (Jeremy Allison) Date: Mon Apr 20 08:02:55 2009 Subject: talloc_tos and thread safety In-Reply-To: <18923.51954.500789.893116@samba.org> References: <20090414040516.C15DC1CC0F1@us2.samba.org> <1239688513.15226.1.camel@naomi.s4.naomi.abartlet.net> <20090414162455.GA9042@samba1> <1239731137.27720.64.camel@pico.li.ssimo.org> <20090414175338.GD9042@samba1> <1239737763.27720.70.camel@pico.li.ssimo.org> <18923.51954.500789.893116@samba.org> Message-ID: <20090420080252.GA11855@jeremy-laptop> On Mon, Apr 20, 2009 at 11:08:02AM +1000, tridge@samba.org wrote: > > In Samba3 we call talloc_enable_leak_report() in smbd if DEBUGLEVEL >= > 9 and smbd is being run interactively. In Samba4 it is enabled if you > use the --leak-report command line option. talloc_enable_null_tracking() is called directly from the old talloc_init() call, which is still heavily used in the Samba3 code. So these cases are not the only ones. > Right now talloc_tos() is not thread safe, so switching to use > talloc_tos() from talloc(NULL, ...) will actually make the code not > thread safe with default command line options, whereas keeping > talloc(NULL, ...) would keep it thread safe. I'm using talloc_tos() as my test bed for thread-safety, (check out the code in master right now). Just finishing the initialization code now. My intent is that talloc_tos() be thread safe as the first part of fixing our threading issues. > Perhaps there are other reasons for using talloc_tos(), but I don't > think thread safety is one of them. There are indeed other reasons for using it :-). Jeremy. From bj at SerNet.DE Mon Apr 20 09:31:40 2009
From: bj at SerNet.DE (Björn Jacke)
Date: Mon Apr 20 09:29:40 2009
Subject: configure check for GNU ld release
In-Reply-To:
References: <49CD1402.9050701@samba.org> <1238468555.12404.35.camel@ruth>
Message-ID:

Hi Andrew / Jelmer,

On 2009-03-31 at 15:00 +0200 Björn Jacke sent off:
> On 2009-03-31 at 14:02 +1100 Andrew Bartlett sent off:
> > On Sat, 2009-03-28 at 01:24 +0100, Björn Jacke wrote:
> > > sorry, this is the correct one:
> > >
> > > http://repo.or.cz/w/Samba/bjacke.git?a=commit;h=ae342466d015043638d2ecf76186167ac98056ff
> >
> > Can you post it to the list? While GIT trees are great, we really
> > should keep a record of the actual patches from outside the team in the
> > list archives.
>
> here it is, attached ...

just another reminder, this still needs to get pushed. This is also waiting to get fixed in the 3.3 and upcoming 3.4 branches. Can you please do that?

Björn

From bj at SerNet.DE Mon Apr 20 10:16:19 2009
From: bj at SerNet.DE (Björn Jacke)
Date: Mon Apr 20 10:14:28 2009
Subject: Samba patches @apple.com
In-Reply-To:
References:
Message-ID:

Hi James,

On 2009-04-06 at 09:03 -0700 James Peach sent off:
> It's quite a lot of work to do this, and in general these patches are
> only interesting for Apple. If you have specific patches that you'd
> like let me know.

may I come back to your offer to bring specific patches upstream?

There are three non-trivial Darwin specific patches that I'm very interested in:

- Darwin's NTFS ACL support
- Stream support for Darwin
- Creation time support for Darwin

Thanks in advance
Björn
From abartlet at samba.org Mon Apr 20 15:30:40 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon Apr 20 15:30:54 2009
Subject: structuralObjectClass multi-valued in W2K8
In-Reply-To: <49E9F37A.2070300@stroeder.com>
References: <49E9F37A.2070300@stroeder.com>
Message-ID: <1240241440.12796.15.camel@ruth>

On Sat, 2009-04-18 at 17:36 +0200, Michael Ströder wrote:
> HI!
>
> Looking at a user entry in MS AD on W2K8 there's a bug with attribute
> 'structuralObjectClass'. It lists all (structural) object classes
> whereas other LDAPv3 compliant servers only list *the* structural object
> class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE.
>
> Example MS AD W2K8:
>
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> structuralObjectClass: top
> structuralObjectClass: person
> structuralObjectClass: organizationalPerson
> structuralObjectClass: user
>
> Example OpenLDAP:
>
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: msPerson
> objectClass: posixAccount
> objectClass: simpleSecurityObject
> structuralObjectClass: inetOrgPerson
>
> Why to care about this? A really schema-aware client (e.g. my web2ldap)
> might look at the attribute structuralObjectClass while determining the
> governing structural rule of an entry (in case DIT structure rules are
> in effect).
>
> Now the question is whether Samba4 wants to mimic this bug or whether
> it would be worth trying to convince the MS developers to fix it.
>
> There are other schema bugs like 'objectClass' being declared as
> NO-USER-MODIFICATION while MS AD happily accepts modifications...

Samba4 will implement the same 'bugs' as AD in all these cases.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

From abartlet at samba.org Mon Apr 20 16:07:57 2009
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon Apr 20 16:25:25 2009
Subject: [PATCH] Re: libcli/auth mid-level crypto merge
In-Reply-To: <1239703868.15226.22.camel@naomi.s4.naomi.abartlet.net>
References: <1239703868.15226.22.camel@naomi.s4.naomi.abartlet.net>
Message-ID: <1240243677.12796.25.camel@ruth>

Skipped content of type multipart/mixed

From boyang at novell.com Mon Apr 20 16:04:55 2009
From: boyang at novell.com (Bo Yang)
Date: Mon Apr 20 16:25:28 2009
Subject: [PATCH] (partial) tevent_req_poll() loops for ever....
Message-ID: <49ED29C8020000EE0006141A@lucius.provo.novell.com>

Hi, everyone:

Taking cm_connect_lsa() for example. Assuming network connection is good initially, but when cli_rpc_pipe_open_spnego_ntlmssp() is invoked, remote end is closed. So, it returns NT_STATUS_BROKEN_PIPE(mapped from EPIPE). Then we go to schannel or anonymous, which makes no difference. Because the socket is broken now(but fd is owned by current process, winbindd), the fd(socket) won't be writable or readable any more. Then have a look at what tevent_req_poll() does, req is always in progress, tevent_loop_once() --> s3_event_loop_once() ---> add the fd to select's writefds set ---> select times out and returns 0. again and again, tevent_req_poll() loops forever........

I think we should do a test after each rpc call to see if the status is BROKEN PIPE, if it is, we must close the socket and free all pipes. We must close socket first, and set cli->fd to -1. Otherwise, pipe's destructor will try to write to the fd, which cause tevent_req_poll() loops forever. My previous patch to test if cli->fd must be there to make this work, otherwise, winbindd just crash in FD_SET(-1, &writefds)....

I have add test of the status after rpc call in winbindd_cm.c, but that is not complete. We have to add it other places after rpc call, which would be a lot of repeated work.....

Pls correct me if I am wrong. Thanks!

patch is for master!

Best Regards
BoYang
20th, April

Best Regards
BoYang
-------------------------
Bo Yang, Software Engineer
Novell, Beijing, China
boyang@novell.com

-------------- next part --------------
>From a7e65a32d520e4991d2193dace081a11e607b58d Mon Sep 17 00:00:00 2001
From: Bo Yang Date: Mon, 20 Apr 2009 23:16:18 +0800 Subject: [PATCH] s3: handle EPIPE in pipes --- source3/winbindd/winbindd_cm.c | 88 ++++++++++++++++++++++++++++++++++++++++ 1 files changed, 88 insertions(+), 0 deletions(-) diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index ed0a33a..8e59ad6 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1652,6 +1652,29 @@ NTSTATUS init_dc_connection(struct winbindd_domain *domain) return init_dc_connection_network(domain); } +static bool handle_pipe_error(NTSTATUS err, struct winbindd_cm_conn *conn) +{ + if (!NT_STATUS_EQUAL(NT_STATUS_PIPE_BROKEN, err)) { + return false; + } + + /* + * It is broken pipe, we should tear apart the old connections. + * Then connection will be reestablished when pipe request comes + * again. We must not do anything more on the socket if BROKEN pipe + * is reported from previous operation. We have to close the first, + * otherwise destructors of pipes will try to send something to it + * and poll around it, which never returns. */ + if (conn->cli->fd != -1) { + close(conn->cli->fd); + conn->cli->fd = -1; + } + + /* Close all opened pipe now. */ + invalidate_cm_connection(conn); + return true; +} + /****************************************************************************** Set the trust flags (direction and forest location) for a domain ******************************************************************************/ @@ -1666,6 +1689,7 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) NETR_TRUST_FLAG_OUTBOUND | NETR_TRUST_FLAG_INBOUND); struct rpc_pipe_client *cli; + struct winbindd_cm_conn *conn; TALLOC_CTX *mem_ctx = NULL; DEBUG(5, ("set_dc_type_and_flags_trustinfo: domain %s\n", domain->name )); 
@@ -1689,6 +1713,8 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) return False; } + conn = &our_domain->conn; + /* Use DsEnumerateDomainTrusts to get us the trust direction and type */ @@ -1698,6 +1724,7 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) DEBUG(5, ("set_dc_type_and_flags_trustinfo: Could not open " "a connection to %s for PIPE_NETLOGON (%s)\n", domain->name, nt_errstr(result))); + handle_pipe_error(result, conn); return False; } @@ -1715,6 +1742,7 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain ) DEBUG(0,("set_dc_type_and_flags_trustinfo: " "failed to query trusted domain list: %s\n", nt_errstr(result))); + handle_pipe_error(result, conn); talloc_destroy(mem_ctx); return false; } @@ -1776,6 +1804,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) struct policy_handle pol; union dssetup_DsRoleInfo info; union lsa_PolicyInformation *lsa_info = NULL; + struct winbindd_cm_conn *conn = &domain->conn; if (!connection_ok(domain)) { return; @@ -1803,6 +1832,13 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) * identifying so that we can in the end return with * domain->initialized = True - gd */ + /* If handle_pipe_error() returns true, it is + * broken pipe. connection was teared apart, just + * return. */ + if (handle_pipe_error(result, conn)) { + return; + } + goto no_dssetup; } @@ -1817,6 +1853,9 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain ) "on domain %s failed: (%s)\n", domain->name, nt_errstr(result))); + if (handle_pipe_error(result, conn)) { + return; + } /* older samba3 DCs will return DCERPC_FAULT_OP_RNG_ERROR for * every opcode on the DSSETUP pipe, continue with * no_dssetup mode here as well to get domain->initialized 
@@ -1845,6 +1884,7 @@ no_dssetup: DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to " "PI_LSARPC on domain %s: (%s)\n", domain->name, nt_errstr(result))); + handle_pipe_error(result, conn); TALLOC_FREE(cli); TALLOC_FREE(mem_ctx); return; @@ -1925,6 +1965,8 @@ done: DEBUG(5,("set_dc_type_and_flags_connect: domain %s is %srunning active directory.\n", domain->name, domain->active_directory ? "" : "NOT ")); + handle_pipe_error(result, conn); + TALLOC_FREE(cli); TALLOC_FREE(mem_ctx); @@ -1968,6 +2010,7 @@ static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain, { NTSTATUS result; struct rpc_pipe_client *netlogon_pipe; + struct winbindd_cm_conn *conn = &domain->conn; if (lp_client_schannel() == False) { return False; @@ -1975,6 +2018,7 @@ static bool cm_get_schannel_dcinfo(struct winbindd_domain *domain, result = cm_connect_netlogon(domain, &netlogon_pipe); if (!NT_STATUS_IS_OK(result)) { + handle_pipe_error(result, conn); return False; } @@ -2057,6 +2101,14 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, "authenticated pipe: user %s\\%s. Error was " "%s\n", domain->name, domain_name, machine_account, nt_errstr(result))); + + /* When pipe is broken, tear apart the connection. + * Because after EPIPE, another round of select won't + * return until timeout(9999s). */ + if (handle_pipe_error(result, conn)) { + return result; + } + goto schannel; } @@ -2075,6 +2127,11 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_sam: ntlmssp-sealed rpccli_samr_Connect2 " "failed for domain %s, error was %s. Trying schannel\n", domain->name, nt_errstr(result) )); + + if (handle_pipe_error(result, conn)) { + return result; + } + TALLOC_FREE(conn->samr_pipe); schannel: 
@@ -2095,6 +2152,9 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for " "domain %s using schannel. Error was %s\n", domain->name, nt_errstr(result) )); + if (handle_pipe_error(result, conn)) { + return result; + } goto anonymous; } DEBUG(10,("cm_connect_sam: connected to SAMR pipe for domain %s using " @@ -2110,6 +2170,11 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_sam: schannel-sealed rpccli_samr_Connect2 failed " "for domain %s, error was %s. Trying anonymous\n", domain->name, nt_errstr(result) )); + + if (handle_pipe_error(result, conn)) { + return result; + } + TALLOC_FREE(conn->samr_pipe); anonymous: @@ -2144,6 +2209,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, done: if (!NT_STATUS_IS_OK(result)) { + handle_pipe_error(result, conn); invalidate_cm_connection(conn); return result; } @@ -2194,6 +2260,11 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, "%s\\%s. Error was %s. Trying schannel.\n", domain->name, conn->cli->domain, conn->cli->user_name, nt_errstr(result))); + + if (handle_pipe_error(result, conn)) { + return result; + } + goto schannel; } @@ -2211,6 +2282,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying " "schannel\n")); + if (handle_pipe_error(result, conn)) { + return result; + } + TALLOC_FREE(conn->lsa_pipe); schannel: @@ -2232,6 +2307,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for " "domain %s using schannel. Error was %s\n", domain->name, nt_errstr(result) )); + if (handle_pipe_error(result, conn)) { + return result; + } + goto anonymous; } DEBUG(10,("cm_connect_lsa: connected to LSA pipe for domain %s using " 
@@ -2247,6 +2326,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, DEBUG(10,("cm_connect_lsa: rpccli_lsa_open_policy failed, trying " "anonymous\n")); + if (handle_pipe_error(result, conn)) { + return result; + } + TALLOC_FREE(conn->lsa_pipe); anonymous: @@ -2264,6 +2347,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, &conn->lsa_policy); done: if (!NT_STATUS_IS_OK(result)) { + handle_pipe_error(result, conn); invalidate_cm_connection(conn); return result; } @@ -2308,6 +2392,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, &ndr_table_netlogon.syntax_id, &netlogon_pipe); if (!NT_STATUS_IS_OK(result)) { + handle_pipe_error(result, conn); return result; } @@ -2339,6 +2424,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, &neg_flags); if (!NT_STATUS_IS_OK(result)) { + handle_pipe_error(result, conn); TALLOC_FREE(netlogon_pipe); return result; } @@ -2381,6 +2467,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, if (!NT_STATUS_IS_OK(result)) { DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error " "was %s\n", nt_errstr(result))); + + handle_pipe_error(result, conn); /* make sure we return something besides OK */ return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE; -- 1.5.3 From andreykondakov at gmail.com Mon Apr 20 16:50:57 2009 
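Review bot: handle_pipe_error(), in the first hunk of the "s3: handle EPIPE in pipes" patch above, reads conn->cli->fd without checking conn->cli for NULL, and the helper can be reached twice for a single failure: cm_get_schannel_dcinfo() calls it when cm_connect_netlogon() fails, while cm_connect_netlogon() already calls it on each of its own error returns. If invalidate_cm_connection() leaves conn->cli unset after the first call, the second call dereferences NULL. Suggest guarding with "if (conn->cli != NULL && conn->cli->fd != -1)" and dropping the outer call in cm_get_schannel_dcinfo(). The comment also reads "We have to close the first", where "the socket first" seems to be meant.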
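Review bot: at the done: labels of cm_connect_sam() and cm_connect_lsa() in the same patch, handle_pipe_error(result, conn) is followed directly by invalidate_cm_connection(conn), so a broken pipe invalidates the connection twice; closing the fd there and letting the existing invalidate_cm_connection() call do the rest would avoid that. In set_dc_type_and_flags_connect() the new early "return;" statements sit in a function whose other visible exits run TALLOC_FREE(cli) and TALLOC_FREE(mem_ctx) first, so check that nothing allocated by that point is skipped, and the done: hunk there calls handle_pipe_error() even when result is a success status, which is harmless but would read better under an NT_STATUS_IS_OK() check.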
From: andreykondakov at gmail.com (Andrey Kondakov)
Date: Mon Apr 20 16:50:54 2009
Subject: How to read 64-bit executable file version?
Message-ID: <3e1b7e8b0904200950x2cb54a3o61be2ef632232904@mail.gmail.com>

Hi All,
I use samba 3.0.24 in order to check file versions on remote hosts using smbclient and version built-in command.
Not long ago I started to notice that automatic scripts return errors and the reason was that 64-bit native executables were inspected.
For example, iexplore.exe on 64-bit Vista.

Error that I got is "PE file [] wrong machine = 0x..."

I suggest 64-bit executables have different header structure and that's why I am about to patch my samba, but can not find useful information how to calculate appropriate header offsets and all that is relevant.

Can somebody help and give guidelines?

Thanks,
Andrey

From tombork at web.de Mon Apr 20 16:44:52 2009
From: tombork at web.de (Thomas Bork)
Date: Mon Apr 20 17:09:41 2009
Subject: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed
In-Reply-To: <49E7007A.7010503@samba.org>
References: <20090416001736.GC15288@samba1> <49E6D7C9.3020406@falw.vu.nl> <49E7007A.7010503@samba.org>
Message-ID: <49ECA684.5080702@web.de>

Guenther Deschner wrote:

> You can just pick the fix for Bug 6263 from the Bugzilla entry:
> https://bugzilla.samba.org/attachment.cgi?id=4070&action=view

Is this fix also needed for 3.0.x?

I have to stick with 3.0.x because we are using a 2.4 kernel and the cifs module for this version is very old and insecure and new samba versions coming without support for smbfs.

der tom

From Volker.Lendecke at SerNet.DE Mon Apr 20 17:15:20 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon Apr 20 17:17:25 2009
Subject: How to read 64-bit executable file version?
In-Reply-To: <3e1b7e8b0904200950x2cb54a3o61be2ef632232904@mail.gmail.com>
References: <3e1b7e8b0904200950x2cb54a3o61be2ef632232904@mail.gmail.com>
Message-ID:

On Mon, Apr 20, 2009 at 07:50:57PM +0300, Andrey Kondakov wrote:
> Hi All,
> I use samba 3.0.24 in order to check file versions on remote hosts using
> smbclient and version built-in command.
> Not long ago I started to notice that automatic scripts return errors and
> the reason was that 64-bit native executables were inspected.
> For example, iexplore.exe on 64-bit Vista.
>
> Error that I got is "PE file [] wrong machine = 0x..."
>
> I suggest 64-bit executables have different header structure and that's why
> I am about to patch my samba, but can not find
> useful information how to calculate appropriate header offsets and all that
> is relevant.
>
> Can somebody help and give guidelines?

What part of Samba would inspect PE files now?

Volker

From Volker.Lendecke at SerNet.DE Mon Apr 20 17:14:52 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon Apr 20 17:17:28 2009
Subject: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed
In-Reply-To: <49ECA684.5080702@web.de>
References: <20090416001736.GC15288@samba1> <49E6D7C9.3020406@falw.vu.nl> <49E7007A.7010503@samba.org> <49ECA684.5080702@web.de>
Message-ID:

On Mon, Apr 20, 2009 at 06:44:52PM +0200, Thomas Bork wrote:
> Guenther Deschner wrote:
>
> >You can just pick the fix for Bug 6263 from the Bugzilla entry:
> >https://bugzilla.samba.org/attachment.cgi?id=4070&action=view
>
> Is this fix also needed for 3.0.x?
>
> I have to stick with 3.0.x because we are using a 2.4 kernel and the
> cifs module for this version is very old and insecure and new samba
> versions coming without support for smbfs.

Wait a second -- you can always just build 3.0, copy away smbmount, throw away the rest of 3.0 and go on using the rest of 3.3.

Volker

From gd at samba.org Mon Apr 20 20:46:34 2009
From: gd at samba.org (Guenther Deschner)
Date: Mon Apr 20 20:46:37 2009
Subject: [Samba] Re: [Release Planning 3.4] 3.4.0pre1 will be delayed
In-Reply-To:
References: <20090416001736.GC15288@samba1> <49E6D7C9.3020406@falw.vu.nl> <49E7007A.7010503@samba.org> <49ECA684.5080702@web.de>
Message-ID: <49ECDF2A.2050609@samba.org>

Volker Lendecke wrote:
> On Mon, Apr 20, 2009 at 06:44:52PM +0200, Thomas Bork wrote:
>> Guenther Deschner wrote:
>>
>>> You can just pick the fix for Bug 6263 from the Bugzilla entry:
>>> https://bugzilla.samba.org/attachment.cgi?id=4070&action=view
>> Is this fix also needed for 3.0.x?

No, it is not required for 3-0-test, as far as I can see.

Guenther

-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner@redhat.com
Samba Team                              gd@samba.org

From jra at samba.org Mon Apr 20 21:03:46 2009
From: jra at samba.org (Jeremy Allison)
Date: Mon Apr 20 21:04:03 2009
Subject: [PATCH] (partial) tevent_req_poll() loops for ever....
In-Reply-To: <49ED29C8020000EE0006141A@lucius.provo.novell.com>
References: <49ED29C8020000EE0006141A@lucius.provo.novell.com>
Message-ID: <20090420210346.GE6899@jeremy-laptop>

On Mon, Apr 20, 2009 at 10:04:55AM -0600, Bo Yang wrote:
> Hi, everyone:
> Taking cm_connect_lsa() for example. Assuming network connection is good initially, but when cli_rpc_pipe_open_spnego_ntlmssp() is invoked, remote end is closed. So, it returns NT_STATUS_BROKEN_PIPE(mapped from EPIPE). Then we go to schannel or anonymous, which makes no difference. Because the socket is broken now(but fd is owned by current process, winbindd), the fd(socket) won't be writable or readable any more. Then have a look at what tevent_req_poll() does, req is always in progress, tevent_loop_once() --> s3_event_loop_once() ---> add the fd to select's writefds set ---> select times out and returns 0. again and again, tevent_req_poll() loops forever........
> I think we should do a test after each rpc call to see if the status is BROKEN PIPE, if it is, we must close the socket and free all pipes. We must close socket first, and set cli->fd to -1. Otherwise, pipe's destructor will try to write to the fd, which cause tevent_req_poll() loops forever. My previous patch to test if cli->fd must be there to make this work, otherwise, winbindd just crash in FD_SET(-1, &writefds)....
> I have add test of the status after rpc call in winbindd_cm.c, but that is not complete. We have to add it other places after rpc call, which would be a lot of repeated work.....
> Pls correct me if I am wrong. Thanks!
> patch is for master!

This sounds correct to me, but I'll have to think about this carefully some more...

When do you get to the conference so we can discuss this in person ?

Jeremy.
From jorgar at gmail.com Tue Apr 21 04:03:54 2009
From: jorgar at gmail.com (James Peach)
Date: Tue Apr 21 04:09:18 2009
Subject: Samba patches @apple.com
In-Reply-To:
References:
Message-ID:

2009/4/20 Björn Jacke :
> Hi James,
>
> On 2009-04-06 at 09:03 -0700 James Peach sent off:
>> It's quite a lot of work to do this, and in general these patches are
>> only interesting for Apple. If you have specific patches that you'd
>> like let me know.
>
> may I come back to your offer to bring specific patches upstream?
>
> There are three non-trivial Darwin specific patches that I'm very interested
> in:
>
> - Darwin's NTFS ACL support

I'm going to wait on this until after SnowLeopard ships so that I can give you the latest code. Sorry, no ETA on that.

> - Stream support for Darwin

This was already posted. It's in the archives.

> - Creation time support for Darwin

OK, I'll kick the process on this

>
> Thanks in advance
> Björn
>

-- 
James Peach | jorgar@gmail.com

From boyang at novell.com Tue Apr 21 06:43:40 2009
From: boyang at novell.com (Bo Yang)
Date: Tue Apr 21 06:44:07 2009
Subject: [PATCH] (partial) tevent_req_poll() loops for ever....
Message-ID: <49EDF7BD020000EE000614DC@lucius.provo.novell.com>

Best Regards
BoYang
-------------------------
Bo Yang, Software Engineer
Novell, Beijing, China
boyang@novell.com

>>> Jeremy Allison 04/21/09 7:03 AM >>>
This sounds correct to me, but I'll have to think about this carefully some more...

When do you get to the conference so we can discuss this in person ?

Yep. I'll be there tomorrow. :-)
Sorry for the wicked format of the mail, my mail client cannot contact smtp server when I came to Germany... I have to use web access. :-(

Jeremy.

From jra at samba.org Tue Apr 21 09:02:18 2009
From: jra at samba.org (Jeremy Allison)
Date: Tue Apr 21 09:02:20 2009
Subject: [PATCH] (partial) tevent_req_poll() loops for ever....
In-Reply-To: <49ED29C8020000EE0006141A@lucius.provo.novell.com>
References: <49ED29C8020000EE0006141A@lucius.provo.novell.com>
Message-ID: <20090421090218.GC7001@jeremy-laptop>

On Mon, Apr 20, 2009 at 10:04:55AM -0600, Bo Yang wrote:
> Hi, everyone:
> Taking cm_connect_lsa() for example. Assuming network connection is good initially, but when cli_rpc_pipe_open_spnego_ntlmssp() is invoked, remote end is closed. So, it returns NT_STATUS_BROKEN_PIPE(mapped from EPIPE). Then we go to schannel or anonymous, which makes no difference. Because the socket is broken now(but fd is owned by current process, winbindd), the fd(socket) won't be writable or readable any more. Then have a look at what tevent_req_poll() does, req is always in progress, tevent_loop_once() --> s3_event_loop_once() ---> add the fd to select's writefds set ---> select times out and returns 0. again and again, tevent_req_poll() loops forever........
> I think we should do a test after each rpc call to see if the status is BROKEN PIPE, if it is, we must close the socket and free all pipes. We must close socket first, and set cli->fd to -1. Otherwise, pipe's destructor will try to write to the fd, which cause tevent_req_poll() loops forever. My previous patch to test if cli->fd must be there to make this work, otherwise, winbindd just crash in FD_SET(-1, &writefds)....
> I have add test of the status after rpc call in winbindd_cm.c, but that is not complete. We have to add it other places after rpc call, which would be a lot of repeated work.....
> Pls correct me if I am wrong. Thanks!

Ok, I've reviewed this carefully (with some test code) and you're completely correct. We'll have to deal with this, I've talked to Volker and he has some ideas on how to deal with this efficiently.

Thanks !

Jeremy.

From andreykondakov at gmail.com Tue Apr 21 11:42:58 2009
From: andreykondakov at gmail.com (Andrey Kondakov)
Date: Tue Apr 21 11:49:23 2009
Subject: How to read 64-bit executable file version?
In-Reply-To:
References: <3e1b7e8b0904200950x2cb54a3o61be2ef632232904@mail.gmail.com>
Message-ID: <3e1b7e8b0904210442j285f5691xe0599e84a32c1d@mail.gmail.com>

Well, I guess I confused you a bit, sorry.
I use customized samba smbclient that carries file version inspection functionality fetched from pretty old samba release. That was done by my former colleague.
I suggest standard smbclient can not perform file version check as publicly available operation.
Nevertheless, I think similar logic is implemented in nt_printing module where I discovered function get_file_version.
Is it possible to adopt this one to inspect file version or its logic covers specific case?

Thanks,
Andrey

On Mon, Apr 20, 2009 at 8:15 PM, Volker Lendecke wrote:

> On Mon, Apr 20, 2009 at 07:50:57PM +0300, Andrey Kondakov wrote:
> > Hi All,
> > I use samba 3.0.24 in order to check file versions on remote hosts using
> > smbclient and version built-in command.
> > Not long ago I started to notice that automatic scripts return errors and
> > the reason was that 64-bit native executables were inspected.
> > For example, iexplore.exe on 64-bit Vista.
> >
> > Error that I got is "PE file [] wrong machine = 0x..."
> >
> > I suggest 64-bit executables have different header structure and that's
> why
> > I am about to patch my samba, but can not find
> > useful information how to calculate appropriate header offsets and all
> that
> > is relevant.
> >
> > Can somebody help and give guidelines?
>
> What part of Samba would inspect PE files now?
>
> Volker
>

From jlayton at redhat.com Tue Apr 21 12:28:29 2009
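On the header-offset question in the "How to read 64-bit executable file version?" thread above, an added example (not code from Samba or from any poster): version information is stored in the resource table, and in the published PE/COFF layout it is the optional-header magic (PE32 or PE32+), not the machine value alone, that decides where the data directories sit. The names pe_locate_resources and build_sample and the sample image are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_MACHINE_I386   0x014c  /* 32-bit x86 */
#define PE_MACHINE_AMD64  0x8664  /* x64 */
#define PE_MAGIC_PE32     0x010b  /* optional-header magic of a 32-bit image */
#define PE_MAGIC_PE32PLUS 0x020b  /* optional-header magic of a 64-bit image */
#define PE_DIR_RESOURCE   2       /* data-directory index of the resource table */

struct pe_info {
	uint16_t machine, opt_magic;
	uint32_t rsrc_rva, rsrc_file_off;  /* file offset stays 0 if no section maps the RVA */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* Returns 0 on success, negative if the headers are malformed or truncated. */
int pe_locate_resources(const uint8_t *buf, size_t len, struct pe_info *out)
{
	size_t pe, opt, dirs, sec, i;
	uint16_t nsec, opt_size;

	memset(out, 0, sizeof(*out));
	if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
		return -1;
	pe = rd32(buf + 0x3c);                  /* e_lfanew: offset of "PE\0\0" */
	if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0)
		return -2;
	out->machine = rd16(buf + pe + 4);
	nsec = rd16(buf + pe + 6);              /* NumberOfSections */
	opt_size = rd16(buf + pe + 20);         /* SizeOfOptionalHeader */
	opt = pe + 24;                          /* 4-byte signature + 20-byte COFF header */
	if (opt_size < 2 || len - opt < opt_size)
		return -3;
	out->opt_magic = rd16(buf + opt);
	/* PE32+ drops BaseOfData and widens five fields: directories start 16 bytes later. */
	dirs = out->opt_magic == PE_MAGIC_PE32 ? 96 :
	       out->opt_magic == PE_MAGIC_PE32PLUS ? 112 : 0;
	if (dirs == 0 || opt_size < dirs)
		return -4;
	if (rd32(buf + opt + dirs - 4) <= PE_DIR_RESOURCE)  /* NumberOfRvaAndSizes */
		return 0;                           /* image has no resource table */
	if (opt_size < dirs + 8 * (PE_DIR_RESOURCE + 1))
		return -5;
	out->rsrc_rva = rd32(buf + opt + dirs + 8 * PE_DIR_RESOURCE);
	/* Translate the RVA to a file offset through the 40-byte section headers. */
	sec = opt + opt_size;
	if ((len - sec) / 40 < nsec)
		return -6;
	for (i = 0; i < nsec; i++) {
		const uint8_t *s = buf + sec + 40 * i;
		uint32_t va = rd32(s + 12), rawsize = rd32(s + 16), rawptr = rd32(s + 20);
		uint32_t delta = out->rsrc_rva - va;
		if (out->rsrc_rva < va || delta >= rawsize)
			continue;
		if (delta > UINT32_MAX - rawptr || rawptr + delta >= len)
			return -7;                      /* section data lies outside the file */
		out->rsrc_file_off = rawptr + delta;
		break;
	}
	return 0;
}

/* Constructed sample: bare headers and one section header, not a loadable image. */
void build_sample(uint8_t buf[0x300], int pe32plus)
{
	size_t pe = 0x80, opt = pe + 24, dirs = pe32plus ? 112 : 96;
	size_t opt_size = dirs + 16 * 8, rs = opt + dirs + 8 * PE_DIR_RESOURCE;
	uint8_t *s = buf + opt + opt_size;      /* first section header */
	memset(buf, 0, 0x300);
	memcpy(buf, "MZ", 2);
	wr32(buf + 0x3c, (uint32_t)pe);
	memcpy(buf + pe, "PE\0\0", 4);
	wr16(buf + pe + 4, pe32plus ? PE_MACHINE_AMD64 : PE_MACHINE_I386);
	wr16(buf + pe + 6, 1);                  /* NumberOfSections */
	wr16(buf + pe + 20, (uint32_t)opt_size);
	wr16(buf + opt, pe32plus ? PE_MAGIC_PE32PLUS : PE_MAGIC_PE32);
	wr32(buf + opt + dirs - 4, 16);         /* NumberOfRvaAndSizes */
	wr32(buf + rs, 0x3000);                 /* resource table RVA */
	wr32(s + 12, 0x3000);                   /* VirtualAddress */
	wr32(s + 16, 0x100);                    /* SizeOfRawData */
	wr32(s + 20, 0x200);                    /* PointerToRawData */
}

int main(void)
{
	uint8_t img[0x300];
	struct pe_info pi;

	build_sample(img, 1);
	if (pe_locate_resources(img, sizeof(img), &pi) != 0)
		return 1;
	printf("magic 0x%x, resources at 0x%x\n", (unsigned)pi.opt_magic, (unsigned)pi.rsrc_file_off);
	return 0;
}
```

A checker that rejects every machine value other than i386 stops before it reaches the magic; accepting AMD64 and switching the directory offset on the magic is the part that differs for 64-bit images.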
From: jlayton at redhat.com (Jeff Layton)
Date: Tue Apr 21 12:29:17 2009
Subject: [PATCH 0/2] cifs: pass credcache name to upcall when doing krb5 auth (RFC)
Message-ID: <1240316911-15822-1-git-send-email-jlayton@redhat.com>

The problem: cifs.upcall doesn't handle the case where we have a non-default credcache name. This is common when pam_krb5 is used. The credcache will usually have a name with some random characters appended:

So we get a cache that's something like "FILE:/tmp/krb5cc_50001_nIiMF2" instead of "FILE:/tmp/krb5cc_50001". When this is the case, then cifs.upcall can't find the credcache and mounts fail.

What we need to do is to look for the $KRB5CCNAME env var in mount.cifs and then pass it to the kernel so that it can pass it to cifs.upcall. We could add a new field for this, but when using sec=krb5, we don't use the "pass=" option anyway.

This set (and the forthcoming kernel patch) add this capability and allow krb5 mounts to work with credcaches given by mount.cifs.

If this looks feasible, then I'll see about doing some other cleanups to turn sesInfo->password into a more general "credinfo" field. We'll also need to fix mount.cifs to handle the situation correctly when someone specifies both pass= and sec=krb5 options.

Jeff Layton (2):
  cifs.upcall: allow use of alternate credcache name
  mount.cifs: stuff pass= option with $KRB5CCNAME when sec=krb5 is specified

 source3/client/cifs.upcall.c | 34 +++++++++++++++++++++++-----------
 source3/client/mount.cifs.c | 9 +++++++--
 2 files changed, 30 insertions(+), 13 deletions(-)

From jlayton at redhat.com Tue Apr 21 12:28:30 2009
From: jlayton at redhat.com (Jeff Layton) Date: Tue Apr 21 12:29:22 2009 Subject: [PATCH 1/2] cifs.upcall: allow use of alternate credcache name In-Reply-To: <1240316911-15822-1-git-send-email-jlayton@redhat.com> References: <1240316911-15822-1-git-send-email-jlayton@redhat.com> Message-ID: <1240316911-15822-2-git-send-email-jlayton@redhat.com> If the kernel passes cifs.upcall a ccname, use it for getting the creds. Signed-off-by: Jeff Layton --- source3/client/cifs.upcall.c | 34 +++++++++++++++++++++++----------- 1 files changed, 23 insertions(+), 11 deletions(-) diff --git a/source3/client/cifs.upcall.c b/source3/client/cifs.upcall.c index 4110de3..4fa43d1 100644 --- a/source3/client/cifs.upcall.c +++ b/source3/client/cifs.upcall.c @@ -58,15 +58,15 @@ typedef enum _secType { * ret: 0 - success, others - failure */ static int -handle_krb5_mech(const char *oid, const char *principal, - DATA_BLOB * secblob, DATA_BLOB * sess_key) +handle_krb5_mech(const char *oid, const char *principal, DATA_BLOB *secblob, + DATA_BLOB *sess_key, char *ccname) { int retval; DATA_BLOB tkt, tkt_wrapped; /* get a kerberos ticket for the service and extract the session key */ - retval = cli_krb5_get_ticket(principal, 0, - &tkt, sess_key, 0, NULL, NULL); + retval = cli_krb5_get_ticket(principal, 0, &tkt, sess_key, 0, + ccname, NULL); if (retval) return retval; 
@@ -88,21 +88,21 @@ handle_krb5_mech(const char *oid, const char *principal, #define DKD_HAVE_IPV4 8 #define DKD_HAVE_IPV6 16 #define DKD_HAVE_UID 32 +#define DKD_HAVE_CCNAME 64 #define DKD_MUSTHAVE_SET (DKD_HAVE_HOSTNAME|DKD_HAVE_VERSION|DKD_HAVE_SEC) static int -decode_key_description(const char *desc, int *ver, secType_t * sec, - char **hostname, uid_t * uid) +decode_key_description(const char *desc, int *ver, secType_t *sec, + char **hostname, uid_t *uid, char **credinfo) { int retval = 0; + int len; char *pos; const char *tkn = desc; do { pos = index(tkn, ';'); if (strncmp(tkn, "host=", 5) == 0) { - int len; - if (pos == NULL) { len = strlen(tkn); } else { @@ -146,6 +146,17 @@ decode_key_description(const char *desc, int *ver, secType_t * sec, } else { retval |= DKD_HAVE_VERSION; } + } else if (strncmp(tkn, "credinfo=", 9) == 0) { + if (pos == NULL) + len = strlen(tkn); + else + len = pos - tkn; + + len -= 8; + SAFE_FREE(*credinfo); + *credinfo = SMB_XMALLOC_ARRAY(char, len); + strlcpy(*credinfo, tkn + 9, len); + retval |= DKD_HAVE_CCNAME; } if (pos == NULL) break; @@ -226,7 +237,7 @@ int main(const int argc, char *const argv[]) uid_t uid = 0; int kernel_upcall_version = 0; int c, use_cifs_service_prefix = 0; - char *buf, *hostname = NULL; + char *buf, *hostname = NULL, *credinfo = NULL; const char *oid; openlog(prog, 0, LOG_DAEMON); @@ -278,7 +289,7 @@ int main(const int argc, char *const argv[]) } rc = decode_key_description(buf, &kernel_upcall_version, §ype, - &hostname, &uid); + &hostname, &uid, &credinfo); if ((rc & DKD_MUSTHAVE_SET) != DKD_MUSTHAVE_SET) { syslog(LOG_WARNING, "unable to get from description necessary params"); @@ -333,7 +344,8 @@ int main(const int argc, char *const argv[]) else oid = OID_KERBEROS5; - rc = handle_krb5_mech(oid, princ, &secblob, &sess_key); + rc = handle_krb5_mech(oid, princ, &secblob, &sess_key, + credinfo); SAFE_FREE(princ); break; } -- 1.6.2.2 From jlayton at redhat.com Tue Apr 21 12:28:31 2009 
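Review bot: in the decode_key_description() hunk of source3/client/cifs.upcall.c, the new "credinfo=" branch sets DKD_HAVE_CCNAME even when the value is empty. A description token of just "credinfo=" gives len = 9, then len -= 8 leaves 1, so a one-byte empty string is allocated and later handed to handle_krb5_mech() as a non-NULL ccname. Suggest leaving *credinfo NULL when the value is empty. The literals 9 and 8 only agree because "credinfo=" is nine bytes long, so deriving both from one sizeof("credinfo=") - 1 constant would keep the offset and the allocation size from drifting apart.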
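Review bot: in the handle_krb5_mech() and main() hunks of source3/client/cifs.upcall.c, the credinfo string taken from the key description is passed straight to cli_krb5_get_ticket() as the cache name with no validation. The cover letter says the value originates from $KRB5CCNAME in the environment of whoever ran mount.cifs, and decode_key_description() already returns the uid from the same description, so the helper could check that the named cache belongs to that uid before using it. The new parameter could also be const char *ccname to match oid and principal.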
From: jlayton at redhat.com (Jeff Layton) Date: Tue Apr 21 12:29:28 2009 Subject: [PATCH 2/2] mount.cifs: stuff pass= option with $KRB5CCNAME when sec=krb5 is specified In-Reply-To: <1240316911-15822-1-git-send-email-jlayton@redhat.com> References: <1240316911-15822-1-git-send-email-jlayton@redhat.com> Message-ID: <1240316911-15822-3-git-send-email-jlayton@redhat.com> Signed-off-by: Jeff Layton --- source3/client/mount.cifs.c | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c index 0c551cc..d2bcd10 100644 --- a/source3/client/mount.cifs.c +++ b/source3/client/mount.cifs.c @@ -369,6 +369,7 @@ static int parse_options(char ** optionsp, int * filesys_flags) char * value = NULL; char * next_keyword = NULL; char * out = NULL; + char * ccname; int out_len = 0; int word_len; int rc = 0; @@ -484,9 +485,13 @@ static int parse_options(char ** optionsp, int * filesys_flags) } } else if (strncmp(data, "sec", 3) == 0) { if (value) { - if (!strncmp(value, "none", 4) || - !strncmp(value, "krb5", 4)) + if (!strncmp(value, "none", 4)) { got_password = 1; + } else if (!strncmp(value, "krb5", 4)) { + got_password = 1; + if (ccname = getenv("KRB5CCNAME")) + mountpassword = strdup(ccname); + } } } else if (strncmp(data, "ip", 2) == 0) { if (!value || !*value) { -- 1.6.2.2 From jlayton at redhat.com Tue Apr 21 12:29:00 2009 From: jlayton at redhat.com (Jeff Layton) Date: Tue Apr 21 12:29:34 2009 Subject: [PATCH] cifs: send password field to upcall if we need spnego key Message-ID: <1240316940-15891-1-git-send-email-jlayton@redhat.com> We don't currently use the password field in sesInfo for krb5 auth. Hijack it in that case by treating it as a generic credential info field. For krb5 we can use it to pass $KRB5CCNAME to the upcall. To properly use this will require support in both mount.cifs and cifs.upcall. 
Signed-off-by: Jeff Layton --- fs/cifs/cifs_spnego.c | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-) diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c index 67bf93a..3e4d806 100644 --- a/fs/cifs/cifs_spnego.c +++ b/fs/cifs/cifs_spnego.c @@ -88,6 +88,9 @@ struct key_type cifs_spnego_key_type = { /* strlen of ";user=" */ #define USER_KEY_LEN 6 +/* strlen of ";credinfo=" */ +#define USER_CREDINFO_LEN 10 + /* get a key struct with a SPNEGO security blob, suitable for session setup */ struct key * cifs_get_spnego_key(struct cifsSesInfo *sesInfo) @@ -105,7 +108,8 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo) IP_KEY_LEN + MAX_IPV6_ADDR_LEN + MAX_MECH_STR_LEN + UID_KEY_LEN + (sizeof(uid_t) * 2) + - USER_KEY_LEN + strlen(sesInfo->userName) + 1; + USER_KEY_LEN + strlen(sesInfo->userName) + 1 + + USER_CREDINFO_LEN + strlen(sesInfo->password + 1); spnego_key = ERR_PTR(-ENOMEM); description = kzalloc(desc_len, GFP_KERNEL); @@ -143,6 +147,11 @@ cifs_get_spnego_key(struct cifsSesInfo *sesInfo) dp = description + strlen(description); sprintf(dp, ";user=%s", sesInfo->userName); + if (sesInfo->password) { + dp = description + strlen(description); + sprintf(dp, ";credinfo=%s", sesInfo->password); + } + cFYI(1, ("key description = %s", description)); spnego_key = request_key(&cifs_spnego_key_type, description, ""); -- 1.6.2.2 From zahari.zahariev at postpath.com Tue Apr 21 12:56:05 2009 
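Review bot: in the parse_options() hunk of source3/client/mount.cifs.c, mountpassword = strdup(ccname) is not checked for NULL and overwrites mountpassword without freeing anything an earlier option may have stored there. The result also depends on option order, which is the pass= plus sec=krb5 case the cover letter says still needs handling. The condition if (ccname = getenv("KRB5CCNAME")) is an assignment used as a truth value; writing it as ccname = getenv("KRB5CCNAME"); if (ccname != NULL) avoids the compiler warning and makes the intent explicit. The environment value is copied with no length or content check before it is sent on to the kernel.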
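Review bot: in the desc_len hunk of fs/cifs/cifs_spnego.c, strlen(sesInfo->password + 1) has the closing parenthesis in the wrong place. It measures the string starting at its second byte, so the total is smaller than strlen(sesInfo->password) + 1 would give, and for an empty password it reads past the terminator. The expression also dereferences sesInfo->password unconditionally, while the sprintf() added further down is guarded by if (sesInfo->password); the length term needs the same guard. Two further points on the sprintf() hunk: the value is written with ";credinfo=%s" without rejecting ';', which is the field separator the upcall splits on, and when a real password is present it ends up in the key description that the following cFYI() line logs.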
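The three patches above move a caller-supplied cache name through a ';'-separated key description into a privileged helper. The following C code is an added example, not code from the patch series or from Samba: it shows one way to append and parse a "credinfo=" field with explicit length accounting and separator rejection, and to check a FILE: cache against an expected uid. The function names, the 0600-only policy and the sample description values are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define CREDINFO_KEY ";credinfo="   /* token as written by the kernel patch */

/* Append ";credinfo=<ccname>" to desc (capacity `size`, NUL included).
 * Returns 0 on success; -1 if the value is NULL or empty, contains the ';'
 * field separator or a control character, or does not fit. */
int append_credinfo(char *desc, size_t size, const char *ccname)
{
    const unsigned char *p;
    size_t used, need;

    if (ccname == NULL || *ccname == '\0')
        return -1;
    for (p = (const unsigned char *)ccname; *p; p++)
        if (*p == ';' || *p < 0x20 || *p == 0x7f)
            return -1;
    used = strlen(desc);
    need = strlen(CREDINFO_KEY) + strlen(ccname) + 1;   /* +1 for the NUL */
    if (used >= size || need > size - used)
        return -1;
    snprintf(desc + used, size - used, "%s%s", CREDINFO_KEY, ccname);
    return 0;
}

/* Return a malloc'ed copy of the credinfo value from a ';'-separated key
 * description, or NULL if the field is absent, empty or repeated. */
char *parse_credinfo(const char *desc)
{
    const size_t klen = sizeof("credinfo=") - 1;
    const char *tkn = desc;
    char *val = NULL;

    while (tkn != NULL) {
        const char *end = strchr(tkn, ';');
        size_t len = end ? (size_t)(end - tkn) : strlen(tkn);

        if (len >= klen && strncmp(tkn, "credinfo=", klen) == 0) {
            if (val != NULL || len == klen) {   /* repeated or empty */
                free(val);
                return NULL;
            }
            val = malloc(len - klen + 1);
            if (val == NULL)
                return NULL;
            memcpy(val, tkn + klen, len - klen);
            val[len - klen] = '\0';
        }
        tkn = end ? end + 1 : NULL;
    }
    return val;
}

/* Policy (an assumption of this example): the cache must be a regular file,
 * owned by the expected uid, with no group or other permission bits. */
int cache_mode_owner_ok(mode_t mode, uid_t owner, uid_t want)
{
    return S_ISREG(mode) && owner == want && (mode & 077) == 0;
}

/* Accept only "FILE:/absolute/path" names that pass the policy above.
 * lstat() is used so that a symlink at the path is rejected. The check and
 * the later open are separate steps; a real helper must close that gap too. */
int ccname_ok_for_uid(const char *ccname, uid_t uid)
{
    struct stat st;

    if (ccname == NULL || strncmp(ccname, "FILE:/", 6) != 0)
        return 0;
    if (lstat(ccname + 5, &st) != 0)
        return 0;
    return cache_mode_owner_ok(st.st_mode, st.st_uid, uid);
}

int main(void)
{
    /* Constructed sample: field names follow the tokens and DKD_HAVE_*
     * flags visible in the patches; every value here is made up. */
    char desc[128] = "ver=0x2;host=server.example;sec=krb5;uid=0xc351;user=alice";
    char *cc;

    if (append_credinfo(desc, sizeof(desc), "FILE:/tmp/krb5cc_50001_nIiMF2") != 0)
        return 1;
    cc = parse_credinfo(desc);
    printf("description: %s\ncredinfo: %s\n", desc, cc ? cc : "(none)");
    printf("value containing ';' accepted: %s\n",
           append_credinfo(desc, sizeof(desc), "FILE:/tmp/x;host=other.example") == 0
               ? "yes" : "no");
    free(cc);
    return 0;
}
```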
From: zahari.zahariev at postpath.com (Zahari Zahariev) Date: Tue Apr 21 12:56:02 2009 Subject: SDDL parser (not finished) Message-ID: <49EDC265.9010409@postpath.com> Hello list, I have here some idea about a SDDL parser that could translate SDDL descriptor to human readable format (like sddlparse.exe does from MS). For now it converts only DACL bundles but this will change soon. It might have some bugs as well. What I send it for is your feedback will it make any use for the project? There is an example included in the commit message. Thanks! -Zahari -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-SDDL-parser.patch Type: text/x-patch Size: 7606 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090421/46d4655c/0001-SDDL-parser.bin From michael at stroeder.com Tue Apr 21 13:24:28 2009 
From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Tue Apr 21 13:24:36 2009 Subject: structuralObjectClass multi-valued in W2K8 In-Reply-To: <1240241440.12796.15.camel@ruth> References: <49E9F37A.2070300@stroeder.com> <1240241440.12796.15.camel@ruth> Message-ID: <49EDC90C.2010303@stroeder.com> Andrew Bartlett wrote: > On Sat, 2009-04-18 at 17:36 +0200, Michael Ströder wrote: >> >> Looking at a user entry in MS AD on W2K8 there's a bug with attribute >> 'structuralObjectClass'. It lists all (structural) object classes >> whereas other LDAPv3 compliant servers only list *the* structural object >> class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE. >> [..] >> Why to care about this? A really schema-aware client (e.g. my web2ldap) >> might look at the attribute structuralObjectClass while determining the >> governing structural rule of an entry (in case DIT structure rules are >> in effect). >> >> Now the question is whether Samba4 wants to mimic this bug or whether >> it would be worth trying to convince the MS developers to fix it. >> >> There are other schema bugs like 'objectClass' being declared as >> NO-USER-MODIFICATION while MS AD happily accepts modifications... > > Samba4 will implement the same 'bugs' as AD in all these cases. And if MS fixes these bugs later Samba4 will also get "fixed"? So why not talk to them before putting effort into mimic the bugs? Is the current reference for Samba4 W2K8R2? (Can't test this myself because I don't have 64-bit hardware available). Ciao, Michael. From andrei.beliy at yahoo.com Tue Apr 21 13:58:44 2009 
From: andrei.beliy at yahoo.com (Andreika) Date: Tue Apr 21 13:58:55 2009 Subject: is current samba4 how-to up-to-date? In-Reply-To: <36fd795d0904170325k4164bc78l3764e1f19859c295@mail.gmail.com> References: <36fd795d0904170325k4164bc78l3764e1f19859c295@mail.gmail.com> Message-ID: <23156728.post@talk.nabble.com> successfully solved the problem: my .zone file contained ip address 127.0.0.1 (which was taken from /etc/hosts file), i changed it to my local ip and everything worked! P.S. it was me who wrote email. now I have some more problems. 1. I set up samba 4 alpha7 with openldap. everything works fine, but _very_ slow! i can see some sasl error messages in logs. I also suppose samba makes too much responses, because it takes my win xp about a minute to open dsa.msc )) 2. I cannot compile current samba 7 - alpha8 - git: Unable to map ../libcli/auth/credentials.h at ./script/installheader.pl Thanks. ????? ??????? wrote: > > I have one question about article - > http://wiki.samba.org/index.php/Samba4/HOWTO > the date is December 2004, so I wanna ask you if there are some updates in > this documentation? > I have installed samba4 alpha7 (and alpha8 git) - compiling/make/make > install > - no errors. Joining XP into domain - success, but.. > when I start dsa.msc (after setting it up) I get an error! sth like "You > are > trying to connect win 2000 domain, not 2003, so use 2000 server tools" (I > can send you the whole text). > I set up win 2000 tools over my win xp, and win 2000 separately, specially > for this test - unsuccessful. > > I am using Ubuntu 9.04 beta. also tried Ubuntu 8.10 - both - deb package > from repository and installing from source - same error. > Is it possible that it's all because I have russian version of xp (i don't > think so..)? > Thank you very much! 
> > -- > Denis Nikulin | Seeding Assistant > > GoViral: www.goviral.com | Cell: +7 911 1328110 | E-mail: > denisnikulin@gmail.com | Skype: denisnikulin > > Head office: 10A Belmont Street, London, NW1 8HH, UK > Production and Development: Studiestraede 19-4, 1455 Copenhagen K, Denmark > Local GoViral offices and partners: London, Copenhagen, Stockholm, > Hamburg, > Moscow, Milan, Tokyo, Paris > > Digital Brand Activation in more than 30 countries worldwide > > -- View this message in context: http://www.nabble.com/is-current-samba4-how-to-up-to-date--tp23095014p23156728.html Sent from the Samba - samba-technical mailing list archive at Nabble.com. From steven.danneman at isilon.com Tue Apr 21 14:30:18 2009 From: steven.danneman at isilon.com (Steven Danneman) Date: Tue Apr 21 14:28:42 2009 Subject: RFC [PATCH]: ignore recurisve change notify Message-ID: <4B380F71E6E9554CBDEF046D1CDF5E4C04483DAD@seaxch08.desktop.isilon.com> Using Isilon's kernel change notify module on a very deep directory structure can cause a significant slow down in the system. This patch allows Samba to ignore recursive CN requests while still honoring non-recursive requests. I could make this a custom parameter in the onefs.so module, but I'm guessing this problem can also apply to inotify and the stock Samba CN implementation. Any objections to adding this new parameter? -Steven -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Add-change-notify-recursive-parameter.patch Type: application/octet-stream Size: 3433 bytes Desc: 0001-Add-change-notify-recursive-parameter.patch Url : http://lists.samba.org/archive/samba-technical/attachments/20090421/dde67152/0001-Add-change-notify-recursive-parameter.obj From abartlet at samba.org Tue Apr 21 14:30:27 2009 
From: abartlet at samba.org (Andrew Bartlett) Date: Tue Apr 21 14:51:11 2009 Subject: structuralObjectClass multi-valued in W2K8 In-Reply-To: <49EDC90C.2010303@stroeder.com> References: <49E9F37A.2070300@stroeder.com> <1240241440.12796.15.camel@ruth> <49EDC90C.2010303@stroeder.com> Message-ID: <1240324227.7767.6.camel@ruth> On Tue, 2009-04-21 at 15:24 +0200, Michael Ströder wrote: > Andrew Bartlett wrote: > > On Sat, 2009-04-18 at 17:36 +0200, Michael Ströder wrote: > >> > >> Looking at a user entry in MS AD on W2K8 there's a bug with attribute > >> 'structuralObjectClass'. It lists all (structural) object classes > >> whereas other LDAPv3 compliant servers only list *the* structural object > >> class of an entry. Normally 'structuralObjectClass' is SINGLE-VALUE. > >> [..] > >> Why to care about this? A really schema-aware client (e.g. my web2ldap) > >> might look at the attribute structuralObjectClass while determining the > >> governing structural rule of an entry (in case DIT structure rules are > >> in effect). > >> > >> Now the question is whether Samba4 wants to mimic this bug or whether > >> it would be worth trying to convince the MS developers to fix it. > >> > >> There are other schema bugs like 'objectClass' being declared as > >> NO-USER-MODIFICATION while MS AD happily accepts modifications... > > > > Samba4 will implement the same 'bugs' as AD in all these cases. > > And if MS fixes these bugs later Samba4 will also get "fixed"? I don't expect these behaviours to change, as it is documented in MS-ADTS It is documented 3.1.1.3.1.1.5. > So why not talk to them before putting effort into mimic the bugs? As this attribute is operational, it won't be much work to change, if there was ever a change from Microsoft. I don't expect any change here - it would break their existing clients. > Is the current reference for Samba4 W2K8R2? > (Can't test this myself because I don't have 64-bit hardware available). 
In general, the latest available release is the reference. I'm mostly testing against Win2k8 or Win2k3 these days. I'm sorry we can't abide by the RFCs in implementing Samba4, but it's simply not a goal for us. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc. http://redhat.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090421/e76cf139/attachment.bin From michael at stroeder.com Tue Apr 21 15:30:46 2009 From: michael at stroeder.com (=?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?=) Date: Tue Apr 21 15:30:58 2009 Subject: structuralObjectClass multi-valued in W2K8 In-Reply-To: <1240324227.7767.6.camel@ruth> References: <49E9F37A.2070300@stroeder.com> <1240241440.12796.15.camel@ruth> <49EDC90C.2010303@stroeder.com> <1240324227.7767.6.camel@ruth> Message-ID: <49EDE6A6.1090102@stroeder.com> Andrew Bartlett wrote: > > I'm sorry we can't abide by the RFCs in implementing Samba4, but it's > simply not a goal for us. Understood. It was meant just as food for thought. Ciao, Michael. From wdevie at hrcsb.org Tue Apr 21 16:09:47 2009 
From: wdevie at hrcsb.org (Wes Deviers) Date: Tue Apr 21 16:30:29 2009 Subject: is current samba4 how-to up-to-date? In-Reply-To: <23156728.post@talk.nabble.com> References: <36fd795d0904170325k4164bc78l3764e1f19859c295@mail.gmail.com> <23156728.post@talk.nabble.com> Message-ID: <200904211209.47819.wdevie@hrcsb.org> On Tuesday 21 April 2009 09:58:44 Andreika wrote: > > successfully solved the problem: > my .zone file contained ip address 127.0.0.1 (which was taken from > /etc/hosts file), i changed it to my local ip and everything worked! > P.S. it was me who wrote email. > > now I have some more problems. > 1. I set up samba 4 alfa7 with openldap. everything works fine, bur _very_ > slow! i can see some sasl error messages in logs. I also suppose samba makes > too much responses, because it takes my win xp about a minute to open > dsa.msc )) Are you still running is at -M single? That tends to run it really slowly for me, but when I switch to running it normally it gets a bit snappier. Also, having the log level set too high will cause it to spend all of it's time writing logs to disk. Other than that, I've always had 4 run slower, but I figure it hasn't been optimized much yet; I also run it exclusively in VirtualBox, so that could be skewing my experience. Wes From bill at shakespeare-nyc.com Wed Apr 22 03:02:52 2009 
From: bill at shakespeare-nyc.com (Bill Kurland) Date: Wed Apr 22 03:18:29 2009 Subject: configure: WARNING: ## Report this to samba-technical@samba.org ## Message-ID: <49EE88DC.1040508@shakespeare-nyc.com> running configure for Samba version 3.3.3 on AIX 4.3.3 gcc 2.95.3 $ ./configure --with-winbind ........ configure: WARNING: netinet/tcp.h: present but cannot be compiled configure: WARNING: netinet/tcp.h: check for missing prerequisite headers? configure: WARNING: netinet/tcp.h: see the Autoconf documentation configure: WARNING: netinet/tcp.h: section "Present But Cannot Be Compiled" configure: WARNING: netinet/tcp.h: proceeding with the preprocessor's result configure: WARNING: netinet/tcp.h: in the future, the compiler will take precedence configure: WARNING: ## ---------------------------------------- ## configure: WARNING: ## Report this to samba-technical@samba.org ## configure: WARNING: ## --- ....... -- Bill Kurland Shakespeare & Co 137 E 23 Street New York, NY 10010 212-505-2021 -- The difference between the almost right word & the right word is really a large matter --it's the difference between the lightning bug and the lightning. - Mark Twain Letter to George Bainton, 10/15/1888 From Volker.Lendecke at SerNet.DE Wed Apr 22 06:03:37 2009 
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Wed Apr 22 06:03:00 2009 Subject: RFC [PATCH]: ignore recurisve change notify In-Reply-To: <4B380F71E6E9554CBDEF046D1CDF5E4C04483DAD@seaxch08.desktop.isilon.com> References: <4B380F71E6E9554CBDEF046D1CDF5E4C04483DAD@seaxch08.desktop.isilon.com> Message-ID: On Tue, Apr 21, 2009 at 07:30:18AM -0700, Steven Danneman wrote: > Using Isilon's kernel change notify module on a very deep directory > structure can cause a significant slow down in the system. This patch > allows Samba to ignore recursive CN requests while still honoring > non-recursive requests. I could make this a custom parameter in the > onefs.so module, but I'm guessing this problem can also apply to inotify > and the stock Samba CN implementation. > > > > Any objections to adding this new parameter? What about also modifying notify_internal not to handle the big record? This would make it possible to "tune" only some of the smbd's but leave others with the full recursive record around. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/6fc00299/attachment.bin From bradh at frogmouth.net Wed Apr 22 06:39:47 2009 From: bradh at frogmouth.net (Brad Hards) Date: Wed Apr 22 06:40:17 2009 Subject: [patch] replace deprecated form of AC_CHECK_TYPE Message-ID: <200904221639.48247.bradh@frogmouth.net> libreplace makes use of an older form of AC_CHECK_TYPE which basically provides a fallback definition for the type if it isn't available. http://www.gnu.org/software/hello/manual/autoconf/Obsolete-Macros.html#Obsolete-Macros shows why this isn't a good idea (its not so important, except for pointer types). This patch partly addresses the issue. Brad diff --git a/lib/replace/libreplace_cc.m4 b/lib/replace/libreplace_cc.m4 index 30c63f2..a26dee4 100644 
--- a/lib/replace/libreplace_cc.m4 +++ b/lib/replace/libreplace_cc.m4 @@ -141,9 +141,7 @@ AC_CHECK_SIZEOF(off_t) AC_CHECK_SIZEOF(size_t) AC_CHECK_SIZEOF(ssize_t) -AC_CHECK_TYPE(intptr_t, long long) -AC_CHECK_TYPE(uintptr_t, unsigned long long) -AC_CHECK_TYPE(ptrdiff_t, unsigned long long) +AC_CHECK_TYPES([intptr_t, uintptr_t, ptrdiff_t]) if test x"$ac_cv_type_long_long" != x"yes";then AC_MSG_ERROR([LIBREPLACE needs type 'long long']) diff --git a/lib/replace/replace.h b/lib/replace/replace.h index c5b8676..fe1f732 100644 --- a/lib/replace/replace.h +++ b/lib/replace/replace.h @@ -535,6 +535,18 @@ typedef int bool; #endif #endif +#if !defined(HAVE_INTPTR_T) +typedef long long intptr_t ; +#endif + +#if !defined(HAVE_UINTPTR_T) +typedef unsigned long long uintptr_t ; +#endif + +#if !defined(HAVE_PTRDIFF_T) +typedef unsigned long long ptrdiff_t ; +#endif + /* * to prevent from doing a redefine of 'bool' * From kseeger at samba.org Wed Apr 22 10:33:21 2009 From: kseeger at samba.org (Karolin Seeger) Date: Wed Apr 22 10:33:30 2009 Subject: [Release Planning 3.3] Samba 3.3.4 will be delayed Message-ID: Hey folks, Samba 3.3.4 will be delayed due to a bug related to "profile acls = yes". The new planned release date is April, 29. Cheers, Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From anatoliy.atanasov at postpath.com Wed Apr 22 10:47:53 2009 
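Review bot: in the lib/replace/replace.h hunk of the AC_CHECK_TYPE patch above, the fallback typedef unsigned long long ptrdiff_t gives an unsigned type, but ptrdiff_t is a signed type, so a pointer difference that should be negative would wrap to a very large positive value on any platform that takes this fallback. The unsigned choice is carried over from the removed AC_CHECK_TYPE(ptrdiff_t, unsigned long long) line; suggest typedef long long ptrdiff_t; here. The three new typedefs also have a stray space before the semicolon.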
From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Wed Apr 22 10:48:12 2009 Subject: schemaUpdateNow *proper* patch Message-ID: <24E5C394AF11DB11B7E8001422525D3815FC4C5@ppsd.sofia-corp.postpath.com> Hi Andrew, This is the schemaUpdateNow patch fixed and tested according to your comments. Regards, Anatoliy -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fixed-problem-with-schemaUpdateNow-request.patch Type: application/octet-stream Size: 6971 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/8baa69bf/0001-Fixed-problem-with-schemaUpdateNow-request.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-schemaUpdateNow-unittest-fixed.patch Type: application/octet-stream Size: 24963 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/8baa69bf/0002-schemaUpdateNow-unittest-fixed.obj From anatoliy.atanasov at postpath.com Wed Apr 22 10:47:58 2009 From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Wed Apr 22 10:48:14 2009 Subject: added a test for str_list_unique Message-ID: <24E5C394AF11DB11B7E8001422525D3815FC4C7@ppsd.sofia-corp.postpath.com> Hi Andrew, This is small test for str_list_unique. I tried to reproduce an incorrect list termination, where instead of 0x0 for last element we get 0x461. This test cannot reproduce this but it's a test anyway. Regards, Anatoliy -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-add-a-test-for-str_list_unique.patch Type: application/octet-stream Size: 2032 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/ed03ee80/0001-add-a-test-for-str_list_unique.obj From anatoliy.atanasov at postpath.com Wed Apr 22 10:48:03 2009 
From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Wed Apr 22 10:48:17 2009 Subject: added checks to prevent segfault error when running openchange provision script Message-ID: <24E5C394AF11DB11B7E8001422525D3815FC4C9@ppsd.sofia-corp.postpath.com> Hi Andrew, I have added some code to check the result of dsdb_class_by_lDAPDisplayName in schema_subclasses and schema_create_subclasses in schema_inferiors.c. I've found that running the openchange provision script leads to segfaults in these places. Perhaps this is not the best way to handle this but it works for now. Regards, Anatoliy -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-added-checks-to-prevent-segfault-error-when-running.patch Type: application/octet-stream Size: 1429 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/7d5e87cd/0002-added-checks-to-prevent-segfault-error-when-running.obj From kai at samba.org Wed Apr 22 10:49:30 2009 
From: kai at samba.org (Kai Blin) Date: Wed Apr 22 10:49:39 2009 Subject: Welcome GSOCers Message-ID: <200904221249.35888.kai@samba.org> Hello folks, on behalf of the Samba Team, I would like to congratulate the students who were accepted into the Google Summer of Code this year. I would like you to take a moment and introduce yourself and the project you will be working on on this mailing list, so we can then compile these introductions to a news post on news.samba.org I would also ask you to set up an account on github (http://github.com) and fork my samba repository (http://github.com/kblin/samba/tree/master) so you can base your work off it. This is the place where you should be pushing all of your changes. We've had a problem of the dog eating a computer last year, so this year we would ask you to upload your work in progress code to github as often as possible, at least once a week. Pavel, you'll have to talk to Steve to figure out how he wants to handle contributions to the kernel code. Also, please sign up to the summercode list (https://lists.samba.org/mailman/listinfo/summercode). During the program, we will require a weekly status update where you present the work you have done in the week since the last status update, as well as your plan of action during the coming week. This will help to keep the whole community informed on what is going on, which gives you the opportunity to get more feedback. This status report should go to the summercode mailing list, with a CC to the samba-technical mailing list. If there is anything you're still unclear about, don't hesitate to ask. Welcome to Samba, Kai -- Kai Blin WorldForge developer http://www.worldforge.org/ Wine developer http://wiki.winehq.org/KaiBlin Samba team member http://www.samba.org/samba/team/ -- Will code for cotton. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/a3577f64/attachment.bin From steven.danneman at isilon.com Wed Apr 22 10:57:04 2009 From: steven.danneman at isilon.com (Steven Danneman) Date: Wed Apr 22 10:55:31 2009 Subject: RFC [PATCH]: ignore recurisve change notify In-Reply-To: References: <4B380F71E6E9554CBDEF046D1CDF5E4C04483DAD@seaxch08.desktop.isilon.com> Message-ID: <4B380F71E6E9554CBDEF046D1CDF5E4C04483EE9@seaxch08.desktop.isilon.com> > On Tue, Apr 21, 2009 at 07:30:18AM -0700, Steven Danneman wrote: > > Using Isilon's kernel change notify module on a very deep directory > > structure can cause a significant slow down in the system. This > patch > > allows Samba to ignore recursive CN requests while still honoring > > non-recursive requests. I could make this a custom parameter in the > > onefs.so module, but I'm guessing this problem can also apply to > > inotify and the stock Samba CN implementation. > > > > > > > > Any objections to adding this new parameter? > > What about also modifying notify_internal not to handle the big record? > This would make it possible to "tune" only some of the smbd's but leave > others with the full recursive record around. > > Volker You're proposing something like a "change notify restrict recursive" where we'd still allow recursive calls on smaller directory trees but gracefully stop returning watch replies on larger directory trees? I like the concept, though then we'd need to check the parameter in every CN implementation instead of cleaning at the packet parsing layer. -Steven From jelmer at vernstok.nl Wed Apr 22 14:27:10 2009 
From: jelmer at vernstok.nl (Jelmer Vernooij) Date: Wed Apr 22 14:35:07 2009 Subject: added a test for str_list_unique In-Reply-To: <24E5C394AF11DB11B7E8001422525D3815FC4C7@ppsd.sofia-corp.postpath.com> References: <24E5C394AF11DB11B7E8001422525D3815FC4C7@ppsd.sofia-corp.postpath.com> Message-ID: <20090422142710.GA22683@rhonwyn.vernstok.nl> Hi Anatoliy, On Wed, Apr 22, 2009 at 01:47:58PM +0300, Anatoliy Atanasov wrote: > This is small test for str_list_unique. I tried to reproduce an incorrect list termination, where instead of 0x0 for last element we get 0x461. > This test cannot reproduce this but it's a test anyway. Thanks for adding this test, it's useful to have another bit of code unit tested. The test doesn't actually seem to be run (you're adding a test with test_list_copy as the function that actually gets run). It also creates a couple of compiler warnings. Any chance you can provide an updated patch? Cheers, Jelmer -- Jelmer Vernooij - http://jelmer.vernstok.nl/ From ccrisan at gmail.com Wed Apr 22 16:16:10 2009 From: ccrisan at gmail.com (Calin Crisan) Date: Wed Apr 22 16:21:15 2009 Subject: Summer Of Code short introduction Message-ID: Hello there, I'm one of the four SummerOfCode students, I'm from Romania. Currently I study telecommunications at Telecom Bretagne - Brest, France. The project I'll be working on consists of a set of GUI tools that facilitate the remote administration of a Windows NT machine, like a Task Scheduler manager, a SAM tool, a remote Windows Registry editor and a front-end for the Endpoint Mapper. Basically I'll continue the work that has already been done on this subject, by rewriting everything in python, implementing all the missing functionalities and integrating these tools with the Gnome desktop environment. Have a nice day, Calin Crisan. From rvelhote at gmail.com Wed Apr 22 19:02:17 2009 
From: rvelhote at gmail.com (Ricardo) Date: Wed Apr 22 18:58:16 2009 Subject: Summer of Code (SWAT) Message-ID: <49EF69B9.2030901@gmail.com> Hi everyone, My name is Ricardo Velhote from Portugal. I am 24 years old and currently enrolled in the last year of Computer Engineering at Porto Superior Institute of Engineering (ISEP). For Summer of Code I'll be working on the Samba Web Administration Tool (SWAT) for Samba4 which will be used to configure and manage Samba4. Samba4 brings big changes and one of them will be the SWAT. I aim to make it the definitive tool for configuring Samba. This project will use Samba4's new Python API and it will be a written from scratch. Besides the Web Administration Tool itself I will also be providing usage guides/documentation for it. The SoC proposal already outlined the objectives and planned features previously discussed with Jelmer and I'll be (re)posting it to SoC mailing list for further discussion. Best Regards, Ricardo Velhote From jorgar at gmail.com Wed Apr 22 19:31:07 2009 
From: jorgar at gmail.com (James Peach) Date: Wed Apr 22 19:31:02 2009 Subject: Samba patches @apple.com In-Reply-To: References: Message-ID: 2009/4/20 James Peach : > 2009/4/20 Björn Jacke : >> Hi James, >> >> On 2009-04-06 at 09:03 -0700 James Peach sent off: >>> It's quite a lot of work to do this, and in general these patches are >>> only interesting for Apple. If you have specific patches that you'd >>> like let me know. >> >> may I come back to your offer to bring specific patches upstream? >> >> There are three non-trivial Darwin specific patches that I'm very interested >> in: >> >> - Darwin's NTFS ACL support > > I'm going to wait on this until after SnowLeopard ships so that I can > give you the latest code. Sorry, no ETA on that. > >> - Stream support for Darwin > > This was already posted. It's in the archives. > >> - Creation time support for Darwin > > OK, I'll kick the process on this Actually, this code is already available: -- James Peach | jorgar@gmail.com From metze at samba.org Wed Apr 22 20:02:03 2009 From: metze at samba.org (Stefan (metze) Metzmacher) Date: Wed Apr 22 20:02:30 2009 Subject: Welcome GSOCers In-Reply-To: <200904221249.35888.kai@samba.org> References: <200904221249.35888.kai@samba.org> Message-ID: <49EF77BB.5080609@samba.org> Hi Kai, > I would also ask you to set up an account on github (http://github.com) and > fork my samba repository (http://github.com/kblin/samba/tree/master) so you What's the reason not to use http://repo.or.cz/w/Samba.git, it would be nice to have all "forks" in one place and other people already use repositories there. metze -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba-technical/attachments/20090422/f2d81f55/signature.bin From rev at rev2009bridgeport.org Thu Apr 23 04:58:54 2009 
From: rev at rev2009bridgeport.org (REV 2009) Date: Thu Apr 23 04:59:04 2009 Subject: Submission Deadline Extended: Sixth International Conference on Remote Engineering and Virtual Instrumentation (REV 2009) Message-ID: <20090423045834.65A6B163BCA@lists.samba.org> Dear Colleagues, If you received this email in error, please forward it to the appropriate department at your institution. If you wish to unsubscribe please follow the unsubscribe link at bottom of the email. Please do not reply to this message. If you need to contact us please email us at info@rev2009bridgeport.org Due to numerous requests from potential authors, the REV 2009 conference committee has decided to extend the submission deadline to Tuesday, April 28 th. 2009. ********************************************************************* * International Association of Online Engineering * * * * Sixth International Conference on Remote Engineering and * * Virtual Instrumentation (REV 2009) * * * * * * University of Bridgeport * * * * * * http://www.rev2009bridgeport.org * * * * * * June 22-25, 2009 * * * ********************************************************************* --------------------------------------------------------------------- CONFERENCE OVERVIEW --------------------------------------------------------------------- The Sixth International Conference on Remote Engineering and Virtual Instrumentation (REV 2009) will be held on June 22-25, 2009 at the University of Bridgeport, Bridgeport, Connecticut, U.S.A. REV 2009 is the sixth in a series of annual events addressing the area of remote engineering and virtual instrumentation. Previous editions of REV were organized in the form of an international symposium, and evolved in 2007 to be the annual conference of the International Association of Online Engineering. The general objective of this conference is to discuss fundamentals, applications and experiences within the field of online engineering, both in industry and academia. 
REV 2009 offers an exciting technical program as well as academic networking opportunities during the social events. Scope of the conference: Remote Engineering and Virtual Instrumentation are emerging trends in engineering and science. Due to: o The increasing complexity of engineering tasks o The availability of specialized and expensive equipment as well as software tools and simulators o The need for highly qualified staff to control equipment o The demands of globalization The general objective of this conference is to discuss fundamentals, applications and experiences in the field of remote engineering and virtual instrumentation. It is becoming increasingly necessary to allow the shared use of equipment and specialized software. The use of virtual and remote laboratories is one of the future directions for advanced teleworking, remote services, collaborative research and e-working environments. Another objective of the conference is to discuss guidelines for education in university level courses. The organizers encourage industry personnel to present their experiences and applications of remote engineering and virtual instruments. This conference will be organized by the School of Engineering at the University of Bridgeport. 
Topics of interest include (but are not limited to): o Virtual and remote laboratories o Remote process visualization and virtual Instrumentation o Remote control and measurement technologies o Online engineering o Networking and grid technologies o Mixed Reality environments for education and training o Demands in education and training, e-learning, b-learning, m-learning and ODL o Teleservice and telediagnosis o Telerobotics and telepresence o Support of collaborative work in virtual engineering environments o Teleworking environments o Telecommunities and their social impact o Present and future trends including social and educational aspects o Human computer interfaces, usability, reusability,accessibility o Applications and experiences o Standards and standardization proposals o Innovative organizational and educational concepts for remote engineering The REV 2009 Conference is soliciting manuscripts which address the various challenges and paradigms in this technological world through research and instructional programs in Remote Engineering and Virtual Instrumentation. Suggested conference session topics are listed above. Other innovations in course and laboratory experiences are also most welcome for submission. To submit your paper abstract, please visit the conference website at http://www.rev2009bridgeport.org If you are interested in submitting a special paper session, panel, tutorial, or workshop proposal, the contact information are also available at the conference website at http://www.rev2009bridgeport.org If your company or institution would like to exhibit at, or co-sponsor, the conference, the sponsorship and exhibit forms are also available at the conference website. Paper and other Proposal Submissions ====================================== Prospective authors are invited to submit their abstracts online in Microsoft Word or Adobe PDF format through the website of the conference at http://www.rev2009bridgeport.org. 
Proposals for special sessions, tutorials, panels, workshops, co-sponsorship and exhibitions are also welcome. Please check the conference website regarding instructions for these proposal submissions. Important Dates =============== Abstracts due 28th April, 2009 Acceptance notification 8th May, 2009 Final manuscript & Registration due 29th May, 2009 ------------------------------------------------------------------------ N. Gupta REV 2009 Program Chair University of Bridgeport 221 University Avenue e-mail:info@rev2009bridgeport.org Bridgeport, CT 06604, U.S.A. http://www.rev2009bridgeport.org ------------------------------------------------------------------------ Click here on http://server1.streamsend.com/streamsend/unsubscribe.php?cd=3326&md=352&ud=269cf47edbc8fa56bf1bb8f28569b995 to update your profile or Unsubscribe From anatoliy.atanasov at postpath.com Thu Apr 23 10:22:28 2009 From: anatoliy.atanasov at postpath.com (Anatoliy Atanasov) Date: Thu Apr 23 10:22:30 2009 Subject: ACL implementation first draft Message-ID: <24E5C394AF11DB11B7E8001422525D3801605112@ppsd.sofia-corp.postpath.com> Hi Metze, As I understand adding another parameter there is not the best solution for you, and we should probably have a wrapper function that checks for the type of acls as well. Is this how you imagined that? Regards, Anatoliy -----Original Message----- 
From: Stefan (metze) Metzmacher [mailto:metze@samba.org]
Sent: Tuesday, April 07, 2009 11:44 AM
To: 'Volker.Lendecke@SerNet.DE'
Cc: Anatoliy Atanasov; samba-technical@samba.org
Subject: Re: ACL implementation first draft

Volker Lendecke wrote:
> On Tue, Apr 07, 2009 at 11:59:12AM +0300, Anatoliy Atanasov wrote:
>> I uploaded our work on ACL implementation at:
>> git://repo.or.cz/Samba/aatanasov.git
>> branch: master-acl
>>
>> It is based on WSPP documentation and it follows the algorithms described there directly.
>> The code isn't working, but contains almost all the functionality required for this task.
>> There are a couple of test cases already added, which run against Windows 2003.
>> What we didn't implement yet is:
>> * rename
>> * delete tree
>> * some special cases of nTSecurityDescriptor
>>
>> In the following days to SambaXP we plan to focus on:
>> * your feedback
>> * adding test cases
>> * testing the code
>
> Quick and probably stupid question: Is it really necessary to add
> another argument to se_access_check? I would think this routine is
> core to Windows as well, and I thought the way it's written is pretty
> much carved in stone. Did Microsoft really add an AD-specific argument
> to that core routine? For this piece, I would really like to do
> exactly what Microsoft does.

Yes, AD Security Descriptors are different than NTFS ones, but I think we should have two different public functions and make sure we check the revision number match with what the caller expects.

E.g. se_access_check() should only grant access if the sd has revision NT4. And the se_access_check_ad() function should allow both sd revisions.

Both functions could use a static se_access_check_common() function.

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-a-wrapper-to-check-for-nt4-version-of-acls.patch
Type: application/octet-stream
Size: 1733 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090423/338e27a5/0001-add-a-wrapper-to-check-for-nt4-version-of-acls.obj

From sam at liddicott.com Thu Apr 23 12:47:59 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Thu Apr 23 12:48:08 2009
Subject: [PATCH] Add async support for reply_tcon* and ntvfs_connect
Message-ID: <49F0637F.1070200@liddicott.com>

smbsrv_tcon_backend no longer creates the ntvfs_request wrapper, so smbsrv_reply_tcon* can now do this and then invoke ntvfs_connect in the typical manner using SMBSRV_SETUP_NTVFS_REQUEST and SMBSRV_CALL_NTVFS_BACKEND

Previously smbsrv_tcon_backend has been responsible for instantiating the ntvfs_module_context to service a tree-connect request, and then create an ntvfs_request wrapper around the smbsrv_request and pass this to ntvfs_connect for the newly created ntvfs.

These actions could not be invoked asynchronously. This meant that any client requests made while instantiating the ntvfs module, including any composite's used during authentication (or related client connections for the case of proxy modules) would block other ntvfs modules and requests in the current process as they executed a nested event loop to await completion.

Signed-off-by: Sam Liddicott
---
 source4/smb_server/smb/reply.c   | 154 +++++++++++++++++++++++++------------
 source4/smb_server/smb/service.c |  22 +-----
 2 files changed, 105 insertions(+), 71 deletions(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cc22c9e97a1729b24a68bcac880c150fb21b94b8.diff
Type: text/x-patch
Size: 9516 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090423/5ab9be7d/cc22c9e97a1729b24a68bcac880c150fb21b94b8.bin

From ndorfsman at gmail.com Thu Apr 23 14:04:13 2009
From: ndorfsman at gmail.com (Nicolas Dorfsman)
Date: Thu Apr 23 14:04:14 2009
Subject: xcopy /O ... chown -not owner error-
Message-ID: <09398515-8F2F-4897-BEAB-C1D34A79A16E@gmail.com>

Samba 3.3.2

Hi,

I'm trying to "XCOPY /O" to a ZFS (nfsv4 ACLs) share. Access denied is returned.

On debug I could read :

[2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(712)
  smb_set_nt_acl_nfs4 invoked for JF/Yop/Ajout.rtf
[2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(397)
  mode:simple, do_chown:true, acedup: dontcare
[2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1009)
  unpack_nt_owners: validating owner_sids.
[2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1031)
  unpack_nt_owners: owner sid mapped to uid 102628
[2009/04/23 15:50:54, 10] lib/gencache.c:(208)
  Returning valid cache entry: key = IDMAP/SID2GID/S-1-5-21-73586283-1979792683-839522115-513, value = 100513, timeout = Mon Apr 27 10:49:39 2009
[2009/04/23 15:50:54, 10] passdb/lookup_sid.c:(1511)
  sid S-1-5-21-73586283-1979792683-839522115-513 -> gid 100513
[2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1053)
  unpack_nt_owners: group sid mapped to gid 100513
[2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1056)
  unpack_nt_owners: owner_sids validated.
[2009/04/23 15:50:54, 3] modules/nfs4_acls.c:(741)
  chown JF/Yop/Ajout.rtf, 102628, 100513 failed. Error = Vous n'êtes pas propriétaire. (Not Owner)
[2009/04/23 15:50:54, 3] smbd/error.c:(61)
  error packet at smbd/nttrans.c(1701) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

[Sandbox]
   path = /export/Sandbox
   read only = no
   public = no
   vfs objects = zfsacl
   acl map full control = no
   force directory security mode = 0
   zfsacl: acesort = dontcare
   force unknown acl user = yes
   map readonly = Permissions

Any hint ?

Nicolas

From ndorfsman at gmail.com Thu Apr 23 14:26:39 2009
From: ndorfsman at gmail.com (Nicolas Dorfsman)
Date: Thu Apr 23 14:33:22 2009
Subject: xcopy /O ... chown -not owner error-
In-Reply-To: <09398515-8F2F-4897-BEAB-C1D34A79A16E@gmail.com>
References: <09398515-8F2F-4897-BEAB-C1D34A79A16E@gmail.com>
Message-ID:

Hey ?

What is this weird "do_chown" in nfs4_acls.c ???

When smb_set_nt_acl_nfs4() is called, coming from zfsacl.so, my process is already own by the effective user...so chown is forbidden.

I removed the part of code who is trying to do the chown ( if (params.do_chown) {...} ) and it seems to work nicely.

I'm confused. Where is set the boolean "do_chown" ?

Nicolas

On 23 Apr 09, at 16:04, Nicolas Dorfsman wrote:

> Samba 3.3.2
>
> Hi,
>
> I'm trying to "XCOPY /O" to a ZFS (nfsv4 ACLs) share. Access
> denied is returned.
>
> On debug I could read :
>
> [2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(712)
>   smb_set_nt_acl_nfs4 invoked for JF/Yop/Ajout.rtf
> [2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(397)
>   mode:simple, do_chown:true, acedup: dontcare
> [2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1009)
>   unpack_nt_owners: validating owner_sids.
> [2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1031)
>   unpack_nt_owners: owner sid mapped to uid 102628
> [2009/04/23 15:50:54, 10] lib/gencache.c:(208)
>   Returning valid cache entry: key = IDMAP/SID2GID/
> S-1-5-21-73586283-1979792683-839522115-513, value = 100513, timeout
> = Mon Apr 27
> 10:49:39 2009
> [2009/04/23 15:50:54, 10] passdb/lookup_sid.c:(1511)
>   sid S-1-5-21-73586283-1979792683-839522115-513 -> gid 100513
> [2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1053)
>   unpack_nt_owners: group sid mapped to gid 100513
> [2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1056)
>   unpack_nt_owners: owner_sids validated.
> [2009/04/23 15:50:54, 3] modules/nfs4_acls.c:(741)
>   chown JF/Yop/Ajout.rtf, 102628, 100513 failed. Error = Vous n'êtes
> pas propriétaire. (Not Owner)
> [2009/04/23 15:50:54, 3] smbd/error.c:(61)
>   error packet at smbd/nttrans.c(1701) cmd=160 (SMBnttrans)
> NT_STATUS_ACCESS_DENIED
>
> [Sandbox]
>    path = /export/Sandbox
>    read only = no
>    public = no
>    vfs objects = zfsacl
>    acl map full control = no
>    force directory security mode = 0
>    zfsacl: acesort = dontcare
>    force unknown acl user = yes
>    map readonly = Permissions
>
> Any hint ?
>
> Nicolas
>

From ndorfsman at gmail.com Thu Apr 23 14:35:41 2009
From: ndorfsman at gmail.com (Nicolas Dorfsman)
Date: Thu Apr 23 14:35:46 2009
Subject: xcopy /O ... chown -not owner error-
In-Reply-To:
References: <09398515-8F2F-4897-BEAB-C1D34A79A16E@gmail.com>
Message-ID:

Please apologize. I'm becoming dumb with this !

extract from xcopy doc ==
/O Copies file ownership and ACL information.
==

Ok...so I have to find a tool which copy ACL --without ownership--

Thanks. :)

On 23 Apr 09, at 16:26, Nicolas Dorfsman wrote:

>
> Hey ?
>
> What is this weird "do_chown" in nfs4_acls.c ???
>
> When smb_set_nt_acl_nfs4() is called, coming from zfsacl.so, my
> process is already own by the effective user...so chown is forbidden.
>
> I removed the part of code who is trying to do the chown ( if
> (params.do_chown) {...} ) and it seems to work nicely.
>
> I'm confused. Where is set the boolean "do_chown" ?
>
>
> Nicolas
>
>
> On 23 Apr 09, at 16:04, Nicolas Dorfsman wrote:
>
>> Samba 3.3.2
>>
>> Hi,
>>
>> I'm trying to "XCOPY /O" to a ZFS (nfsv4 ACLs) share. Access
>> denied is returned.
>>
>> On debug I could read :
>>
>> [2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(712)
>>   smb_set_nt_acl_nfs4 invoked for JF/Yop/Ajout.rtf
>> [2009/04/23 15:50:54, 10] modules/nfs4_acls.c:(397)
>>   mode:simple, do_chown:true, acedup: dontcare
>> [2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1009)
>>   unpack_nt_owners: validating owner_sids.
>> [2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1031)
>>   unpack_nt_owners: owner sid mapped to uid 102628
>> [2009/04/23 15:50:54, 10] lib/gencache.c:(208)
>>   Returning valid cache entry: key = IDMAP/SID2GID/
>> S-1-5-21-73586283-1979792683-839522115-513, value = 100513, timeout
>> = Mon Apr 27
>> 10:49:39 2009
>> [2009/04/23 15:50:54, 10] passdb/lookup_sid.c:(1511)
>>   sid S-1-5-21-73586283-1979792683-839522115-513 -> gid 100513
>> [2009/04/23 15:50:54, 3] smbd/posix_acls.c:(1053)
>>   unpack_nt_owners: group sid mapped to gid 100513
>> [2009/04/23 15:50:54, 5] smbd/posix_acls.c:(1056)
>>   unpack_nt_owners: owner_sids validated.
>> [2009/04/23 15:50:54, 3] modules/nfs4_acls.c:(741)
>>   chown JF/Yop/Ajout.rtf, 102628, 100513 failed. Error = Vous n'êtes
>> pas propriétaire. (Not Owner)
>> [2009/04/23 15:50:54, 3] smbd/error.c:(61)
>>   error packet at smbd/nttrans.c(1701) cmd=160 (SMBnttrans)
>> NT_STATUS_ACCESS_DENIED
>>
>> [Sandbox]
>>    path = /export/Sandbox
>>    read only = no
>>    public = no
>>    vfs objects = zfsacl
>>    acl map full control = no
>>    force directory security mode = 0
>>    zfsacl: acesort = dontcare
>>    force unknown acl user = yes
>>    map readonly = Permissions
>>
>> Any hint ?
>>
>> Nicolas
>>
>

From nadezhda.ivanova at postpath.com Thu Apr 23 15:47:04 2009
From: nadezhda.ivanova at postpath.com (Nadezhda Ivanova)
Date: Thu Apr 23 15:46:54 2009
Subject: [PATCH] Fix of a bug in the security.descriptor.as_sddl() method
Message-ID: <24E5C394AF11DB11B7E8001422525D3801608278@ppsd.sofia-corp.postpath.com>

Hi Samba Team,

Attached is a fix for a bug in the security.descriptor.as_sddl() and a test that we did with Jelmer.

Regards,
Nadya
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-of-a-bug-in-the-security.descriptor.as_sddl-me.patch
Type: application/octet-stream
Size: 1845 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090423/a8c69808/0001-Fix-of-a-bug-in-the-security.descriptor.as_sddl-me.obj

From james.casey at caringo.com Thu Apr 23 16:44:00 2009
From: james.casey at caringo.com (Jim Casey)
Date: Thu Apr 23 16:50:34 2009
Subject: Samba configuration options when using with FUSE file system
Message-ID: <1240505040.7408.19.camel@praxis>

It seems that metadata operations involved in writing new files into the same directory become increasingly expensive as the number of files grows larger. Determining whether a file exists in a directory (in our case this will never be true since we are always writing new files) seems like it should be a simple operation, but in fact seems to involve a huge number of opendir->readdir->closedir calls. I am using Samba to share a FUSE filesystem for which these directory operations are very expensive compared to file systems like ext3.

Are there configuration options in Samba that would help us out in this case, perhaps by caching directory information or some such?

Thank you for any assistance you are able to provide.

James Casey

From ioplex at gmail.com Thu Apr 23 18:06:09 2009
From: ioplex at gmail.com (Michael B Allen)
Date: Thu Apr 23 18:06:13 2009
Subject: ncacn_np NETLOGON with workstation trust account ok?
In-Reply-To:
References: <78c6bd860904151644o400a8510t5f5341c1c34616f@mail.gmail.com>
 <1239839847.4087.18.camel@ruth>
 <78c6bd860904151812y1bb43619g2a9779a108f27c09@mail.gmail.com>
 <1239846173.4087.23.camel@ruth>
 <78c6bd860904151944q726d9c82n4017d1398f4883ac@mail.gmail.com>
 <1239850575.4087.25.camel@ruth>
 <78c6bd860904152312j2d754ddaw90b5df846fea29f3@mail.gmail.com>
Message-ID: <78c6bd860904231106u57cb3ba4oa778c846983c4b63@mail.gmail.com>

On Thu, Apr 16, 2009 at 12:14 PM, Dave Daugherty wrote:
> Michael,
>
> We encountered a similar problem. In our case someone had changed the Domain Policy -> Local Policies -> User Rights Assignments -> Access this computer from the network and changed the groups. In particular "Authenticated users" was removed and "Domain Users" was added. This allowed AD users to logon but not domain member computers.
>
> Check both Domain Policies and Domain Controller Policies. Usually the groups are configured on the Domain Controller policy but in our case they were overridden in the Domain Policy.

Hi Dave et al,

I was hoping to get a definitive answer from the customer about this before I responded but that doesn't look like that is going to happen.

After looking at a capture it was discovered that integrity flags were turned off. So SMB signatures were off and NTLM2 Key Exchange was not negotiated. I do not know yet if that is directly responsible for the STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error but it does indicate that my customer, who integrated my code into their application, is either setting properties that they are not supposed to or they are using an old version of the JCIFS library.

But I think the customer is having trouble finding where integrity is actually being turned off. I supplied them with a simple commandline test program that just connects to NETLOGON and does a DsrEnumerateDomainTrusts. Since it runs completely independently of the customer's application that should at least determine if the problem is the code or the environment. But for whatever reason I can't seem to convince them to run the test.

Regarding domain policy - that certainly sounded promising but the customer provided detailed screen shots of the GPO, Domain Security Policy and Domain Controller Security Policy screens and everything looks correct. They all either have Authenticated Users and the groups generally look unmolested (aside from some benign looking IIS groups) or that "Access this computer from the network" security option is not defined.

So at this point I'm leaning toward the bad NTLMSSP flags. If I get the definitive word on this I will follow up.

Thanks for your help and I have not forgotten that you have helped me before. I appreciate it.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From jra at samba.org Fri Apr 24 07:12:30 2009
From: jra at samba.org (Jeremy Allison)
Date: Fri Apr 24 07:13:58 2009
Subject: Samba configuration options when using with FUSE file system
In-Reply-To: <1240505040.7408.19.camel@praxis>
References: <1240505040.7408.19.camel@praxis>
Message-ID: <20090424071230.GA6852@jeremy-laptop>

On Thu, Apr 23, 2009 at 11:44:00AM -0500, Jim Casey wrote:
> It seems that metadata operations involved in writing new files into the
> same directory become increasingly expensive as the number of files
> grows larger. Determining whether a file exists in a directory (in our
> case this will never be true since we are always writing new files)
> seems like it should be a simple operation, but in fact seems to involve
> a huge number of opendir->readdir->closedir calls. I am using Samba to
> share a FUSE filesystem for which these directory operations are very
> expensive compared to file systems like ext3.
>
> Are there configuration options in Samba that would help us out in this
> case, perhaps by caching directory information or some such?
>
> Thank you for any assistance you are able to provide.

See my post on large numbers of files in a directory:

http://lists.samba.org/archive/samba-technical/2005-February/039409.html

Jeremy.

From james.casey at caringo.com Fri Apr 24 19:25:42 2009
From: james.casey at caringo.com (Jim Casey)
Date: Fri Apr 24 19:25:52 2009
Subject: Samba configuration options when using with FUSE file system
In-Reply-To: <20090424071230.GA6852@jeremy-laptop>
References: <1240505040.7408.19.camel@praxis> <20090424071230.GA6852@jeremy-laptop>
Message-ID: <1240601142.9275.1.camel@praxis>

Jeremy,

Thank you very much for the back reference. Your solution works like a charm.

-- James Casey

On Fri, 2009-04-24 at 00:12 -0700, Jeremy Allison wrote:
> On Thu, Apr 23, 2009 at 11:44:00AM -0500, Jim Casey wrote:
> > It seems that metadata operations involved in writing new files into the
> > same directory become increasingly expensive as the number of files
> > grows larger. Determining whether a file exists in a directory (in our
> > case this will never be true since we are always writing new files)
> > seems like it should be a simple operation, but in fact seems to involve
> > a huge number of opendir->readdir->closedir calls. I am using Samba to
> > share a FUSE filesystem for which these directory operations are very
> > expensive compared to file systems like ext3.
> >
> > Are there configuration options in Samba that would help us out in this
> > case, perhaps by caching directory information or some such?
> >
> > Thank you for any assistance you are able to provide.
>
> See my post on large numbers of files in a directory:
>
> http://lists.samba.org/archive/samba-technical/2005-February/039409.html
>
> Jeremy.

From bubulle at debian.org Fri Apr 24 18:19:01 2009
From: bubulle at debian.org (Christian Perrier)
Date: Fri Apr 24 20:43:35 2009
Subject: [PATCH] Don't try to contact the CUPS server when no printers are needed
Message-ID: <20090424181901.GC5143@mykerinos.kheops.frmug.org>

Hello,

The attached small patch is intended to avoid uselessly contacting a CUPS server when it can safely be determined no printers are needed.

The original bug report that led to this was:

====================================================
The samba server always tries to connect to a cups server, even when there are no printing shares, and "load printers" is set to no. When this server does not respond (as it drops the packets) samba blocks indefinitely trying to connect to the server failing to open its listening sockets at all.

This is serious usability, and possibly security bug. The server fails when another service that is not even required for proper operation fails.
====================================================

Please note that our user mentioned that his server was existing *but* configured to drop packets.

Of course, I don't think this should be considered an issue. Only, at worst, some kind of possible minor DoS attack.

Later comments by Steve Langasek:

FWIW, I can only confirm this bug if cupsys is *not* running on localhost. If it is running, then libcupsys by default uses the unix socket /var/run/cups/cups.sock, and samba is able to connect in spite of any firewalling.

If cups is not running, then I can reproduce the problem with the following configuration:

# /etc/init.d/cupsys stop
Stopping Common Unix Printing System: cupsd.
# testparm --parameter-name='load printers' -s -v 2>/dev/null
No
# iptables -A INPUT -p tcp -d 127.0.0.1/8 --dport 631 -j DROP
# telnet localhost ipp
Trying 127.0.0.1...
^C
# /etc/init.d/samba restart
Stopping Samba daemons: nmbd smbd.
Starting Samba daemons: nmbd smbd
^C

(please note that s/cupsys/cups is now needed)

The attached patch, reported in Bugzilla #5525, fixes that issue. Unfortunately, it seems that nobody picked on it as of now...

Would you mind considering it for 3.3 or 3.4. I'm not sure it's worth having it in 3.2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-unnecessary-cups.patch
Type: text/x-diff
Size: 626 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090424/cdba5cbf/no-unnecessary-cups.bin

From bubulle at debian.org Fri Apr 24 18:35:44 2009
From: bubulle at debian.org (Christian Perrier)
Date: Fri Apr 24 20:43:38 2009
Subject: [PATCH] Fix pam_smbpass to no longer call openlog() and closelog()
Message-ID: <20090424183544.GF5143@mykerinos.kheops.frmug.org>

That patch has been sent to Bugzilla in #4831, however nobody apparently picked up on it, so I'm trying this way..:-)

The story of this fix is described in Debian bug #434372. The user indeed initially reported a segfault in su when trying to become root and entering the wrong password.

Steve Langasek guided the user to a better PAM configuration but managed to find that there is still a subtle bug somewhere in pam_smbpass as both it and su try to use syslog, and if pam_smbpass gets called, it messes up the syslogging for the application, leading to the segfault.

So Steve finally came up with the attached patch....which we incorporated in Debian but never made its way upstream.

I highly recommend including Steve in any discussion about that patch, which is why I take the liberty of CC'ing him here even though he's subscribed to the list (I suspect he overreads it from time to time..).

Including it in, say 3.4, would help in reducing the size of Debian patches again, which is of course my ultimate goal....

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smbpasswd-syslog.patch
Type: text/x-diff
Size: 21902 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090424/252a4d19/smbpasswd-syslog.bin

From crh at ubiqx.mn.org Sat Apr 25 06:47:10 2009
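Added illustration for the pam_smbpass message above (not the patch attached to that message and not Samba code): a PAM module runs inside its host program (su in the report), and openlog()/closelog() change syslog state that belongs to the whole process. The sketch contrasts that pattern with a logger that leaves the host's syslog setup alone; the tag pam_example, the function names and the sample message are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#ifndef LOG_PRIMASK
#define LOG_PRIMASK 0x07            /* severity bits of a syslog priority */
#endif

#define MODULE_TAG "pam_example"    /* hypothetical module name */

/* Build "<tag>: <message>" in out; always NUL-terminated, truncated if needed. */
static char *vformat_line(char *out, size_t outlen, const char *fmt, va_list ap)
{
    int n;

    if (outlen == 0)
        return out;
    n = snprintf(out, outlen, "%s: ", MODULE_TAG);
    if (n < 0) {
        out[0] = '\0';
        return out;
    }
    /* Append the message only if the prefix left room for it. */
    if ((size_t)n < outlen && vsnprintf(out + n, outlen - (size_t)n, fmt, ap) < 0)
        out[n] = '\0';
    return out;
}

/* Variadic wrapper so the formatting can be checked without touching syslog. */
char *format_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vformat_line(out, outlen, fmt, ap);
    va_end(ap);
    return out;
}

/*
 * BEFORE: the pattern named in the subject line. openlog() replaces the
 * ident, options and facility that the host program configured, and
 * closelog() closes the log connection the host was using. syslog(3) also
 * notes that the ident pointer is probably stored as-is, so an ident string
 * that lives inside a module must not outlive the module.
 */
void log_err_before(int prio, const char *fmt, ...)
{
    char line[512];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(line, sizeof line, fmt, ap);
    va_end(ap);

    openlog(MODULE_TAG, LOG_CONS | LOG_PID, LOG_AUTH);
    syslog(prio, "%s", line);
    closelog();
}

/*
 * AFTER: no openlog()/closelog(). The facility travels with each call and
 * the module name goes into the message text, so the host's ident, options
 * and log connection stay exactly as the host set them.
 */
void log_err_after(int prio, const char *fmt, ...)
{
    char line[512];
    va_list ap;

    va_start(ap, fmt);
    vformat_line(line, sizeof line, fmt, ap);
    va_end(ap);

    /* Fixed "%s" format: text built from user input is never a format string. */
    syslog(LOG_AUTH | (prio & LOG_PRIMASK), "%s", line);
}

int main(void)
{
    char buf[64];

    /* Constructed sample message. */
    log_err_after(LOG_NOTICE, "bad password for user %s", "root");
    puts(format_line(buf, sizeof buf, "bad password for user %s", "root"));
    return 0;
}
```

Where libpam provides a logging helper that takes the PAM handle, a module can call that instead of a hand-rolled wrapper.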
From: crh at ubiqx.mn.org (Christopher R. Hertel)
Date: Sat Apr 25 06:53:12 2009
Subject: Windows 7 support (SMB1)
Message-ID: <49F2B1EE.9000100@ubiqx.mn.org>

Folks,

I've got a third party asking me about SMB1 Windows 7 support in Samba. I got very good vibes about this during SambaXP but would like to get a clearer picture.

What's the status of SMB1 Win7 client support in Samba 3.3?

Chris -)-----

--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh@ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh@ubiqx.org

From kai at samba.org Sat Apr 25 10:53:29 2009
From: kai at samba.org (Kai Blin)
Date: Sat Apr 25 10:57:35 2009
Subject: Development policy decision: Branches
Message-ID: <200904251253.34775.kai@samba.org>

Hi folks,

after SambaXP wrapped up in Göttingen, Germany, the Samba team got together and came to an agreement on how to deal with the different branches of Samba that currently are in git.

Current status:
---------------

Just to recap, we currently have a v3-0 branch, a v3-2 branch, a v3-3 branch, a v3-4 branch and the "master" branch where the new feature development is happening.

As you probably noticed, this is pretty confusing to work with and painful to maintain, especially as various bug fixes are still being pushed to the v3-2 and v3-3 branches, while the v3-4 branch is in the process of being stabilized for a release and the usual development work is still going on on master.

In order to make the life easier for the developers, for our release manager and for everybody tracking these branches, we decided to go a bit stricter on what sort of changes can go into which branches, following up on the new branch layout we decided upon last year.

New policy:
-----------

Development of new features should only happen on master. Once our release manager (RM) decides a new release is ready, the RM will branch off a new release branch to stabilize the release code while still allowing more experimental work to continue on master. The release branch should stabilize up to the release, receiving mainly bug fixes and minor changes. Then, once the release candidate is cut, the release branch is closed.

If a branch is closed, only bug fixes are allowed into the branch, according to the following procedure:

* Every bug that is to be patched in a closed branch needs to be associated with a bug report in bugzilla.
* The developer of the patch needs to convince at least one other developer that the bug is critical enough to be included in a closed branch.
* The RM applies the patch from bugzilla only if the patch has been signed off by two developers.

What this means for the current branches:
-----------------------------------------

v3-0    closed (security fixes only)
v3-2    closed (critical fixes only)
v3-3    closed (critical fixes only)
v3-4    open (will be closed when v3.4.0rc1 is released)
master  open (always open to development)

This information will also find a home on the Samba wiki soon.

Cheers,
Kai

--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.samba.org/archive/samba-technical/attachments/20090425/d32bd767/attachment.bin

From Volker.Lendecke at SerNet.DE Sat Apr 25 11:12:08 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Sat Apr 25 11:16:18 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1256-gaf6316d
In-Reply-To: <20090423172019.B94071CC0C0@us2.samba.org>
References: <20090423172019.B94071CC0C0@us2.samba.org>
Message-ID:

On Thu, Apr 23, 2009 at 12:20:19PM -0500, Jelmer Vernooij wrote:
> commit 9b64073cf733588b75c3780f2c18728ff3009500
> Author: Jelmer Vernooij
> Date: Thu Apr 23 14:27:59 2009 +0200
>
> ldb/samba3: Support event context argument to ldb_init().

Why does ldb_init() need an event context? As long as nothing async is happening, there should be no event context around. This should be per request IMO.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090425/508d5708/attachment.bin

From mat+Informatique.Samba at matws.net Sat Apr 25 13:48:26 2009
From: mat+Informatique.Samba at matws.net (Matthieu Patou)
Date: Sat Apr 25 13:48:21 2009
Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark
Message-ID: <49F314AA.30802@matws.net>

Hello Metze, and the samba team,

I finally finished my patch to support NTLMSSP auth in LDAP. As metze proposed I add the option that read all the keytab that were provided, and try all the encoded password inside it.

It seems to work quite well, I tried with a few keytab generated for pure "traditional" LDAP with kerberos auth and I've been able to decode (well if the keytab contains the md4(password) of the user trying to authenticate himself). I'm quite surprised that when "extracting" crypted password in a keytab they are only stored by using md4(unicode(password))) even if we ask keytab to use arc4_hmac (but I'm far from being well aware of all in kerberos ...).

Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I tested mostly with extended security flags so for less secure (and maybe not anymore really used ?) scheme (like pure lan manager auth or simple nt auth) problems might still exist.

It would be just great if you can provide me some feedback, in any case my goal is to submit it to wireshark devs soon.

Matthieu
-------------- next part --------------
--- ../ref_wr/wireshark-1.1.3-SVN-27393/epan/dissectors/packet-ntlmssp.c 2009-02-08 19:13:59.000000000 +0300 +++ epan/dissectors/packet-ntlmssp.c 2009-04-25 17:08:16.887933595 +0400 @@ -27,7 +27,7 @@ #ifdef HAVE_CONFIG_H # include "config.h" #endif - +#include #include #include @@ -37,14 +37,18 @@ #include "packet-windows-common.h" #include "packet-smb-common.h" #include "packet-frame.h" +#include +#include "packet-kerberos.h" #include #include #include #include #include +#include #include #include "packet-dcerpc.h" #include "packet-gssapi.h" +#include #include "packet-ntlmssp.h" 
@@ -56,6 +60,10 @@ #define NTLMSSP_CHALLENGE 2 #define NTLMSSP_AUTH 3 #define NTLMSSP_UNKNOWN 4 +#define CLIENT_SIGN_TEXT "session key to client-to-server signing key magic constant" +#define CLIENT_SEAL_TEXT "session key to client-to-server sealing key magic constant" +#define SERVER_SIGN_TEXT "session key to server-to-client signing key magic constant" +#define SERVER_SEAL_TEXT "session key to server-to-client sealing key magic constant" static const value_string ntlmssp_message_types[] = { { NTLMSSP_NEGOTIATE, "NTLMSSP_NEGOTIATE" }, @@ -65,6 +73,13 @@ { 0, NULL } }; +typedef struct _md4_pass { + guint32 md4[16]; +} md4_pass; + +static unsigned char zeros[24] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; +static GHashTable* hash_packet = NULL; + /* * NTLMSSP negotiation flags * Taken from Samba @@ -108,7 +123,7 @@ #define NTLMSSP_TARGET_TYPE_DOMAIN 0x00010000 #define NTLMSSP_TARGET_TYPE_SERVER 0x00020000 #define NTLMSSP_TARGET_TYPE_SHARE 0x00040000 -#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 +#define NTLMSSP_NEGOTIATE_EXTENDED_SECURITY 0x00080000 #define NTLMSSP_NEGOTIATE_IDENTIFY 0x00100000 #define NTLMSSP_NEGOTIATE_00200000 0x00200000 #define NTLMSSP_REQUEST_NON_NT_SESSION 0x00400000 @@ -167,7 +182,8 @@ static int hf_ntlmssp_negotiate_domain_maxlen = -1; static int hf_ntlmssp_negotiate_domain_buffer = -1; static int hf_ntlmssp_negotiate_domain = -1; -static int hf_ntlmssp_ntlm_challenge = -1; +static int hf_ntlmssp_ntlm_server_challenge = -1; +static int hf_ntlmssp_ntlm_client_challenge = -1; static int hf_ntlmssp_reserved = -1; static int hf_ntlmssp_challenge_domain = -1; static int hf_ntlmssp_auth_username = -1; 
@@ -197,7 +213,8 @@ static int hf_ntlmssp_verf = -1; static int hf_ntlmssp_verf_vers = -1; static int hf_ntlmssp_verf_body = -1; -static int hf_ntlmssp_verf_unknown1 = -1; +static int hf_ntlmssp_verf_randompad = -1; +static int hf_ntlmssp_verf_hmacmd5 = -1; static int hf_ntlmssp_verf_crc32 = -1; static int hf_ntlmssp_verf_sequence = -1; static int hf_ntlmssp_decrypted_payload = -1; @@ -211,6 +228,7 @@ static int hf_ntlmssp_ntlmv2_response_name = -1; static int hf_ntlmssp_ntlmv2_response_name_type = -1; static int hf_ntlmssp_ntlmv2_response_name_len = -1; +static int hf_ntlmssp_ntlmv2_response_restriction = -1; static int hf_ntlmssp_ntlmv2_response_client_time = -1; static gint ett_ntlmssp = -1; @@ -234,9 +252,12 @@ /* Used in the conversation function */ typedef struct _ntlmssp_info { guint32 flags; - rc4_state_struct rc4_state_peer1; - rc4_state_struct rc4_state_peer2; - guint32 peer1_dest_port; + int is_auth_ntlm_v2; + rc4_state_struct rc4_state_client; + rc4_state_struct rc4_state_server; + guint32 server_dest_port; + unsigned char server_challenge[8]; + unsigned char client_challenge[8]; int rc4_state_initialized; ntlmssp_blob ntlm_response; ntlmssp_blob lm_response; 
@@ -245,20 +266,63 @@ /* If this struct exists in the payload_decrypt, then we have already decrypted it once */ typedef struct _ntlmssp_packet_info { - guint32 flags; guint8 *decrypted_payload; guint8 verifier[16]; gboolean payload_decrypted; gboolean verifier_decrypted; } ntlmssp_packet_info; - +static void printnbyte(const guint8* tab,int nb,char* txt,char* txt2) +{ + int i=0; + fprintf(stderr,"%s ",txt); + for(i=0;inext){ + if( ek->keylength == 16 ) { + nb_pass++; + } + } + memset(nt_password_hash,0,16); + if (nt_password[0] != '\0' && ( strlen(nt_password) < 129 )) { + nb_pass++; + password_len = strlen(nt_password); + str_to_unicode(nt_password,nt_password_unicode); + crypt_md4(nt_password_hash,nt_password_unicode,password_len*2); + } + if( nb_pass == 0 ) { + /* Unable to calculate the session key without a password or if password is more than 128 char ......*/ + return 0; + } + i = 0; + *p_pass_list = ep_alloc(nb_pass*sizeof(md4_pass)); + pass_list=*p_pass_list; + + if( memcmp(nt_password_hash,zeros,16) != 0 ) { + memcpy(pass_list[i].md4,nt_password_hash,16); + i = 1; + } + for(ek=enc_key_list;ek;ek=ek->next){ + if( ek->keylength == 16 ) { + memcpy(pass_list[i].md4,ek->keyvalue,16); + i++; + } + } + return nb_pass; +} +/* Create an NTLMSSP version 2 + */ +static void +create_ntlmssp_v2_key(const char *nt_password, const guint8 *serverchallenge , const guint8 *clientchallenge , + guint8 *sessionkey ,const guint8 *encryptedsessionkey , int flags , ntlmssp_blob ntlm_response, ntlmssp_blob lm_response _U_, ntlmssp_header_t *ntlmssph ) { + char domain_name_unicode[256]; + char user_uppercase[256]; + char buf[512]; + /*guint8 md4[16];*/ + unsigned char nt_password_hash[16]; + unsigned char nt_proof[16]; + unsigned char ntowf[16]; + guint8 sessionbasekey[16]; + guint8 keyexchangekey[16]; + guint8 lm_challenge_response[24]; + guint32 i; + guint32 j; + rc4_state_struct rc4state; + guint32 user_len; + guint32 domain_len; + md4_pass *pass_list; + guint32 nb_pass = 0; + 
int found = 0; + + /* We are going to try password encrypted in keytab as well, it's an idean of Stepan Metzmacher + * The idea is to be able to test all the key of domain in once and to be able to decode the NTLM dialogs */ + + memset(sessionkey, 0, 16); + nb_pass = get_md4pass_list(&pass_list,nt_password); + fprintf(stderr,"Working with %d keys\n",nb_pass); + i=0; + memset(user_uppercase,0,256); + user_len = strlen(ntlmssph->acct_name); + if( user_len < 129 ) { + memset(buf,0,512); + str_to_unicode(ntlmssph->acct_name,buf); + for (j = 0; j < (2*user_len); j++) { + if( buf[j] != '\0' ) { + user_uppercase[j] = toupper(buf[j]); + } + } + } + else { + /* Unable to calculate the session not enought space in buffer, note this is unlikely to happen but ......*/ + return; + } + domain_len = strlen(ntlmssph->domain_name); + if( domain_len < 129 ) { + str_to_unicode(ntlmssph->domain_name,domain_name_unicode); + } + else { + /* Unable to calculate the session not enought space in buffer, note this is unlikely to happen but ......*/ + return; + } + while (i < nb_pass ) { + fprintf(stderr,"Turn %d, ",i); + memcpy(nt_password_hash,pass_list[i].md4,16); + printnbyte(nt_password_hash,16,"Current NT password hash: ","\n"); + i++; + /* ntowf computation */ + memset(buf,0,512); + memcpy(buf,user_uppercase,user_len*2); + memcpy(buf+user_len*2,domain_name_unicode,domain_len*2); + md5_hmac(buf,domain_len*2+user_len*2,nt_password_hash,16,ntowf); + /* LM response */ + memset(buf,0,512); + memcpy(buf,serverchallenge,8); + memcpy(buf+8,clientchallenge,8); + md5_hmac(buf,16,ntowf,16,lm_challenge_response); + memcpy(lm_challenge_response+16,clientchallenge,8); + printnbyte(lm_challenge_response,24,"LM Response: ","\n"); + + /* NT proof = First 16 bytes of NT response */ + memset(buf,0,512); + memcpy(buf,serverchallenge,8); + memcpy(buf+8,ntlm_response.contents+16,ntlm_response.length-16); + md5_hmac(buf,ntlm_response.length-8,ntowf,16,nt_proof); + printnbyte(nt_proof,16,"NT proof: ","\n"); 
+ if( !memcmp(nt_proof,ntlm_response.contents,16) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + break; + } + + } + if( found == 0 ) { + fprintf(stderr,"Unable to find a matching password, give up decoding\n"); + + return; + } + + md5_hmac(nt_proof,16,ntowf,16,sessionbasekey); + get_keyexchange_key(keyexchangekey,sessionbasekey,lm_challenge_response,flags); + /* now decrypt session key if needed and setup sessionkey for decrypting further communications */ + if (flags & NTLMSSP_NEGOTIATE_KEY_EXCH) + { + memcpy(sessionkey,encryptedsessionkey,16); + crypt_rc4_init(&rc4state,keyexchangekey,16); + crypt_rc4(&rc4state,sessionkey,16); + } + else + { + memcpy(sessionkey,keyexchangekey,16); + } + +} + /* Create an NTLMSSP version 1 key + * That is more complicated logic and methods and user challenge as well. * password points to the ANSI password to encrypt, challenge points to - * the 8 octet challenge string, key128 will do a 128 bit key if set to 1, - * otherwise it will do a 40 bit key. 
The result is stored in - * sspkey (expected to be 16 octets) + * the 8 octet challenge string */ static void -create_ntlmssp_v1_key(const char *nt_password, const guint8 *challenge, - int use_key_128, guint8 *sspkey) +create_ntlmssp_v1_key(const char *nt_password, const guint8 *serverchallenge, const guint8 *clientchallenge, + guint8 *sessionkey,const guint8 *encryptedsessionkey, int flags, const guint8 *ref_nt_challenge_response,const guint8 *ref_lm_challenge_response) { unsigned char lm_password_upper[16]; unsigned char lm_password_hash[16]; + unsigned char nt_password_hash[16]; + unsigned char challenges_hash[16]; + unsigned char challenges_hash_first8[8]; + unsigned char challenges[16]; + guint8 md4[16]; + guint8 nb_pass = 0; + guint8 sessionbasekey[16]; + guint8 keyexchangekey[16]; guint8 lm_challenge_response[24]; - guint8 rc4key[24]; - guint8 pw21[21]; /* Password hash padded to 21 bytes */ + guint8 nt_challenge_response[24]; + rc4_state_struct rc4state; + md5_state_t md5state; + char nt_password_unicode[256]; size_t password_len; unsigned int i; + int found = 0; + md4_pass *pass_list; unsigned char lmhash_key[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; - + + memset(sessionkey, 0, 16); memset(lm_password_upper, 0, sizeof(lm_password_upper)); - + /* lm auth/lm session == (!NTLM_NEGOTIATE_NT_ONLY && NTLMSSP_NEGOTIATE_LM_KEY) || ! (EXTENDED_SECURITY) || ! NTLMSSP_NEGOTIATE_NTLM*/ /* Create a Lan Manager hash of the input password */ if (nt_password[0] != '\0') { password_len = strlen(nt_password); + /*Do not forget to free nt_password_nt*/ + str_to_unicode(nt_password,nt_password_unicode); + crypt_md4(nt_password_hash,nt_password_unicode,password_len*2); /* Truncate password if too long */ if (password_len > 16) password_len = 16; 
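Review bot: In create_ntlmssp_v2_key the NT proof step does memcpy(buf+8,ntlm_response.contents+16,ntlm_response.length-16) into the 512-byte stack array buf with no check on ntlm_response.length, which comes straight from the captured packet. The only limit on that length visible in this patch is the blob_length < MAX_BLOB_SIZE test in dissect_ntlmssp_blob, so unless that constant guarantees ntlm_response.length - 8 <= sizeof(buf), a long NT response in a capture file overruns the stack buffer; add an explicit length check before the copy and return when it fails. create_ntlmssp_v1_key has the same kind of gap for the preference string: it calls str_to_unicode(nt_password,nt_password_unicode) into a 256-byte array before any length test, while get_md4pass_list does test strlen(nt_password) < 129 first. Separately, the printnbyte and fprintf(stderr, ...) calls print every candidate NT password hash and the derived responses to stderr on each attempt; key material should not be written out from a dissector, so drop these or put them behind a compile-time debug switch before sending this upstream.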
@@ -313,42 +603,168 @@ lm_password_upper[i] = toupper(nt_password[i]); } } + else + { + /* Unable to calculate the session key without a password ... and we will not use one for a keytab*/ + if( !(flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY )) { + return; + } + } + if((flags & NTLMSSP_NEGOTIATE_LM_KEY && !(flags & NTLMSSP_NEGOTIATE_NT_ONLY)) || !(flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) || !(flags & NTLMSSP_NEGOTIATE_NTLM)) { + crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1); + crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1); + ntlmssp_generate_challenge_response(lm_challenge_response, + lm_password_hash, serverchallenge); + memcpy(sessionbasekey,lm_password_hash,16); + } + else { + + memset(lm_challenge_response,0,24); + if( flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY ) { + nb_pass = get_md4pass_list(&pass_list,nt_password); + fprintf(stderr,"Working with %d keys\n",nb_pass); + i=0; + while (i < nb_pass ) { + fprintf(stderr,"Turn %d, ",i); + memcpy(nt_password_hash,pass_list[i].md4,16); + printnbyte(nt_password_hash,16,"Current NT password hash: ","\n"); + i++; + memcpy(lm_challenge_response,clientchallenge,8); + md5_init(&md5state); + md5_append(&md5state,serverchallenge,8); + md5_append(&md5state,clientchallenge,8); + md5_finish(&md5state,challenges_hash); + strncpy(challenges_hash_first8,challenges_hash,8); + crypt_des_ecb_long(nt_challenge_response,nt_password_hash,challenges_hash_first8); + if( !memcmp(ref_nt_challenge_response,nt_challenge_response,24) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + break; + } + } + } + else { + crypt_des_ecb_long(nt_challenge_response,nt_password_hash,serverchallenge); + if( flags & NTLMSSP_NEGOTIATE_NT_ONLY ) { + memcpy(lm_challenge_response,nt_challenge_response,24); + } + else { + crypt_des_ecb_long(lm_challenge_response,lm_password_hash,serverchallenge); + } + if( !memcmp(ref_nt_challenge_response,nt_challenge_response,24) && 
!memcmp(ref_lm_challenge_response,lm_challenge_response,24) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + } + } + /* So it's clearly not like this that's put into NTLMSSP doc but after some digging into samba code I'm quite confident + * that sessionbasekey should be based md4(nt_password_hash) only in the case of some NT auth + * Otherwise it should be lm_password_hash ...*/ + crypt_md4(md4,nt_password_hash,16); + if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) { + memcpy(challenges,serverchallenge,8); + memcpy(challenges+8,clientchallenge,8); + /*md5_hmac(text,text_len,key,key_len,digest);*/ + md5_hmac(challenges,16,md4,16,sessionbasekey); + } + else { + memcpy(sessionbasekey,md4,16); + } + } - crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1); - crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1); + if( found == 0 ) { + fprintf(stderr,"Unable to find a matching password, give up decoding\n"); + + return; + } - /* Generate the LanMan Challenge Response */ - ntlmssp_generate_challenge_response(lm_challenge_response, - lm_password_hash, challenge); - - /* Generate the NTLMSSP-v1 RC4 Key. - * The RC4 key is derived from the Lan Manager Hash. - * See lkcl "DCE/RPC over SMB" page 254 for the algorithm. 
- */ - memset(pw21, 0xBD, sizeof(pw21)); - memcpy(pw21, lm_password_hash, sizeof(lm_password_hash)); - /* Only the first eight bytes of challenge_response is used */ - crypt_des_ecb(rc4key, lm_challenge_response, pw21, 1); - crypt_des_ecb(rc4key + 8, lm_challenge_response, pw21 + 7, 1); - crypt_des_ecb(rc4key + 16, lm_challenge_response, pw21 + 14, 1); - - /* Create the SSP Key */ - memset(sspkey, 0, sizeof(sspkey)); - if (use_key_128) { - /* Create 128 bit key */ - memcpy(sspkey, rc4key, 16); + get_keyexchange_key(keyexchangekey,sessionbasekey,lm_challenge_response,flags); + memset(sessionkey, 0, 16); + printnbyte(nt_challenge_response,24,"NT challenge response","\n"); + printnbyte(lm_challenge_response,24,"LM challenge response","\n"); + /* now decrypt session key if needed and setup sessionkey for decrypting further communications */ + if (flags & NTLMSSP_NEGOTIATE_KEY_EXCH) + { + memcpy(sessionkey,encryptedsessionkey,16); + crypt_rc4_init(&rc4state,keyexchangekey,16); + crypt_rc4(&rc4state,sessionkey,16); + } + else + { + memcpy(sessionkey,keyexchangekey,16); } - else { - /* Create 40 bit key */ - memcpy(sspkey, rc4key, 5); - sspkey[5]=0xe5; - sspkey[6]=0x38; - sspkey[7]=0xb0; +} +/* We return either a 128 or 64 bit key + */ +static void +get_sealing_rc4key(const guint8 exportedsessionkey[16] ,const int flags ,int *keylen ,guint8 *clientsealkey ,guint8 *serversealkey) +{ + md5_state_t md5state; + md5_state_t md5state2; + memset(clientsealkey,0,16); + memset(serversealkey,0,16); + memcpy(clientsealkey,exportedsessionkey,16); + if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) + { + if (flags & NTLMSSP_NEGOTIATE_128) + { + /* The exportedsessionkey has already the good length just update the length*/ + *keylen = 16; + } + else + { + if (flags & NTLMSSP_NEGOTIATE_56) + { + memset(clientsealkey+7,0,9); + *keylen = 7; + } + else + { + memset(clientsealkey+5,0,11); + *keylen = 5; + } + } + memcpy(serversealkey,clientsealkey,16); + md5_init(&md5state); + 
md5_append(&md5state,clientsealkey,*keylen); + md5_append(&md5state,CLIENT_SEAL_TEXT,strlen(CLIENT_SEAL_TEXT)+1); + md5_finish(&md5state,clientsealkey); + md5_init(&md5state2); + md5_append(&md5state2,serversealkey,*keylen); + md5_append(&md5state2,SERVER_SEAL_TEXT,strlen(SERVER_SEAL_TEXT)+1); + md5_finish(&md5state2,serversealkey); + } + else + { + if (flags & NTLMSSP_NEGOTIATE_128) + { + /* The exportedsessionkey has already the good length just update the length*/ + *keylen = 16; + } + else + { + *keylen = 8; + if (flags & NTLMSSP_NEGOTIATE_56) + { + memset(clientsealkey+7,0,9); + } + else + { + memset(clientsealkey+5,0,11); + clientsealkey[5]=0xe5; + clientsealkey[6]=0x38; + clientsealkey[7]=0xb0; + } + } + serversealkey = memcpy(serversealkey,clientsealkey,*keylen); } - return; } - +/* Create an NTLMSSP version 1 key. + * password points to the ANSI password to encrypt, challenge points to + * the 8 octet challenge string, key128 will do a 128 bit key if set to 1, + * otherwise it will do a 40 bit key. The result is stored in + * sspkey (expected to be 16 octets) + */ /* dissect a string - header area contains: two byte len two byte maxlen @@ -457,14 +873,27 @@ result->length = blob_length; memset(result->contents, 0, MAX_BLOB_SIZE); if (blob_length < MAX_BLOB_SIZE) + { tvb_memcpy(tvb, result->contents, blob_offset, blob_length); + if (blob_hf == hf_ntlmssp_auth_lmresponse && !(strncmp(tvb->real_data+blob_offset+8,"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",16))) + { + proto_tree_add_item (ntlmssp_tree, + hf_ntlmssp_ntlm_client_challenge, + tvb, blob_offset, 8, FALSE); + } + } } /* If we are dissecting the NTLM response and it is a NTLMv2 response call the appropriate dissector. */ if (blob_hf == hf_ntlmssp_auth_ntresponse && blob_length > 24) + { + proto_tree_add_item (ntlmssp_tree, + hf_ntlmssp_ntlm_client_challenge, + tvb, blob_offset+32, 8, FALSE); dissect_ntlmv2_response(tvb, tree, blob_offset, blob_length); + } return offset; } 
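Review bot: The zero test added for the LM response uses strncmp(tvb->real_data+blob_offset+8, "\0\0...", 16), but strncmp stops comparing at the first NUL, so it reports a match as soon as the single byte at blob_offset+8 is zero and never examines the other 15 bytes. Use memcmp against a zero buffer (the patch already defines zeros[24]) and fetch the bytes with a bounds-checked accessor such as the tvb_memcpy call on the line above rather than reading tvb->real_data directly, after confirming blob_length is at least 24. The NT response branch has a related gap: it adds hf_ntlmssp_ntlm_client_challenge at blob_offset+32 for 8 bytes when only blob_length > 24 has been checked, so a response of 25 to 39 bytes would be labelled from bytes outside the blob; require blob_length >= 40 before adding that item.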
@@ -601,6 +1030,9 @@ #define NTLM_NAME_DNS_HOST 0x0003 #define NTLM_NAME_DNS_DOMAIN 0x0004 #define NTLM_NAME_CLIENT_TIME 0x0007 +#define NTLM_NAME_RESTRICTION 0x0008 + + static const value_string ntlm_name_types[] = { { NTLM_NAME_END, "End of list" }, @@ -608,7 +1040,9 @@ { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" }, { NTLM_NAME_DNS_HOST, "DNS host name" }, { NTLM_NAME_DNS_DOMAIN, "DNS domain name" }, + { NTLM_NAME_CLIENT_TIME, "Client Time" }, + { NTLM_NAME_RESTRICTION, "Encoding restriction" }, { 0, NULL } }; @@ -617,7 +1051,7 @@ { proto_item *ntlmv2_item = NULL; proto_tree *ntlmv2_tree = NULL; - + const guint8 *restriction_bytes; /* Dissect NTLMv2 bits&pieces */ if (tree) { @@ -709,6 +1143,14 @@ proto_item_append_text( name_item, "Client Time"); break; + case NTLM_NAME_RESTRICTION: + proto_item_append_text( + name_item, "%s", + val_to_str(name_type, ntlm_name_types, + "Unknown")); + restriction_bytes = tvb_get_ptr(tvb, offset,name_len); + proto_tree_add_bytes (name_tree,hf_ntlmssp_ntlmv2_response_restriction,tvb,offset,name_len,restriction_bytes); + break; case NTLM_NAME_NB_HOST: case NTLM_NAME_NB_DOMAIN: case NTLM_NAME_DNS_HOST: @@ -716,10 +1158,9 @@ default: name = tvb_get_ephemeral_faked_unicode( tvb, offset, name_len / 2, TRUE); - proto_tree_add_text( name_tree, tvb, offset, name_len, - "Name: %s", name); + "Value: %s", name); proto_item_append_text( name_item, "%s, %s", val_to_str(name_type, ntlm_name_types, 
@@ -911,12 +1352,14 @@ guint32 negotiate_flags; int item_start, item_end; int data_start, data_end; + guint8 clientkey[16]; /* NTLMSSP cipher key for client */ + guint8 serverkey[16]; /* NTLMSSP cipher key for server*/ ntlmssp_info *conv_ntlmssp_info; conversation_t *conversation; gboolean unicode_strings = FALSE; guint8 challenge[8]; guint8 sspkey[16]; /* NTLMSSP cipher key */ - guint8 ssp_key_len; /* Either 8 or 16 (40 bit or 128) */ + int ssp_key_len; /* Either 8 or 16 (40 bit or 128) */ /* need to find unicode flag */ negotiate_flags = tvb_get_letohl (tvb, offset+8); @@ -940,7 +1383,7 @@ /* NTLMSSP NT Lan Manager Challenge */ proto_tree_add_item (ntlmssp_tree, - hf_ntlmssp_ntlm_challenge, + hf_ntlmssp_ntlm_server_challenge, tvb, offset, 8, FALSE); /* 
@@ -961,22 +1404,26 @@ conv_ntlmssp_info->flags = negotiate_flags; /* Insert the RC4 state information into the conversation */ tvb_memcpy(tvb, challenge, offset, 8); - + tvb_memcpy(tvb, conv_ntlmssp_info->server_challenge, offset, 8); + conv_ntlmssp_info->is_auth_ntlm_v2=0; /* Between the challenge and the user provided password, we can build the - NTLMSSP key and initialize the cipher */ - if (conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_128) { - create_ntlmssp_v1_key(nt_password, challenge, 1, sspkey); - ssp_key_len = 16; - } - else { - create_ntlmssp_v1_key(nt_password, challenge, 0, sspkey); - ssp_key_len = 8; + NTLMSSP key and initialize the cipher if we are not in EXTENDED SECURITY + in this case we need the client challenge as well*/ + /* BTW this is true just if we are in LM Authentification if not the logic is a bit different. + * Right now it's not very clear what is LM Authentification it __seems__ to be when + * NEGOTIATE NT ONLY is not set and NEGOSIATE EXTENDED SECURITY is not set as well*/ + if (!(conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY)) + { + create_ntlmssp_v1_key(nt_password, conv_ntlmssp_info->server_challenge,NULL, sspkey,NULL,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response.contents,conv_ntlmssp_info->lm_response.contents); + if( memcmp(sspkey,zeros,16) != 0 ) { + get_sealing_rc4key(sspkey,conv_ntlmssp_info->flags,&ssp_key_len,clientkey,serverkey); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_client, sspkey, ssp_key_len); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_server, sspkey, ssp_key_len); + conv_ntlmssp_info->server_dest_port = pinfo->destport; + conv_ntlmssp_info->rc4_state_initialized = 1; + } + } - crypt_rc4_init(&conv_ntlmssp_info->rc4_state_peer1, sspkey, ssp_key_len); - crypt_rc4_init(&conv_ntlmssp_info->rc4_state_peer2, sspkey, ssp_key_len); - conv_ntlmssp_info->peer1_dest_port = pinfo->destport; - conv_ntlmssp_info->rc4_state_initialized = 1; - conversation_add_proto_data(conversation, 
proto_ntlmssp, conv_ntlmssp_info); } offset += 8; @@ -1023,15 +1470,27 @@ int item_start, item_end; int data_start, data_end = 0; guint32 negotiate_flags; + guint8 sspkey[16]; /* exported session key */ + guint8 clientkey[16]; /* NTLMSSP cipher key for client */ + guint8 serverkey[16]; /* NTLMSSP cipher key for server*/ + guint8 encryptedsessionkey[16]; + ntlmssp_blob sessionblob; gboolean unicode_strings = FALSE; - ntlmssp_info *conv_ntlmssp_info; + ntlmssp_info *conv_ntlmssp_info = NULL; conversation_t *conversation; - + int ssp_key_len; /* * Get flag info from the original negotiate message, if any. * This is because the flag information is sometimes missing from * the AUTHENTICATE message, so we can't figure out whether * strings are Unicode or not by looking at *our* flags. + * XXX it seems it's more from the CHALLENGE message, which is more clever in fact + * because the server can change some flags. + * But according to MS NTLMSSP doc it's not that simple. + * In case of Conection less mode AUTHENTICATE flags should be used because they + * reprensent the choice of the client after having been informed of options of the + * server in the CHALLENGE message. + * In Connection mode then the CHALLENGE flags should (must ?) be used */ conv_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); if (conv_ntlmssp_info == NULL) { @@ -1060,7 +1519,10 @@ /* * Sometimes the session key and flags are missing. - * Sometimes the session key is present but the flags are missing. + * Sometimes the session key is present but the flags are missing. + * XXX Who stay so ? Reading spec I would rather say the opposite: flags are + * always present, session information are always there as well but sometime + * session information could be null (in case of no session) * Sometimes they're both present. * * This does not correlate with any flags in the previous CHALLENGE 
@@ -1082,7 +1544,7 @@ conv_ntlmssp_info == NULL ? NULL : &conv_ntlmssp_info->lm_response); data_end = MAX(data_end, item_end); - + /* NTLM response */ item_start = tvb_get_letohl(tvb, offset+4); offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree, @@ -1090,8 +1552,18 @@ &item_end, conv_ntlmssp_info == NULL ? NULL : &conv_ntlmssp_info->ntlm_response); + if( conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length > 24 ) { + strncpy(conv_ntlmssp_info->client_challenge,conv_ntlmssp_info->ntlm_response.contents+32,8); + } data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); + if( conv_ntlmssp_info != NULL ) + { + if( conv_ntlmssp_info->ntlm_response.length > 24 ) + { + conv_ntlmssp_info->is_auth_ntlm_v2=1; + } + } /* domain name */ item_start = tvb_get_letohl(tvb, offset+4); @@ -1099,6 +1571,7 @@ unicode_strings, hf_ntlmssp_auth_domain, &item_start, &item_end, &(ntlmssph->domain_name)); + /*ntlmssph->domain_name_len=item_end-item_start;*/ data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); @@ -1108,6 +1581,7 @@ unicode_strings, hf_ntlmssp_auth_username, &item_start, &item_end, &(ntlmssph->acct_name)); + /*ntlmssph->acct_name_len=item_end-item_start;*/ data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); 
@@ -1128,20 +1602,274 @@ /* Session Key */ offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree, hf_ntlmssp_auth_sesskey, - &item_end, NULL); + &item_end, &sessionblob); data_end = MAX(data_end, item_end); } - + memcpy(encryptedsessionkey,sessionblob.contents,sessionblob.length); if (offset < data_start) { /* NTLMSSP Negotiate Flags */ negotiate_flags = tvb_get_letohl (tvb, offset); offset = dissect_ntlmssp_negotiate_flags (tvb, offset, ntlmssp_tree, negotiate_flags); } - + /* Try to attach to an existing conversation if not then it's useless to try to do so + * because we are missing important information (ie. server challenge) + */ + if (conv_ntlmssp_info) { + /* If we are in EXTENDED SECURITY then we can now initialize cipher */ + if ((conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY)) + { + if( conv_ntlmssp_info->is_auth_ntlm_v2 ) { + create_ntlmssp_v2_key(nt_password, conv_ntlmssp_info->server_challenge,conv_ntlmssp_info->client_challenge, sspkey,encryptedsessionkey,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response,conv_ntlmssp_info->lm_response,ntlmssph); + } + else + { + strncpy(conv_ntlmssp_info->client_challenge,conv_ntlmssp_info->lm_response.contents,8); + create_ntlmssp_v1_key(nt_password, conv_ntlmssp_info->server_challenge,conv_ntlmssp_info->client_challenge, sspkey,encryptedsessionkey,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response.contents,conv_ntlmssp_info->lm_response.contents); + } + /* ssp is the exported session key */ + if( memcmp(sspkey,zeros,16) != 0) { + get_sealing_rc4key(sspkey,conv_ntlmssp_info->flags,&ssp_key_len,clientkey,serverkey); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_server, serverkey, ssp_key_len); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_client, clientkey, ssp_key_len); + conv_ntlmssp_info->server_dest_port = pinfo->destport; + conv_ntlmssp_info->rc4_state_initialized = 1; + } + } + } return MAX(offset, data_end); } +/* + * Get the encryption state tied to this conversation. 
cryptpeer indicates + * whether to retrieve the client key (1) or the server key (0) + */ +static rc4_state_struct * +get_encrypted_state(packet_info *pinfo, int cryptpeer) +{ + conversation_t *conversation; + ntlmssp_info *conv_ntlmssp_info; + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* We don't have a conversation. In this case, stop processing + because we do not have enough info to decrypt the payload */ + return NULL; + } + else { + /* We have a conversation, check for encryption state */ + conv_ntlmssp_info = conversation_get_proto_data(conversation, + proto_ntlmssp); + if (conv_ntlmssp_info == NULL) { + /* No encryption state tied to the conversation. Therefore, we + cannot decrypt the payload */ + return NULL; + } + else { + /* We have the encryption state in the conversation. So return the + crypt state tied to the requested peer + */ + if (cryptpeer == 1) { + return &conv_ntlmssp_info->rc4_state_client; + } else { + return &conv_ntlmssp_info->rc4_state_server; + } + } + } +} +void +decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree _U_,gpointer key); +static void +decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree,gpointer key); + +/* +tvbuff_t * +dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb, + tvbuff_t *auth_tvb _U_, + int offset, + packet_info *pinfo, + dcerpc_auth_info *auth_info _U_)*/ + +int +dissect_ntlmssp_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree ) +{ + volatile int offset = 0; + proto_tree *volatile ntlmssp_tree = NULL; + proto_item *tf = NULL; + guint32 length; + guint32 encrypted_block_length; + guint8 key[16]; + /* the magic ntlm is the identifier of a NTLMSSP packet that's 00 00 00 01 + */ + guint32 ntlm_magic_size = 4; + guint32 ntlm_signature_size = 8; + guint32 
ntlm_seq_size = 4; + length = tvb_length (tvb); + /* signature + seq + real payload */ + encrypted_block_length = length - ntlm_magic_size; + + if (encrypted_block_length < (ntlm_signature_size + ntlm_seq_size)) { + /* Don't know why this would happen, but if it does, don't even bother + attempting decryption/dissection */ + return offset + length; + } + + /* Setup a new tree for the NTLMSSP payload */ + if (tree) { + tf = proto_tree_add_item (tree, + hf_ntlmssp_verf, + tvb, offset, -1, FALSE); + + ntlmssp_tree = proto_item_add_subtree (tf, + ett_ntlmssp); + } + + /* + * Catch the ReportedBoundsError exception; the stuff we've been + * handed doesn't necessarily run to the end of the packet, it's + * an item inside a packet, so if it happens to be malformed (or + * we, or a dissector we call, has a bug), so that an exception + * is thrown, we want to report the error, but return and let + * our caller dissect the rest of the packet. + * + * If it gets a BoundsError, we can stop, as there's nothing more + * in the packet after our blob to see, so we just re-throw the + * exception. 
+ */ + TRY { + /* Version number */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers, + tvb, offset, 4, TRUE); + offset += 4; + + /* Encrypted body */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body, + tvb, offset, encrypted_block_length, TRUE); + tvb_memcpy(tvb, key, offset, ntlm_signature_size + ntlm_seq_size); + /* Try to decrypt */ + decrypt_data_payload (tvb, offset+(ntlm_signature_size + ntlm_seq_size), encrypted_block_length-(ntlm_signature_size + ntlm_seq_size), pinfo, ntlmssp_tree,key); + decrypt_verifier (tvb, offset, ntlm_signature_size + ntlm_seq_size, pinfo, ntlmssp_tree,key); + /* let's try to hook ourselves here */ + + offset += 12; + } CATCH(BoundsError) { + RETHROW; + } CATCH(ReportedBoundsError) { + show_reported_bounds_error(tvb, pinfo, tree); + } ENDTRY; + + return offset; +} +void +decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree _U_,gpointer key) +{ + tvbuff_t *decr_tvb; /* Used to display decrypted buffer */ + guint8 *peer_block; + conversation_t *conversation; + rc4_state_struct *rc4_state; + rc4_state_struct *rc4_state_peer; + ntlmssp_info *conv_ntlmssp_info = NULL; + ntlmssp_packet_info *packet_ntlmssp_info = NULL; + ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL; + + + /* Check to see if we already have state for this packet */ + packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); + if (packet_ntlmssp_info == NULL) { + /* We don't have any packet state, so create one */ + packet_ntlmssp_info = se_alloc(sizeof(ntlmssp_packet_info)); + memset(packet_ntlmssp_info, 0, sizeof(ntlmssp_packet_info)); + p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info); + } + if (!packet_ntlmssp_info->payload_decrypted) { + /* Pull the challenge info from the conversation */ + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* 
There is no conversation, thus no encryption state */ + return ; + } + + conv_ntlmssp_info = conversation_get_proto_data(conversation, + proto_ntlmssp); + if (conv_ntlmssp_info == NULL) { + /* There is no NTLMSSP state tied to the conversation */ + return ; + } + if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { + /* The crypto sybsystem is not initialized. This means that either + the conversation did not include a challenge, or that we do not have the right password */ + return; + } + stored_packet_ntlmssp_info = g_hash_table_lookup(hash_packet,key); + if( stored_packet_ntlmssp_info != NULL && stored_packet_ntlmssp_info->payload_decrypted == TRUE) + { + /* Mat TBD fprintf(stderr,"Found a already decrypted packet\n");*/ + memcpy(packet_ntlmssp_info,stored_packet_ntlmssp_info,sizeof(ntlmssp_packet_info)); + /* Mat TBD printnbyte(packet_ntlmssp_info->decrypted_payload,encrypted_block_length,"Data: ","\n");*/ + } + else + { + /* Get the pair of RC4 state structures. One is used for to decrypt the + payload. 
The other is used to re-encrypt the payload to represent + the peer */ + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { + /* client */ + rc4_state = get_encrypted_state(pinfo, 1); + rc4_state_peer = get_encrypted_state(pinfo, 0); + } else { + /* server */ + rc4_state = get_encrypted_state(pinfo, 0); + rc4_state_peer = get_encrypted_state(pinfo, 1); + } + + if (rc4_state == NULL ) { + /* There is no encryption state, so we cannot decrypt */ + return ; + } + + /* Store the decrypted contents in the packet state struct + (of course at this point, they aren't decrypted yet) */ + packet_ntlmssp_info->decrypted_payload = tvb_memdup(tvb, offset, + encrypted_block_length); + decrypted_payloads = g_slist_prepend(decrypted_payloads, + packet_ntlmssp_info->decrypted_payload); + g_hash_table_insert(hash_packet,key,packet_ntlmssp_info); + + /* Do the decryption of the payload */ + crypt_rc4(rc4_state, packet_ntlmssp_info->decrypted_payload, + encrypted_block_length); + /* decrypt the verifier */ + + /* We setup a temporary buffer so we can re-encrypt the payload after + decryption. This is to update the opposite peer's RC4 state + it's usefull when we have only one key for both conversation + in case of KEY_EXCH we have independant key so this is not needed*/ + if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags)) { + peer_block = g_malloc(encrypted_block_length); + memcpy(peer_block, packet_ntlmssp_info->decrypted_payload, + encrypted_block_length); + crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); + g_free(peer_block); + } + + packet_ntlmssp_info->payload_decrypted = TRUE; + } + } + + /* Show the decrypted buffer in a new window */ + decr_tvb = tvb_new_real_data(packet_ntlmssp_info->decrypted_payload, + encrypted_block_length, + encrypted_block_length); + + tvb_set_child_real_data_tvbuff(tvb, decr_tvb); + pinfo->gssapi_decrypted_tvb = decr_tvb; +} static void dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { 
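Review bot: In the authenticate-message part of this hunk, memcpy(encryptedsessionkey,sessionblob.contents,sessionblob.length) takes its length straight from the packet, with no visible check against the size of encryptedsessionkey. It also sits after the closing brace of the block that dissects the session key, so it runs even when that block was skipped and sessionblob was never filled in. Please move the copy inside the block and clamp the length to the destination buffer. In the NTLMv1 branch, strncpy(conv_ntlmssp_info->client_challenge,conv_ntlmssp_info->lm_response.contents,8) is applied to binary data: it stops at the first zero byte and zero-fills the rest, so a challenge containing 0x00 is silently truncated. memcpy of 8 bytes, after checking that lm_response holds at least 8, is what is wanted here.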
@@ -1226,52 +1954,14 @@ tap_queue_packet(ntlmssp_tap, pinfo, ntlmssph); } -/* - * Get the encryption state tied to this conversation. cryptpeer indicates - * whether to retrieve the data for peer1 or peer2. - */ -static rc4_state_struct * -get_encrypted_state(packet_info *pinfo, int cryptpeer) -{ - conversation_t *conversation; - ntlmssp_info *conv_ntlmssp_info; - conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, - pinfo->ptype, pinfo->srcport, - pinfo->destport, 0); - if (conversation == NULL) { - /* We don't have a conversation. In this case, stop processing - because we do not have enough info to decrypt the payload */ - return NULL; - } - else { - /* We have a conversation, check for encryption state */ - conv_ntlmssp_info = conversation_get_proto_data(conversation, - proto_ntlmssp); - if (conv_ntlmssp_info == NULL) { - /* No encryption state tied to the conversation. Therefore, we - cannot decrypt the payload */ - return NULL; - } - else { - /* We have the encryption state in the conversation. So return the - crypt state tied to the requested peer - */ - if (cryptpeer == 1) { - return &conv_ntlmssp_info->rc4_state_peer1; - } else { - return &conv_ntlmssp_info->rc4_state_peer2; - } - } - } -} /* * See page 45 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton. */ static void decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, - packet_info *pinfo, proto_tree *tree) + packet_info *pinfo, proto_tree *tree,gpointer key) { proto_tree *decr_tree = NULL; proto_item *tf = NULL; 
@@ -1283,69 +1973,96 @@ ntlmssp_info *conv_ntlmssp_info = NULL; ntlmssp_packet_info *packet_ntlmssp_info = NULL; int decrypted_offset = 0; - + ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL; packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); if (packet_ntlmssp_info == NULL) { /* We don't have data for this packet */ return; } - if (!packet_ntlmssp_info->verifier_decrypted) { - conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, - pinfo->ptype, pinfo->srcport, - pinfo->destport, 0); - if (conversation == NULL) { - /* There is no conversation, thus no encryption state */ - return; - } - - conv_ntlmssp_info = conversation_get_proto_data(conversation, + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* There is no conversation, thus no encryption state */ + return; + } + conv_ntlmssp_info = conversation_get_proto_data(conversation, proto_ntlmssp); - if (conv_ntlmssp_info == NULL) { - /* There is no NTLMSSP state tied to the conversation */ - return; - } - if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { - /* The crypto sybsystem is not initialized. 
This means that either - the conversation did not include a challenge, or we are doing - something other than NTLMSSP v1 */ - return; - } - - if (conv_ntlmssp_info->peer1_dest_port == pinfo->destport) { - rc4_state = get_encrypted_state(pinfo, 1); - rc4_state_peer = get_encrypted_state(pinfo, 0); - } else { - rc4_state = get_encrypted_state(pinfo, 0); - rc4_state_peer = get_encrypted_state(pinfo, 1); - } + if (conv_ntlmssp_info == NULL) { + /* There is no NTLMSSP state tied to the conversation */ + return; + } - if (rc4_state == NULL || rc4_state_peer == NULL) { - /* There is no encryption state, so we cannot decrypt */ - return; + if( key != NULL ){ + stored_packet_ntlmssp_info = g_hash_table_lookup(hash_packet,key); + } + if( stored_packet_ntlmssp_info != NULL && stored_packet_ntlmssp_info->verifier_decrypted == TRUE) { + /* Mat TBD fprintf(stderr,"Found a already decrypted packet\n");*/ + memcpy(packet_ntlmssp_info,stored_packet_ntlmssp_info,sizeof(ntlmssp_packet_info)); + } + else { + if (!packet_ntlmssp_info->verifier_decrypted) { + if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { + /* The crypto sybsystem is not initialized. 
This means that either + the conversation did not include a challenge, or we are doing + something other than NTLMSSP v1 */ + return; + } + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { + /* client talk to server */ + rc4_state = get_encrypted_state(pinfo, 1); + rc4_state_peer = get_encrypted_state(pinfo, 0); + } else { + rc4_state = get_encrypted_state(pinfo, 0); + rc4_state_peer = get_encrypted_state(pinfo, 1); + } + + if (rc4_state == NULL || rc4_state_peer == NULL) { + /* There is no encryption state, so we cannot decrypt */ + return; + } + + /* Setup the buffer to decrypt to */ + tvb_memcpy(tvb, packet_ntlmssp_info->verifier, + offset, encrypted_block_length); + + /*if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & packet_ntlmssp_info->flags)) {*/ + if( conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY ) { + if( (NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags)) { + /* The spec says that if we have have a key exchange then we have a the signature that is crypted + * otherwise it's just a hmac_md5(keysign,concat(message,sequence))[0..7] + */ + crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, + 8); + } + } + else { + /* The packet has a PAD then a checksum then a sequence and they are encoded in this order so we can decrypt all at once */ + /* Do the actual decryption of the verifier */ + crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, + encrypted_block_length); + } + + + + /* We setup a temporary buffer so we can re-encrypt the payload after + decryption. 
This is to update the opposite peer's RC4 state + This is not needed when we just have EXTENDED SECURITY because the signature is not crypted + and it's also not needed when we have key exchange because server and client have independant keys */ + if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags) && !(NTLMSSP_NEGOTIATE_EXTENDED_SECURITY & conv_ntlmssp_info->flags)) { + peer_block = g_malloc(encrypted_block_length); + memcpy(peer_block, packet_ntlmssp_info->verifier, + encrypted_block_length); + crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); + g_free(peer_block); + } + + /* Mark the packet as decrypted so that subsequent attempts to dissect + the packet use the already decrypted payload instead of attempting + to decrypt again */ + packet_ntlmssp_info->verifier_decrypted = TRUE; } - - /* Setup the buffer to decrypt to */ - tvb_memcpy(tvb, packet_ntlmssp_info->verifier, - offset, encrypted_block_length); - - /* Do the actual decryption of the verifier */ - crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, - encrypted_block_length); - - /* We setup a temporary buffer so we can re-encrypt the payload after - decryption. This is to update the opposite peer's RC4 state */ - peer_block = g_malloc(encrypted_block_length); - memcpy(peer_block, packet_ntlmssp_info->verifier, - encrypted_block_length); - crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); - g_free(peer_block); - - /* Mark the packet as decrypted so that subsequent attempts to dissect - the packet use the already decrypted payload instead of attempting - to decrypt again */ - packet_ntlmssp_info->verifier_decrypted = TRUE; } - /* Show the decrypted buffer in a new window */ decr_tvb = tvb_new_real_data(packet_ntlmssp_info->verifier, encrypted_block_length, 
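Review bot: In decrypt_verifier, memcpy(packet_ntlmssp_info,stored_packet_ntlmssp_info,sizeof(ntlmssp_packet_info)) can be handed the same object as source and destination. decrypt_data_payload inserts this frame's packet_ntlmssp_info into hash_packet, so a later lookup with the same key returns that very pointer. Compare the two pointers and skip the copy when they are equal. The comment on the rc4_state_initialized check still reads "something other than NTLMSSP v1" although this patch derives v2 keys as well, and the commented-out KEY_EXCH test and the "Mat TBD" fprintf remnants should be removed before this goes in.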
@@ -1360,23 +2077,36 @@ encrypted_block_length, plurality(encrypted_block_length, "", "s")); decr_tree = proto_item_add_subtree (tf, ett_ntlmssp); + + if(( conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY )) { + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_hmacmd5, + decr_tvb, decrypted_offset, 8,TRUE); + decrypted_offset += 8; + + + + /* Incrementing sequence number of DCE conversation */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + } + else { - /* LKCL page 45 says this is a "reserved" field. I'm not sure if it's - garbage because it's some sort of nonce, or because there is a problem - with the verifier decryption routine. */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_unknown1, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; - - /* CRC32 of the DCE fragment data */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_crc32, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; - - /* Incrementing sequence number of DCE conversation */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; + /* RANDOM PAD usually it's 0 */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_randompad, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + + /* CRC32 of the DCE fragment data */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_crc32, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + + /* Incrementing sequence number of DCE conversation */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + } } static int 
@@ -1430,8 +2160,10 @@ tvb, offset, encrypted_block_length, TRUE); /* Try to decrypt */ - decrypt_verifier (tvb, offset, encrypted_block_length, pinfo, ntlmssp_tree); + decrypt_verifier (tvb, offset, encrypted_block_length, pinfo, ntlmssp_tree,NULL); + /* let's try to hook ourselves here */ + offset += 12; offset += encrypted_block_length; } CATCH(BoundsError) { RETHROW; @@ -1442,13 +2174,14 @@ return offset; } -static tvbuff_t * +tvbuff_t * dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb, tvbuff_t *auth_tvb _U_, int offset, packet_info *pinfo, dcerpc_auth_info *auth_info _U_) { + /* gssapi_decrypted_tvb=NULL */ tvbuff_t *decr_tvb; /* Used to display decrypted buffer */ guint8 *peer_block; conversation_t *conversation; @@ -1457,7 +2190,6 @@ rc4_state_struct *rc4_state_peer; ntlmssp_info *conv_ntlmssp_info = NULL; ntlmssp_packet_info *packet_ntlmssp_info = NULL; - encrypted_block_length = tvb_length_remaining (data_tvb, offset); /* Check to see if we already have state for this packet */ @@ -1477,19 +2209,18 @@ if (conversation == NULL) { /* There is no conversation, thus no encryption state */ return NULL; - } + } conv_ntlmssp_info = conversation_get_proto_data(conversation, proto_ntlmssp); if (conv_ntlmssp_info == NULL) { - /* There is no NTLMSSP state tied to the conversation */ - return NULL; + /* There is no NTLMSSP state tied to the conversation */ + return NULL; } - /* Get the pair of RC4 state structures. One is used for to decrypt the payload. The other is used to re-encrypt the payload to represent the peer */ - if (conv_ntlmssp_info->peer1_dest_port == pinfo->destport) { + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { rc4_state = get_encrypted_state(pinfo, 1); rc4_state_peer = get_encrypted_state(pinfo, 0); } else { 
@@ -1542,6 +2273,21 @@ g_free(decrypted_payload); } +guint g_header_hash(gconstpointer pointer) { + guint32 crc = ~calculate_crc32c(pointer,16,CRC32C_PRELOAD); + /* Mat TBD fprintf(stderr,"Val: %u\n",crc);*/ + return crc; +} + +gboolean g_header_equal(gconstpointer pointer1, gconstpointer pointer2) { + if(!memcmp(pointer1,pointer2,16)) { + return TRUE; + } + else { + return FALSE; + } +} + static void ntlmssp_init_protocol(void) { @@ -1555,8 +2301,14 @@ decrypted_payloads = NULL; } + if(hash_packet == NULL) { + hash_packet = g_hash_table_new(g_header_hash,g_header_equal); + } + } + + void proto_register_ntlmssp(void) { @@ -1609,7 +2361,7 @@ { &hf_ntlmssp_negotiate_flags_40000, { "Target Type Share", "ntlmssp.targettypeshare", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_TARGET_TYPE_SHARE, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_80000, - { "Negotiate NTLM2 key", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM2, "", HFILL }}, + { "Negotiate Extended Security", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_EXTENDED_SECURITY, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_100000, { "Negotiate Identify", "ntlmssp.negotiateidentify", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_IDENTIFY, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_200000, 
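Review bot: g_header_hash and g_header_equal (hunk @@ -1542) both read 16 bytes from the key, but the only caller that supplies one, dissect_ntlmssp_payload, fills just 12 bytes of its local guint8 key[16] with tvb_memcpy and then passes that stack array through to g_hash_table_insert(hash_packet,key,packet_ntlmssp_info). The table therefore keeps a pointer that is dead once the dissector returns, and the hash and the comparison include 4 uninitialised bytes. Copy the key into se_alloc'd storage before inserting, and either zero the tail or hash only the 12 bytes that were copied. In hunk @@ -1555, ntlmssp_init_protocol creates hash_packet only when it is NULL and the visible lines never empty it, so entries from a previous capture stay in the table across a reload.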
@@ -1650,8 +2402,10 @@ { "Calling workstation domain buffer", "ntlmssp.negotiate.domain.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_negotiate_domain, { "Calling workstation domain", "ntlmssp.negotiate.domain", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, - { &hf_ntlmssp_ntlm_challenge, - { "NTLM Challenge", "ntlmssp.ntlmchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlm_client_challenge, + { "NTLM Client Challenge", "ntlmssp.ntlmclientchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlm_server_challenge, + { "NTLM Server Challenge", "ntlmssp.ntlmserverchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_reserved, { "Reserved", "ntlmssp.reserved", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_challenge_domain, @@ -1712,12 +2466,14 @@ { "Verifier Body", "ntlmssp.verf.body", FT_BYTES, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_decrypted_payload, { "NTLM Decrypted Payload", "ntlmssp.decrypted_payload", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, - { &hf_ntlmssp_verf_unknown1, - { "Unknown 1", "ntlmssp.verf.unknown1", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_verf_randompad, + { "Random Pad", "ntlmssp.verf.randompad", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_verf_crc32, { "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_verf_sequence, { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_verf_hmacmd5, + { "HMAC MD5", "ntlmssp.verf.hmacmd5", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response, { "NTLMv2 Response", "ntlmssp.ntlmv2response", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_hmac, 
@@ -1733,11 +2489,13 @@ { &hf_ntlmssp_ntlmv2_response_unknown, { "Unknown", "ntlmssp.ntlmv2response.unknown", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name, - { "Name", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { "Attribute", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name_type, - { "Name type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }}, + { "Attribute type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name_len, - { "Name len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { "Value len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_restriction, + { "Encoding restrictions", "ntlmssp.ntlmv2response.name.restrictions", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_client_time, { "Client Time", "ntlmssp.ntlmv2response.client_time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0, "", HFILL }} }; @@ -1772,6 +2530,7 @@ &nt_password); register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp); + new_register_dissector("ntlmssp_payload", dissect_ntlmssp_payload, proto_ntlmssp); new_register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp); } --- ../ref_wr/wireshark-1.1.3-SVN-27393/epan/dissectors/packet-gssapi.c 2009-02-08 19:13:58.000000000 +0300 +++ epan/dissectors/packet-gssapi.c 2009-02-25 20:58:16.171352121 +0300 @@ -112,6 +112,7 @@ */ static dissector_handle_t ntlmssp_handle; +static dissector_handle_t ntlmssp_payload_handle; static dissector_handle_t spnego_krb5_wrap_handle; static GHashTable *gssapi_oids; 
@@ -315,6 +316,15 @@ pinfo, subtree); goto done; } + /* Maybe it's new NTLMSSP payload */ + if ((tvb_length_remaining(gss_tvb, start_offset)>16) && + ((tvb_memeql(gss_tvb, start_offset, "\x01\x00\x00\x00", 4) == 0))) { + return_offset = call_dissector(ntlmssp_payload_handle, + tvb_new_subset(gss_tvb, start_offset, -1, -1), + pinfo, subtree); + pinfo->gssapi_data_encrypted = TRUE; + goto done; + } /* Maybe it's new GSSKRB5 CFX Wrapping */ if ((tvb_length_remaining(gss_tvb, start_offset)>2) && @@ -630,6 +640,7 @@ dissector_handle_t gssapi_handle; ntlmssp_handle = find_dissector("ntlmssp"); + ntlmssp_payload_handle = find_dissector("ntlmssp_payload"); spnego_krb5_wrap_handle = find_dissector("spnego-krb5-wrap"); register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT, From jerry at plainjoe.org Sat Apr 25 09:38:15 2009 
From: jerry at plainjoe.org (Gerald Carter)
Date: Sat Apr 25 16:11:04 2009
Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1265-g67588ca
In-Reply-To: <20090424080514.4A03D1CC0C0@us2.samba.org>
References: <20090424080514.4A03D1CC0C0@us2.samba.org>
Message-ID: <49F2DA07.10104@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Günther Deschner wrote:
> The branch, master has been updated
> via 67588ca80d654183b8b7b062b9660a506a825f94 (commit)
> from c9ec012e12789f16fe0d065c0a30d2c8861dc3ef (commit)
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit 67588ca80d654183b8b7b062b9660a506a825f94
> Author: Günther Deschner
> Date: Fri Apr 24 10:02:06 2009 +0200
>
> s3-idmap: Fix bug #6286: Call init function for builtin idmap modules before probing for them as shared modules.
>
> idmap-gurus of the world, please check.

Hey Guenther,

For what it's worth, conceptually it looks perfectly correct to me, but I've not tried to compile and test it.

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ8tn7IR7qMdg1EfYRAh7lAKCo0F5p2lKwHoR5MtaY53hllrGitgCg4Nwy
eEsDk8tljhPXs+cdHD9nvcs=
=pgiY
-----END PGP SIGNATURE-----

From jerry at plainjoe.org Sat Apr 25 16:23:28 2009
From: jerry at plainjoe.org (Gerald Carter)
Date: Sat Apr 25 16:23:47 2009
Subject: Development policy decision: Branches
In-Reply-To: <200904251253.34775.kai@samba.org>
References: <200904251253.34775.kai@samba.org>
Message-ID: <49F33900.8090309@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kai Blin wrote:

> * The RM applies the patch from bugzilla only if the patch has been signed off
> by two developers.

Kai,

Nice writeup. Does this mean that only the RM does the "git am" (or equivalent) to the closed branch? Hence acting as the gatekeeper for closed branches? If so, it sounds like a good plan to ensure the closed branches don't destabilize.

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ8zjyIR7qMdg1EfYRAqrbAJ0ZKcP/MlcCtbgROjCdLrOqjG9pTgCgyvdS
5XOuF1N9wWnHfEnazKWYiWg=
=Eiqe
-----END PGP SIGNATURE-----

From rvelhote at gmail.com Sat Apr 25 17:45:31 2009
From: rvelhote at gmail.com (Ricardo)
Date: Sat Apr 25 17:45:32 2009
Subject: SWAT Feature Details and Discussion
Message-ID: <49F34C3B.4010806@gmail.com>

Hi everyone,

I posted during the morning to the summercode mailing list but the message doesn't show up and I just discovered there are only three subscribers so I'm sending to technical instead.

I'm (re)posting some relevant parts of my initial proposal hoping for some additional feedback. As I said before this was already discussed with Jelmer but I am of course open to more suggestions/changes.

Project Deliverables
===============

A Web Administration Tool for Samba4
$ Not much to say ehe...

New SWAT usage guide
$ A Wiki article for now. Who knows in the future, an inclusion in the Samba4 user guide.

Features
======

Allow the user to set comments (on shares for example)
$ Important for users to keep documentation on what a share is for

Try to keep comments, default values and parameter order in smb.conf. In other words, don't completely destroy smb.conf
$ One of the big complaints of the previous SWAT was that it destroyed smb.conf. I will attempt to not destroy it :)

Easier Setup
$ It's not yet decided if SWAT will be distributed with Samba4 or if it will be a separate package. In any case the process of getting SWAT working should be as smooth as possible.

Allow for easier integration of new Samba parameters in the SWAT and its wizards
$ Because it's still under (heavy) development there will be many changes to parameters. This may also be true even after development when new stuff needs to be added. In any case I want to create a way to make this process painless.

Testsuite
$ :)

LDB editing and browsing
$ Managing the database engine in Samba4

Modularity (for example, changing passwords and managing shares would be a module. New feature means new module to plug in)
$ Important for future development and contributions. I have decided to use Pylons as a web framework and using the MVC pattern I believe we can achieve this quite well.

HTML templating to allow easy customization (a distro could use its own logo or change colors for example)
$ A result of modularity. It's mainly to allow users to do whatever they want in regards to how it looks. Sometimes people don't use/use something based on how it looks ;)

User selection for share permissions (valid users, write list etc.)
$ List of selectable users to attribute to shares. I will also include

Assistance in path selection for shares
$ Help the user select a path to share instead of just punching it in. Less error prone.

Samba Registry editor
$

Samba backup and migration tools
$ Backs up everything Samba needs to setup/move a server based on an existing configuration. Also provide the means to re-import it.

Accessing/Analyzing Log files
$ Important because it's an Administration Tool :)

Attempt to run through the "Samba Checklist" to help diagnose problems
$ Attempt to address common problems with Samba directly in the Web Interface. I based this item on the checklist present in the Samba3 manual.

Better monitoring of Samba related processes and daemons
$ Try to do something better than just checking if it's up/down and doing startup/shutdown. I'm not really sure on what to improve here and what needs exist in this area.

Handle existing includes in files
$ Samba has an "include" instruction for better organization (mainly for shares I presume). SWAT should be able to deal with that. This is also part of the "Don't destroy smb.conf" part.

Regular login screen in addition to the HTTP Authentication pop-up
$

Allow editing of SWAT configuration within SWAT
$ Not much to say here. If someone just wants to change ports or deactivate or do something else I haven't thought of yet.

Internationalization (i18n)
$ Not much to say here

Tools
====

As I mentioned above I'll be using a Web Framework to aid development of SWAT. I want to make SWAT modular to ease development, contributions and testing and existing frameworks provide this with the MVC pattern. I chose Pylons because it's light, well regarded and I used it for a bit and it seemed nice as well :)

For Javascript I chose Mootools because it's awesome and I have experience using it.

Besides these it will be the standard stuff for Web Development as well as Samba4 and an LDAP install.

Milestones
========

I had planned some milestones but I'm already missing them because I planned to start way too early :) Anyway, these are my new plans for now.

//M1 - Reached before the start of the official GSoC coding date)
$ HTML Prototyping and Base SWAT Architecture Done

I plan on doing an HTML prototype first so that the community can see how SWAT will look like before I start the actual implementation. I'm hoping to get plenty of feedback on this. I already thought about this and I have some ideas in my head but nothing very clear.

Another important part is defining a good architecture. I'm not just mentioning the modular aspects of the features but I want to have a well defined SWAT core.

M2 - Reached by GSoC "start coding date" but never before M1 is reached//
$ Start Development

That's all for now. Thank you.

From obnox at samba.org Sat Apr 25 20:57:43 2009
From: obnox at samba.org (Michael Adam)
Date: Sat Apr 25 20:57:59 2009
Subject: Development policy decision: Branches
In-Reply-To: <49F33900.8090309@plainjoe.org>
References: <200904251253.34775.kai@samba.org> <49F33900.8090309@plainjoe.org>
Message-ID:

Gerald Carter wrote:
> Kai Blin wrote:
>
> > * The RM applies the patch from bugzilla only if the patch has been signed off
> > by two developers.
>
> Kai,
>
> Nice writeup.

Indeed. Thanks Kai!

> Does this mean that only the RM does the "git am" (or equivalent)
> to the closed branch? Hence acting as the gatekeeper for closed
> branches?

Precisely.

> If so, it sounds like a good plan to ensure the closed
> branches don't destabilize.

That is precisely the goal. The current model puts too much work load on Karolin and it is too inviting to just put too many patches into the "closed" branches.

Cheers - Michael

--
Michael Adam
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 206 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090425/82833a93/attachment.bin

From bubulle at debian.org Sun Apr 26 09:45:15 2009
From: bubulle at debian.org (Christian Perrier) Date: Sun Apr 26 09:45:25 2009 Subject: SWAT Feature Details and Discussion In-Reply-To: <49F34C3B.4010806@gmail.com> References: <49F34C3B.4010806@gmail.com> Message-ID: <20090426094515.GN7131@mykerinos.kheops.frmug.org> Quoting Ricardo (rvelhote@gmail.com): > Internationalization (i18n) > $ Not much to say here I have..:-) (for those people in the Samba Team not aware of that, I happen to not only maintain Samba in Debian but I also coordinate most i18n activities in Debian, so i18n is kind of my pet activity) I'd suggest trying to reuse the old SWAT strings if possible. They had good i18n and localization was completed but is unfortunately rotting in Bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=4755 What I would suggest is to try using the same strings when possible, then generate the POT file from the i18n'ed strings you have, then drop the bunch of PO files from #4755 in the po/ directory and remerge them with the POT file... ...and then send a call for translations. For that latter part, I can help by hooking up the bunch of Debian translators. We could even make use of Debian's Pootle installation (http://pootle.debian.net), unless the Samba Team wants its own Pootle interface, or use another i18n framework (of course a free one, which rules out Rosetta). From rvelhote at gmail.com Sun Apr 26 15:42:53 2009
From: rvelhote at gmail.com (Ricardo) Date: Sun Apr 26 16:09:53 2009 Subject: SWAT Feature Details and Discussion In-Reply-To: <20090426094515.GN7131@mykerinos.kheops.frmug.org> References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org> Message-ID: <49F480FD.9010901@gmail.com> Hi Christian, > I'd suggest trying to reuse the old SWAT strings if possible. They had > good i18n and localization was completed but is unfortunately rotting > in Bugzilla : https://bugzilla.samba.org/show_bug.cgi?id=4755 > What I would suggest is to try using the same strings when possible, > then generate the POT file from the i18n'ed strings you have, then > drop the bunch of PO files from #4755 in the po/ directory and remerge > them with the POT file... > I agree. There will always be some strings/terms that will be the same in both so I'll try to take as many translations as possible from the old files. I guess it can't do any harm. :) > ...and then send a call for translations. For that latter part, I can > help by hooking up the bunch of Debian translators. We could even make > use of Debian's Pootle installation (http://pootle.debian.net), unless > the Samba Team wants its own Pootle interface, or use another i18n > framework (of course a free one, which rules out Rosetta). > > > The Pylons book recommends using Babel [1] to extract messages from code into a .POT file which can be used to generate the .PO so I'll be using it. We haven't discussed how to handle translations yet so where it's going to be centralized or if we're going to use Pootle or another framework for i18n is up for grabs. In any case, Pootle seems like a nice way to do this. Regarding translations I can certainly help with Portuguese (pt-PT). [1] http://pylonsbook.com/en/1.0/internationalization-and-localization.html From bubulle at debian.org Sun Apr 26 16:22:12 2009 
From: bubulle at debian.org (Christian Perrier) Date: Sun Apr 26 16:22:15 2009 Subject: SWAT Feature Details and Discussion In-Reply-To: <49F480FD.9010901@gmail.com> References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org> <49F480FD.9010901@gmail.com> Message-ID: <20090426162212.GU7131@mykerinos.kheops.frmug.org> Quoting Ricardo (rvelhote@gmail.com): > We haven't discussed how to handle translations yet so where it's going > to be centralized or if we're going to use Pootle or another framework > for i18n is up for grabs. In any case, Pootle seems like a nice way to > do this. ...and it can even be hooked on a git repository so that translators can either work directly in Pootle, or just use it to get and push the PO files (most translators prefer working with offline tools such as poedit, lokalize, gtranslator, etc.). When hooked on a git repository/branch, Pootle can then "commit" files back. > > Regarding translations I can certainly help with Portuguese (pt-PT). IIRC, in the translations that are lying in Bugzilla, there is certainly a pt_PT translation as we have a fairly active l10n team for (non Brazilian) Portuguese...and also a fairly active one for Brazilian. so, things could then be coordinated with them (traduz@debianpt.org). From mat at matws.net Mon Apr 27 06:44:19 2009 
From: mat at matws.net (Matthieu Patou) Date: Mon Apr 27 06:44:44 2009 Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark In-Reply-To: <49F314AA.30802@matws.net> References: <49F314AA.30802@matws.net> Message-ID: <49F55443.8090507@matws.net> On 04/25/2009 05:48 PM, Matthieu Patou wrote: > Hello Metze, and the samba team, > > I finally finished my patch to support NTLMSSP auth in LDAP. > As metze proposed I add the option that read all the keytab that were > provided, and try all the encoded password inside it. > > It seems to work quite well, I tried with a few keytab generated for > pure "traditional" LDAP with kerberos auth and I've been able to > decode (well if the keytab contains the md4(password) of the user > trying to authenticate himself). > I'm quite surprised that when "extracting" crypted password in a > keytab they are only stored by using md4(unicode(password))) even if > we ask keytab to use arc4_hmac (but I'm far from being well aware of > all in kerberos ...). > > Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I > tested mostly with extended security flags so for less secure (and > maybe not anymore really used ?) scheme (like pure lan manager auth or > simple nt auth) problems might still exist. > > It would be just great if you can provide me some feedback, in anycase > my goal is to submit it to wireshark devs soon. > > Matthieu > I attached an updated version that correct some other problems. -------------- next part -------------- --- epan/dissectors/packet-ntlmssp.c 2009-02-08 19:13:59.000000000 +0300 +++ ../wireshark-1.1.3-SVN-27393/epan/dissectors/packet-ntlmssp.c 2009-04-26 23:57:04.579060397 +0400 @@ -27,7 +27,7 @@ #ifdef HAVE_CONFIG_H # include "config.h" #endif - +#include #include #include 
@@ -37,14 +37,18 @@ #include "packet-windows-common.h" #include "packet-smb-common.h" #include "packet-frame.h" +#include +#include "packet-kerberos.h" #include #include #include #include #include +#include #include #include "packet-dcerpc.h" #include "packet-gssapi.h" +#include #include "packet-ntlmssp.h" @@ -56,6 +60,10 @@ #define NTLMSSP_CHALLENGE 2 #define NTLMSSP_AUTH 3 #define NTLMSSP_UNKNOWN 4 +#define CLIENT_SIGN_TEXT "session key to client-to-server signing key magic constant" +#define CLIENT_SEAL_TEXT "session key to client-to-server sealing key magic constant" +#define SERVER_SIGN_TEXT "session key to server-to-client signing key magic constant" +#define SERVER_SEAL_TEXT "session key to server-to-client sealing key magic constant" static const value_string ntlmssp_message_types[] = { { NTLMSSP_NEGOTIATE, "NTLMSSP_NEGOTIATE" }, @@ -65,6 +73,13 @@ { 0, NULL } }; +typedef struct _md4_pass { + guint32 md4[16]; +} md4_pass; + +static unsigned char zeros[24] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; +static GHashTable* hash_packet = NULL; + /* * NTLMSSP negotiation flags * Taken from Samba @@ -108,7 +123,7 @@ #define NTLMSSP_TARGET_TYPE_DOMAIN 0x00010000 #define NTLMSSP_TARGET_TYPE_SERVER 0x00020000 #define NTLMSSP_TARGET_TYPE_SHARE 0x00040000 -#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000 +#define NTLMSSP_NEGOTIATE_EXTENDED_SECURITY 0x00080000 #define NTLMSSP_NEGOTIATE_IDENTIFY 0x00100000 #define NTLMSSP_NEGOTIATE_00200000 0x00200000 #define NTLMSSP_REQUEST_NON_NT_SESSION 0x00400000 @@ -167,7 +182,8 @@ static int hf_ntlmssp_negotiate_domain_maxlen = -1; static int hf_ntlmssp_negotiate_domain_buffer = -1; static int hf_ntlmssp_negotiate_domain = -1; -static int hf_ntlmssp_ntlm_challenge = -1; +static int hf_ntlmssp_ntlm_server_challenge = -1; +static int hf_ntlmssp_ntlm_client_challenge = -1; static int hf_ntlmssp_reserved = -1; static int hf_ntlmssp_challenge_domain = -1; static int hf_ntlmssp_auth_username = -1; 
@@ -197,7 +213,8 @@ static int hf_ntlmssp_verf = -1; static int hf_ntlmssp_verf_vers = -1; static int hf_ntlmssp_verf_body = -1; -static int hf_ntlmssp_verf_unknown1 = -1; +static int hf_ntlmssp_verf_randompad = -1; +static int hf_ntlmssp_verf_hmacmd5 = -1; static int hf_ntlmssp_verf_crc32 = -1; static int hf_ntlmssp_verf_sequence = -1; static int hf_ntlmssp_decrypted_payload = -1; @@ -211,6 +228,7 @@ static int hf_ntlmssp_ntlmv2_response_name = -1; static int hf_ntlmssp_ntlmv2_response_name_type = -1; static int hf_ntlmssp_ntlmv2_response_name_len = -1; +static int hf_ntlmssp_ntlmv2_response_restriction = -1; static int hf_ntlmssp_ntlmv2_response_client_time = -1; static gint ett_ntlmssp = -1; @@ -234,9 +252,12 @@ /* Used in the conversation function */ typedef struct _ntlmssp_info { guint32 flags; - rc4_state_struct rc4_state_peer1; - rc4_state_struct rc4_state_peer2; - guint32 peer1_dest_port; + int is_auth_ntlm_v2; + rc4_state_struct rc4_state_client; + rc4_state_struct rc4_state_server; + guint32 server_dest_port; + unsigned char server_challenge[8]; + unsigned char client_challenge[8]; int rc4_state_initialized; ntlmssp_blob ntlm_response; ntlmssp_blob lm_response; 
@@ -245,20 +266,63 @@ /* If this struct exists in the payload_decrypt, then we have already decrypted it once */ typedef struct _ntlmssp_packet_info { - guint32 flags; guint8 *decrypted_payload; guint8 verifier[16]; gboolean payload_decrypted; gboolean verifier_decrypted; } ntlmssp_packet_info; - +static void printnbyte(const guint8* tab,int nb,char* txt,char* txt2) +{ + int i=0; + fprintf(stderr,"%s ",txt); + for(i=0;inext){ + if( ek->keylength == 16 ) { + nb_pass++; + } + } + memset(nt_password_hash,0,16); + if (nt_password[0] != '\0' && ( strlen(nt_password) < 129 )) { + nb_pass++; + password_len = strlen(nt_password); + str_to_unicode(nt_password,nt_password_unicode); + crypt_md4(nt_password_hash,nt_password_unicode,password_len*2); + } + if( nb_pass == 0 ) { + /* Unable to calculate the session key without a password or if password is more than 128 char ......*/ + return 0; + } + i = 0; + *p_pass_list = ep_alloc(nb_pass*sizeof(md4_pass)); + pass_list=*p_pass_list; + + if( memcmp(nt_password_hash,zeros,16) != 0 ) { + memcpy(pass_list[i].md4,nt_password_hash,16); + i = 1; + } + for(ek=enc_key_list;ek;ek=ek->next){ + if( ek->keylength == 16 ) { + memcpy(pass_list[i].md4,ek->keyvalue,16); + i++; + } + } + return nb_pass; +} +/* Create an NTLMSSP version 2 + */ +static void +create_ntlmssp_v2_key(const char *nt_password, const guint8 *serverchallenge , const guint8 *clientchallenge , + guint8 *sessionkey ,const guint8 *encryptedsessionkey , int flags , ntlmssp_blob ntlm_response, ntlmssp_blob lm_response _U_, ntlmssp_header_t *ntlmssph ) { + char domain_name_unicode[256]; + char user_uppercase[256]; + char buf[512]; + /*guint8 md4[16];*/ + unsigned char nt_password_hash[16]; + unsigned char nt_proof[16]; + unsigned char ntowf[16]; + guint8 sessionbasekey[16]; + guint8 keyexchangekey[16]; + guint8 lm_challenge_response[24]; + guint32 i; + guint32 j; + rc4_state_struct rc4state; + guint32 user_len; + guint32 domain_len; + md4_pass *pass_list; + guint32 nb_pass = 0; + 
int found = 0; + + /* We are going to try password encrypted in keytab as well, it's an idean of Stepan Metzmacher + * The idea is to be able to test all the key of domain in once and to be able to decode the NTLM dialogs */ + + memset(sessionkey, 0, 16); + nb_pass = get_md4pass_list(&pass_list,nt_password); + fprintf(stderr,"Working with %d keys\n",nb_pass); + i=0; + memset(user_uppercase,0,256); + user_len = strlen(ntlmssph->acct_name); + if( user_len < 129 ) { + memset(buf,0,512); + str_to_unicode(ntlmssph->acct_name,buf); + for (j = 0; j < (2*user_len); j++) { + if( buf[j] != '\0' ) { + user_uppercase[j] = toupper(buf[j]); + } + } + } + else { + /* Unable to calculate the session not enought space in buffer, note this is unlikely to happen but ......*/ + return; + } + domain_len = strlen(ntlmssph->domain_name); + if( domain_len < 129 ) { + str_to_unicode(ntlmssph->domain_name,domain_name_unicode); + } + else { + /* Unable to calculate the session not enought space in buffer, note this is unlikely to happen but ......*/ + return; + } + while (i < nb_pass ) { + fprintf(stderr,"Turn %d, ",i); + memcpy(nt_password_hash,pass_list[i].md4,16); + printnbyte(nt_password_hash,16,"Current NT password hash: ","\n"); + i++; + /* ntowf computation */ + memset(buf,0,512); + memcpy(buf,user_uppercase,user_len*2); + memcpy(buf+user_len*2,domain_name_unicode,domain_len*2); + md5_hmac(buf,domain_len*2+user_len*2,nt_password_hash,16,ntowf); + /* LM response */ + memset(buf,0,512); + memcpy(buf,serverchallenge,8); + memcpy(buf+8,clientchallenge,8); + md5_hmac(buf,16,ntowf,16,lm_challenge_response); + memcpy(lm_challenge_response+16,clientchallenge,8); + printnbyte(lm_challenge_response,24,"LM Response: ","\n"); + + /* NT proof = First 16 bytes of NT response */ + memset(buf,0,512); + memcpy(buf,serverchallenge,8); + memcpy(buf+8,ntlm_response.contents+16,ntlm_response.length-16); + md5_hmac(buf,ntlm_response.length-8,ntowf,16,nt_proof); + printnbyte(nt_proof,16,"NT proof: ","\n"); 
+ if( !memcmp(nt_proof,ntlm_response.contents,16) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + break; + } + + } + if( found == 0 ) { + fprintf(stderr,"Unable to find a matching password, give up decoding\n"); + + return; + } + + md5_hmac(nt_proof,16,ntowf,16,sessionbasekey); + get_keyexchange_key(keyexchangekey,sessionbasekey,lm_challenge_response,flags); + /* now decrypt session key if needed and setup sessionkey for decrypting further communications */ + if (flags & NTLMSSP_NEGOTIATE_KEY_EXCH) + { + memcpy(sessionkey,encryptedsessionkey,16); + crypt_rc4_init(&rc4state,keyexchangekey,16); + crypt_rc4(&rc4state,sessionkey,16); + } + else + { + memcpy(sessionkey,keyexchangekey,16); + } + +} + /* Create an NTLMSSP version 1 key + * That is more complicated logic and methods and user challenge as well. * password points to the ANSI password to encrypt, challenge points to - * the 8 octet challenge string, key128 will do a 128 bit key if set to 1, - * otherwise it will do a 40 bit key. 
The result is stored in - * sspkey (expected to be 16 octets) + * the 8 octet challenge string */ static void -create_ntlmssp_v1_key(const char *nt_password, const guint8 *challenge, - int use_key_128, guint8 *sspkey) +create_ntlmssp_v1_key(const char *nt_password, const guint8 *serverchallenge, const guint8 *clientchallenge, + guint8 *sessionkey,const guint8 *encryptedsessionkey, int flags, const guint8 *ref_nt_challenge_response,const guint8 *ref_lm_challenge_response) { unsigned char lm_password_upper[16]; unsigned char lm_password_hash[16]; + unsigned char nt_password_hash[16]; + unsigned char challenges_hash[16]; + unsigned char challenges_hash_first8[8]; + unsigned char challenges[16]; + guint8 md4[16]; + guint8 nb_pass = 0; + guint8 sessionbasekey[16]; + guint8 keyexchangekey[16]; guint8 lm_challenge_response[24]; - guint8 rc4key[24]; - guint8 pw21[21]; /* Password hash padded to 21 bytes */ + guint8 nt_challenge_response[24]; + rc4_state_struct rc4state; + md5_state_t md5state; + char nt_password_unicode[256]; size_t password_len; unsigned int i; + int found = 0; + md4_pass *pass_list; unsigned char lmhash_key[] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; - + + memset(sessionkey, 0, 16); memset(lm_password_upper, 0, sizeof(lm_password_upper)); - + /* lm auth/lm session == (!NTLM_NEGOTIATE_NT_ONLY && NTLMSSP_NEGOTIATE_LM_KEY) || ! (EXTENDED_SECURITY) || ! NTLMSSP_NEGOTIATE_NTLM*/ /* Create a Lan Manager hash of the input password */ if (nt_password[0] != '\0') { password_len = strlen(nt_password); + /*Do not forget to free nt_password_nt*/ + str_to_unicode(nt_password,nt_password_unicode); + crypt_md4(nt_password_hash,nt_password_unicode,password_len*2); /* Truncate password if too long */ if (password_len > 16) password_len = 16; 
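Review bot: In create_ntlmssp_v2_key the NT proof step does memcpy(buf+8,ntlm_response.contents+16,ntlm_response.length-16) into the 512-byte stack array buf with no upper bound on ntlm_response.length, and dissect_ntlmssp_blob sets result->length = blob_length before its MAX_BLOB_SIZE test, so the length is whatever the packet claims. Return early unless ntlm_response.length is at least 16, below MAX_BLOB_SIZE, and small enough that 8 + ntlm_response.length - 16 fits in sizeof(buf). Separately, printnbyte and the fprintf(stderr, ...) calls write each candidate NT password hash to stderr; these look like debugging aids and should be removed or compiled out before the patch goes to the Wireshark developers.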
@@ -313,42 +603,168 @@ lm_password_upper[i] = toupper(nt_password[i]); } } + else + { + /* Unable to calculate the session key without a password ... and we will not use one for a keytab*/ + if( !(flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY )) { + return; + } + } + if((flags & NTLMSSP_NEGOTIATE_LM_KEY && !(flags & NTLMSSP_NEGOTIATE_NT_ONLY)) || !(flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) || !(flags & NTLMSSP_NEGOTIATE_NTLM)) { + crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1); + crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1); + ntlmssp_generate_challenge_response(lm_challenge_response, + lm_password_hash, serverchallenge); + memcpy(sessionbasekey,lm_password_hash,16); + } + else { + + memset(lm_challenge_response,0,24); + if( flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY ) { + nb_pass = get_md4pass_list(&pass_list,nt_password); + fprintf(stderr,"Working with %d keys\n",nb_pass); + i=0; + while (i < nb_pass ) { + fprintf(stderr,"Turn %d, ",i); + memcpy(nt_password_hash,pass_list[i].md4,16); + printnbyte(nt_password_hash,16,"Current NT password hash: ","\n"); + i++; + memcpy(lm_challenge_response,clientchallenge,8); + md5_init(&md5state); + md5_append(&md5state,serverchallenge,8); + md5_append(&md5state,clientchallenge,8); + md5_finish(&md5state,challenges_hash); + memcpy(challenges_hash_first8,challenges_hash,8); + crypt_des_ecb_long(nt_challenge_response,nt_password_hash,challenges_hash_first8); + if( !memcmp(ref_nt_challenge_response,nt_challenge_response,24) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + break; + } + } + } + else { + crypt_des_ecb_long(nt_challenge_response,nt_password_hash,serverchallenge); + if( flags & NTLMSSP_NEGOTIATE_NT_ONLY ) { + memcpy(lm_challenge_response,nt_challenge_response,24); + } + else { + crypt_des_ecb_long(lm_challenge_response,lm_password_hash,serverchallenge); + } + if( !memcmp(ref_nt_challenge_response,nt_challenge_response,24) && 
!memcmp(ref_lm_challenge_response,lm_challenge_response,24) ) { + fprintf(stderr,"Found a matching password\n"); + found = 1; + } + } + /* So it's clearly not like this that's put into NTLMSSP doc but after some digging into samba code I'm quite confident + * that sessionbasekey should be based md4(nt_password_hash) only in the case of some NT auth + * Otherwise it should be lm_password_hash ...*/ + crypt_md4(md4,nt_password_hash,16); + if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) { + memcpy(challenges,serverchallenge,8); + memcpy(challenges+8,clientchallenge,8); + /*md5_hmac(text,text_len,key,key_len,digest);*/ + md5_hmac(challenges,16,md4,16,sessionbasekey); + } + else { + memcpy(sessionbasekey,md4,16); + } + } - crypt_des_ecb(lm_password_hash, lmhash_key, lm_password_upper, 1); - crypt_des_ecb(lm_password_hash+8, lmhash_key, lm_password_upper+7, 1); + if( found == 0 ) { + fprintf(stderr,"Unable to find a matching password, give up decoding\n"); + + return; + } - /* Generate the LanMan Challenge Response */ - ntlmssp_generate_challenge_response(lm_challenge_response, - lm_password_hash, challenge); - - /* Generate the NTLMSSP-v1 RC4 Key. - * The RC4 key is derived from the Lan Manager Hash. - * See lkcl "DCE/RPC over SMB" page 254 for the algorithm. 
- */ - memset(pw21, 0xBD, sizeof(pw21)); - memcpy(pw21, lm_password_hash, sizeof(lm_password_hash)); - /* Only the first eight bytes of challenge_response is used */ - crypt_des_ecb(rc4key, lm_challenge_response, pw21, 1); - crypt_des_ecb(rc4key + 8, lm_challenge_response, pw21 + 7, 1); - crypt_des_ecb(rc4key + 16, lm_challenge_response, pw21 + 14, 1); - - /* Create the SSP Key */ - memset(sspkey, 0, sizeof(sspkey)); - if (use_key_128) { - /* Create 128 bit key */ - memcpy(sspkey, rc4key, 16); + get_keyexchange_key(keyexchangekey,sessionbasekey,lm_challenge_response,flags); + memset(sessionkey, 0, 16); + printnbyte(nt_challenge_response,24,"NT challenge response","\n"); + printnbyte(lm_challenge_response,24,"LM challenge response","\n"); + /* now decrypt session key if needed and setup sessionkey for decrypting further communications */ + if (flags & NTLMSSP_NEGOTIATE_KEY_EXCH) + { + memcpy(sessionkey,encryptedsessionkey,16); + crypt_rc4_init(&rc4state,keyexchangekey,16); + crypt_rc4(&rc4state,sessionkey,16); + } + else + { + memcpy(sessionkey,keyexchangekey,16); } - else { - /* Create 40 bit key */ - memcpy(sspkey, rc4key, 5); - sspkey[5]=0xe5; - sspkey[6]=0x38; - sspkey[7]=0xb0; +} +/* We return either a 128 or 64 bit key + */ +static void +get_sealing_rc4key(const guint8 exportedsessionkey[16] ,const int flags ,int *keylen ,guint8 *clientsealkey ,guint8 *serversealkey) +{ + md5_state_t md5state; + md5_state_t md5state2; + memset(clientsealkey,0,16); + memset(serversealkey,0,16); + memcpy(clientsealkey,exportedsessionkey,16); + if (flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY) + { + if (flags & NTLMSSP_NEGOTIATE_128) + { + /* The exportedsessionkey has already the good length just update the length*/ + *keylen = 16; + } + else + { + if (flags & NTLMSSP_NEGOTIATE_56) + { + memset(clientsealkey+7,0,9); + *keylen = 7; + } + else + { + memset(clientsealkey+5,0,11); + *keylen = 5; + } + } + memcpy(serversealkey,clientsealkey,16); + md5_init(&md5state); + 
md5_append(&md5state,clientsealkey,*keylen); + md5_append(&md5state,CLIENT_SEAL_TEXT,strlen(CLIENT_SEAL_TEXT)+1); + md5_finish(&md5state,clientsealkey); + md5_init(&md5state2); + md5_append(&md5state2,serversealkey,*keylen); + md5_append(&md5state2,SERVER_SEAL_TEXT,strlen(SERVER_SEAL_TEXT)+1); + md5_finish(&md5state2,serversealkey); + } + else + { + if (flags & NTLMSSP_NEGOTIATE_128) + { + /* The exportedsessionkey has already the good length just update the length*/ + *keylen = 16; + } + else + { + *keylen = 8; + if (flags & NTLMSSP_NEGOTIATE_56) + { + memset(clientsealkey+7,0,9); + } + else + { + memset(clientsealkey+5,0,11); + clientsealkey[5]=0xe5; + clientsealkey[6]=0x38; + clientsealkey[7]=0xb0; + } + } + serversealkey = memcpy(serversealkey,clientsealkey,*keylen); } - return; } - +/* Create an NTLMSSP version 1 key. + * password points to the ANSI password to encrypt, challenge points to + * the 8 octet challenge string, key128 will do a 128 bit key if set to 1, + * otherwise it will do a 40 bit key. The result is stored in + * sspkey (expected to be 16 octets) + */ /* dissect a string - header area contains: two byte len two byte maxlen @@ -457,14 +873,27 @@ result->length = blob_length; memset(result->contents, 0, MAX_BLOB_SIZE); if (blob_length < MAX_BLOB_SIZE) + { tvb_memcpy(tvb, result->contents, blob_offset, blob_length); + if (blob_hf == hf_ntlmssp_auth_lmresponse && !(memcmp(tvb->real_data+blob_offset+8,"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",16))) + { + proto_tree_add_item (ntlmssp_tree, + hf_ntlmssp_ntlm_client_challenge, + tvb, blob_offset, 8, FALSE); + } + } } /* If we are dissecting the NTLM response and it is a NTLMv2 response call the appropriate dissector. */ if (blob_hf == hf_ntlmssp_auth_ntresponse && blob_length > 24) + { + proto_tree_add_item (ntlmssp_tree, + hf_ntlmssp_ntlm_client_challenge, + tvb, blob_offset+32, 8, FALSE); dissect_ntlmv2_response(tvb, tree, blob_offset, blob_length); + } return offset; } 
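Review bot: In dissect_ntlmssp_blob the new LM response test calls memcmp on tvb->real_data+blob_offset+8 for 16 bytes, which reads the raw buffer behind the tvbuff accessors and is reached without confirming that blob_length is at least 24. Compare against the bytes just copied into result->contents instead, and only when blob_length >= 24. The NTLMv2 branch has the same gap: it adds hf_ntlmssp_ntlm_client_challenge at blob_offset+32 for 8 bytes when only blob_length > 24 is known, so require blob_length >= 40 there.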
@@ -601,6 +1030,9 @@ #define NTLM_NAME_DNS_HOST 0x0003 #define NTLM_NAME_DNS_DOMAIN 0x0004 #define NTLM_NAME_CLIENT_TIME 0x0007 +#define NTLM_NAME_RESTRICTION 0x0008 + + static const value_string ntlm_name_types[] = { { NTLM_NAME_END, "End of list" }, @@ -608,7 +1040,9 @@ { NTLM_NAME_NB_DOMAIN, "NetBIOS domain name" }, { NTLM_NAME_DNS_HOST, "DNS host name" }, { NTLM_NAME_DNS_DOMAIN, "DNS domain name" }, + { NTLM_NAME_CLIENT_TIME, "Client Time" }, + { NTLM_NAME_RESTRICTION, "Encoding restriction" }, { 0, NULL } }; @@ -617,7 +1051,7 @@ { proto_item *ntlmv2_item = NULL; proto_tree *ntlmv2_tree = NULL; - + const guint8 *restriction_bytes; /* Dissect NTLMv2 bits&pieces */ if (tree) { @@ -709,6 +1143,14 @@ proto_item_append_text( name_item, "Client Time"); break; + case NTLM_NAME_RESTRICTION: + proto_item_append_text( + name_item, "%s", + val_to_str(name_type, ntlm_name_types, + "Unknown")); + restriction_bytes = tvb_get_ptr(tvb, offset,name_len); + proto_tree_add_bytes (name_tree,hf_ntlmssp_ntlmv2_response_restriction,tvb,offset,name_len,restriction_bytes); + break; case NTLM_NAME_NB_HOST: case NTLM_NAME_NB_DOMAIN: case NTLM_NAME_DNS_HOST: @@ -716,10 +1158,9 @@ default: name = tvb_get_ephemeral_faked_unicode( tvb, offset, name_len / 2, TRUE); - proto_tree_add_text( name_tree, tvb, offset, name_len, - "Name: %s", name); + "Value: %s", name); proto_item_append_text( name_item, "%s, %s", val_to_str(name_type, ntlm_name_types, 
@@ -911,12 +1352,14 @@ guint32 negotiate_flags; int item_start, item_end; int data_start, data_end; + guint8 clientkey[16]; /* NTLMSSP cipher key for client */ + guint8 serverkey[16]; /* NTLMSSP cipher key for server*/ ntlmssp_info *conv_ntlmssp_info; conversation_t *conversation; gboolean unicode_strings = FALSE; guint8 challenge[8]; guint8 sspkey[16]; /* NTLMSSP cipher key */ - guint8 ssp_key_len; /* Either 8 or 16 (40 bit or 128) */ + int ssp_key_len; /* Either 8 or 16 (40 bit or 128) */ /* need to find unicode flag */ negotiate_flags = tvb_get_letohl (tvb, offset+8); @@ -940,7 +1383,7 @@ /* NTLMSSP NT Lan Manager Challenge */ proto_tree_add_item (ntlmssp_tree, - hf_ntlmssp_ntlm_challenge, + hf_ntlmssp_ntlm_server_challenge, tvb, offset, 8, FALSE); /* 
@@ -961,22 +1404,26 @@ conv_ntlmssp_info->flags = negotiate_flags; /* Insert the RC4 state information into the conversation */ tvb_memcpy(tvb, challenge, offset, 8); - + tvb_memcpy(tvb, conv_ntlmssp_info->server_challenge, offset, 8); + conv_ntlmssp_info->is_auth_ntlm_v2=0; /* Between the challenge and the user provided password, we can build the - NTLMSSP key and initialize the cipher */ - if (conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_128) { - create_ntlmssp_v1_key(nt_password, challenge, 1, sspkey); - ssp_key_len = 16; - } - else { - create_ntlmssp_v1_key(nt_password, challenge, 0, sspkey); - ssp_key_len = 8; + NTLMSSP key and initialize the cipher if we are not in EXTENDED SECURITY + in this case we need the client challenge as well*/ + /* BTW this is true just if we are in LM Authentification if not the logic is a bit different. + * Right now it's not very clear what is LM Authentification it __seems__ to be when + * NEGOTIATE NT ONLY is not set and NEGOSIATE EXTENDED SECURITY is not set as well*/ + if (!(conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY)) + { + create_ntlmssp_v1_key(nt_password, conv_ntlmssp_info->server_challenge,NULL, sspkey,NULL,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response.contents,conv_ntlmssp_info->lm_response.contents); + if( memcmp(sspkey,zeros,16) != 0 ) { + get_sealing_rc4key(sspkey,conv_ntlmssp_info->flags,&ssp_key_len,clientkey,serverkey); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_client, sspkey, ssp_key_len); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_server, sspkey, ssp_key_len); + conv_ntlmssp_info->server_dest_port = pinfo->destport; + conv_ntlmssp_info->rc4_state_initialized = 1; + } + } - crypt_rc4_init(&conv_ntlmssp_info->rc4_state_peer1, sspkey, ssp_key_len); - crypt_rc4_init(&conv_ntlmssp_info->rc4_state_peer2, sspkey, ssp_key_len); - conv_ntlmssp_info->peer1_dest_port = pinfo->destport; - conv_ntlmssp_info->rc4_state_initialized = 1; - conversation_add_proto_data(conversation, 
proto_ntlmssp, conv_ntlmssp_info); } offset += 8; @@ -1023,15 +1470,27 @@ int item_start, item_end; int data_start, data_end = 0; guint32 negotiate_flags; + guint8 sspkey[16]; /* exported session key */ + guint8 clientkey[16]; /* NTLMSSP cipher key for client */ + guint8 serverkey[16]; /* NTLMSSP cipher key for server*/ + guint8 encryptedsessionkey[16]; + ntlmssp_blob sessionblob; gboolean unicode_strings = FALSE; - ntlmssp_info *conv_ntlmssp_info; + ntlmssp_info *conv_ntlmssp_info = NULL; conversation_t *conversation; - + int ssp_key_len; /* * Get flag info from the original negotiate message, if any. * This is because the flag information is sometimes missing from * the AUTHENTICATE message, so we can't figure out whether * strings are Unicode or not by looking at *our* flags. + * XXX it seems it's more from the CHALLENGE message, which is more clever in fact + * because the server can change some flags. + * But according to MS NTLMSSP doc it's not that simple. + * In case of Conection less mode AUTHENTICATE flags should be used because they + * reprensent the choice of the client after having been informed of options of the + * server in the CHALLENGE message. + * In Connection mode then the CHALLENGE flags should (must ?) be used */ conv_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); if (conv_ntlmssp_info == NULL) { @@ -1060,7 +1519,10 @@ /* * Sometimes the session key and flags are missing. - * Sometimes the session key is present but the flags are missing. + * Sometimes the session key is present but the flags are missing. + * XXX Who stay so ? Reading spec I would rather say the opposite: flags are + * always present, session information are always there as well but sometime + * session information could be null (in case of no session) * Sometimes they're both present. * * This does not correlate with any flags in the previous CHALLENGE 
@@ -1082,7 +1544,7 @@ conv_ntlmssp_info == NULL ? NULL : &conv_ntlmssp_info->lm_response); data_end = MAX(data_end, item_end); - + /* NTLM response */ item_start = tvb_get_letohl(tvb, offset+4); offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree, @@ -1090,8 +1552,18 @@ &item_end, conv_ntlmssp_info == NULL ? NULL : &conv_ntlmssp_info->ntlm_response); + if( conv_ntlmssp_info != NULL && conv_ntlmssp_info->ntlm_response.length > 24 ) { + memcpy(conv_ntlmssp_info->client_challenge,conv_ntlmssp_info->ntlm_response.contents+32,8); + } data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); + if( conv_ntlmssp_info != NULL ) + { + if( conv_ntlmssp_info->ntlm_response.length > 24 ) + { + conv_ntlmssp_info->is_auth_ntlm_v2=1; + } + } /* domain name */ item_start = tvb_get_letohl(tvb, offset+4); @@ -1099,6 +1571,7 @@ unicode_strings, hf_ntlmssp_auth_domain, &item_start, &item_end, &(ntlmssph->domain_name)); + /*ntlmssph->domain_name_len=item_end-item_start;*/ data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); @@ -1108,6 +1581,7 @@ unicode_strings, hf_ntlmssp_auth_username, &item_start, &item_end, &(ntlmssph->acct_name)); + /*ntlmssph->acct_name_len=item_end-item_start;*/ data_start = MIN(data_start, item_start); data_end = MAX(data_end, item_end); 
@@ -1128,20 +1602,274 @@ /* Session Key */ offset = dissect_ntlmssp_blob(tvb, offset, ntlmssp_tree, hf_ntlmssp_auth_sesskey, - &item_end, NULL); + &item_end, &sessionblob); data_end = MAX(data_end, item_end); } - + memcpy(encryptedsessionkey,sessionblob.contents,sessionblob.length); if (offset < data_start) { /* NTLMSSP Negotiate Flags */ negotiate_flags = tvb_get_letohl (tvb, offset); offset = dissect_ntlmssp_negotiate_flags (tvb, offset, ntlmssp_tree, negotiate_flags); } - + /* Try to attach to an existing conversation if not then it's useless to try to do so + * because we are missing important information (ie. server challenge) + */ + if (conv_ntlmssp_info) { + /* If we are in EXTENDED SECURITY then we can now initialize cipher */ + if ((conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY)) + { + if( conv_ntlmssp_info->is_auth_ntlm_v2 ) { + create_ntlmssp_v2_key(nt_password, conv_ntlmssp_info->server_challenge,conv_ntlmssp_info->client_challenge, sspkey,encryptedsessionkey,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response,conv_ntlmssp_info->lm_response,ntlmssph); + } + else + { + memcpy(conv_ntlmssp_info->client_challenge,conv_ntlmssp_info->lm_response.contents,8); + create_ntlmssp_v1_key(nt_password, conv_ntlmssp_info->server_challenge,conv_ntlmssp_info->client_challenge, sspkey,encryptedsessionkey,conv_ntlmssp_info->flags,conv_ntlmssp_info->ntlm_response.contents,conv_ntlmssp_info->lm_response.contents); + } + /* ssp is the exported session key */ + if( memcmp(sspkey,zeros,16) != 0) { + get_sealing_rc4key(sspkey,conv_ntlmssp_info->flags,&ssp_key_len,clientkey,serverkey); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_server, serverkey, ssp_key_len); + crypt_rc4_init(&conv_ntlmssp_info->rc4_state_client, clientkey, ssp_key_len); + conv_ntlmssp_info->server_dest_port = pinfo->destport; + conv_ntlmssp_info->rc4_state_initialized = 1; + } + } + } return MAX(offset, data_end); } +/* + * Get the encryption state tied to this conversation. 
cryptpeer indicates + * whether to retrieve the client key (1) or the server key (0) + */ +static rc4_state_struct * +get_encrypted_state(packet_info *pinfo, int cryptpeer) +{ + conversation_t *conversation; + ntlmssp_info *conv_ntlmssp_info; + + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* We don't have a conversation. In this case, stop processing + because we do not have enough info to decrypt the payload */ + return NULL; + } + else { + /* We have a conversation, check for encryption state */ + conv_ntlmssp_info = conversation_get_proto_data(conversation, + proto_ntlmssp); + if (conv_ntlmssp_info == NULL) { + /* No encryption state tied to the conversation. Therefore, we + cannot decrypt the payload */ + return NULL; + } + else { + /* We have the encryption state in the conversation. So return the + crypt state tied to the requested peer + */ + if (cryptpeer == 1) { + return &conv_ntlmssp_info->rc4_state_client; + } else { + return &conv_ntlmssp_info->rc4_state_server; + } + } + } +} +void +decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree _U_,gpointer key); +static void +decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree,gpointer key); + +/* +tvbuff_t * +dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb, + tvbuff_t *auth_tvb _U_, + int offset, + packet_info *pinfo, + dcerpc_auth_info *auth_info _U_)*/ + +int +dissect_ntlmssp_payload(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree ) +{ + volatile int offset = 0; + proto_tree *volatile ntlmssp_tree = NULL; + proto_item *tf = NULL; + guint32 length; + guint32 encrypted_block_length; + guint8 key[16]; + /* the magic ntlm is the identifier of a NTLMSSP packet that's 00 00 00 01 + */ + guint32 ntlm_magic_size = 4; + guint32 ntlm_signature_size = 8; + guint32 
ntlm_seq_size = 4; + length = tvb_length (tvb); + /* signature + seq + real payload */ + encrypted_block_length = length - ntlm_magic_size; + + if (encrypted_block_length < (ntlm_signature_size + ntlm_seq_size)) { + /* Don't know why this would happen, but if it does, don't even bother + attempting decryption/dissection */ + return offset + length; + } + + /* Setup a new tree for the NTLMSSP payload */ + if (tree) { + tf = proto_tree_add_item (tree, + hf_ntlmssp_verf, + tvb, offset, -1, FALSE); + + ntlmssp_tree = proto_item_add_subtree (tf, + ett_ntlmssp); + } + + /* + * Catch the ReportedBoundsError exception; the stuff we've been + * handed doesn't necessarily run to the end of the packet, it's + * an item inside a packet, so if it happens to be malformed (or + * we, or a dissector we call, has a bug), so that an exception + * is thrown, we want to report the error, but return and let + * our caller dissect the rest of the packet. + * + * If it gets a BoundsError, we can stop, as there's nothing more + * in the packet after our blob to see, so we just re-throw the + * exception. 
+ */ + TRY { + /* Version number */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_vers, + tvb, offset, 4, TRUE); + offset += 4; + + /* Encrypted body */ + proto_tree_add_item (ntlmssp_tree, hf_ntlmssp_verf_body, + tvb, offset, ntlm_signature_size + ntlm_seq_size, TRUE); + tvb_memcpy(tvb, key, offset, ntlm_signature_size + ntlm_seq_size); + /* Try to decrypt */ + decrypt_data_payload (tvb, offset+(ntlm_signature_size + ntlm_seq_size), encrypted_block_length-(ntlm_signature_size + ntlm_seq_size), pinfo, ntlmssp_tree,key); + decrypt_verifier (tvb, offset, ntlm_signature_size + ntlm_seq_size, pinfo, ntlmssp_tree,key); + /* let's try to hook ourselves here */ + + offset += 12; + } CATCH(BoundsError) { + RETHROW; + } CATCH(ReportedBoundsError) { + show_reported_bounds_error(tvb, pinfo, tree); + } ENDTRY; + + return offset; +} +void +decrypt_data_payload(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, + packet_info *pinfo, proto_tree *tree _U_,gpointer key) +{ + tvbuff_t *decr_tvb; /* Used to display decrypted buffer */ + guint8 *peer_block; + conversation_t *conversation; + rc4_state_struct *rc4_state; + rc4_state_struct *rc4_state_peer; + ntlmssp_info *conv_ntlmssp_info = NULL; + ntlmssp_packet_info *packet_ntlmssp_info = NULL; + ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL; + + /* Check to see if we already have state for this packet */ + packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); + if (packet_ntlmssp_info == NULL) { + /* We don't have any packet state, so create one */ + packet_ntlmssp_info = se_alloc(sizeof(ntlmssp_packet_info)); + memset(packet_ntlmssp_info, 0, sizeof(ntlmssp_packet_info)); + p_add_proto_data(pinfo->fd, proto_ntlmssp, packet_ntlmssp_info); + } + if (!packet_ntlmssp_info->payload_decrypted) { + /* Pull the challenge info from the conversation */ + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == 
NULL) { + /* There is no conversation, thus no encryption state */ + return ; + } + + conv_ntlmssp_info = conversation_get_proto_data(conversation, + proto_ntlmssp); + if (conv_ntlmssp_info == NULL) { + /* There is no NTLMSSP state tied to the conversation */ + return ; + } + if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { + /* The crypto sybsystem is not initialized. This means that either + the conversation did not include a challenge, or that we do not have the right password */ + return; + } + stored_packet_ntlmssp_info = g_hash_table_lookup(hash_packet,key); + if( stored_packet_ntlmssp_info != NULL && stored_packet_ntlmssp_info->payload_decrypted == TRUE) + { + /* Mat TBD fprintf(stderr,"Found a already decrypted packet\n");*/ + memcpy(packet_ntlmssp_info,stored_packet_ntlmssp_info,sizeof(ntlmssp_packet_info)); + /* Mat TBD printnbyte(packet_ntlmssp_info->decrypted_payload,encrypted_block_length,"Data: ","\n");*/ + } + else + { + /* Get the pair of RC4 state structures. One is used for to decrypt the + payload. 
The other is used to re-encrypt the payload to represent + the peer */ + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { + /* client */ + rc4_state = get_encrypted_state(pinfo, 1); + rc4_state_peer = get_encrypted_state(pinfo, 0); + } else { + /* server */ + rc4_state = get_encrypted_state(pinfo, 0); + rc4_state_peer = get_encrypted_state(pinfo, 1); + } + + if (rc4_state == NULL ) { + /* There is no encryption state, so we cannot decrypt */ + return ; + } + + /* Store the decrypted contents in the packet state struct + (of course at this point, they aren't decrypted yet) */ + packet_ntlmssp_info->decrypted_payload = tvb_memdup(tvb, offset, + encrypted_block_length); + decrypted_payloads = g_slist_prepend(decrypted_payloads, + packet_ntlmssp_info->decrypted_payload); + g_hash_table_insert(hash_packet,key,packet_ntlmssp_info); + + /* Do the decryption of the payload */ + crypt_rc4(rc4_state, packet_ntlmssp_info->decrypted_payload, + encrypted_block_length); + /* decrypt the verifier */ + + /* We setup a temporary buffer so we can re-encrypt the payload after + decryption. This is to update the opposite peer's RC4 state + it's usefull when we have only one key for both conversation + in case of KEY_EXCH we have independant key so this is not needed*/ + if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags)) { + peer_block = g_malloc(encrypted_block_length); + memcpy(peer_block, packet_ntlmssp_info->decrypted_payload, + encrypted_block_length); + crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); + g_free(peer_block); + } + + packet_ntlmssp_info->payload_decrypted = TRUE; + } + } + + /* Show the decrypted buffer in a new window */ + decr_tvb = tvb_new_real_data(packet_ntlmssp_info->decrypted_payload, + encrypted_block_length, + encrypted_block_length); + + tvb_set_child_real_data_tvbuff(tvb, decr_tvb); + pinfo->gssapi_decrypted_tvb = decr_tvb; +} static void dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { 
@@ -1226,52 +1954,14 @@ tap_queue_packet(ntlmssp_tap, pinfo, ntlmssph); } -/* - * Get the encryption state tied to this conversation. cryptpeer indicates - * whether to retrieve the data for peer1 or peer2. - */ -static rc4_state_struct * -get_encrypted_state(packet_info *pinfo, int cryptpeer) -{ - conversation_t *conversation; - ntlmssp_info *conv_ntlmssp_info; - conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, - pinfo->ptype, pinfo->srcport, - pinfo->destport, 0); - if (conversation == NULL) { - /* We don't have a conversation. In this case, stop processing - because we do not have enough info to decrypt the payload */ - return NULL; - } - else { - /* We have a conversation, check for encryption state */ - conv_ntlmssp_info = conversation_get_proto_data(conversation, - proto_ntlmssp); - if (conv_ntlmssp_info == NULL) { - /* No encryption state tied to the conversation. Therefore, we - cannot decrypt the payload */ - return NULL; - } - else { - /* We have the encryption state in the conversation. So return the - crypt state tied to the requested peer - */ - if (cryptpeer == 1) { - return &conv_ntlmssp_info->rc4_state_peer1; - } else { - return &conv_ntlmssp_info->rc4_state_peer2; - } - } - } -} /* * See page 45 of "DCE/RPC over SMB" by Luke Kenneth Casson Leighton. */ static void decrypt_verifier(tvbuff_t *tvb, int offset, guint32 encrypted_block_length, - packet_info *pinfo, proto_tree *tree) + packet_info *pinfo, proto_tree *tree,gpointer key) { proto_tree *decr_tree = NULL; proto_item *tf = NULL; 
@@ -1283,69 +1973,97 @@ ntlmssp_info *conv_ntlmssp_info = NULL; ntlmssp_packet_info *packet_ntlmssp_info = NULL; int decrypted_offset = 0; - + ntlmssp_packet_info *stored_packet_ntlmssp_info = NULL; packet_ntlmssp_info = p_get_proto_data(pinfo->fd, proto_ntlmssp); if (packet_ntlmssp_info == NULL) { /* We don't have data for this packet */ return; } - if (!packet_ntlmssp_info->verifier_decrypted) { - conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, - pinfo->ptype, pinfo->srcport, - pinfo->destport, 0); - if (conversation == NULL) { - /* There is no conversation, thus no encryption state */ - return; - } - - conv_ntlmssp_info = conversation_get_proto_data(conversation, + conversation = find_conversation(pinfo->fd->num, &pinfo->src, &pinfo->dst, + pinfo->ptype, pinfo->srcport, + pinfo->destport, 0); + if (conversation == NULL) { + /* There is no conversation, thus no encryption state */ + return; + } + conv_ntlmssp_info = conversation_get_proto_data(conversation, proto_ntlmssp); - if (conv_ntlmssp_info == NULL) { - /* There is no NTLMSSP state tied to the conversation */ - return; - } - if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { - /* The crypto sybsystem is not initialized. 
This means that either - the conversation did not include a challenge, or we are doing - something other than NTLMSSP v1 */ - return; - } - - if (conv_ntlmssp_info->peer1_dest_port == pinfo->destport) { - rc4_state = get_encrypted_state(pinfo, 1); - rc4_state_peer = get_encrypted_state(pinfo, 0); - } else { - rc4_state = get_encrypted_state(pinfo, 0); - rc4_state_peer = get_encrypted_state(pinfo, 1); - } + if (conv_ntlmssp_info == NULL) { + /* There is no NTLMSSP state tied to the conversation */ + return; + } - if (rc4_state == NULL || rc4_state_peer == NULL) { - /* There is no encryption state, so we cannot decrypt */ - return; + if( key != NULL ){ + stored_packet_ntlmssp_info = g_hash_table_lookup(hash_packet,key); + } + if( stored_packet_ntlmssp_info != NULL && stored_packet_ntlmssp_info->verifier_decrypted == TRUE) { + /* Mat TBD fprintf(stderr,"Found a already decrypted packet\n");*/ + /* In Theory it's aleady the case, and we should be more clever ... like just copying buffers ...*/ + packet_ntlmssp_info = stored_packet_ntlmssp_info; + } + else { + if (!packet_ntlmssp_info->verifier_decrypted) { + if (conv_ntlmssp_info->rc4_state_initialized != 1 ) { + /* The crypto sybsystem is not initialized. 
This means that either + the conversation did not include a challenge, or we are doing + something other than NTLMSSP v1 */ + return; + } + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { + /* client talk to server */ + rc4_state = get_encrypted_state(pinfo, 1); + rc4_state_peer = get_encrypted_state(pinfo, 0); + } else { + rc4_state = get_encrypted_state(pinfo, 0); + rc4_state_peer = get_encrypted_state(pinfo, 1); + } + + if (rc4_state == NULL || rc4_state_peer == NULL) { + /* There is no encryption state, so we cannot decrypt */ + return; + } + + /* Setup the buffer to decrypt to */ + tvb_memcpy(tvb, packet_ntlmssp_info->verifier, + offset, encrypted_block_length); + + /*if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & packet_ntlmssp_info->flags)) {*/ + if( conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY ) { + if( (NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags)) { + /* The spec says that if we have have a key exchange then we have a the signature that is crypted + * otherwise it's just a hmac_md5(keysign,concat(message,sequence))[0..7] + */ + crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, + 8); + } + } + else { + /* The packet has a PAD then a checksum then a sequence and they are encoded in this order so we can decrypt all at once */ + /* Do the actual decryption of the verifier */ + crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, + encrypted_block_length); + } + + + + /* We setup a temporary buffer so we can re-encrypt the payload after + decryption. 
This is to update the opposite peer's RC4 state + This is not needed when we just have EXTENDED SECURITY because the signature is not crypted + and it's also not needed when we have key exchange because server and client have independant keys */ + if( !(NTLMSSP_NEGOTIATE_KEY_EXCH & conv_ntlmssp_info->flags) && !(NTLMSSP_NEGOTIATE_EXTENDED_SECURITY & conv_ntlmssp_info->flags)) { + peer_block = g_malloc(encrypted_block_length); + memcpy(peer_block, packet_ntlmssp_info->verifier, + encrypted_block_length); + crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); + g_free(peer_block); + } + + /* Mark the packet as decrypted so that subsequent attempts to dissect + the packet use the already decrypted payload instead of attempting + to decrypt again */ + packet_ntlmssp_info->verifier_decrypted = TRUE; } - - /* Setup the buffer to decrypt to */ - tvb_memcpy(tvb, packet_ntlmssp_info->verifier, - offset, encrypted_block_length); - - /* Do the actual decryption of the verifier */ - crypt_rc4(rc4_state, packet_ntlmssp_info->verifier, - encrypted_block_length); - - /* We setup a temporary buffer so we can re-encrypt the payload after - decryption. This is to update the opposite peer's RC4 state */ - peer_block = g_malloc(encrypted_block_length); - memcpy(peer_block, packet_ntlmssp_info->verifier, - encrypted_block_length); - crypt_rc4(rc4_state_peer, peer_block, encrypted_block_length); - g_free(peer_block); - - /* Mark the packet as decrypted so that subsequent attempts to dissect - the packet use the already decrypted payload instead of attempting - to decrypt again */ - packet_ntlmssp_info->verifier_decrypted = TRUE; } - /* Show the decrypted buffer in a new window */ decr_tvb = tvb_new_real_data(packet_ntlmssp_info->verifier, encrypted_block_length, 
@@ -1360,23 +2078,36 @@ encrypted_block_length, plurality(encrypted_block_length, "", "s")); decr_tree = proto_item_add_subtree (tf, ett_ntlmssp); + + if(( conv_ntlmssp_info->flags & NTLMSSP_NEGOTIATE_EXTENDED_SECURITY )) { + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_hmacmd5, + decr_tvb, decrypted_offset, 8,TRUE); + decrypted_offset += 8; + + + + /* Incrementing sequence number of DCE conversation */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + } + else { - /* LKCL page 45 says this is a "reserved" field. I'm not sure if it's - garbage because it's some sort of nonce, or because there is a problem - with the verifier decryption routine. */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_unknown1, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; - - /* CRC32 of the DCE fragment data */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_crc32, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; - - /* Incrementing sequence number of DCE conversation */ - proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, - decr_tvb, decrypted_offset, 4, TRUE); - decrypted_offset += 4; + /* RANDOM PAD usually it's 0 */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_randompad, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + + /* CRC32 of the DCE fragment data */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_crc32, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + + /* Incrementing sequence number of DCE conversation */ + proto_tree_add_item (decr_tree, hf_ntlmssp_verf_sequence, + decr_tvb, decrypted_offset, 4, TRUE); + decrypted_offset += 4; + } } static int 
@@ -1430,8 +2161,10 @@ tvb, offset, encrypted_block_length, TRUE); /* Try to decrypt */ - decrypt_verifier (tvb, offset, encrypted_block_length, pinfo, ntlmssp_tree); + decrypt_verifier (tvb, offset, encrypted_block_length, pinfo, ntlmssp_tree,NULL); + /* let's try to hook ourselves here */ + offset += 12; offset += encrypted_block_length; } CATCH(BoundsError) { RETHROW; @@ -1442,13 +2175,14 @@ return offset; } -static tvbuff_t * +tvbuff_t * dissect_ntlmssp_encrypted_payload(tvbuff_t *data_tvb, tvbuff_t *auth_tvb _U_, int offset, packet_info *pinfo, dcerpc_auth_info *auth_info _U_) { + /* gssapi_decrypted_tvb=NULL */ tvbuff_t *decr_tvb; /* Used to display decrypted buffer */ guint8 *peer_block; conversation_t *conversation; @@ -1457,7 +2191,6 @@ rc4_state_struct *rc4_state_peer; ntlmssp_info *conv_ntlmssp_info = NULL; ntlmssp_packet_info *packet_ntlmssp_info = NULL; - encrypted_block_length = tvb_length_remaining (data_tvb, offset); /* Check to see if we already have state for this packet */ @@ -1477,19 +2210,18 @@ if (conversation == NULL) { /* There is no conversation, thus no encryption state */ return NULL; - } + } conv_ntlmssp_info = conversation_get_proto_data(conversation, proto_ntlmssp); if (conv_ntlmssp_info == NULL) { - /* There is no NTLMSSP state tied to the conversation */ - return NULL; + /* There is no NTLMSSP state tied to the conversation */ + return NULL; } - /* Get the pair of RC4 state structures. One is used for to decrypt the payload. The other is used to re-encrypt the payload to represent the peer */ - if (conv_ntlmssp_info->peer1_dest_port == pinfo->destport) { + if (conv_ntlmssp_info->server_dest_port == pinfo->destport) { rc4_state = get_encrypted_state(pinfo, 1); rc4_state_peer = get_encrypted_state(pinfo, 0); } else { 
@@ -1542,6 +2274,21 @@ g_free(decrypted_payload); } +guint g_header_hash(gconstpointer pointer) { + guint32 crc = ~calculate_crc32c(pointer,16,CRC32C_PRELOAD); + /* Mat TBD fprintf(stderr,"Val: %u\n",crc);*/ + return crc; +} + +gboolean g_header_equal(gconstpointer pointer1, gconstpointer pointer2) { + if(!memcmp(pointer1,pointer2,16)) { + return TRUE; + } + else { + return FALSE; + } +} + static void ntlmssp_init_protocol(void) { @@ -1555,8 +2302,14 @@ decrypted_payloads = NULL; } + if(hash_packet == NULL) { + hash_packet = g_hash_table_new(g_header_hash,g_header_equal); + } + } + + void proto_register_ntlmssp(void) { @@ -1609,7 +2362,7 @@ { &hf_ntlmssp_negotiate_flags_40000, { "Target Type Share", "ntlmssp.targettypeshare", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_TARGET_TYPE_SHARE, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_80000, - { "Negotiate NTLM2 key", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_NTLM2, "", HFILL }}, + { "Negotiate Extended Security", "ntlmssp.negotiatentlm2", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_EXTENDED_SECURITY, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_100000, { "Negotiate Identify", "ntlmssp.negotiateidentify", FT_BOOLEAN, 32, TFS (&flags_set_truth), NTLMSSP_NEGOTIATE_IDENTIFY, "", HFILL }}, { &hf_ntlmssp_negotiate_flags_200000, 
@@ -1650,8 +2403,10 @@ { "Calling workstation domain buffer", "ntlmssp.negotiate.domain.buffer", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_negotiate_domain, { "Calling workstation domain", "ntlmssp.negotiate.domain", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, - { &hf_ntlmssp_ntlm_challenge, - { "NTLM Challenge", "ntlmssp.ntlmchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlm_client_challenge, + { "NTLM Client Challenge", "ntlmssp.ntlmclientchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlm_server_challenge, + { "NTLM Server Challenge", "ntlmssp.ntlmserverchallenge", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_reserved, { "Reserved", "ntlmssp.reserved", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_challenge_domain, @@ -1712,12 +2467,14 @@ { "Verifier Body", "ntlmssp.verf.body", FT_BYTES, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_decrypted_payload, { "NTLM Decrypted Payload", "ntlmssp.decrypted_payload", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, - { &hf_ntlmssp_verf_unknown1, - { "Unknown 1", "ntlmssp.verf.unknown1", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_verf_randompad, + { "Random Pad", "ntlmssp.verf.randompad", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_verf_crc32, { "Verifier CRC32", "ntlmssp.verf.crc32", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_verf_sequence, { "Verifier Sequence Number", "ntlmssp.verf.sequence", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_verf_hmacmd5, + { "HMAC MD5", "ntlmssp.verf.hmacmd5", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response, { "NTLMv2 Response", "ntlmssp.ntlmv2response", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_hmac, 
@@ -1733,11 +2490,13 @@ { &hf_ntlmssp_ntlmv2_response_unknown, { "Unknown", "ntlmssp.ntlmv2response.unknown", FT_UINT32, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name, - { "Name", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, + { "Attribute", "ntlmssp.ntlmv2response.name", FT_STRING, BASE_NONE, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name_type, - { "Name type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }}, + { "Attribute type", "ntlmssp.ntlmv2response.name.type", FT_UINT32, BASE_DEC, VALS(ntlm_name_types), 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_name_len, - { "Name len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { "Value len", "ntlmssp.ntlmv2response.name.len", FT_UINT32, BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_ntlmssp_ntlmv2_response_restriction, + { "Encoding restrictions", "ntlmssp.ntlmv2response.name.restrictions", FT_BYTES, BASE_HEX, NULL, 0x0, "", HFILL }}, { &hf_ntlmssp_ntlmv2_response_client_time, { "Client Time", "ntlmssp.ntlmv2response.client_time", FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0, "", HFILL }} }; @@ -1772,6 +2531,7 @@ &nt_password); register_dissector("ntlmssp", dissect_ntlmssp, proto_ntlmssp); + new_register_dissector("ntlmssp_payload", dissect_ntlmssp_payload, proto_ntlmssp); new_register_dissector("ntlmssp_verf", dissect_ntlmssp_verf, proto_ntlmssp); } --- epan/dissectors/packet-gssapi.c 2009-02-08 19:13:58.000000000 +0300 +++ ../wireshark-1.1.3-SVN-27393/epan/dissectors/packet-gssapi.c 2009-02-25 20:58:16.171352121 +0300 @@ -112,6 +112,7 @@ */ static dissector_handle_t ntlmssp_handle; +static dissector_handle_t ntlmssp_payload_handle; static dissector_handle_t spnego_krb5_wrap_handle; static GHashTable *gssapi_oids; 
@@ -315,6 +316,15 @@ pinfo, subtree); goto done; } + /* Maybe it's new NTLMSSP payload */ + if ((tvb_length_remaining(gss_tvb, start_offset)>16) && + ((tvb_memeql(gss_tvb, start_offset, "\x01\x00\x00\x00", 4) == 0))) { + return_offset = call_dissector(ntlmssp_payload_handle, + tvb_new_subset(gss_tvb, start_offset, -1, -1), + pinfo, subtree); + pinfo->gssapi_data_encrypted = TRUE; + goto done; + } /* Maybe it's new GSSKRB5 CFX Wrapping */ if ((tvb_length_remaining(gss_tvb, start_offset)>2) && @@ -630,6 +640,7 @@ dissector_handle_t gssapi_handle; ntlmssp_handle = find_dissector("ntlmssp"); + ntlmssp_payload_handle = find_dissector("ntlmssp_payload"); spnego_krb5_wrap_handle = find_dissector("spnego-krb5-wrap"); register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_CONNECT, From lholzheid at bihl-wiedemann.de Mon Apr 27 07:43:58 2009 
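Review bot: in the hunk at @@ -1090,8 +1552,18 @@ the client challenge is copied from ntlm_response.contents+32 for 8 bytes, but the guard only requires ntlm_response.length > 24, so a response of 25 to 39 bytes lets the memcpy read bytes the length check does not cover. Require length >= 40 before the copy, and fold the second `length > 24` test that sets is_auth_ntlm_v2 into the same block so the two conditions cannot drift apart.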
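Review bot: in the hunk at @@ -1128,20 +1602,274 @@ the new memcpy(encryptedsessionkey,sessionblob.contents,sessionblob.length) writes into a guint8[16] with a length taken from the packet and no upper bound, and it sits after the closing brace of the block that dissects the Session Key, so it also runs with an uninitialised sessionblob when that block is skipped. Initialise sessionblob, move the copy inside the block, and reject or clamp any length above sizeof(encryptedsessionkey). The NTLMv1 branch has the same shape: it copies 8 bytes from lm_response.contents without checking lm_response.length. In decrypt_data_payload only rc4_state is checked for NULL although rc4_state_peer is used a few lines later; decrypt_verifier checks both.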
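Review bot: in the hunk at @@ -1430,8 +2161,10 @@ the added `offset += 12;` sits directly in front of the existing `offset += encrypted_block_length;`, so the verifier dissector now returns an offset 12 bytes past the body it just consumed. The same comment and increment appear in dissect_ntlmssp_payload, which suggests a copy-paste leftover; drop the line here or document why the extra 12 bytes are skipped.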
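Review bot: in the hunk at @@ -1542,6 +2274,21 @@ g_header_hash and g_header_equal both read 16 bytes from the key, but the only caller that supplies one, dissect_ntlmssp_payload, fills just ntlm_signature_size + ntlm_seq_size (12) bytes of its local `guint8 key[16]`, so the hash and the comparison include 4 bytes of uninitialised stack. That same stack array is what decrypt_data_payload passes to g_hash_table_insert, which stores the pointer rather than a copy, so every entry's key dangles once the dissector returns. Hash and compare 12 bytes (or zero the array first) and insert a copy of the key whose lifetime matches the table. Both helpers can also be static.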
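Review bot: in the hunk at @@ -1555,8 +2302,14 @@ hash_packet is created once in ntlmssp_init_protocol and never emptied, while the values stored in it come from se_alloc and the neighbouring decrypted_payloads list is reset on every init. After a new capture is loaded the table still holds pointers to memory from the previous session. Destroy and recreate the table in the init routine instead of only creating it when it is NULL.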
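Review bot: in the packet-gssapi.c hunk at @@ -315,6 +316,15 @@ the new branch claims any blob longer than 16 bytes that starts with 01 00 00 00, ahead of the GSSKRB5 CFX check, and sets pinfo->gssapi_data_encrypted = TRUE whether or not the NTLMSSP payload dissector found a conversation to decrypt with. Consider gating the branch on NTLMSSP state being present for the conversation. The comment in dissect_ntlmssp_payload describes the identifier as 00 00 00 01 while the bytes matched here are "\x01\x00\x00\x00"; state the byte order in one of the two places so they agree.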
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Mon Apr 27 07:52:57 2009
Subject: SWAT Feature Details and Discussion
In-Reply-To: <20090426094515.GN7131@mykerinos.kheops.frmug.org>
References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org>
Message-ID: <20090427074358.GD16279@svr5.bihl-wiedemann.de>

On Sun, 2009-04-26 11:45:15 +0200, Christian Perrier wrote:
> Quoting Ricardo (rvelhote@gmail.com):
>
> > Internationalization (i18n)
> > $ Not much to say here
>
> I have..:-)
>
> [..]
> They had good i18n and localization was completed
> [..]

I know this is off-topic, but there is something "I always wanted to
know but was afraid to ask":

What's the exact difference between i18n and l10n?

They seem to be two words for the same thing to me (as a nation is a
location w.r.t. languages, monetary formatting and so on), but you
distinguish between them.

Ludolf

--
---------------------------------------------------------------
Ludolf Holzheid Tel: +49 621 339960
Bihl+Wiedemann GmbH Fax: +49 621 3392239
Floßwörthstraße 41 e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------

From metze at samba.org Mon Apr 27 08:04:02 2009
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Mon Apr 27 08:04:19 2009
Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark
In-Reply-To: <49F314AA.30802@matws.net>
References: <49F314AA.30802@matws.net>
Message-ID: <49F566F2.7080701@samba.org>

Hi Matthieu,

> I finally finished my patch to support NTLMSSP auth in LDAP.
> As metze proposed I add the option that read all the keytab that were
> provided, and try all the encoded password inside it.
>
> It seems to work quite well, I tried with a few keytab generated for
> pure "traditional" LDAP with kerberos auth and I've been able to decode
> (well if the keytab contains the md4(password) of the user trying to
> authenticate himself).
> I'm quite surprised that when "extracting" crypted password in a keytab
> they are only stored by using md4(unicode(password))) even if we ask
> keytab to use arc4_hmac (but I'm far from being well aware of all in
> kerberos ...).
>
> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I tested
> mostly with extended security flags so for less secure (and maybe not
> anymore really used ?) scheme (like pure lan manager auth or simple nt
> auth) problems might still exist.
>
> It would be just great if you can provide me some feedback, in any case
> my goal is to submit it to wireshark devs soon.

Thanks! I'll give it a try in the next days.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20090427/fd6dfdd1/signature.bin

From sam at liddicott.com Mon Apr 27 11:42:21 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Mon Apr 27 11:43:00 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
Message-ID: <49F59A1D.3010208@liddicott.com>

Signed-off-by: Sam Liddicott
---
 source4/libcli/raw/libcliraw.h | 3 +++
 source4/libcli/smb_composite/sesssetup.c | 6 ++++++
 2 files changed, 9 insertions(+), 0 deletions(-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0fb1a87bd47a4c750143bc22dfdca0b705962d7e.diff
Type: text/x-patch
Size: 1430 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090427/fefcf352/0fb1a87bd47a4c750143bc22dfdca0b705962d7e.bin

From idra at samba.org Mon Apr 27 12:19:14 2009
From: idra at samba.org (simo)
Date: Mon Apr 27 12:17:31 2009
Subject: SWAT Feature Details and Discussion
In-Reply-To: <20090427074358.GD16279@svr5.bihl-wiedemann.de>
References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org> <20090427074358.GD16279@svr5.bihl-wiedemann.de>
Message-ID: <1240834754.24864.4.camel@pico.li.ssimo.org>

On Mon, 2009-04-27 at 09:43 +0200, Ludolf Holzheid wrote:
> On Sun, 2009-04-26 11:45:15 +0200, Christian Perrier wrote:
> > Quoting Ricardo (rvelhote@gmail.com):
> >
> > > Internationalization (i18n)
> > > $ Not much to say here
> >
> > I have..:-)
> >
> > [..]
> > They had good i18n and localization was completed
> > [..]
>
> I know this is off-topic, but there is something "I always wanted to
> know but was afraid to ask":
>
> What's the exact difference between i18n and l10n?
>
> They seem to be two words for the same thing to me (as a nation is a
> location w.r.t. languages, monetary formatting and so on), but you
> distinguish between them.

Roughly:

i18n == ability to handle input/output in multiple formats (for example
using UTF-8 so that you can support multiple alphabets)

l10n == translation of text interfaces and support of locales to change
output depending on the locale settings

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
Principal Software Engineer at Red Hat, Inc.

From Volker.Lendecke at SerNet.DE Mon Apr 27 12:25:31 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon Apr 27 12:32:41 2009
Subject: [SCM] CTDB repository - branch master updated - ctdb-1.0.79-12-gbf8dae6
In-Reply-To: <20090425225007.7A46F1CC0A9@us2.samba.org>
References: <20090425225007.7A46F1CC0A9@us2.samba.org>
Message-ID:

On Sat, Apr 25, 2009 at 05:50:07PM -0500, Ronnie Sahlberg wrote:
> The branch, master has been updated
> via bf8dae63d10498e6b6179bbacdd72f1ff0fc60be (commit)
> via 1b2029dbb055ff07367ebc1f307f5241320227b2 (commit)
> via 459e4ee135bd1cd24c15e5325906eb4ecfd550ec (commit)
> from 70f21428c9eec96bcc787be191e7478ad68956dc (commit)
>
> http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=master
>
>
> - Log -----------------------------------------------------------------
> commit bf8dae63d10498e6b6179bbacdd72f1ff0fc60be
> Author: Ronnie Sahlberg
> Date: Sun Apr 26 08:47:38 2009 +1000
>
> we only need to have transaction nesting disabled when we start the new transaction for the recovery
>
> commit 1b2029dbb055ff07367ebc1f307f5241320227b2
> Author: Ronnie Sahlberg
> Date: Sun Apr 26 08:42:54 2009 +1000
>
> set the TDB_NO_NESTING flag for the tdb before we start a transaction from within recovery
>
> commit 459e4ee135bd1cd24c15e5325906eb4ecfd550ec
> Author: Ronnie Sahlberg
> Date: Sun Apr 26 08:38:37 2009 +1000
>
> add TDB_NO_NESTING. When this flag is set tdb will not allow any nested transactions and tdb_transaction_start() will implicitly _cancel() any pending transactions before starting any new ones.
>

To me this looks like a reasonable addition to main tdb.

What do others think?

Volker

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090427/68ebfeb3/attachment.bin

From lholzheid at bihl-wiedemann.de Mon Apr 27 13:02:49 2009
From: lholzheid at bihl-wiedemann.de (Ludolf Holzheid)
Date: Mon Apr 27 13:02:57 2009
Subject: SWAT Feature Details and Discussion
In-Reply-To: <1240834754.24864.4.camel@pico.li.ssimo.org>
References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org> <20090427074358.GD16279@svr5.bihl-wiedemann.de> <1240834754.24864.4.camel@pico.li.ssimo.org>
Message-ID: <20090427130249.GA21381@svr5.bihl-wiedemann.de>

On Mon, 2009-04-27 08:19:14 -0400, simo wrote:
> On Mon, 2009-04-27 at 09:43 +0200, Ludolf Holzheid wrote:
> > [..]
> >
> > What's the exact difference between i18n and l10n?
>
> Roughly:
>
> i18n == ability to handle input/output in multiple formats (for example
> using UTF-8 so that you can support multiple alphabets)
>
> l10n == translation of text interfaces and support of locales to change
> output depending on the locale settings

Ah, I see. i18n is a pre-stage to l10n, something about changes to the
program vs. actual translations.

Thank you.

Ludolf

-- 
---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid@bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
From idra at samba.org Mon Apr 27 13:05:52 2009
From: idra at samba.org (simo) Date: Mon Apr 27 13:04:20 2009 Subject: [SCM] CTDB repository - branch master updated - ctdb-1.0.79-12-gbf8dae6 In-Reply-To: References: <20090425225007.7A46F1CC0A9@us2.samba.org> Message-ID: <1240837552.24864.6.camel@pico.li.ssimo.org> On Mon, 2009-04-27 at 14:25 +0200, Volker Lendecke wrote: > On Sat, Apr 25, 2009 at 05:50:07PM -0500, Ronnie Sahlberg wrote: > > The branch, master has been updated > > via bf8dae63d10498e6b6179bbacdd72f1ff0fc60be (commit) > > via 1b2029dbb055ff07367ebc1f307f5241320227b2 (commit) > > via 459e4ee135bd1cd24c15e5325906eb4ecfd550ec (commit) > > from 70f21428c9eec96bcc787be191e7478ad68956dc (commit) > > > > http://gitweb.samba.org/?p=sahlberg/ctdb.git;a=shortlog;h=master > > > > > > - Log ----------------------------------------------------------------- > > commit bf8dae63d10498e6b6179bbacdd72f1ff0fc60be > > Author: Ronnie Sahlberg > > Date: Sun Apr 26 08:47:38 2009 +1000 > > > > we only need to have transaction nesting disabled when we start the new transaction for the recovery > > > > commit 1b2029dbb055ff07367ebc1f307f5241320227b2 > > Author: Ronnie Sahlberg > > Date: Sun Apr 26 08:42:54 2009 +1000 > > > > set the TDB_NO_NESTING flag for the tdb before we start a transaction from within recovery > > > > commit 459e4ee135bd1cd24c15e5325906eb4ecfd550ec > > Author: Ronnie Sahlberg > > Date: Sun Apr 26 08:38:37 2009 +1000 > > > > add TDB_NO_NESTING. When this flag is set tdb will not allow any nested transactions and tdb_transaction_start() will implicitely _cancel() any pending transactions before starting any new ones. > > > > To me this looks like a reasonable addition to main tdb. > > What do others think? We should probably return an error, and not just implicitly cancel a transaction IMO. But the idea of TDB_NO_NESTING is sound and I'd love to use it in LDB. Simo. -- Simo Sorce Samba Team GPL Compliance Officer Principal Software Engineer at Red Hat, Inc. 
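The three behaviours this thread weighs for a transaction start issued while another transaction is pending (counted nesting, the implicit cancel of the TDB_NO_NESTING commit, and failing with a nesting error), as an added toy model. It is not tdb or ctdb code: every `toy_*` name, the two-slot in-memory store and the `run()` scenario are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy in-memory model, NOT the tdb API: all names here are hypothetical. */
enum nest_policy {
    NEST_COUNTED,          /* nested start only bumps a counter        */
    NEST_IMPLICIT_CANCEL,  /* nested start cancels the pending one     */
    NEST_FAIL              /* nested start fails with a nesting error  */
};
enum toy_err { TOY_OK, TOY_ERR_NESTING, TOY_ERR_NO_TX, TOY_ERR_FAILED };

#define SLOTS 2
struct toy_db {
    enum nest_policy policy;
    enum toy_err err;
    int depth, failed;
    int durable[SLOTS], pending[SLOTS];
};
struct outcome { int a_rc, b_rc, a_durable, b_durable; };

static void toy_open(struct toy_db *db, enum nest_policy p)
{
    memset(db, 0, sizeof(*db));
    db->policy = p;
}
static int toy_fail(struct toy_db *db, enum toy_err e) { db->err = e; return -1; }

static int toy_start(struct toy_db *db)
{
    if (db->depth > 0) {
        if (db->policy == NEST_FAIL) return toy_fail(db, TOY_ERR_NESTING);
        if (db->policy == NEST_COUNTED) { db->depth++; return 0; }
        /* NEST_IMPLICIT_CANCEL: fall through, pending writes are dropped */
    }
    memcpy(db->pending, db->durable, sizeof(db->pending));
    db->depth = 1;
    db->failed = 0;
    return 0;
}
static int toy_store(struct toy_db *db, int slot, int v)
{
    if (db->depth == 0) return toy_fail(db, TOY_ERR_NO_TX);
    db->pending[slot] = v;
    return 0;
}
static int toy_cancel(struct toy_db *db)
{
    if (db->depth == 0) return toy_fail(db, TOY_ERR_NO_TX);
    db->failed = 1;            /* an inner cancel poisons the outer one */
    db->depth--;
    return 0;
}
static int toy_commit(struct toy_db *db)
{
    if (db->depth == 0) return toy_fail(db, TOY_ERR_NO_TX);
    if (--db->depth > 0) return 0;     /* nested commit: nothing written */
    if (db->failed) return toy_fail(db, TOY_ERR_FAILED);
    memcpy(db->durable, db->pending, sizeof(db->durable));
    return 0;
}

/* Caller A writes slot 0; caller B starts its own transaction in between
 * and writes slot 1. a_hits_error makes A cancel instead of committing. */
static struct outcome run(enum nest_policy p, int a_hits_error)
{
    struct toy_db db;
    struct outcome o;
    toy_open(&db, p);
    toy_start(&db);
    toy_store(&db, 0, 1);
    o.b_rc = toy_start(&db);
    if (o.b_rc == 0) { toy_store(&db, 1, 2); o.b_rc = toy_commit(&db); }
    if (a_hits_error) { toy_cancel(&db); o.a_rc = -1; }
    else o.a_rc = toy_commit(&db);
    o.a_durable = (db.durable[0] == 1);
    o.b_durable = (db.durable[1] == 2);
    return o;
}

/* With NEST_FAIL a caller that really wants to discard the old
 * transaction has to say so, which makes the cancel visible. */
static int recovery_demo(void)
{
    struct toy_db db;
    toy_open(&db, NEST_FAIL);
    toy_start(&db);
    toy_store(&db, 0, 1);
    if (toy_start(&db) == -1 && db.err == TOY_ERR_NESTING) {
        fprintf(stderr, "Cancelling old transaction\n");
        toy_cancel(&db);
        if (toy_start(&db) != 0) return -1;
    }
    toy_store(&db, 1, 2);
    if (toy_commit(&db) != 0) return -1;
    return 10 * db.durable[0] + db.durable[1];
}

int main(void)
{
    static const char *name[] = { "counted", "implicit-cancel", "fail" };
    for (int p = NEST_COUNTED; p <= NEST_FAIL; p++) {
        struct outcome o = run((enum nest_policy)p, p == NEST_COUNTED);
        printf("%-16s A rc=%2d durable=%d | B rc=%2d durable=%d\n",
               name[p], o.a_rc, o.a_durable, o.b_rc, o.b_durable);
    }
    printf("recovery demo durable state: %02d\n", recovery_demo());
    return 0;
}
```

In the counted case B is told its commit succeeded although nothing of B's becomes durable; in the implicit-cancel case A only finds out at its own commit that its write was dropped; in the fail case B gets an error immediately and A's write survives.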
From bubulle at debian.org Mon Apr 27 16:45:26 2009
From: bubulle at debian.org (Christian Perrier)
Date: Mon Apr 27 17:34:30 2009
Subject: SWAT Feature Details and Discussion
In-Reply-To: <1240834754.24864.4.camel@pico.li.ssimo.org>
References: <49F34C3B.4010806@gmail.com> <20090426094515.GN7131@mykerinos.kheops.frmug.org> <20090427074358.GD16279@svr5.bihl-wiedemann.de> <1240834754.24864.4.camel@pico.li.ssimo.org>
Message-ID: <20090427164526.GL4282@mykerinos.kheops.frmug.org>

Quoting simo (idra@samba.org):

> i18n == ability to handle input/output in multiple formats (for example
> using UTF-8 so that you can support multiple alphabets)

I would define i18n as something larger such as "prepare programs to
be able to work for different languages and/or different countries".

You may probably find better and more accurate definitions of it by
googling around of course.

i18n=internationalization, of course (or internationalisation for
those en_GB localised folks)
l10n=locali{z|s}ation

>
> l10n == translation of text interfaces and support of locales to change
> output depending on the locale settings

The latter part, imho, belongs to i18n..:-)...but all this is a matter
of definition anyway.

What is sure is indeed that i18n must happen before l10n and i18n is
more something for the applications developers and l10n the duty of
translators.

To be complete, one happens to also find "m17n" here and there, which
stands for "multilingualization" and describes methods and work aimed
at allowing the use of multiple languages (and scripts) inside the
same applications.
From jra at samba.org Mon Apr 27 17:46:55 2009
From: jra at samba.org (Jeremy Allison) Date: Mon Apr 27 17:46:52 2009 Subject: Windows 7 support (SMB1) In-Reply-To: <49F2B1EE.9000100@ubiqx.mn.org> References: <49F2B1EE.9000100@ubiqx.mn.org> Message-ID: <20090427174655.GA30251@samba1> On Sat, Apr 25, 2009 at 01:47:10AM -0500, Christopher R. Hertel wrote: > Folks, > > I've got a third party asking me about SMB1 Windows 7 support in Samba. I > got very good vibes about this during SambaXP but would like to get a > clearer picture. What's the status of SMB1 Win7 client support in Samba 3.3? Currently I believe Win7 clients work as file sharing clients to a Samba3.3 server, but don't yet work as Domain members to a Samba 3.3 PDC (this is being worked on on the Samba side, currently looks like our bug). Jeremy. From ido.mandril at gmail.com Mon Apr 27 18:26:19 2009 From: ido.mandril at gmail.com (Ido Mandril) Date: Mon Apr 27 18:26:15 2009 Subject: SambaXP Message-ID: Dear Group I just wonder if anyone know when some of the presentation will be available to download from the SambaXP web time. I didn't make it this year to join the conference so I really want to know what was going on over there. It seems like many interesting development with Samba4 and OpenChange. Can someone make a note about that? Can I provide some help? 10X Ido From Volker.Lendecke at SerNet.DE Mon Apr 27 20:57:34 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Mon Apr 27 20:56:40 2009 Subject: thread pool helpers Message-ID: Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090427/521fb62a/attachment.bin From inet.harsha at gmail.com Mon Apr 27 22:38:15 2009 
From: inet.harsha at gmail.com (Harsha)
Date: Mon Apr 27 22:38:12 2009
Subject: Parsing array and its size in EcDoRpcExt2
Message-ID: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com>

Hi all,

I am writing a dissector for Wireshark for MAPI protocol and was
trying to parse a DCERPC message. The code comments in Wireshark
mentioned that the Samba folks maintain the DCERPC part, so I figured
that this would be the best place to post my question.

I was trying to parse this MSRPC function in Wireshark-

long __stdcall EcDoRpcExt2(
    [in, out, ref] CXH * pcxh,
    [in, out] unsigned long *pulFlags,
    [in, size_is(cbIn)] unsigned char rgbIn[],
    [in] unsigned long cbIn,
    [out, length_is(*pcbOut), size_is(*pcbOut)] unsigned char rgbOut[],
    [in, out] BIG_RANGE_ULONG *pcbOut,
    [in, size_is(cbAuxIn)] unsigned char rgbAuxIn[],
    [in] unsigned long cbAuxIn,
    [out, length_is(*pcbAuxOut), size_is(*pcbAuxOut)] unsigned char rgbAuxOut[],
    [in, out] SMALL_RANGE_ULONG *pcbAuxOut,
    [out] unsigned long *pulTransTime
    );

I'm stuck trying to parse

    [in, size_is(cbIn)] unsigned char rgbIn[],
    [in] unsigned long cbIn,

The problem I see is that we first have the array and then its length.

I did a quick read of the relevant part of DCE RPC specs, but in all
the cases I saw it always had the size and then the array. In those
cases it is trivial to first extract the size and use the size to
extract the array contents.

I'm sure it is not a typo in the spec, so clearly I'm missing
something. Can someone please clarify how to parse the array field ?

Any pointers/ suggestions/ hints welcome.

Many thanks,
Harsha
From inet.harsha at gmail.com Tue Apr 28 00:32:06 2009
From: inet.harsha at gmail.com (Harsha)
Date: Tue Apr 28 00:40:01 2009
Subject: Parsing array and its size in EcDoRpcExt2
In-Reply-To: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com>
References: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com>
Message-ID: <142e6bbe0904271732p6db82abdr5900d80e446c4d62@mail.gmail.com>

On Mon, Apr 27, 2009 at 3:38 PM, Harsha wrote:
> I did a quick read of the relevant part of DCE RPC specs, but in all
> the cases I saw it always had the size and then the array. In those
> cases it is trivial to first extract the size and use the size to
> extract the array contents.

Here is an example in Wireshark code where the length of the array and
then the array are extracted-

void ept_lookup(
    [in] handle_t hEpMapper,
    [in] unsigned long inquiry_type,
    [in, ptr] UUID* object,
    [in, ptr] RPC_IF_ID* Ifid,
    [in] unsigned long vers_option,
    [in, out] ept_lookup_handle_t* entry_handle,
    [in, range(0,500)] unsigned long max_ents,
    [out] unsigned long* num_ents,
    [out, length_is(*num_ents), size_is(max_ents)] ept_entry_t entries[],   <-----
    [out] error_status* status );

Related dissecting code that extracts the length of the array and then
array is in epm_dissect_ept_map_resp() in packet-dcerpc-epm.c.

Unfortunately I don't see any other case where the array comes ahead
of its length.

Thanks,
Harsha
From tridge at samba.org Tue Apr 28 01:34:39 2009
From: tridge at samba.org (tridge@samba.org)
Date: Tue Apr 28 01:34:48 2009
Subject: tdb transaction nesting and ctdb
Message-ID: <18934.23855.891865.405248@samba.org>

Hi Ronnie,

I'm looking at your commit in the tdb code for ctdb:

  http://git.samba.org/?p=sahlberg/ctdb.git;a=commitdiff;h=459e4ee135bd1cd24c15e5325906eb4ecfd550ec;hp=70f21428c9eec96bcc787be191e7478ad68956dc

As we discussed last week, I think that adding a flag that disables
nested tdb transactions is a good idea, but I think your patch goes
about it the wrong way.

The reason we should have a flag to disable nested tdb transactions is
that two pieces of code in the same application that both use
transactions can easily step on each other's toes, which is what
happened with ctdb. When one piece of code is running a transaction,
and a second piece of code starts a new transaction, then cancels it,
the first transaction is currently put into an error state, which
causes operations to be lost. That is not good, but at least the
application is told that operations have been lost.

With your change the situation is now worse, as operations can be
silently lost. You've added a TDB_NO_NESTING flag for tdb, which when
set means that a new transaction auto-cancels any currently
outstanding transaction. That means that new transactions will undo
any previous operations, without the caller of the previous
transaction having any way to know that this has happened. It may work
for the specific problem you are addressing in ctdb, but I think it is
a very poor API.

What I'd suggest is that we have a TDB_NO_NESTED_TRANSACTIONS flag,
which causes any attempt to create a nested transaction to fail, with
a new TDB_ERR_NESTING tdb error code. This means that existing
transaction operations are not lost.

The behaviour you want for ctdb can then be achieved like this:

   ret = tdb_transaction_start(tdb);
   if (ret == -1 && tdb_error(tdb) == TDB_ERR_NESTING) {
        DEBUG(0,(__location__ " Cancelling old transaction\n"));
        tdb_transaction_cancel(tdb);
        ret = tdb_transaction_start(tdb);
   }

Does that sound ok?

I also wonder why you set/unset TDB_NO_NESTING in the ctdb code? What
situations are there in ctdb where you think nested transactions are
desirable?

The tdb code in ctdb is also starting to diverge a bit from the
mainline tdb code. I think we should try and keep the two copies of
tdb in sync as far as possible.

Cheers, Tridge
From crh at ubiqx.mn.org Tue Apr 28 02:11:31 2009
From: crh at ubiqx.mn.org (Christopher R. Hertel)
Date: Tue Apr 28 02:17:19 2009
Subject: MS-CIFS preview document
Message-ID: <49F665D3.3000700@ubiqx.mn.org>

As announced at SambaXP last week, there is a preview version of the
[MS-CIFS] document available from Microsoft. The main page for preview
documents was not quite ready in time for SambaXP (so I provided a link to
the actual content), but it's up and running now:

  http://msdn.microsoft.com/en-us/library/dd727484.aspx

Please note:

1) The document is a preview document only. We know that there are
   several subjects missing from the preview.

2) [MS-CIFS] Covers the SMB protocol as implemented by _Windows NT_.
   It is intended as a foundation piece. Later (that is, current)
   versions of the protocol are documented separately and will
   (eventually) reference [MS-CIFS] and be based upon it.

If you follow the URL above you will also find a web page for providing
feedback.

Thanks.

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh@ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh@ubiqx.org
From ronniesahlberg at gmail.com Tue Apr 28 03:32:15 2009
From: ronniesahlberg at gmail.com (ronnie sahlberg)
Date: Tue Apr 28 03:40:09 2009
Subject: tdb transaction nesting and ctdb
In-Reply-To: <18934.23855.891865.405248@samba.org>
References: <18934.23855.891865.405248@samba.org>
Message-ID:

Hi,

Ok, I'll change tdb_transaction_start() to return an error instead of
cancelling the previous transaction.
This does not matter to CTDB.

Actually this change will only change the semantics of which
transaction will succeed and which will fail.
Currently the innermost transaction will succeed while the outermost
transaction will fail. I personally think this is more logical
semantics but I don't feel strongly enough about it to argue.
I will change it so that instead the innermost transaction will fail
and the outermost transaction will succeed.

I consider nested transactions to be unsafe for callers that are not
aware of the nesting since they can trigger behaviour that are not
following the path of least surprise, for example :

1, tdb_transaction_start()
2, tdb_transaction_start() -- nested
3, tdb_transaction_commit() -- successful
4, ... error occurs
5, tdb_transaction_commit() -- failure

For the unsuspecting callers this means that tdb responded to the
caller in 3 saying success == your transaction was successfully
committed.
However, since this was a nested transaction this didn't commit
anything at all but just decrease the nesting counter.
A short while later the outmost transaction failed, and implicitly
this caused the innermost transaction 2,3 to fail as well.
At that stage it has already been replied to 3 that the commit was
successful and it would be a bit late to come back and say "remember
that transaction i said was committed a while ago? well thing is I
changed my mind, it actually failed".

Thus for safe use of transactions a caller would actually need to know
whether or not the transaction created was top-level or not, because
if it was not a top-level transaction then the return code from
tdb_transaction_commit() is basically undefined and does not tell
whether the transaction completed successfully or not.

For that case I think it would actually be better to invert the flag
to be TDB_ALLOW_NESTED_TRANSACTIONS and have tdb_transaction_start()
fail if the flag is not explicitly set by the application and if
there was already a transaction in flight.

>  ret = tdb_transaction_start(tdb);
>  if (ret == -1 && tdb_error(tdb) == TDB_ERR_NESTING) {
>       DEBUG(0,(__location__ " Cancelling old transaction\n"));
>       tdb_transaction_cancel(tdb);
>       ret = tdb_transaction_start(tdb);
>  }
>
>Does that sound ok?

That sounds ok.
I was thinking about making even simpler like:

    while(tdb_transaction_cancel() == 0) ;
    ret = tdb_transaction_start();

But that would not be as clear to just why the
tdb_transaction_cancel() is needed.

regards
ronnie sahlberg

On Tue, Apr 28, 2009 at 11:34 AM, wrote:
> Hi Ronnie,
>
> I'm looking at your commit in the tdb code for ctdb:
>
>
> http://git.samba.org/?p=sahlberg/ctdb.git;a=commitdiff;h=459e4ee135bd1cd24c15e5325906eb4ecfd550ec;hp=70f21428c9eec96bcc787be191e7478ad68956dc
>
> As we discussed last week, I think that adding a flag that disables
> nested tdb transactions is a good idea, but I think your patch goes
> about it the wrong way.
> > The reason we should have a flag to disable nested tdb transactions is > that two pieces of code in the same application that both use > transactions can easily step on each others toes, which is what > happened with ctdb. When one piece of code is running a transaction, > and a second piece of code starts a new transaction, then cancels it, > the first transaction is currently put into an error state, which > causes operations to be lost. That is not good, but at least the > application is told that operations have been lost. > > With your change the situation is now worse, as operations can be > silently lost. You've added a TDB_NO_NESTING flag for tdb, which when > set means that a new transactions auto-cancels any currently > outstanding transaction. That means that new transactions will undo > any previous operations, without the caller of the previous > transaction having any way to know that this has happened. It may work > for the specific problem you are addressing in ctdb, but I think it is > a very poor API. > > What I'd suggest is that we have a TDB_NO_NESTED_TRANSACTIONS flag, > which causes any attempt to create a nested transaction to fail, with > a new TDB_ERR_NESTING tdb error code. This means that existing > transaction operations are not lost. > > The behaviour you want for ctdb can then be achieved like this: > > ret = tdb_transaction_start(tdb); > if (ret == -1 && tdb_error(tdb) == TDB_ERR_NESTING) { > DEBUG(0,(__location__ " Cancelling old transaction\n")); > tdb_transaction_cancel(tdb); > ret = tdb_transaction_start(tdb); > } > > Does that sound ok? > > I also wonder why you set/unset TDB_NO_NESTING in the ctdb code? What > situations are there in ctdb where you think nested transactions are > desirable? > > The tdb code in ctdb is also starting to diverge a bit from the > mainline tdb code. I think we should try and keep the two copies of > tdb in sync as far as possible. 
>
> Cheers, Tridge
>
From ronniesahlberg at gmail.com Tue Apr 28 03:59:21 2009
From: ronniesahlberg at gmail.com (ronnie sahlberg)
Date: Tue Apr 28 03:59:12 2009
Subject: [Wireshark-dev] Parsing array and its size in EcDoRpcExt2
In-Reply-To: <142e6bbe0904271732p6db82abdr5900d80e446c4d62@mail.gmail.com>
References: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com> <142e6bbe0904271732p6db82abdr5900d80e446c4d62@mail.gmail.com>
Message-ID:

There are a number of places where the "length" variable comes after
the array.
I think there are even places where there are other variables
separating the "length" and the array apart in some places.

This is all allowed in DCE/RPC and the reason for this is that
"length" is just a normal variable.

When used in this way
...
[length_is(len)] foo_t entries[];
...
int len;

This will actually encode "len" twice on the wire.
First it will encode the array like this :

    uint32_t "length"   (*)
    element 0
    element 1
    ...
    element len-1

I.e. the length of the array is encoded together with the array and it
contains the value of "length" as the length of the array.

A short while later you will then also have the variable "length"
itself being encoded with obviously the same value.

I.e. "length" is encoded twice, first it is encoded as part of the
(conformance data of the) array itself and a second time as the
variable "length" itself.

Therefore it does not matter where in the IDL you specify the array
and its length in relation to each other.

(* this is a simplified example, the array size "length" is actually
not encoded at the head of the array but much earlier in the
byte-sequence. It is actually encoded at the head of the encapsulating
structure)

regards
ronnie sahlberg

On Tue, Apr 28, 2009 at 10:32 AM, Harsha wrote:
> On Mon, Apr 27, 2009 at 3:38 PM, Harsha wrote:
> > I did a quick read of the relevant part of DCE RPC specs, but in all
> > the cases I saw it always had the size and then the array.
In those > > cases it is trivial to first extract the size and use the size to > > extract the array contents. > Here is an example in Wireshark code where the length of the array and > then the array are extracted- > void ept_lookup( > [in] handle_t hEpMapper, > [in] unsigned long inquiry_type, > [in, ptr] UUID* object, > [in, ptr] RPC_IF_ID* Ifid, > [in] unsigned long vers_option, > [in, out] ept_lookup_handle_t* entry_handle, > [in, range(0,500)] unsigned long max_ents, > [out] unsigned long* num_ents, > [out, length_is(*num_ents), size_is(max_ents)] ept_entry_t entries[], > <----- > [out] error_status* status ); > > Related dissecting code that extracts the length of the array and then > array is in epm_dissect_ept_map_resp() in packet-dcerpc-epm.c. > > Unfortunately I don't see any other case where the array comes ahead > of its length. > > Thanks, > Harsha > ___________________________________________________________________________ > Sent via: Wireshark-dev mailing list > Archives: http://www.wireshark.org/lists/wireshark-dev > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev > mailto:wireshark-dev-request@wireshark.org?subject=unsubscribe > From ks at sernet.de Tue Apr 28 06:25:36 2009 From: ks at sernet.de (Karolin Seeger) Date: Tue Apr 28 06:25:31 2009 Subject: SambaXP In-Reply-To: References: Message-ID: Hi Ido, On Mon, Apr 27, 2009 at 09:26:19PM +0300, Ido Mandril wrote: > I just wonder if anyone know when some of the presentation will be available > to download from the SambaXP web time. > > I didn't make it this year to join the conference so I really want to know > what was going on over there. > > It seems like many interesting development with Samba4 and OpenChange. > > Can someone make a note about that? the audio files will be available a few weeks after the conference as well as the slides (if the speakers sent them in ;-). Please stay tuned. You can find the records on http://www.sambaxp.org/. 

Cheers,
Karolin

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/18cd0ca1/attachment.bin
From Volker.Lendecke at SerNet.DE Tue Apr 28 06:49:00 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Tue Apr 28 06:48:12 2009
Subject: MS-CIFS preview document
In-Reply-To: <49F665D3.3000700@ubiqx.mn.org>
References: <49F665D3.3000700@ubiqx.mn.org>
Message-ID:

On Mon, Apr 27, 2009 at 09:11:31PM -0500, Christopher R. Hertel wrote:
> As announced at SambaXP last week, there is a preview version of the
> [MS-CIFS] document available from Microsoft. The main page for preview
> documents was not quite ready in time for SambaXP (so I provided a link to
> the actual content), but it's up and running now:
>
> http://msdn.microsoft.com/en-us/library/dd727484.aspx

Quick reply: In the Notes for the SMB_COM_NT_CANCEL windows
behaviour you write:

  Windows clients use this command ONLY when disconnecting
  from a TID. It is not used for any other purpose.

Does this mean that Windows NT4 does not support
NT_TRANSACT_NOTIFY_CHANGE? I thought I had seen a cancel
when a user changes directories in Windows Explorer.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/52519c9d/attachment.bin
From sam at liddicott.com Tue Apr 28 07:04:12 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Tue Apr 28 07:04:54 2009
Subject: [Wireshark-dev] Parsing array and its size in EcDoRpcExt2
Message-ID: <0000122702@timbuctoo.liddicott.com>

Just for completeness, pidl supports the nodiscriminant attribute which
avoids encoding the length twice, but then it must occur before the
array in the I.

Wireshark does not support nodiscriminant though, last time I checked.

Sam

-----Original Message-----
From: ronnie sahlberg
Sent: Tuesday, April 28, 2009 4:59 AM
To: Developer support list for Wireshark
Cc: devel@lists.openchange.org; samba-technical@lists.samba.org
Subject: Re: [Wireshark-dev] Parsing array and its size in EcDoRpcExt2

There are a number of places where the "length" variable comes after
the array.
I think there are even places where there are other variables
separating the "length" and the array apart in some places.

This is all allowed in DCE/RPC and the reason for this is that
"length" is just a normal variable.

When used in this way
...
[length_is(len)] foo_t entries[];
...
int len;

This will actually encode "len" twice on the wire.
First it will encode the array like this :

    uint32_t "length"   (*)
    element 0
    element 1
    ..
    element len-1

I.e. the length of the array is encoded together with the array and it
contains the value of "length" as the length of the array.

A short while later you will then also have the variable "length"
itself being encoded with obviously the same value.

I.e. "length" is encoded twice, first it is encoded as part of the
(conformance data of the) array itself and a second time as the
variable "length" itself.

Therefore it does not matter where in the IDL you specify the array
and its length in relation to each other.

(* this is a simplified example, the array size "length" is actually
not encoded at the head of the array but much earlier in the
byte-sequence. It is actually encoded at the head of the encapsulating
structure)

regards
ronnie sahlberg

On Tue, Apr 28, 2009 at 10:32 AM, Harsha wrote:
> On Mon, Apr 27, 2009 at 3:38 PM, Harsha wrote:
> > I did a quick read of the relevant part of DCE RPC specs, but in all
> > the cases I saw it always had the size and then the array. In those
> > cases it is trivial to first extract the size and use the size to
> > extract the array contents.
> Here is an example in Wireshark code where the length of the array and
> then the array are extracted-
> void ept_lookup(
> [in] handle_t hEpMapper,
> [in] unsigned long inquiry_type,
> [in, ptr] UUID* object,
> [in, ptr] RPC_IF_ID* Ifid,
> [in] unsigned long vers_option,
> [in, out]

[The entire original message is not included]
From tridge at samba.org Tue Apr 28 07:47:13 2009
From: tridge at samba.org (tridge@samba.org)
Date: Tue Apr 28 07:47:43 2009
Subject: thread pool helpers
In-Reply-To:
References:
Message-ID: <18934.46209.580482.147268@samba.org>

Hi Volker,

I think you've created a really nice API, but the brokenness of
pthreads makes me think that we're better off implementing that API
either on top of fork() or on top of a raw clone() call.

The particular brokenness in pthreads that I'm thinking of is:

 - when you have any pthreads active on current Linux/glibc, then some
   calls that Samba relies heavily on become extremely slow. For
   example the setreuid() call takes 150x longer (and is racy) when
   you have any threads active (this is because of a mismatch in
   setreuid semantics between POSIX and the linux kernel, which glibc
   tries to compensate for rather badly).

 - if you use the approach of dlopen() of libpthread.so to avoid
   always linking to pthreads then this breaks gdb (at least on
   Ubuntu, and I think on many other platforms).
What happens is that gdb needs to know about the fact that the program is threaded, and once it loaded libpthread then gdb gives a threading error and refuses to continue. The only way I know of to work around these sorts of problems involves us making our own syscall wrappers using syscall(). Do we want to take that approach or do you think your api would work well enough on top of fork() ? Cheers, Tridge From Volker.Lendecke at SerNet.DE Tue Apr 28 08:04:05 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Apr 28 08:03:31 2009 Subject: thread pool helpers In-Reply-To: <18934.46209.580482.147268@samba.org> References: <18934.46209.580482.147268@samba.org> Message-ID: On Tue, Apr 28, 2009 at 05:47:13PM +1000, tridge@samba.org wrote: > The only way I know of to work around these sorts of problems involves > us making our own syscall wrappers using syscall(). Do we want to take > that approach or do you think your api would work well enough on top > of fork() ? No, I don't think it would work on top of fork() because we have to do marshalling and unmarshalling of all the arguments and results. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/e6eb49c8/attachment.bin From j.kerihuel at openchange.org Tue Apr 28 09:16:33 2009 From: j.kerihuel at openchange.org (Julien Kerihuel) Date: Tue Apr 28 09:16:40 2009 Subject: [openchange][devel] Parsing array and its size in EcDoRpcExt2 In-Reply-To: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com> References: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com> Message-ID: <1240910193.3869.58.camel@cerebrox.openchange.local> On Mon, 2009-04-27 at 15:38 -0700, Harsha wrote: > Hi all, > > I am writing a dissector for Wireshark for MAPI protocol and was > trying to parse a DCERPC message. 
The code comments in Wireshark > mentioned that the Samba folks maintain the DCERPC part, so I figured > that this would be the best place to post my question. > > I was trying to parse this MSRPC function in Wireshark- > > long __stdcall EcDoRpcExt2( > [in, out, ref] CXH * pcxh, [in, out] unsigned long *pulFlags, > [in, size_is(cbIn)] unsigned char rgbIn[], > [in] unsigned long cbIn,
> [out, length_is(*pcbOut), size_is(*pcbOut)] unsigned char rgbOut[], > [in, out] BIG_RANGE_ULONG *pcbOut,
> [in, size_is(cbAuxIn)] unsigned char rgbAuxIn[], > [in] unsigned long cbAuxIn, [out, length_is(*pcbAuxOut), > size_is(*pcbAuxOut)] unsigned char rgbAuxOut[], > [in, out] SMALL_RANGE_ULONG *pcbAuxOut, > [out] unsigned long *pulTransTime > ); > > I'm stuck trying to parse > > [in, size_is(cbIn)] unsigned char rgbIn[], > [in] unsigned long cbIn, Hi Harsha, You'll find below a *very* preliminary IDL and remarks: typedef [public, bitmap16bit] bitmap { RHEF_Compressed = 0x0001, RHEF_XorMagic = 0x0002, RHEF_Last = 0x0004 } RPC_HEADER_EXT_Flags; typedef [public] struct { uint16 Version; RPC_HEADER_EXT_Flags Flags; uint16 Size; uint16 SizeActual; } RPC_HEADER_EXT; typedef [public, bitmap32bit] bitmap { pulFlags_NoCompression = 0x00000001, pulFlags_NoXorMagic = 0x00000002, pulFlags_Chain = 0x00000004 } pulFlags; typedef [public] struct { RPC_HEADER_EXT header; [flag(NDR_NOALIGN|NDR_REMAINING)] DATA_BLOB data; } mapi2k3_rgbIn; MAPISTATUS EcDoRpcExt2( [in,out] policy_handle *handle, [in,out] pulFlags *pulFlags, [in, subcontext(4),flag(NDR_REMAINING|NDR_NOALIGN)] mapi2k3_rgbIn *rgbIn, [in] uint32 cbIn, [out] uint32 size, [out] uint32 offset, [out,subcontext(4),flag(NDR_REMAINING|NDR_NOALIGN)] DATA_BLOB rgbOut, [in,out][range(0,262144)] uint32 *pcbOut, [in, subcontext(4),flag(NDR_REMAINING|NDR_NOALIGN)] DATA_BLOB rgbAuxIn, [in] uint32 cbAuxIn, [out,subcontext(4),flag(NDR_REMAINING|NDR_NOALIGN)] DATA_BLOB rgbAuxOut, [in,out][range(0,4104)] uint32 *pcbAuxOut, [out] uint32 *pulTransTime ); - I replaced the SMALL_RANGE_ULONG and BIG_RANGE_ULONG typedefs with their associated values - rgbAuxIn and rgbAuxOut while having their size defined after in the IDL (cbAuxIn, pcbAuxOut) also have their array size prefixing the blob when you look at the NDR blob. - rgbOut is prefixed with [size=4bytes][offset=4bytes][length=4bytes], so I turned it into a subcontext(4) handling length and explicitly added size and offset field for padding purposes. 
- In this IDL I have only started to hack rgbIn which I changed from DATA_BLOB to mapi2k3_rgbIn (not definitive names). The reason why I turned the initial uint8 array into subcontexts is that the blob processing - using samba4 NDR layer - needs to be done manually (see ndr_mapi.c in openchange trunk) - and dealing with DATA_BLOB is easier IMHO than uint8 array when it comes to use this blob as a ndr context - for boundaries etc.

About the decoding routines internals (will focus on rgbIn as it shouldn't be different for other blobs):

- the mapi2k3_rgbIn can be either a single request or multiple requests (depending if the Last flag is enabled). Note that using NDR_REMAINING for the mapi2k3_rgbIn.data is incorrect since it doesn't consider the Last flag at all.
- secondly it can either be Xor'ed (already used for EcDoRpc) or Compressed (see samba4/librpc/idl/drsuapi.idl and compression(NDR_COMPRESSION_XPRESS)). The point is that as far as I know, we won't be able to process this using a pidl union. While we can easily use switch_is(Header.Flags) in mapi2k3_rgbIn, we also need to supply the length and actual length so the lxpress decompression can be done properly.

Conclusion:

1. I plan to implement this similarly to what was done for EcDoRpc:
   - Try to write as much EcDoRpcExt2 related structures as possible, tag them as public and use NDR_NOALIGN
2. Only write manually the mapi2k3_rgbIn pull/push/print functions and rely as much as possible on generated/existing IDL.

PS: TDR is probably the best way to implement this, but that would cost a lot of extra work and this would probably take quite some time before we get back to the same level of features/stability.
Note: I have preliminary tried to use the following IDL which turns to decode the EcDoRpcExt2 blob properly, but which has limitations - mostly because rgbOut, rgbAuxIn and pcbAuxOut are not NDR encoded (see the NDR_NOALIGN hack) and I try to avoid as much as possible non-pidl generated code:

    MAPISTATUS EcDoRpcExt2(
        [in,out] policy_handle *handle,
        [in,out] pulFlags *pulFlags,
        [in,size_is(cbIn)] uint8 rgbIn[],
        [in] uint32 cbIn,
        [out, length_is(*pcbOut), size_is(*pcbOut)] uint8 rgbOut[],
        [in,out][range(0,262144)] uint32 *pcbOut,
        [in,size_is(cbAuxIn)] uint8 rgbAuxIn[],
        [in] uint32 cbAuxIn,
        [out, length_is(*pcbAuxOut), size_is(*pcbAuxOut)] uint8 rgbAuxOut[],
        [in,out][range(0,4104)] uint32 *pcbAuxOut,
        [out] uint32 *pulTransTime
    );

> The problem I see is that we first have the array and then its length.
>
> I did a quick read of the relevant part of DCE RPC specs, but in all
> the cases I saw it always had the size and then the array. In those
> cases it is trivial to first extract the size and use the size to
> extract the array contents.
>
> I'm sure it is not a typo in the spec, so clearly I'm missing
> something. Can someone please clarify how to parse the array field ?
>
> Any pointers/ suggestions/ hints welcome.
>
> Many thanks,
> Harsha

Julien Kerihuel
j.kerihuel@openchange.org
OpenChange Project Manager
GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79

From bubulle at debian.org Tue Apr 28 10:19:49 2009
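The bounds checks a hand-written mapi2k3_rgbIn pull function needs when the blob chains several RPC_HEADER_EXT blocks up to the one flagged Last, as an added example that is not OpenChange or Samba code. It assumes little-endian header fields and that SizeActual equals Size when the Compressed flag is clear; the function and status names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values from the RPC_HEADER_EXT_Flags bitmap in the IDL above. */
#define RHEF_Compressed 0x0001
#define RHEF_XorMagic   0x0002
#define RHEF_Last       0x0004
#define RPC_HEADER_EXT_LEN 8u /* Version, Flags, Size, SizeActual: 4 x uint16 */

struct rpc_header_ext {
    uint16_t version, flags;
    uint16_t size;        /* payload bytes on the wire */
    uint16_t size_actual; /* payload bytes once decompressed */
};

/* Hypothetical status codes for this example. */
enum walk_status {
    WALK_OK = 0, WALK_TRUNCATED_HEADER, WALK_PAYLOAD_OVERRUN,
    WALK_SIZE_MISMATCH, WALK_MISSING_LAST, WALK_TRAILING_BYTES,
    WALK_TOO_MANY_BLOCKS
};

/* Assumption: header fields are little-endian on the wire. */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Walk a chained rgbIn blob: [header][Size bytes] repeated until a header
 * carries RHEF_Last. Every length is checked against the bytes that are
 * really left before it is used, so a hostile Size cannot move the cursor
 * outside buf. Headers are copied to out[]; payloads are not decoded here.
 */
enum walk_status walk_rgb_in(const uint8_t *buf, size_t len,
                             struct rpc_header_ext *out, size_t max_blocks,
                             size_t *n_blocks)
{
    size_t off = 0;

    *n_blocks = 0;
    for (;;) {
        struct rpc_header_ext h;

        if (off == len)
            return WALK_MISSING_LAST;       /* ran out before RHEF_Last */
        if (len - off < RPC_HEADER_EXT_LEN)
            return WALK_TRUNCATED_HEADER;
        if (*n_blocks == max_blocks)
            return WALK_TOO_MANY_BLOCKS;

        h.version     = le16(buf + off);
        h.flags       = le16(buf + off + 2);
        h.size        = le16(buf + off + 4);
        h.size_actual = le16(buf + off + 6);
        off += RPC_HEADER_EXT_LEN;

        if (h.size > len - off)
            return WALK_PAYLOAD_OVERRUN;
        /* Assumption: without compression both sizes must agree. */
        if (!(h.flags & RHEF_Compressed) && h.size_actual != h.size)
            return WALK_SIZE_MISMATCH;

        out[(*n_blocks)++] = h;
        off += h.size;

        if (h.flags & RHEF_Last)
            return off == len ? WALK_OK : WALK_TRAILING_BYTES;
    }
}

/* Constructed sample: two chained blocks, plus one stray byte at index 21. */
static const uint8_t sample[22] = {
    0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x03, 0x00, 0xaa, 0xbb, 0xcc,
    0x00, 0x00, 0x05, 0x00, 0x02, 0x00, 0x10, 0x00, 0xdd, 0xee,
    0xff
};
static struct rpc_header_ext blocks[4];
static size_t block_count;

/* Walk only the first len bytes of the sample (demo helper). */
enum walk_status walk_sample(size_t len)
{
    return walk_rgb_in(sample, len, blocks, 4, &block_count);
}

int main(void)
{
    static const size_t lens[] = { 21, 20, 13, 11, 22 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        int st = (int)walk_sample(lens[i]);
        printf("len=%2zu status=%d blocks=%zu\n", lens[i], st, block_count);
    }
    return 0;
}
```

Decompression and the Xor transform would run per block only after this walk has accepted the whole buffer.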
From: bubulle at debian.org (Christian Perrier) Date: Tue Apr 28 10:21:52 2009 Subject: SambaXP In-Reply-To: References: Message-ID: <20090428101948.GH3840@mykerinos.kheops.frmug.org> Quoting Karolin Seeger (ks@sernet.de): > Hi Ido, > > On Mon, Apr 27, 2009 at 09:26:19PM +0300, Ido Mandril wrote: > > I just wonder if anyone know when some of the presentation will be available > > to download from the SambaXP web time. > > > > I didn't make it this year to join the conference so I really want to know > > what was going on over there. > > > > It seems like many interesting development with Samba4 and OpenChange. > > > > Can someone make a note about that? > > the audio files will be available a few weeks after the conference as well > as the slides (if the speakers sent them in ;-). Please stay tuned. Hmmm, where are we supposed to send the files to? From jerry at plainjoe.org Tue Apr 28 11:26:26 2009 From: jerry at plainjoe.org (Gerald Carter) Date: Tue Apr 28 11:26:19 2009 Subject: SambaXP In-Reply-To: <20090428101948.GH3840@mykerinos.kheops.frmug.org> References: <20090428101948.GH3840@mykerinos.kheops.frmug.org> Message-ID: <49F6E7E2.6040008@plainjoe.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Christian Perrier wrote: >> the audio files will be available a few weeks after the conference as well >> as the slides (if the speakers sent them in ;-). Please stay tuned. > > > Hmmm, where are we supposed to send the files to? I think. cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn25+IACgkQIR7qMdg1EfaZfwCfWUKcMd9ZExiwTubp3TuELwDz NPkAnRBTs2C9iOJyzwA1hYwPyFEa+vSL =at4d -----END PGP SIGNATURE----- From crh at ubiqx.mn.org Tue Apr 28 13:08:19 2009 
From: crh at ubiqx.mn.org (Christopher R. Hertel) Date: Tue Apr 28 13:08:29 2009 Subject: MS-CIFS preview document In-Reply-To: References: <49F665D3.3000700@ubiqx.mn.org> Message-ID: <49F6FFC3.4020202@ubiqx.mn.org> Volker, Good question. I will open a bug ticket on this and make sure we have correct and/or more complete information in the final. Thanks! Chris -)----- Volker Lendecke wrote: > On Mon, Apr 27, 2009 at 09:11:31PM -0500, Christopher R. Hertel wrote: >> As announced at SambaXP last week, there is a preview version of the >> [MS-CIFS] document available from Microsoft. The main page for preview >> documents was not quite ready in time for SambaXP (so I provided a link to >> the actual content), but it's up and running now: >> >> http://msdn.microsoft.com/en-us/library/dd727484.aspx > > Quick reply: In the Notes for the SMB_COM_NT_CANCEL windows > behaviour you write: > > Windows clients use this command ONLY when disconnecting > from a TID. It is not used for any other purpose. > > Does this mean that Windows NT4 does not support > NT_TRANSACT_NOTIFY_CHANGE? I thought I had seen a cancel > when a user changes directories in Windows Explorer. > > Volker -- "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)----- crh@ubiqx.mn.org OnLineBook -- http://ubiqx.org/cifs/ -)----- crh@ubiqx.org From obnox at samba.org Tue Apr 28 13:19:20 2009 
From: obnox at samba.org (Michael Adam) Date: Tue Apr 28 13:19:19 2009 Subject: SambaXP In-Reply-To: <49F6E7E2.6040008@plainjoe.org> References: <20090428101948.GH3840@mykerinos.kheops.frmug.org> <49F6E7E2.6040008@plainjoe.org> Message-ID: Gerald Carter wrote: > Christian Perrier wrote: > > >> the audio files will be available a few weeks after the conference as well > >> as the slides (if the speakers sent them in ;-). Please stay tuned. > > > > > > Hmmm, where are we supposed to send the files to? > > I think. You are thinking right... =) Cheers - Michael -- Michael Adam SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-370000-0, fax: +49-551-370000-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen http://www.SerNet.DE, mailto: Info @ SerNet.DE From metze at samba.org Tue Apr 28 13:54:29 2009 
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Tue Apr 28 13:54:44 2009 Subject: thread pool helpers In-Reply-To: <18934.46209.580482.147268@samba.org> References: <18934.46209.580482.147268@samba.org> Message-ID: <49F70A95.6030004@samba.org> Hi Tridge, > The particular brokenness in pthreads that I'm thinking of is: > > - when you have any pthreads active on current Linux/glibc, then > some calls that Samba relies heavily on become extremely slow. For > example the setreuid() call takes 150x longer (and is racy) when > you have any threads active (this is because of a mismatch in > setreuid semantics between POSIX and the linux kernel, which glibc > tries to compensate for rather badly). What is the exact difference between both semantics? > - if you use the approach of dlopen() of libpthread.so to avoid > always linking to pthreads then this breaks gdb (at least on > Ubuntu, and I think on many other platforms). What happens is that > gdb needs to know about the fact that the program is threaded, and > once it loaded libpthread then gdb gives a threading error and > refuses to continue. Does that also happen when you explicitly dlopen libpthread.so? I think in the cyrus sasl plugin case libpthread was loaded implicitly as the plugin itself was linked against it. > The only way I know of to work around these sorts of problems involves > us making our own syscall wrappers using syscall(). Do we want to take > that approach or do you think your api would work well enough on top > of fork() ? That would mean we need to use syscall wrapper for some functions, or for all functions from glibc? Would this syscall wrapper work with pthreads or only with clone()? metze From metze at samba.org Tue Apr 28 14:01:12 2009 
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Tue Apr 28 14:01:10 2009 Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark In-Reply-To: <49F566F2.7080701@samba.org> References: <49F314AA.30802@matws.net> <49F566F2.7080701@samba.org> Message-ID: <49F70C28.6070807@samba.org> Stefan (metze) Metzmacher wrote: > Hi Matthieu, > >> I finally finished my patch to support NTLMSSP auth in LDAP. >> As metze proposed I add the option that read all the keytab that were >> provided, and try all the encoded password inside it. >> >> It seems to work quite well, I tried with a few keytab generated for >> pure "traditional" LDAP with kerberos auth and I've been able to decode >> (well if the keytab contains the md4(password) of the user trying to >> authenticate himself). >> I'm quite surprised that when "extracting" crypted password in a keytab >> they are only stored by using md4(unicode(password))) even if we ask >> keytab to use arc4_hmac (but I'm far from being well aware of all in >> kerberos ...). >> >> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I tested >> mostly with extended security flags so for less secure (and maybe not >> anymore really used ?) scheme (like pure lan manager auth or simple nt >> auth) problems might still exist. >> >> It would be just great if you can provide me some feedback, in any case >> my goal is to submit it to wireshark devs soon. > > Thanks! I'll give it a try in the next days. Would it be possible that you base this patch on wiresharks trunk? metze From j.kerihuel at openchange.org Tue Apr 28 14:46:16 2009 
From: j.kerihuel at openchange.org (Julien Kerihuel) Date: Tue Apr 28 14:46:18 2009 Subject: [openchange][devel] Parsing array and its size in EcDoRpcExt2 In-Reply-To: <1240910193.3869.58.camel@cerebrox.openchange.local> References: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com> <1240910193.3869.58.camel@cerebrox.openchange.local> Message-ID: <1240929976.32021.17.camel@cerebrox.openchange.local> Skipped content of type multipart/mixed-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/82445516/attachment.bin From jra at samba.org Tue Apr 28 15:22:58 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 15:23:02 2009 Subject: thread pool helpers In-Reply-To: <18934.46209.580482.147268@samba.org> References: <18934.46209.580482.147268@samba.org> Message-ID: <20090428152257.GA6813@jeremy-laptop> On Tue, Apr 28, 2009 at 05:47:13PM +1000, tridge@samba.org wrote: > Hi Volker, > > I think you've created a really nice API, but the brokenness of > pthreads make me think that we're better off implementing that API > either on top of fork() or on top of a raw clone() call. > > The particular brokenness in pthreads that I'm thinking of is: > > - when you have any pthreads active on current Linux/glibc, then > some calls that Samba relies heavily on become extremely slow. For > example the setreuid() call takes 150x longer (and is racy) when > you have any threads active (this is because of a mismatch in > setreuid semantics between POSIX and the linux kernel, which glibc > tries to compensate for rather badly). > > - if you use the approach of dlopen() of libpthread.so to avoid > always linking to pthreads then this breaks gdb (at least on > Ubuntu, and I think on many other platforms). What happens is that > gdb needs to know about the fact that the program is threaded, and > once it loaded libpthread then gdb gives a threading error and > refuses to continue. > > The only way I know of to work around these sorts of problems involves > us making our own syscall wrappers using syscall(). Do we want to take > that approach or do you think your api would work well enough on top > of fork() ? Is there a way we can wrap this, so that on systems with non-broken pthread semantics can work with pthreads, and on Linux we use something else ? I really don't want to go down the route of making Samba very Linux specific, and like it or not pthreads is the threading standard on UNIX. How do other programs on Linux using pthreads cope with these issues ? There are *many* threaded programs on Linux that don't have problems. 
Google runs lots of them :-). The setreuid() call being racy is an issue for us, but it might be better to log a glibc bug and try and get this fixed rather than avoid pthreads. Are there any other calls that break, or is it just setreuid() ? The dlopen() problem goes away once we link pthreads directly. Jeremy. From Volker.Lendecke at SerNet.DE Tue Apr 28 15:29:18 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Apr 28 15:28:30 2009 Subject: thread pool helpers In-Reply-To: <20090428152257.GA6813@jeremy-laptop> References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> Message-ID: On Tue, Apr 28, 2009 at 08:22:58AM -0700, Jeremy Allison wrote: > Is there a way we can wrap this, so that on systems with non-broken > pthread semantics can work with pthreads, and on Linux we use something > else ? In case we want this API, it should be pretty easy to hide a clone(2)-based API behind the fncall_send/recv functions. My only worry is that I don't know I get the memory barriers to work correctly across all Linux platforms. Not doing that correctly might introduce subtle bugs on true multiprocessor machines. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/5f7af9bc/attachment.bin From jerry at plainjoe.org Tue Apr 28 15:35:03 2009 
From: jerry at plainjoe.org (Gerald Carter) Date: Tue Apr 28 15:34:56 2009 Subject: thread pool helpers In-Reply-To: References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> Message-ID: <49F72227.4090600@plainjoe.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey Volker, > On Tue, Apr 28, 2009 at 08:22:58AM -0700, Jeremy Allison wrote: >> Is there a way we can wrap this, so that on systems with non-broken >> pthread semantics can work with pthreads, and on Linux we use something >> else ? > > In case we want this API, it should be pretty easy to hide a > clone(2)-based API behind the fncall_send/recv functions. My > only worry is that I don't know I get the memory barriers to > work correctly across all Linux platforms. Not doing that > correctly might introduce subtle bugs on true multiprocessor > machines. For what it's worth Solaris 8 - 10 has been the most problematic system wrt to pthread bugs (in the Likewise codebase). And in those cases, new OS patches would resolve the issues. I don't remember any major pthread issues on Linux. cheers, jerry - -- ===================================================================== http://git.plainjoe.org/ CODE "What man is a man who does not make the world better?" --Balian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkn3IicACgkQIR7qMdg1Efaw/ACgwArB+kbpZL99O+GvdzXddMEf If0An1fuIq5dhVxBDlnVVEi4x5KHu8XD =qUzM -----END PGP SIGNATURE----- From kseeger at samba.org Tue Apr 28 16:09:24 2009 From: kseeger at samba.org (Karolin Seeger) Date: Tue Apr 28 16:09:40 2009 Subject: Release Notes Samba 3.4.0pre1 Message-ID: Hey folks, if you have any proposals for the 3.4.0pre1 release notes, please contact me or commit the changes yourself. Cheers, Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From jra at samba.org Tue Apr 28 16:15:50 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 16:15:43 2009 Subject: Release Notes Samba 3.4.0pre1 In-Reply-To: References: Message-ID: <20090428161550.GA29806@samba1> On Tue, Apr 28, 2009 at 06:09:24PM +0200, Karolin Seeger wrote: > Hey folks, > > if you have any proposals for the 3.4.0pre1 release notes, please contact > me or commit the changes yourself. I need to get the "force user" bugfix in before we do a pre1 release, I'll do that asap. Thanks, Jeremy. From jra at samba.org Tue Apr 28 18:03:51 2009 From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 18:03:59 2009 Subject: Fix for bug #6291 - force user stop working Message-ID: <20090428180351.GE29806@samba1> Karolin, please add to v3-2-test and v3-3-test. This has been confirmed by the bug reporters. I'll push the same fix to master, and send the fix for v3-4-test, but please commit only *after* the 3.4.0 release. Thanks, Jeremy. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-bug-6291-force-user-stop-working.patch Type: text/x-diff Size: 2671 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/804bd65c/0001-Fix-bug-6291-force-user-stop-working.bin From jra at samba.org Tue Apr 28 18:12:18 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 18:12:30 2009 Subject: Fix for bug #6291 - force user stop working In-Reply-To: <20090428180351.GE29806@samba1> References: <20090428180351.GE29806@samba1> Message-ID: <20090428181218.GF29806@samba1> On Tue, Apr 28, 2009 at 11:03:51AM -0700, Jeremy Allison wrote: > Karolin, please add to v3-2-test and v3-3-test. > This has been confirmed by the bug reporters. > > I'll push the same fix to master, and send the > fix for v3-4-test, but please commit only *after* > the 3.4.0 release. Here is the fix for the v3-4-test tree. Thanks, Jeremy. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-bug-6291-force-user-stop-working.patch Type: text/x-diff Size: 2677 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/277fca5f/0001-Fix-bug-6291-force-user-stop-working.bin From ks at sernet.de Tue Apr 28 18:27:06 2009 From: ks at sernet.de (Karolin Seeger) Date: Tue Apr 28 18:27:06 2009 Subject: Fix for bug #6291 - force user stop working In-Reply-To: <20090428180351.GE29806@samba1> References: <20090428180351.GE29806@samba1> Message-ID: Hi Jeremy, hi list, On Tue, Apr 28, 2009 at 11:03:51AM -0700, Jeremy Allison wrote: > Karolin, please add to v3-2-test and v3-3-test. > This has been confirmed by the bug reporters. > > I'll push the same fix to master, and send the > fix for v3-4-test, but please commit only *after* > the 3.4.0 release. after further discussion on irc, we decided to ship 3.3.4 without this patch as "force user" works as expected. Cheers, Karolin -- Samba http://www.samba.org SerNet http://www.sernet.de sambaXP http://www.sambaxp.org From jra at samba.org Tue Apr 28 18:32:13 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 18:32:13 2009 Subject: Fix for bug #6291 - force user stop working In-Reply-To: References: <20090428180351.GE29806@samba1> Message-ID: <20090428183213.GH29806@samba1> On Tue, Apr 28, 2009 at 08:27:06PM +0200, Karolin Seeger wrote: > Hi Jeremy, > hi list, > > On Tue, Apr 28, 2009 at 11:03:51AM -0700, Jeremy Allison wrote: > > Karolin, please add to v3-2-test and v3-3-test. > > This has been confirmed by the bug reporters. > > > > I'll push the same fix to master, and send the > > fix for v3-4-test, but please commit only *after* > > the 3.4.0 release. > > after further discussion on irc, we decided to ship 3.3.4 without this > patch as "force user" works as expected. +1 ack. I thought 3.3.4 wasn't due for a while :-) From karthikeyan.chetty at wipro.com Tue Apr 28 18:39:43 2009 
From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Tue Apr 28 18:39:57 2009 Subject: smbclient not working with Vista NTLMv2. Message-ID: Dear Team, I have faced problem in Samba3.0.14a, After joined Linux to Windows 2003 server with "Send NTLMv2 Response only/refuse LM & NTLM" option enabled. Smbclient is not working with Vista PC. Even I set the "Client use spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file. I don't know the latest changes in Samba 3.0.x, Could you please let me know the exact fix for supporting Vista smbclient with NTLMv2 option is set on Win2K3 server. Thanks in advance, N.S.Karthikeyan From jra at samba.org Tue Apr 28 18:53:35 2009 
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 18:53:28 2009 Subject: smbclient not working with Vista NTLMv2. In-Reply-To: References: Message-ID: <20090428185335.GJ29806@samba1> On Wed, Apr 29, 2009 at 12:09:43AM +0530, karthikeyan.chetty@wipro.com wrote: > Dear Team, > > I have faced problem in Samba3.0.14a, After joined Linux to Windows > 2003 server with "Send NTLMv2 Response only/refuse LM & NTLM" option > enabled. > > Smbclient is not working with Vista PC. Even I set the "Client use > spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file. > > I don't know the latest changes in Samba 3.0.x, Could you please let me > know the exact fix for supporting Vista smbclient with NTLMv2 option is > set on Win2K3 server. 3.0.14a is very old and out of maintenance as far as new features is concerned. Please upgrade to the latest version of Samba which fully supports Windows Vista. Thanks, Jeremy. From karthikeyan.chetty at wipro.com Tue Apr 28 19:05:29 2009 From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Tue Apr 28 19:05:37 2009 Subject: smbclient not working with Vista NTLMv2. In-Reply-To: <20090428185335.GJ29806@samba1> References: <20090428185335.GJ29806@samba1> Message-ID: Dear Jeremy, Thanks for your quick response. I understand that 3.0.14a doesn't have the ntlmv2 support and the code is very old too. My concern is what is the fix given in the latest version to make smbclient operation to work with vista when "Client use spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file. I had seen in the release note that Mr.Andrew had given a fix for ntlmv2 support for vista in 3.0.21a,b,c. "Support raw NTLMSSP authentication for Windows Vista clients". Could you please tell me the exact code changes done for this ntlmv2 support, which will be very much helpful for us. Thanks & Regards N.S.Karthikeyan -----Original Message----- 
From: Jeremy Allison [mailto:jra@samba.org] Sent: Wednesday, April 29, 2009 12:24 AM To: Karthikeyan Sarkarai chetty (WT01 - PES-Peripheral-Technology) Cc: samba-technical@lists.samba.org Subject: Re: smbclient not working with Vista NTLMv2. On Wed, Apr 29, 2009 at 12:09:43AM +0530, karthikeyan.chetty@wipro.com wrote: > Dear Team, > > I have faced problem in Samba3.0.14a, After joined Linux to Windows > 2003 server with "Send NTLMv2 Response only/refuse LM & NTLM" option > enabled. > > Smbclient is not working with Vista PC. Even I set the "Client use > spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file. > > I don't know the latest changes in Samba 3.0.x, Could you please let me > know the exact fix for supporting Vista smbclient with NTLMv2 option is > set on Win2K3 server. 3.0.14a is very old and out of maintenance as far as new features is concerned. Please upgrade to the latest version of Samba which fully supports Windows Vista. Thanks, Jeremy. From andrew at ei-grad.ru Tue Apr 28 19:11:48 2009 
From: andrew at ei-grad.ru (Андрей Григорьев) Date: Tue Apr 28 19:19:40 2009 Subject: late introduction Message-ID: <9645506d0904281211r3b24a8d4lb67e78268ab10381@mail.gmail.com> Hello everyone, My name is Andrew Grigoriev from Russia. I am 20 years old student of Computer Science at Chelyabinsk State University. For Summer of Code I'll be working on the GTKLDB tool. Feel free to contact me: irc.freenode.net: ei-grad xmpp/email: andrew@ei-grad.ru From tprouty at samba.org Tue Apr 28 20:08:13 2009 
From: tprouty at samba.org (Tim Prouty) Date: Tue Apr 28 20:08:24 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-972-g65ad2ce In-Reply-To: <20090409045158.B83491CC0A9@us2.samba.org> References: <20090409045158.B83491CC0A9@us2.samba.org> Message-ID: Hi Tridge, The series of commits you pushed a few weeks ago for util_strlist added new warnings to the source3 builds on master. For an example, see: http://build.samba.org/?function=View+Build;host=isilon-samba;tree=samba_3_master;compiler=gcc;revision=1240925662 I took a look at the 'incompatible pointer type' warnings, but it looks like the APIs may need a little reworking. Could you fix these please? Thanks, -Tim On Apr 8, 2009, at 9:51 PM, Andrew Tridgell wrote: > commit fd7c52231fc4ca6e4ad2a72955a053f321cb0fb4 > Author: Andrew Tridgell > Date: Thu Apr 9 14:28:38 2009 +1000 > > added _const versions of some of the str_list_*() functions > > These const versions don't copy the strings themselves, which > is useful when those strings point at known constant data (into the > schema in this case) > commit 4f69d7067da6a8ee88950ab15aaf5a5849574fdd > Author: Andrew Tridgell > Date: Thu Apr 9 13:44:27 2009 +1000 > > added str_list_unique() and str_list_show() > > I also undid some of the const changes from Andrew, as > they didn't in fact resolve the const warnings. > commit ef6c6ab4c6cee26ea84c2e2a0041ad62f428ad01 > Author: Andrew Tridgell > Date: Tue Apr 7 16:33:26 2009 +1000 > > added a str_list_append() function From tprouty at samba.org Tue Apr 28 21:30:11 2009 
From: tprouty at samba.org (Tim Prouty) Date: Tue Apr 28 21:30:03 2009 Subject: [PATCH] Change unix_convert to use struct smb_filename Message-ID: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> This is the first of a series of patches that change path based operations to operate on a struct smb_filename instead of a char *. This same concept already exists in source4. My goals for this series of patches are to eventually: 1) Solve the stream vs. posix filename that contains a colon ambiguity that currently exists. 2) Make unix_convert the only function that parses the stream name. 3) Clean up the unix_convert API. 4) Change all path based vfs operation to take a struct smb_filename. 5) Make is_ntfs_stream_name() a constant operation that can simply check the state of struct smb_filename rather than re-parse the filename. 6) Eliminate the need for split_ntfs_stream_name() to exist. My strategy is to start from the inside at unix_convert() and work my way out through the vfs layer, call by call. This first patch does just that, by changing unix_convert and all of its callers to operate on struct smb_filename. Since this is such a large change, I plan on pushing the patches in phases, where each phase keeps full compatibility and passes make test. The API of unix_convert has been simplified from: NTSTATUS unix_convert(TALLOC_CTX *ctx, connection_struct *conn, const char *orig_path, bool allow_wcard_last_component, char **pp_conv_path, char **pp_saved_last_component, SMB_STRUCT_STAT *pst) to: NTSTATUS unix_convert(TALLOC_CTX *ctx, connection_struct *conn, const char *orig_path, struct smb_filename *smb_fname, uint32_t ucf_flags) Currently the smb_filename struct looks like: struct smb_filename { char *base_name; char *stream_name; char *original_lcomp; SMB_STRUCT_STAT st; }; One key point here is the decision to break up the base_name and stream_name. 
I have introduced a helper function called get_full_smb_filename() that takes an smb_filename struct and allocates the full_name. I changed the callers of unix_convert() to subsequently call get_full_smb_filename() for the time being, but I plan to eventually eliminate get_full_smb_filename(). I'm going to continue moving forward, but I would love any input or suggestions on the specifics of the data in the smb_filename struct, and the api moving forward. -Tim -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-s3-Change-callers-of-unix_convert-to-use-struct-smb.patch Type: application/octet-stream Size: 46175 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090428/12b695df/0001-s3-Change-callers-of-unix_convert-to-use-struct-smb.obj -------------- next part -------------- From tridge at samba.org Tue Apr 28 21:49:45 2009 From: tridge at samba.org (tridge@samba.org) Date: Tue Apr 28 21:49:50 2009 Subject: thread pool helpers In-Reply-To: <49F72227.4090600@plainjoe.org> References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> <49F72227.4090600@plainjoe.org> Message-ID: <18935.31225.675850.834609@samba.org> -----BEGIN PGP SIGNED MESSAGE----- Hi Jerry, > For what it's worth Solaris 8 - 10 has been the most problematic > system wrt to pthread bugs (in the Likewise codebase). And in > those cases, new OS patches would resolve the issues. I don't > remember any major pthread issues on Linux. Interesting. Do you use setreuid() or equivalent to change uid in a process that also uses threads? I really should read your code .... starting a git clone now ... Cheers, Tridge From jerry at plainjoe.org Tue Apr 28 22:09:57 2009 
From: jerry at plainjoe.org (Gerald Carter)
Date: Tue Apr 28 22:09:55 2009
Subject: thread pool helpers
In-Reply-To: <18935.31225.675850.834609@samba.org>
References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> <49F72227.4090600@plainjoe.org> <18935.31225.675850.834609@samba.org>
Message-ID: <49F77EB5.80704@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tridge@samba.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hi Jerry,
>
>> For what it's worth Solaris 8 - 10 has been the most problematic
>> system wrt to pthread bugs (in the Likewise codebase). And in
>> those cases, new OS patches would resolve the issues. I don't
>> remember any major pthread issues on Linux.
>
> Interesting. Do you use setreuid() or equivalent to change uid in a
> process that also uses threads?

Nope. Access checks are in users space. However, for platforms that
could give me a per thread setreuid(), I would look at using that.

The threading issues were just bugs in the Solaris implementation that
caused random hangs IIRC. I could ask around for the solaris patch
numbers if you were interested.

I (or someone else here) will also probably look at abstracting the
threading call we make. Mainly all we need is shared memory, mutexes,
and shared exclusive locks. Stuff that any proper threading library
would give you. I don't think in the newer code that we exercised
thread cancellation much, but that is an issue in the dcerpc runtime.

Right now, lwiod would not be good for interacting with say a kernel
NFS server for example since it does not integrate with unix
permissions on disk. The self-relative security descriptor is stored
in the EA. Once I can pass the smbtorture ACL tests (meaning I have
the internal security checks right), then I'll start looking at
integrating with POSIX acls since the trade off should be well known
(test results would show the fidelity loss).

But I have considered exploring how much work it would be to write an
NFS driver for lwiod since someone suggested it last week. Just as an
experiment (and for the experience of writing an NFS driver).

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ9361IR7qMdg1EfYRAqtpAJ4/1Ma/fxAH8s80Vgjh9vXa+29xVQCfQcFK
6mFol2PWoH8SVuWnGdBO+dQ=
=vGNh
-----END PGP SIGNATURE-----

From jra at samba.org Tue Apr 28 22:14:36 2009
From: jra at samba.org (Jeremy Allison)
Date: Tue Apr 28 22:14:39 2009
Subject: smbclient not working with Vista NTLMv2.
In-Reply-To:
References: <20090428185335.GJ29806@samba1>
Message-ID: <20090428221436.GK29806@samba1>

On Wed, Apr 29, 2009 at 12:35:29AM +0530, karthikeyan.chetty@wipro.com wrote:
> Dear Jeremy,
>
> Thanks for your quick response.
> I understand that 3.0.14a doesn't have the ntlmv2 support and the
> code is very old too.
>
> My concern is what is the fix given in the latest version to make
> smbclient operation to work with vista when
> "Client use spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file.
>
> I had seen in the release note that Mr.Andrew had given a fix for ntlmv2
> support for vista in 3.0.21a,b,c.
>
> "Support raw NTLMSSP authentication for Windows Vista clients". Could
> you please tell me the exact code changes done for this ntlmv2 support,
> which will be very much helpful for us.

Sorry, that would take a long time to dig out of all the code changes.
I'm afraid you're going to have to look for the patch yourself.

Jeremy.

From jra at samba.org Tue Apr 28 22:56:12 2009
From: jra at samba.org (Jeremy Allison) Date: Tue Apr 28 22:56:06 2009 Subject: [PATCH] Change unix_convert to use struct smb_filename In-Reply-To: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> References: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> Message-ID: <20090428225612.GL29806@samba1> On Tue, Apr 28, 2009 at 02:30:11PM -0700, Tim Prouty wrote: > > One key point here is the decision to break up the base_name and > stream_name. I have introduced a helper function called > get_full_smb_filename() that takes an smb_filename struct and allocates > the full_name. I changed the callers of unix_convert() to subsequently > call get_full_smb_filename() for the time being, but I plan to eventually > eliminate get_full_smb_filename(). > > I'm going to continue moving forward, but I would love any input or > suggestions on the specifics of the data in the smb_filename struct, and > the api moving forward. I really like the look of this - thanks ! But I'll spend some time reviewing it over the next day or so. Cheers, Jeremy. From tridge at samba.org Tue Apr 28 22:57:07 2009 
From: tridge at samba.org (tridge@samba.org)
Date: Tue Apr 28 22:57:30 2009
Subject: thread pool helpers
In-Reply-To: <49F77EB5.80704@plainjoe.org>
References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> <49F72227.4090600@plainjoe.org> <18935.31225.675850.834609@samba.org> <49F77EB5.80704@plainjoe.org>
Message-ID: <18935.35267.157123.103830@samba.org>

-----BEGIN PGP SIGNED MESSAGE-----

Hi Jerry,

> Nope. Access checks are in users space.

do you do anything to combat the race conditions?

For example, a user might exploit a user space access check by doing
this:

  while :; do
    ln -sf /etc/shadow /home/baduser/myfile.txt
    ln -sf /home/baduser/innocent.txt /home/baduser/myfile.txt
  done

then try to access myfile.txt via SMB. If the access check happens
while the file points at innocent.txt and the real open happens while
pointing at /etc/shadow then the user will end up opening /etc/shadow.
Implementing the above hack in C raises the chances of success as
well.

You can do inode number checks to combat this a bit, but that doesn't
work for newly created files in sensitive locations.

> However, for platforms that could give me a per thread setreuid(),
> I would look at using that.

strangely enough, the Linux kernel can give you that, if you bypass
glibc and use syscall() to change your euid.

> I (or someone else here) will also probably look at abstracting the
> threading call we make. Mainly all we need is shared memory,
> mutexes, and shared exclusive locks. Stuff that any proper
> threading library would give you. I don't think in the newer code
> that we exercised thread cancellation much, but that is an issue in
> the dcerpc runtime.

Rusty is currently trying to build "libantithread" which tries to
provide this functionality on top of fork(). See
http://ccan.ozlabs.org/info/antithread.html

Cheers, Tridge

From inet.harsha at gmail.com Wed Apr 29 02:06:36 2009
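Added example, not part of Tridge's mail or of any Samba or Likewise code: the check-then-open sequence the mail describes, next to the inode comparison it mentions, with the link swap forced to happen once inside the window so the outcome is deterministic. The world-readable policy, the scratch directory under /tmp and all function names are constructed for the demo; as the mail notes, the inode comparison does not help for newly created files.

```c
#define _XOPEN_SOURCE 700            /* mkdtemp(), symlink() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed policy for the demo: the server process can open anything,
 * so it decides in user space and only serves world-readable regular files. */
static int policy_allows(const struct stat *st)
{
    return S_ISREG(st->st_mode) && (st->st_mode & S_IROTH) != 0;
}

/* Stand-in for the other process: runs in the window between check and open. */
typedef void (*window_hook)(void *arg);

/* Check by name, then open by name: two separate path lookups. */
int open_check_then_open(const char *path, window_hook hook, void *arg)
{
    struct stat st;
    if (stat(path, &st) != 0 || !policy_allows(&st)) { errno = EACCES; return -1; }
    if (hook) hook(arg);
    return open(path, O_RDONLY);
}

/* Same check, but the opened descriptor must be the inode that was checked. */
int open_check_open_verify(const char *path, window_hook hook, void *arg)
{
    struct stat checked, opened;
    int fd;
    if (stat(path, &checked) != 0 || !policy_allows(&checked)) { errno = EACCES; return -1; }
    if (hook) hook(arg);
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &opened) != 0 || opened.st_dev != checked.st_dev ||
        opened.st_ino != checked.st_ino) {
        close(fd);                   /* the name now resolves to another inode */
        errno = EACCES;
        return -1;
    }
    return fd;
}

struct relink { char link[256]; char target[256]; };

/* Equivalent of one `ln -sf target link`. */
static void relink_to_target(void *arg)
{
    struct relink *r = arg;
    unlink(r->link);
    if (symlink(r->target, r->link) != 0) perror("symlink");
}

static int write_file(const char *path, const char *text, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    /* chmod so the intended mode is not altered by the umask */
    return (n == (ssize_t)strlen(text) && chmod(path, mode) == 0) ? 0 : -1;
}

/* Returns 1 if the restricted file was served, 0 if the permitted one was,
 * -1 if the open was refused, -2 if the scratch directory could not be set up. */
int run_demo(int verify_inode, int relink_in_window)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char ok[256], restricted[256], buf[16] = {0};
    struct relink r;
    int fd, result = -1;
    if (mkdtemp(dir) == NULL) return -2;
    snprintf(ok, sizeof ok, "%s/innocent.txt", dir);
    snprintf(restricted, sizeof restricted, "%s/restricted.txt", dir);
    snprintf(r.link, sizeof r.link, "%s/myfile.txt", dir);
    snprintf(r.target, sizeof r.target, "%s", restricted);
    if (write_file(ok, "public", 0644) != 0 ||
        write_file(restricted, "secret", 0600) != 0 || symlink(ok, r.link) != 0)
        return -2;
    window_hook hook = relink_in_window ? relink_to_target : NULL;
    fd = verify_inode ? open_check_open_verify(r.link, hook, &r)
                      : open_check_then_open(r.link, hook, &r);
    if (fd >= 0) {
        if (read(fd, buf, sizeof buf - 1) > 0) result = (strcmp(buf, "secret") == 0);
        close(fd);
    }
    unlink(r.link); unlink(ok); unlink(restricted); rmdir(dir);
    return result;
}

int main(void)
{
    printf("check-then-open, link swapped in window: %d\n", run_demo(0, 1));
    printf("inode-verified,  link swapped in window: %d\n", run_demo(1, 1));
    printf("inode-verified,  no swap:                %d\n", run_demo(1, 0));
    return 0;
}
```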
From: inet.harsha at gmail.com (Harsha) Date: Wed Apr 29 02:06:29 2009 Subject: [openchange][devel] Parsing array and its size in EcDoRpcExt2 In-Reply-To: <1240929976.32021.17.camel@cerebrox.openchange.local> References: <142e6bbe0904271538k64cd50f8ve837717476be8aac@mail.gmail.com> <1240910193.3869.58.camel@cerebrox.openchange.local> <1240929976.32021.17.camel@cerebrox.openchange.local> Message-ID: <142e6bbe0904281906k52dbc26awdd739cac83aca4f1@mail.gmail.com> Hi Ronnie, Julien, Thanks for the excellent pointers. I also read chapter 14 of DCERPC specs and now understand conformant arrays and it all makes sense. Julien, I'll follow up with you regarding EcDoRpcExt2 and can help you in extracting chained headers. Thanks again, Harsha From Arandar.xia at chn.fujixerox.com Wed Apr 29 02:22:18 2009 
From: Arandar.xia at chn.fujixerox.com (Xia, Arandar)
Date: Wed Apr 29 03:25:23 2009
Subject: Poor performance when accessing Linux from Windows XP because of too many QUERY_FILE_INFO requests
Message-ID: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net>

Dear all,
My question is described as follows.

Server: Linux
        Samba-3.3.1
Client: Windows XP with SP3

Step1: connect to the samba server.
Step2: select a directory name "test". (The directory is created before testing.)

According to data captured by Wireshark, I find the following phenomenon:
The client will send a lot of NT Create AndX requests and QUERY_FILE_INFO requests.
The client repeats exactly the same queries many times before giving up. The whole network log repeats exactly the same sequence, only the FID is different every time. In my test FID changes from 0x3002 to 0x306a. And any access to a directory will result in these requests.
If I use a Linux client, this does not happen.

I am using a VFS backend of Samba to setup a file server. An action to get attributes of the file is needed for each QUERY_FILE_INFO request and there are so many requests. I think it is the reason why my Samba service is slow.
Could anyone help me to find the reason and give a solution?
Is there any wrong with my configuration or problem in my VFS backend?

The following data is only a part of community data.

No.  Source  Destination  Protocol  Info
26   client  server       SMB       Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path:
27   server  client       SMB       Trans2 Response, QUERY_PATH_INFO
28   client  server       SMB       Trans2 Request, FIND_FIRST2, Pattern: \test
29   server  client       SMB       Trans2 Response, FIND_FIRST2, Files: test
30   client  server       SMB       NT Create AndX Request, Path: \test
31   server  client       SMB       NT Create AndX Response, FID: 0x3002
32   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Internal Info
33   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
34   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Basic Info
35   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
36   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Standard Info
37   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
38   client  server       SMB       Trans2 Request, QUERY_FS_INFO, Query FS Volume Info
39   server  client       SMB       Trans2 Response, QUERY_FS_INFO
40   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Basic Info
41   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
42   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Standard Info
43   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
44   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File EA Info
45   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
46   client  server       SMB       NT Create AndX Request, Path: \test:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
47   server  client       SMB       NT Create AndX Response, Error: STATUS_OBJECT_PATH_NOT_FOUND
48   client  server       SMB       Close Request, FID: 0x3002
49   server  client       SMB       Close Response
50   client  server       SMB       NT Create AndX Request, Path: \test
51   server  client       SMB       NT Create AndX Response, FID: 0x3004
52   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Internal Info
53   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
54   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Basic Info
55   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
56   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Standard Info
57   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
58   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Basic Info
59   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
60   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Standard Info
61   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
62   client  server       SMB       Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File EA Info
63   server  client       SMB       Trans2 Response, QUERY_FILE_INFO
64   client  server       SMB       NT Create AndX Request, Path: \test:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA
65   server  client       SMB       NT Create AndX Response, Error: STATUS_OBJECT_PATH_NOT_FOUND
66   client  server       SMB       Close Request, FID: 0x3004
67   server  client       SMB       Close Response

Best Regards!

// Zeyi

From crh at ubiqx.mn.org Wed Apr 29 04:03:37 2009
From: crh at ubiqx.mn.org (Christopher R. Hertel) Date: Wed Apr 29 04:09:12 2009 Subject: Poor performance when accessing Linux from Windows XP because of too many QUERY_FILE_INFO requests In-Reply-To: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net> References: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net> Message-ID: <49F7D199.7010904@ubiqx.mn.org> In a word: Yes. Yes, you are going to see this sort of thing when you use the Windows Explorer (the GUI) to view directories. This has nothing to do with the server you are using. Try the same thing against a Windows server and you will have the same results. The client drives the interaction. Now do a 'dir' of the directory from the CMD shell in Windows. Chris -)----- Xia, Arandar wrote: > Dear all, > My question is described as follows. > > Server: Linux > Samba-3.3.1 > Client: Windows XP with SP3 > > Step1: connect to the samba server. > Step2: select a directory name ?test?. (The directory is created before testing.) > > According to data captured by Wireshark, I find the following phenomenon: > The client will send a lot of NT Create AndX requests and QUERY_FILE_INFO requests. > The client repeats exactly the same queries many times before giving up. The whole network log repeats exactly the same sequence, only the FID is different every time. In my test FID changes from 0x3002 to 0x306a. And any access to a directory will result in these requests. > If I use a Linux client, this does not happen. > > I am using a VFS backend of Samba to setup a file server. An action to get attributes of the file is needed for each QUERY_FILE_INFO request and there are so many requests. I think it is the reason why my Samba service is slow. > Could anyone help me to find the reason and give a solution? > Is there any wrong with my configuration or problem in my VFS backend? > > The following data is only a part of community data. > No. 
Source Destination Protocol Info > 26 client server SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: > 27 server client SMB Trans2 Response, QUERY_PATH_INFO > 28 client server SMB Trans2 Request, FIND_FIRST2, Pattern: \test > 29 server client SMB Trans2 Response, FIND_FIRST2, Files: test > 30 client server SMB NT Create AndX Request, Path: \test > 31 server client SMB NT Create AndX Response, FID: 0x3002 > 32 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Internal Info > 33 server client SMB Trans2 Response, QUERY_FILE_INFO > 34 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Basic Info > 35 server client SMB Trans2 Response, QUERY_FILE_INFO > 36 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Standard Info > 37 server client SMB Trans2 Response, QUERY_FILE_INFO > 38 client server SMB Trans2 Request, QUERY_FS_INFO, Query FS Volume Info > 39 server client SMB Trans2 Response, QUERY_FS_INFO > 40 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Basic Info > 41 server client SMB Trans2 Response, QUERY_FILE_INFO > 42 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File Standard Info > 43 server client SMB Trans2 Response, QUERY_FILE_INFO > 44 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3002, Query File EA Info > 45 server client SMB Trans2 Response, QUERY_FILE_INFO > 46 client server SMB NT Create AndX Request, Path: \test:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA > 47 server client SMB NT Create AndX Response, Error: STATUS_OBJECT_PATH_NOT_FOUND > 48 client server SMB Close Request, FID: 0x3002 > 49 server client SMB Close Response > 50 client server SMB NT Create AndX Request, Path: \test > 51 server client SMB NT Create AndX Response, FID: 0x3004 > 52 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Internal Info > 53 server client SMB Trans2 Response, QUERY_FILE_INFO > 54 client 
server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Basic Info > 55 server client SMB Trans2 Response, QUERY_FILE_INFO > 56 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Standard Info > 57 server client SMB Trans2 Response, QUERY_FILE_INFO > 58 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Basic Info > 59 server client SMB Trans2 Response, QUERY_FILE_INFO > 60 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File Standard Info > 61 server client SMB Trans2 Response, QUERY_FILE_INFO > 62 client server SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x3004, Query File EA Info > 63 server client SMB Trans2 Response, QUERY_FILE_INFO > 64 client server SMB NT Create AndX Request, Path: \test:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA > 65 server client SMB NT Create AndX Response, Error: STATUS_OBJECT_PATH_NOT_FOUND > 66 client server SMB Close Request, FID: 0x3004 > 67 server client SMB Close Response > > Best Regards! > > // Zeyi -- "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)----- crh@ubiqx.mn.org OnLineBook -- http://ubiqx.org/cifs/ -)----- crh@ubiqx.org From karthikeyan.chetty at wipro.com Wed Apr 29 04:24:55 2009 From: karthikeyan.chetty at wipro.com (karthikeyan.chetty@wipro.com) Date: Wed Apr 29 04:24:55 2009 Subject: smbclient not working with Vista NTLMv2. In-Reply-To: <20090428221436.GK29806@samba1> References: <20090428185335.GJ29806@samba1> <20090428221436.GK29806@samba1> Message-ID: Dear Jeremy, Thanks for your prompt reply, Oh..its okey,I have the seen that fix might be available in Samba3.0.25,lot of code changes between samba3.0.14a and 25. It is tedious process to find the fix. Thanks & Regards N.S.Karthikeyan -----Original Message----- 
From: Jeremy Allison [mailto:jra@samba.org] Sent: Wednesday, April 29, 2009 3:45 AM To: Karthikeyan Sarkarai chetty (WT01 - PES-Peripheral-Technology) Cc: jra@samba.org; samba-technical@lists.samba.org Subject: Re: smbclient not working with Vista NTLMv2. On Wed, Apr 29, 2009 at 12:35:29AM +0530, karthikeyan.chetty@wipro.com wrote: > Dear Jeremy, > > Thanks for your quick response. > I understand that 3.0.14a doesn't have the ntlmv2 support and the > code is very old too. > > My concern is what is the fix given in the latest version to make > smbclient operation to work with vista when > "Client use spnego = Yes" & "client ntlmv2 auth =yes" in smb.conf file. > > I had seen in the release note that Mr.Andrew had given a fix for ntlmv2 > support for vista in 3.0.21a,b,c. > > "Support raw NTLMSSP authentication for Windows Vista clients". Could > you please tell me the exact code changes done for this ntlmv2 support, > which will be very much helpful for us. Sorry, that would take a long time to dig out of all the code changes. I'm afraid you're going to have to look for the patch yourself. Jeremy. From Arandar.xia at chn.fujixerox.com Wed Apr 29 05:24:19 2009
From: Arandar.xia at chn.fujixerox.com (Xia, Arandar) Date: Wed Apr 29 05:24:21 2009 Subject: Poor performance when accessing Linux from Windows XP because of too many QUERY_FILE_INFO requests In-Reply-To: <49F7D199.7010904@ubiqx.mn.org> References: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net> <49F7D199.7010904@ubiqx.mn.org> Message-ID: <57B55E659FD0974E93C0ECBE79DF731C22F20464CA@SGPAPHQ-EXSCC02.dc01.fujixerox.net> > Yes, you are going to see this sort of thing when you use the Windows Explorer (the GUI) to view directories. You are right, I use Windows Explorer. > Now do a 'dir' of the directory from the CMD shell in Windows. If doing operations from the CMD of Windows, there is no such a problem. Thank you very much. // Zeyi From crh at ubiqx.mn.org Wed Apr 29 05:38:58 2009 
From: crh at ubiqx.mn.org (Christopher R. Hertel) Date: Wed Apr 29 05:44:29 2009 Subject: Poor performance when accessing Linux from Windows XP because of too many QUERY_FILE_INFO requests In-Reply-To: <57B55E659FD0974E93C0ECBE79DF731C22F20464CA@SGPAPHQ-EXSCC02.dc01.fujixerox.net> References: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net> <49F7D199.7010904@ubiqx.mn.org> <57B55E659FD0974E93C0ECBE79DF731C22F20464CA@SGPAPHQ-EXSCC02.dc01.fujixerox.net> Message-ID: <49F7E7F2.5060304@ubiqx.mn.org> Xia, Arandar wrote: >> Yes, you are going to see this sort of thing when you use the Windows Explorer (the GUI) to view directories. > You are right, I use Windows Explorer. > >> Now do a 'dir' of the directory from the CMD shell in Windows. > If doing operations from the CMD of Windows, there is no such a problem. > > Thank you very much. > // Zeyi :) That was my point, however. The problem is with the application driving the SMB commands, not with the SMB client or server themselves. Chris -)----- -- "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq. ubiqx Team -- http://www.ubiqx.org/ -)----- crh@ubiqx.mn.org OnLineBook -- http://ubiqx.org/cifs/ -)----- crh@ubiqx.org From Volker.Lendecke at SerNet.DE Wed Apr 29 07:41:12 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Wed Apr 29 07:40:26 2009 Subject: [SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1312-gf8cc0e8 In-Reply-To: <20090429015210.0BB971CC0F1@us2.samba.org> References: <20090429015210.0BB971CC0F1@us2.samba.org> Message-ID: Hi, Bo! On Tue, Apr 28, 2009 at 08:52:09PM -0500, Bo Yang wrote: > diff --git a/source3/libsmb/async_smb.c b/source3/libsmb/async_smb.c > index 6faf96c..17040b8 100644 > --- a/source3/libsmb/async_smb.c > +++ b/source3/libsmb/async_smb.c 
> @@ -604,6 +604,10 @@ bool cli_smb_req_send(struct tevent_req *req) > struct cli_smb_state *state = tevent_req_data( > req, struct cli_smb_state); > > + if (state->cli->fd == -1) { > + return false; > + } > + Thanks :-) Can you change cli_smb_req_send() and cli_smb_req_iov_send() to return not bool but NTSTATUS and return PIPE_DISCONNECTED in this case? The callers of cli_smb_req_iov_send think this is NT_STATUS_NO_MEMORY which is not the case anymore. Thanks, Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090429/2b20ac5c/attachment.bin From sam at liddicott.com Wed Apr 29 08:08:19 2009 From: sam at liddicott.com (Sam Liddicott) Date: Wed Apr 29 08:09:34 2009 Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server References: <49F0637F.1070200@liddicott.com> Message-ID: <49F80AF3.4090201@liddicott.com> Volker, hows this then? Signed-off-by: Sam Liddicott --- source4/libcli/raw/libcliraw.h | 3 +++ source4/libcli/smb_composite/sesssetup.c | 12 ++++++++++++ 2 files changed, 15 insertions(+), 0 deletions(-) -------------- next part -------------- A non-text attachment was scrubbed... Name: 54e943276f3d9bee952b82b870894d105475599b.diff Type: text/x-patch Size: 1877 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090429/7d167fa1/54e943276f3d9bee952b82b870894d105475599b.bin From metze at samba.org Wed Apr 29 08:32:37 2009 
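Review bot: in the source3/libsmb/async_smb.c hunk quoted in Volker Lendecke's reply above, the new early exit in cli_smb_req_send() (if (state->cli->fd == -1) return false;) hands the caller a bare false with no reason attached, and nothing at the check says why fd would be -1 at this point. Add a one-line comment stating what an fd of -1 means for this connection, and consider a return type that lets the caller distinguish this exit from the function's other failure paths.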
From: metze at samba.org (Stefan (metze) Metzmacher) Date: Wed Apr 29 08:32:50 2009 Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server In-Reply-To: <49F80AF3.4090201@liddicott.com> References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> Message-ID: <49F810A5.10300@samba.org> Sam Liddicott schrieb: > Volker, hows this then? > > > Signed-off-by: Sam Liddicott > --- > source4/libcli/raw/libcliraw.h | 3 +++ > source4/libcli/smb_composite/sesssetup.c | 12 ++++++++++++ > 2 files changed, 15 insertions(+), 0 deletions(-) > > > + if (state->setup.nt1.out.os && + !(session->os=talloc_strdup(session, state->setup.nt1.out.os))) c->status = NT_STATUS_NO_MEMORY; + if (state->setup.nt1.out.lanman && + !(session->lanman=talloc_strdup(session, state->setup.nt1.out.lanman))) c->status = NT_STATUS_NO_MEMORY; why do you want to do everything in one line? if (state->setup.nt.out.os) { session->os = talloc_strdup(session, state->setup.nt1.out.os); if (!session->os) { c->status = NT_STATUS_NO_MEMORY; } } else { sesson->os = NULL; } would be much nicer and much easier to read and understand. metze -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature Url : http://lists.samba.org/archive/samba-technical/attachments/20090429/cdaca759/signature.bin From sam at liddicott.com Wed Apr 29 09:08:36 2009 From: sam at liddicott.com (Sam Liddicott) Date: Wed Apr 29 09:09:20 2009 Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> <49F810A5.10300@samba.org> Message-ID: <49F81914.5080006@liddicott.com> * Stefan (metze) Metzmacher wrote, On 29/04/09 09:32: > Sam Liddicott schrieb: > >> Volker, hows this then? 
>> >> >> Signed-off-by: Sam Liddicott >> --- >> source4/libcli/raw/libcliraw.h | 3 +++ >> source4/libcli/smb_composite/sesssetup.c | 12 ++++++++++++ >> 2 files changed, 15 insertions(+), 0 deletions(-) >> >> >> >> > + if (state->setup.nt1.out.os && > + !(session->os=talloc_strdup(session, state->setup.nt1.out.os))) > c->status = NT_STATUS_NO_MEMORY; > + if (state->setup.nt1.out.lanman && > + !(session->lanman=talloc_strdup(session, > state->setup.nt1.out.lanman))) c->status = NT_STATUS_NO_MEMORY; > > why do you want to do everything in one line? > Because I think it is easier to construe the intention, rather than merely the action: if (state->setup.nt1.out.os && !(session->os=talloc_strdup(session, state->setup.nt1.out.os))) c->status = NT_STATUS_NO_MEMORY; spead reading: If there is an out.os and you can't save it then fail. In longhand it says: If state's setup nt1 out has an os but talloc_strdup fails to copy it to the session os then store the fault in c->status - which still expresses the intention directly. > if (state->setup.nt.out.os) { > session->os = talloc_strdup(session, state->setup.nt1.out.os); > if (!session->os) { > c->status = NT_STATUS_NO_MEMORY; > } > } else { > sesson->os = NULL; > } > The above disguises the intention in a tedium of small operations, taking 8 lines, only two of which represent common execution behaviour. There's too little meaning, too little going on to spread over eight lines. > would be much nicer and much easier to read and understand. > Well... I think it's very tedious and wastes a lot of screen space drawing attention to something that is a very minor action for the function. I don't want it to look more than a simple safe-copy, or it disturbs the reading of the function. I prefer a fractal-detail approach. My one liner has just as much structure in it, but you don't need to see the structure until you look at it in detail. 
It's then easier to see the function's intended at a glance without being caught up in details which are important but don't represent the intent of the function. Sam From kseeger at samba.org Wed Apr 29 09:10:26 2009 
From: kseeger at samba.org (Karolin Seeger) Date: Wed Apr 29 09:10:30 2009 Subject: [Announce] Samba 3.3.4 Available for Download Message-ID: ================================================================= "A banker is a fellow who lends you his umbrella when the sun is shining and wants it back the minute it begins to rain." Mark Twain ================================================================= Release Announcements ===================== This is the latest bugfix release of the Samba 3.3 series. Major enhancements in Samba 3.3.4 include: o Fix domain logins for WinXP clients pre SP3 (bug #6263). o Fix samr_OpenDomain access checks (bug #6089). o Fix usrmgr.exe creating a user (bug #6243). ###################################################################### Changes ####### Changes since 3.3.3: -------------------- o Michael Adam * net conf: Save share name as given, not as lower case only. * Prevent creation of registry keys containing the '/' character. o Jeremy Allison * BUG 6089: Fix samr_OpenDomain access checks. * BUG 6254: Fix IPv6 PUT/GET errors to an SMB server (3.3) with "msdfs root" set to "yes". * BUG 6279: Fix Winbind crash. * Allow pdbedit to change a user rid/sid. * When doing a cli_ulogoff don't invalidate the cnum, invalidate the vuid. * Don't access a freed structure when logging off and re-using a vuid. o Guenther Deschner * BUG 5329: Add "net rpc service delete/create". * BUG 6238: Make sure wbcLogoffUserParams are properly initialized before freed. * BUG 6263: Fix domain logins for WinXP clients pre SP3. * BUG 6286: Call init function for builtin idmap modules before probing for them as shared modules. * Try to to fix password_expired flag handling. * Make sure to grey out change fields in the netdomjoin-gui when not running as root. o Jim McDonough * Don't look up local user for remote changes, even when root. o Volker Lendecke * BUG 6243: Fix usrmgr.exe creating a user. 
* Use procid_str in debug messages for better cluster-debuggability. * Use cluster-aware procid_is_me instead of comparing pids. * Fix smbd crash for close_on_completion. * Fix a memleak in an unlikely error path in change_notify_create(). * Do not use the file system GET_REAL_FILENAME for mangled names. o Stefan Metzmacher * Fix a crash bug if we timeout in net rpc trustdom list. * Add '--request-timeout' option to net. o Martin Schwenke * In net_conf_import, start a transaction when importing a single share. o Simo Sorce * Fix writing of roaming profiles with "profile acls" set to "yes". ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from: http://download.samba.org/samba/ftp/ The release notes are available online at: http://www.samba.org/samba/ftp/history/samba-3.3.4.html Binary packages will be made available on a volunteer basis from http://download.samba.org/samba/ftp/Binary_Packages/ Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090429/23030031/attachment.bin From kseeger at samba.org Wed Apr 29 09:10:26 2009 From: kseeger at samba.org (Karolin Seeger) Date: Wed Apr 29 09:11:15 2009 Subject: [Samba] [Announce] Samba 3.3.4 Available for Download Message-ID: Skipped content of type multipart/signed-------------- next part -------------- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba From mat+Informatique.Samba at matws.net Wed Apr 29 09:15:57 2009 
From: mat+Informatique.Samba at matws.net (Matthieu Patou)
Date: Wed Apr 29 09:16:18 2009
Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark
In-Reply-To: <49F70C28.6070807@samba.org>
References: <49F314AA.30802@matws.net> <49F566F2.7080701@samba.org> <49F70C28.6070807@samba.org>
Message-ID: <49F81ACD.2020004@matws.net>

On 04/28/2009 06:01 PM, Stefan (metze) Metzmacher wrote:
> Stefan (metze) Metzmacher wrote:
>
>> Hi Matthieu,
>>
>>
>>> I finally finished my patch to support NTLMSSP auth in LDAP.
>>> As metze proposed I add the option that read all the keytab that were
>>> provided, and try all the encoded password inside it.
>>>
>>> It seems to work quite well, I tried with a few keytab generated for
>>> pure "traditional" LDAP with kerberos auth and I've been able to decode
>>> (well if the keytab contains the md4(password) of the user trying to
>>> authenticate himself).
>>> I'm quite surprised that when "extracting" crypted password in a keytab
>>> they are only stored by using md4(unicode(password))) even if we ask
>>> keytab to use arc4_hmac (but I'm far from being well aware of all in
>>> kerberos ...).
>>>
>>> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I tested
>>> mostly with extended security flags so for less secure (and maybe not
>>> anymore really used ?) scheme (like pure lan manager auth or simple nt
>>> auth) problems might still exist.
>>>
>>> It would be just great if you can provide me some feedback, in any case
>>> my goal is to submit it to wireshark devs soon.
>>>
>> Thanks! I'll give it a try in the next days.
>>
> Would it be possible that you base this patch on wiresharks trunk?
>
You mean ?

Matthieu.

From metze at samba.org Wed Apr 29 09:47:05 2009
From: metze at samba.org (Stefan (metze) Metzmacher)
Date: Wed Apr 29 09:47:05 2009
Subject: [Patch] Support for LDAP with GSSAPI/NTLMSSP auth scheme decoding in wireshark
In-Reply-To: <49F81ACD.2020004@matws.net>
References: <49F314AA.30802@matws.net> <49F566F2.7080701@samba.org> <49F70C28.6070807@samba.org> <49F81ACD.2020004@matws.net>
Message-ID: <49F82219.5090902@samba.org>

Matthieu Patou wrote:
> On 04/28/2009 06:01 PM, Stefan (metze) Metzmacher wrote:
>> Stefan (metze) Metzmacher wrote:
>>
>>> Hi Matthieu,
>>>
>>>
>>>> I finally finished my patch to support NTLMSSP auth in LDAP.
>>>> As metze proposed I add the option that read all the keytab that were
>>>> provided, and try all the encoded password inside it.
>>>>
>>>> It seems to work quite well, I tried with a few keytab generated for
>>>> pure "traditional" LDAP with kerberos auth and I've been able to decode
>>>> (well if the keytab contains the md4(password) of the user trying to
>>>> authenticate himself).
>>>> I'm quite surprised that when "extracting" crypted password in a keytab
>>>> they are only stored by using md4(unicode(password))) even if we ask
>>>> keytab to use arc4_hmac (but I'm far from being well aware of all in
>>>> kerberos ...).
>>>>
>>>> Concerning protocols, I tested NTLM v1 and NTLM v2, for NTLM v1 I
>>>> tested
>>>> mostly with extended security flags so for less secure (and maybe not
>>>> anymore really used ?) scheme (like pure lan manager auth or simple nt
>>>> auth) problems might still exist.
>>>>
>>>> It would be just great if you can provide me some feedback, in any case
>>>> my goal is to submit it to wireshark devs soon.
>>>>
>>> Thanks! I'll give it a try in the next days.
>>>
>> Would it be possible that you base this patch on wiresharks trunk?
>>
> You mean ?

Sorry, I was just too stupid to apply the patch, I'm testing it now...

metze

From mail at cynapses.org Wed Apr 29 09:48:56 2009
From: mail at cynapses.org (Andreas Schneider)
Date: Wed Apr 29 09:55:38 2009
Subject: Automated pam_winbind testing
Message-ID: <200904291148.56942.mail@cynapses.org>

Skipped content of type multipart/mixed

From kseeger at samba.org Wed Apr 29 10:07:18 2009
From: kseeger at samba.org (Karolin Seeger)
Date: Wed Apr 29 10:07:07 2009
Subject: Documentation for the new Kerberos parameters
Message-ID:

Hi Dan,

could you please provide documentation for the Kerberos smb.conf
parameters you introduced with commit d96248a9b4?

That is needed before the release of 3.4.0 (planned for July 1, 2009).

Thanks in advance!

Cheers,
Karolin

--
Samba       http://www.samba.org
SerNet      http://www.sernet.de
sambaXP     http://www.sambaxp.org

From Volker.Lendecke at SerNet.DE Wed Apr 29 07:43:11 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Wed Apr 29 10:18:53 2009
Subject: Poor performance when accessing Linux from Windows XP because of too many QUERY_FILE_INFO requests
In-Reply-To: <49F7D199.7010904@ubiqx.mn.org>
References: <57B55E659FD0974E93C0ECBE79DF731C22F2046030@SGPAPHQ-EXSCC02.dc01.fujixerox.net> <49F7D199.7010904@ubiqx.mn.org>
Message-ID:

Hi!

On Tue, Apr 28, 2009 at 11:03:37PM -0500, Christopher R. Hertel wrote:
> In a word: Yes.
>
> Yes, you are going to see this sort of thing when you use the Windows
> Explorer (the GUI) to view directories.
>
> This has nothing to do with the server you are using. Try the same thing
> against a Windows server and you will have the same results. The client
> drives the interaction.
>
> Now do a 'dir' of the directory from the CMD shell in Windows.

Chris, we had this discussion on samba@samba.org already.
Arandar Xia will just not believe that this is normal
Windows behaviour, at least not me. Let's see on which
mailing list he shows up next.

Volker

From kseeger at samba.org Wed Apr 29 10:33:33 2009
From: kseeger at samba.org (Karolin Seeger)
Date: Wed Apr 29 10:33:45 2009
Subject: Documentation "map untrusted to domain"
Message-ID:

Hi Steven,

would you please add some documentation for the new "map untrusted
to domain" smb.conf parameter? It's needed before the release of 3.4.0.

Thanks in advance!

Cheers,
Karolin

--
Samba       http://www.samba.org
SerNet      http://www.sernet.de
sambaXP     http://www.sambaxp.org

From jerry at samba.org Wed Apr 29 11:41:36 2009
From: jerry at samba.org (Gerald Carter)
Date: Wed Apr 29 11:41:48 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
In-Reply-To: <49F81914.5080006@liddicott.com>
References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> <49F810A5.10300@samba.org> <49F81914.5080006@liddicott.com>
Message-ID: <49F83CF0.5080901@samba.org>

Hey Sam,

> The above disguises the intention in a tedium of
> small operations, taking 8 lines, only two of
> which represent common execution behaviour.
>
> There's too little meaning, too little going on
> to spread over eight lines.

I'm on the outside of this one, but I'll chime in anyways.

Coding style debates are a waste of time in my opinion.
Developers should optimize for the collective and not the
individual. It is imperative for someone else to be able
to pick up your code and immediately understand it.
Diverging from the established conventions of the large
body of code is just a distraction.

If it were me, I would rather not worry about the cosmetics
and my own personal style. I would want the functional
change accepted into upstream. Currently there's an
established coding convention that has obviously not been
followed.

But the final decision is not mine, so take this for what
it's worth.



cheers, jerry
--
=====================================================================
http://git.plainjoe.org/         CODE
"What man is a man who does not make the world better?"      --Balian

From mail at cynapses.org Wed Apr 29 13:19:53 2009
From: mail at cynapses.org (Andreas Schneider)
Date: Wed Apr 29 13:20:05 2009
Subject: Automated pam_winbind testing
In-Reply-To: <200904291148.56942.mail@cynapses.org>
References: <200904291148.56942.mail@cynapses.org>
Message-ID: <200904291519.53620.mail@cynapses.org>

Skipped content of type multipart/mixed

From jra at samba.org Wed Apr 29 15:39:25 2009
From: jra at samba.org (Jeremy Allison)
Date: Wed Apr 29 15:39:27 2009
Subject: [Samba] [Announce] Samba 3.3.4 Available for Download
In-Reply-To:
References:
Message-ID: <20090429153925.GA9348@jeremy-desktop>

On Wed, Apr 29, 2009 at 11:10:26AM +0200, Karolin Seeger wrote:
> =================================================================
> "A banker is a fellow who lends you his
> umbrella when the sun is shining and
> wants it back the minute it begins to
> rain."
>
> Mark Twain
> =================================================================
>
>
> Release Announcements
> =====================
>
> This is the latest bugfix release of the Samba 3.3 series.
>
> Major enhancements in Samba 3.3.4 include:

Great work in getting this out Karolin, and I love the quote :-).

Thanks,

Jeremy.

From sam at liddicott.com Wed Apr 29 16:06:19 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Wed Apr 29 16:07:48 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> <49F810A5.10300@samba.org> <49F81914.5080006@liddicott.com> <49F83CF0.5080901@samba.org>
Message-ID: <49F87AFB.3010708@liddicott.com>

* Gerald Carter wrote, On 29/04/09 12:41:
> Hey Sam,
>
>> The above disguises the intention in a tedium of
>> small operations, taking 8 lines, only two of
>> which represent common execution behaviour.
>>
>> There's too little meaning, too little going on
>> to spread over eight lines.
>>
>
> I'm on the outside of this one, but I'll chime in anyways.
>
you're welcome
> Coding style debates are a waste of time in my opinion.
> Developers should optimize for the collective and not the
> individual.
I appreciate your comments Jerry. I think perhaps we would have begun
a debate on coding style; I took Stefan's question as an enquiry and
not requirement.

I think you make some good points, I hope you don't mind me commenting
on them. I don't intend to start a fruitless debate, only to
illustrate what I'm thinking.

> It is imperative for someone else to be able
> to pick up your code and immediately understand it.
>
quite so, it is this on which the merits of conventions are often
debated.
> Diverging from the established conventions of the large
> body of code is just a distraction.
>
I realise that you and Metze think that is what I've done, but I think
you've mostly been looking at Samba code which happens to follow your
preferred style (perhaps you wrote most of what you look at).

However I've not used styles which aren't widely used in the samba4
codebase, as I show in answer to a point below.

> If it were me, I would rather not worry about the cosmetics
> and my own personal style. I would want the functional
> change accepted into upstream.
I'm more worried about how much I have to re-work patches to meet
other personal styles, and then I have to hack up my wip tree
afterwards to contain the new "approved" patch, sometimes after our
own tree has undergone internal testing.
> Currently there's an
> established coding convention that has obviously not been
> followed.
>
There's more than one established convention widely present in the
code base.

A rough audit of the samba code (less than an hour to run):

$ find . -type f -name '*.[ch]' | xargs -L 1 git blame | grep -v '^0000' \
  | grep 'if[ (][^"]*[^=!><|&+-'\'']=[^=].*)' | tee /tmp/style.who

Picks over 400 examples of an if condition testing an embedded
assignment, (which I think is what the main objection is - but I'm
guessing) - but certainly many are of a similar form to my patch.
(A different audit suggests that there were 10 times as many, but I'm
not sure about that)

Some found by the above command are:

    if (!(ctrl[i] = talloc(ctrl, struct ldb_control))) {

    if(r && (res = mp_int_copy(rout, r)) != MP_OK) goto CLEANUP;

    if (!(cli = smbcli_state_init(NULL)) ||
        !smbcli_socket_connect(cli, server_name, destports,
                               ev_ctx, resolve_ctx, options,
                               iconv_convenience, socket_options)) {

And I like it, I find it very expressive. I don't mind if you and
Metze don't like it, but the code base is full of it. The last two are
particularly like mine.

I note that metze prefers:

    if(v & 1) {
        if((res = mp_int_mul(c, &t, c)) != MP_OK)
            goto CLEANUP;
    }

But A Bartlett prefers a 1 liner:

    if(q && (res = mp_int_copy(qout, q)) != MP_OK) goto CLEANUP;

To see who uses this disputed style, with a line count:

$ < /tmp/style.who sed -e "s/^[^(]*(//;s/ *200.*//;" | sort -n | uniq -c | sort -nr
    107 Jelmer Vernooij
    107 Andrew Bartlett
     60 Andrew Tridgell
     32 Stefan Metzmacher
     27 Volker Lendecke
     27 Simo Sorce
     20 Sam Liddicott
     19 Heimdal Import User
     11 James Peach
      7 Tom Parkin
      3 Kai Blin
      3 Derrell Lipman
      1 Michael Adam
      1 Jeremy Allison

So in conclusion I think it's a case of objectors saying "I wouldn't
have written it like that" - (a valid view) but it's OK because my
name will be on the commit, not theirs.

I've fallen before between conflicting requirements of Samba team
members, unable to satisfy both.

In perspective, this patch works, and it takes into account functional
feedback from Volker.. It's not this patch that's the problem, but the
over 150 that we've got queued up for our next code drop.

> But the final decision is not mine, so take this for what
> it's worth.
>
Well coming from you it's worth a lot, and it stimulated me to
investigate how far out I was, and I'm happy that I'm not far out at
all.

Whether or not this patch is accepted, I'm still worried about the
other 150.

Sam

From Volker.Lendecke at SerNet.DE Wed Apr 29 16:24:37 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Wed Apr 29 16:24:34 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
In-Reply-To: <49F87AFB.3010708@liddicott.com>
References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> <49F810A5.10300@samba.org> <49F81914.5080006@liddicott.com> <49F83CF0.5080901@samba.org> <49F87AFB.3010708@liddicott.com>
Message-ID:

On Wed, Apr 29, 2009 at 05:06:19PM +0100, Sam Liddicott wrote:
> Some found by the above command are:
>
> if (!(ctrl[i] = talloc(ctrl, struct ldb_control))) {

There was a time in Samba development where our
recommendations told us this is good. At some point this
changed again to the

ctrl[i] = talloc(ctrl, struct ldb_control);
if (ctrl[i] == NULL) {
}

style for better debuggability. But obviously we did not
change all the code from in between.

Volker

From jerry at plainjoe.org Wed Apr 29 16:32:44 2009
From: jerry at plainjoe.org (Gerald Carter)
Date: Wed Apr 29 16:32:44 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
In-Reply-To: <49F87AFB.3010708@liddicott.com>
References: <49F0637F.1070200@liddicott.com> <49F80AF3.4090201@liddicott.com> <49F810A5.10300@samba.org> <49F81914.5080006@liddicott.com> <49F83CF0.5080901@samba.org> <49F87AFB.3010708@liddicott.com>
Message-ID: <49F8812C.6070100@plainjoe.org>

Hey Sam,

> I realise that you and Metze think that is
> what I've done, but I think you've mostly
> been looking at Samba code which happens
> to follow your preferred style (perhaps you
> wrote most of what you look at).

Hahah...Sorry. :) On this one you are making an invalid
assumption. I've in fact spent most of the past 12 - 18
months in the likewise-open code base which has an entirely
different style. For example:

http://git.likewise.com/?p=likewise-open.git;a=blob;f=lwio/server/pvfs/fileBasicInfo.c;h=84734fc3da7d4d579e73665d04e887bbe582bcab;hb=c7153ecc58a2047669c6d95a870cf58283bd6a54

> However I've not used styles which aren't widely
> used in the samba4 codebase, as I show in answer
> to a point below.

Coding style in Samba has been more oral tradition in the
past. Think of the styles as rings in a tree. You could
normally figure out how old code was by the indents. :-)
I think even now, there is not strict adherence as you
point out.

So three issues at risk of starting an even longer thread.

(a) Shared repositories will code style divergences unless
    there is some peer pressure to enforce guidelines.
(b) Migrating a code base (and in this case two branches
    historically driven by different teams) to a consistent
    coding style is hard.
(c) Rewriting other patches inhibits the growth of the
    project's broader developer community.

So then it follows that (a) is an internal issue for the
core dev team, while (c) is an external facing problem.
(b) can only be solved once (a) and (c) are solved.

> I'm more worried about how much I have to re-work
> patches to meet other personal styles, and then I
> have to hack up my wip tree afterwards to
> contain the new "approved" patch, sometimes after
> our own tree has undergone internal testing.
...
> There's more than one established convention widely
> present in the code base.

Agreed. But this should not really be a question of
personal style. If it matches README.Coding and
prog_guide4.txt you should be safe. If you follow
that and the patch is refused due to style reasons,
it is the project's fault and not yours.

> Whether or not this patch is accepted, I'm still
> worried about the other 150.

I can't really comment on accepting patches. I removed
myself from commit access to the main repo in lieu of
working strictly in my personal branches. But in response
to the other 150 patches, (a) It's always better to know
what the rules are, and (b) it's always better to separate
the drafting stage from the publishing stage.

Metze or Volker hold the power to accept the patch. I just
like discussions about distributed development and community
processes ;) All this opinion and $1.87 will buy you a tall
coffee at Starbucks.



cheers, jerry
--
=====================================================================
http://git.plainjoe.org/         CODE
"What man is a man who does not make the world better?"      --Balian

From sam at liddicott.com Wed Apr 29 17:45:23 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Wed Apr 29 17:46:23 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
Message-ID: <0000124209@timbuctoo.liddicott.com>

-----Original Message-----
From: Volker Lendecke
>
>There was a time in Samba development where our
>recommendations told us this is good. At some point this
>changed again to the
>
>ctrl[i] = talloc(ctrl, struct ldb_control);
>if (ctrl[i] == NULL) {
>}
>
>style for better debuggability. But obviously we did not
>change all the code from in between.

This reason goes a long way to ease the pain of writing such
unreadably long-winded code.

I'll see if I can bear to redo that patch... although I might have to
post it under a false name :-)

Thanks

Sam

From jht at samba.org Wed Apr 29 23:28:33 2009
From: jht at samba.org (John H Terpstra - Samba Team)
Date: Wed Apr 29 23:27:33 2009
Subject: Samba-3.3.4 Challenges
Message-ID: <49F8E2A1.30606@samba.org>

Hi,

Samba 3.3.3 on Centos 5.3 has problems with profile acls on the profiles
share, so today I updated to samba 3.3.4. This solves the profile acls
problem but appears to have introduced a new bug.

Would someone who has 3.3.4 please try the following:

1. Execute the following and record the values reported:
       net getlocalsid
       net getdomainsid

2. Change the workgroup name

3. stop smbd, nmbd, and winbind

4. delete the secrets.tdb file

5. Start samba daemons: smbd nmbd winbind

6. Reset the original domain sid using:
       net setdomainsid S-1-5-21-xxxxxxxxxxx-xxxxxxxxx-xxxxxxxxx
   per the values obtained from 'net getdomainsid'

The error message is:
       "Cannot fetch local SID."

I am requesting validation to make sure this is not an isolated problem.
I'll file a bug report if someone can confirm this is not an isolated
issue.

Thanks.

- John T.
--
"If at first you don't succeed, don't go sky-diving!"

From jra at samba.org Wed Apr 29 23:39:29 2009
From: jra at samba.org (Jeremy Allison)
Date: Wed Apr 29 23:39:37 2009
Subject: [PATCH] Change unix_convert to use struct smb_filename
In-Reply-To: <20090428225612.GL29806@samba1>
References: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> <20090428225612.GL29806@samba1>
Message-ID: <20090429233929.GB22581@jeremy-desktop>

On Tue, Apr 28, 2009 at 03:56:12PM -0700, Jeremy Allison wrote:
> On Tue, Apr 28, 2009 at 02:30:11PM -0700, Tim Prouty wrote:
> >
> > One key point here is the decision to break up the base_name and
> > stream_name. I have introduced a helper function called
> > get_full_smb_filename() that takes an smb_filename struct and allocates
> > the full_name. I changed the callers of unix_convert() to subsequently
> > call get_full_smb_filename() for the time being, but I plan to eventually
> > eliminate get_full_smb_filename().
> >
> > I'm going to continue moving forward, but I would love any input or
> > suggestions on the specifics of the data in the smb_filename struct, and
> > the api moving forward.
>
> I really like the look of this - thanks ! But I'll spend some
> time reviewing it over the next day or so.

Sorry Tim, didn't get to this today, can I finish
reviewing tomorrow instead ?

Jeremy.

From tprouty at samba.org Thu Apr 30 00:11:03 2009
From: tprouty at samba.org (Tim Prouty)
Date: Thu Apr 30 00:11:01 2009
Subject: [PATCH] Change unix_convert to use struct smb_filename
In-Reply-To: <20090429233929.GB22581@jeremy-desktop>
References: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> <20090428225612.GL29806@samba1> <20090429233929.GB22581@jeremy-desktop>
Message-ID:

On Apr 29, 2009, at 4:39 PM, Jeremy Allison wrote:
> Sorry Tim, didn't get to this today, can I finish
> reviewing tomorrow instead ?

Yes, that would be fine.

-Tim

From scott.lovenberg at gmail.com Thu Apr 30 00:14:25 2009
From: scott.lovenberg at gmail.com (scott.lovenberg@gmail.com)
Date: Thu Apr 30 00:12:05 2009
Subject: Samba-3.3.4 Challenges
Message-ID: <901019232-1241050298-cardhu_decombobulator_blackberry.rim.net-1505907742-@bxe1089.bisx.prod.on.blackberry>

I can confirm this from a few weeks ago. I did just about the test that
you described with sernet RPMs on centos 5.3 proper. Both 32 and 64 bit.
My user SIDS remained, but groups were lost. Domain members passed a
testjoin and resolved users via winbind without problem. I can give more
info when I have a proper keyboard in front of me in an hour or so
(currently on my phone, which is painful to type on!) I might still have
logs, also...

------Original Message------
From: John H Terpstra - Samba Team
Sender: samba-technical-bounces+scott.lovenberg=gmail.com@lists.samba.org
To: Samba Lists
ReplyTo: jht@samba.org
Subject: Samba-3.3.4 Challenges
Sent: Apr 29, 2009 19:28

Hi,

Samba 3.3.3 on Centos 5.3 has problems with profile acls on the profiles
share, so today I updated to samba 3.3.4. This solves the profile acls
problem but appears to have introduced a new bug.

Would someone who has 3.3.4 please try the following:

1. Execute the following and record the values reported:
       net getlocalsid
       net getdomainsid

2. Change the workgroup name

3. stop smbd, nmbd, and winbind

4. delete the secrets.tdb file

5. Start samba daemons: smbd nmbd winbind

6. Reset the original domain sid using:
       net setdomainsid S-1-5-21-xxxxxxxxxxx-xxxxxxxxx-xxxxxxxxx
   per the values obtained from 'net getdomainsid'

The error message is:
       "Cannot fetch local SID."

I am requesting validation to make sure this is not an isolated problem.
I'll file a bug report if someone can confirm this is not an isolated
issue.

Thanks.

- John T.
--
"If at first you don't succeed, don't go sky-diving!"


Please forgive the formatting of this message; typed on my BlackBerry.

From miguel.sanders at arcelormittal.com Thu Apr 30 06:30:39 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 06:30:59 2009
Subject: Question on GPFS VFS
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6EBA2@GEN-MXB-V04.msad.arcelor.net>

Hi guys

I have been using Samba quite a long time with a GPFS backend for shares
without problems.
However, when I compiled Samba back then, I didn't compile GPFS support
with it.
Moreover I only use traditional ACLs on GPFS exported shares (no NFSv4
ACLs).
I have been reading that you should use the GPFS VFS when using GPFS
exported shares because of possible data corruption.
Is this true? Is there also a performance benefit when using GPFS VFS?
Are there other things I should take into account?

Thanks for clarifying.

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

From sam at liddicott.com Thu Apr 30 08:25:39 2009
From: sam at liddicott.com (Sam Liddicott)
Date: Thu Apr 30 08:26:24 2009
Subject: darn azez [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
References: <49F8812C.6070100@plainjoe.org>
Message-ID: <49F96083.7090606@liddicott.com>

Apologies for sending that out as azez, instead of myself.

Please reply to sam@liddicott.com and not azez@ufomechanic.net

Poor-Excuse: git-imap-send doesn't use ssl and I don't want to send my
real account password out in plain text, so I have it sent to my old
imap drafts where I pick it up with thunderbird and sometimes forget to
adjust the sender.

I think I'll edit the thunderbird account so that the azez account has
my sam@liddicott.com "from" address.

Sam

From azez at ufomechanic.net Thu Apr 30 08:22:51 2009
From: azez at ufomechanic.net (Amin Azez)
Date: Thu Apr 30 08:30:51 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
In-Reply-To: <49F8812C.6070100@plainjoe.org>
References: <49F8812C.6070100@plainjoe.org>
Message-ID: <49F95FDB.9000508@ufomechanic.net>

* Gerald Carter wrote, On 29/04/09 17:32:
>> There's more than one established convention widely
>> present in the code base.
>
> Agreed. But this should not really be a question of
> personal style. If it matches README.Coding and
> prog_guide4.txt you should be safe. If you follow
> that and the patch is refused due to style reasons,
> it is the project's fault and not yours.

I'm not picking fault here, or trying to argue; just pointing out how
it looks from my position.

The documents you mention encourage the style I used, and do not
discourage it, apart from tab-8 spacing which no-one follows.

The two documents you mention make recommendations that are not
followed even in new code. In short, they can't be trusted, it seems
that they misled me and are somewhat ignored by everyone else.

prog_guide4.txt

I've read prog_guide4.txt numerous times before and re-read it today.
It's still only "solicit[ing] comments from a few" and the only
reference to the aspects of style we were discussing is a preference
for another document elsewhere: Documentation/CodingStyle in the linux
kernel.

Documentation/CodingStyle

Recommends 8-space tabs, but samba uses 4 spaces.

Encourages use of braces-less if statements, e.g.
|    if (buffer == NULL)
|        return -ENOMEM;

We regularly break the recommendation about not returning from a
function via a macro. (822 times by my count)

Against the advice of this document, we have loads of macros that
depend on local variables having certain names.

To my mind both of these "infractions" are fine, and are probably what
README.Coding refers to as "coding style should never outweigh coding
itself"

README.Coding

It refers to Documentation/CodingStyle again and K&R guidelines
(wherever they are?) and humorously suggests an automatic
re-formatter, later disparaged by prog_guide4.txt

It is also out of date, It suggests 8 space tabs to indent, but 4
spaces are used nearly everywhere.

Finally, it explicitly encourages the style I was using: (reformatted)

|When invoking functions that return pointer values, either of the
|following are acceptable. Use you best judgement[1] and choose the
|more readable option.
|Remember that many other people will review it.::
|
|    if ((x = malloc(sizeof(short)*10)) == NULL ) {
|        fprintf(stderr, "Unable to alloc memory!\n");
|    }
|
|or::
|
|    x = malloc(sizeof(short)*10);
|    if (!x) {
|        fprintf(stderr, "Unable to alloc memory!\n");
|    }

So I've broken the "secret" Samba team coding style, by following the
recommendations of the published coding style documents, which even
says (README.Coding): "However, coding style should never outweigh
coding itself..."

[1] In my judgement I used the more readable option; however I
acknowledge that many other people review it, but compare the attached
51 line patch (48 lines to copy 6 strings!) and see which is more
readable - I mean readable-for-intent, not human-as-a-compiler.

Maybe a third way with this macro? We're certainly not afraid of
macros in samba:

/* Return true if src is NULL or can be talloc_strdup'd to dest
   Return false if src is not NULL and can't be copied to dest */
#define talloc_strdup_ok(mem_ctx, dest, src) \
    ((dest)=((src)?(talloc_strdup((mem_ctx), (src))):NULL),\
    ((src)?(dest!=NULL):1==1))

Then we can have:

    if (! talloc_strdup_ok(session, session->os, state->setup.old.out.os))
        c->status = NT_STATUS_NO_MEMORY;

NOT-Signed-off: Sam Liddicott
---
 source4/libcli/raw/libcliraw.h           |    3 ++
 source4/libcli/smb_composite/sesssetup.c |   48 ++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 0 deletions(-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 13d07625de2a1b52fa44f09d7e511fd4ecefbe2e.diff
Type: text/x-patch
Size: 2357 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/aec5af63/13d07625de2a1b52fa44f09d7e511fd4ecefbe2e.bin

From Volker.Lendecke at SerNet.DE Thu Apr 30 08:49:52 2009
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Thu Apr 30 08:50:15 2009
Subject: Question on GPFS VFS
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6EBA2@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6EBA2@GEN-MXB-V04.msad.arcelor.net>
Message-ID:

On Thu, Apr 30, 2009 at 08:30:39AM +0200, miguel.sanders@arcelormittal.com wrote:
> I have been reading that you should use the GPFS VFS when
> using GPFS exported shares because of possible data
> corruption.

Well, this might be attributed to the gpfs share modes and leases which Samba only makes use of when the gpfs module is compiled in. This is only relevant though if you have cross-platform (i.e. CIFS/NFS/local processes) applications that are also aware of these concepts.

> Is this true? Is there also a performance benefit when
> using GPFS VFS? Are there other things I should take into
> account?

In latest GPFS and Samba we make use of the new getrealfilename call in GPFS which helps you for large directories.

Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/9fa04574/attachment.bin

From sam at liddicott.com Thu Apr 30 08:50:18 2009
From: sam at liddicott.com (Sam Liddicott) Date: Thu Apr 30 08:50:39 2009 Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server References: <49F8812C.6070100@plainjoe.org> <49F95FDB.9000508@ufomechanic.net> Message-ID: <49F9664A.8020000@liddicott.com> * Amin Azez wrote, On 30/04/09 09:22: > > The documents you mention encourage the style I used, and do not > discourage it, apart from tab-8 spacing which no-one follows. > Perhaps everyone does follow that, it was careless reading on my part, I thought it said 8 spaces but it said NOT 8 spaces. I don't think I misread anything else - here's hoping! Sam From Volker.Lendecke at SerNet.DE Thu Apr 30 10:04:18 2009 From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Thu Apr 30 10:03:50 2009 Subject: [PATCH] Change unix_convert to use struct smb_filename In-Reply-To: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> References: <98996537-6FED-4570-84C8-57EE731D9508@samba.org> Message-ID: On Tue, Apr 28, 2009 at 02:30:11PM -0700, Tim Prouty wrote: > NTSTATUS unix_convert(TALLOC_CTX *ctx, > connection_struct *conn, > const char *orig_path, > struct smb_filename *smb_fname, > uint32_t ucf_flags) Just a quick stylistic question: Why not allocate the smb_filename struct in unix_convert and have the substrings as talloc children off that? In case this turns out to be a malloc performance hit, we can always do the appropriate talloc_pool trick inside unix_convert. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/13207921/attachment.bin From kseeger at samba.org Thu Apr 30 10:48:52 2009 
From: kseeger at samba.org (Karolin Seeger)
Date: Thu Apr 30 10:48:54 2009
Subject: [Announce] Samba 3.4.0pre1 Available for Download
Message-ID:

Release Announcements
=====================

This is the first preview release of Samba 3.4. This is *not*
intended for production environments and is designed for testing
purposes only. Please report any defects via the Samba bug reporting
system at https://bugzilla.samba.org/.


Major enhancements in Samba 3.4.0 include:
------------------------------------------

General changes:
o Samba4 and Samba3 sources are included in the tarball

Authentication Changes:
o Changed the way smbd handles untrusted domain names given during user
  authentication.

Printing Changes:
o Various fixes including printer change notification for Samba
  spoolss print servers.

Internal changes:
o The remaining hand-marshalled DCE/RPC services (ntsvcs, svcctl, eventlog
  and spoolss) were replaced by autogenerated code based on PIDL.
o Samba3 and Samba4 do now share a common tevent library.
o The code has been cleaned up and the major basic interfaces are shared with
  Samba4 now.
o An asynchronous API has been added.


General Changes
===============

On the way towards a standalone Samba AD domain controller, Samba3 and Samba4
branches can be built as "merged" build. That's why Samba3 and Samba4 sources
are included in the tarball. The merged build is possible in Samba 3.4.0, but
disabled by default. To learn more about the merged build,
please see http://wiki.samba.org/index.php/Franky.

According to this one, there is no "source" directory included in the tarball at
all. Samba3 sources are located in "source3", Samba4 sources are located in
"source4". The libraries have been moved to the toplevel directory.

To build plain Samba3, please change to "source3" and start the build as usual.
To build Samba4 as well, please use the "--enable-merged-build" configure
option.


Authentication Changes
======================

Previously, when Samba was a domain member and a client was connecting using an
untrusted domain name, such as BOGUS\user smbd would remap the untrusted
domain to the primary domain smbd was a member of and attempt authentication
using that DOMAIN\user name. This differed from how a Windows member server
would behave. Now, smbd will replace the BOGUS name with its SAM name. In
the case where smbd is acting as a PDC this will be DOMAIN\user. In the case
where smbd is acting as a domain member server this will be WORKSTATION\user.
Thus, smbd will never assume that an incoming user name which is not qualified
with the same primary domain, is part of smbd's primary domain.

While this behavior matches Windows, it may break some workflows which depended
on smbd to always pass through bogus names to the DC for verification. A new
parameter "map untrusted to domain" can be enabled to revert to the legacy
behavior.


Printing Changes
================

The spoolss subsystem was replaced by autogenerated code based on PIDL. That
fixes several printing issues including printer change notification on Samba
print servers and will stabilize the printing functionality generally.
The support for spoolss printing with Windows Vista has been improved.


Internal Changes
================

The remaining hand-marshalled DCE/RPC services (ntsvcs, svcctl, eventlog and
spoolss) were replaced by autogenerated code based on PIDL.
So Günther Deschner finally corrected one of the biggest mistakes in the
development of Samba: Hand-marshalled RPC stubs.

Thanks a lot! :-)

Samba3 and Samba4 do now share a common tevent library for fd and timer events.

The code has been cleaned up and Samba3 and Samba4 do share the major basic
interfaces now. That is why the libraries were moved to the toplevel directory.
That is one of the first steps to share code and minimize the gap between
these two versions.

An asynchronous API has been added.


######################################################################
Changes
#######

smb.conf changes
----------------

   Parameter Name                      Description     Default
   --------------                      -----------     -------

   access based share enum             New             No
   dedicated keytab file               New             ""
   kerberos method                     New             default
   map untrusted to domain             New             No
   max open files                      Changed Default auto detected
   perfcount module                    New             ""
   use kerberos keytab                 Removed


New [sub]commands
-----------------

   net eventlog             Import/dump/export native win32 eventlog files.
   net rpc service create   Create a new service.
   net rpc service delete   Delete an existing service.


New configure options
---------------------

--enable-external-libtalloc       Enable external talloc
--enable-merged-build             Build Samba 4 as well
--enable-gnutls                   Turn on gnutls support
--with-statedir=DIR               Where to put persistent state files
--with-cachedir=DIR               Where to put temporary cache files
--with-ncalprcdir=DIR             Where to put ncalrpc sockets
--with-selftest-shrdir=DIR        The share directory that make test will be run
                                  against
--with-selftest-custom-conf=PATH  An optional custom smb.conf that is included
                                  in the server smb.conf during make test
--with-wbclient                   Use external wbclient
--with-included-popt              Use bundled popt library, not from system
--with-libiconv=BASEDIR           Use libiconv in BASEDIR/lib and
                                  BASEDIR/include
--with-sqlite3                    SQLITE3 backend support
--with-pthreads                   Include pthreads
--with-setproctitle               Search for setproctitle support


Commit Highlights
=================

o   Steven Danneman
    * Change the way smbd handles untrusted domain names given during user
      authentication.

o   Guenther Deschner
    * Replace the hand-marshalled DCE/RPC services ntsvcs, svcctl, eventlog
      and spoolss by autogenerated code based on PIDL.
    * Fix several printing issues and improve support for printer change
      notifications.
    * Add 'net eventlog'.

o   Volker Lendecke
    * Add asynchronous API.

o   Stefan Metzmacher
    * Make Samba3 and Samba4 share a tevent library.

o   Dan Sledz
    * Add two new parameters to control how we verify kerberos tickets.

o   Danny Tylman
    * Add 'net rpc service' subcommands 'create' and 'delete'.

o   Jelmer Vernooij
    * Make merged build possible.
    * Move common libraries to the shared lib/ directory.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 3.4 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA). The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/pre

The release notes are available online at:

        http://www.samba.org/samba/ftp/pre/WHATSNEW-3-4-0pre1.txt

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/f4d5781e/attachment.bin

From sbose at redhat.com Thu Apr 30 11:01:36 2009
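[Added example, not part of the announcement above and not Samba's own code: a small C model of its "Authentication Changes" section, showing which name a BOGUS\user logon is authenticated as on a PDC or a member server, with and without "map untrusted to domain". The struct, the function names and the sample values DOMAIN, WORKSTATION and PARTNER are hypothetical; passing known domains through unchanged and rejecting unqualified names are assumptions of the model.]

```c
/* Added illustration of the untrusted-domain handling described in the
 * 3.4.0pre1 announcement. Every identifier below is hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum server_role { ROLE_PDC, ROLE_DOMAIN_MEMBER };

struct server_cfg {
	enum server_role role;
	const char *primary_domain;   /* constructed sample: "DOMAIN" */
	const char *machine_name;     /* constructed sample: "WORKSTATION" */
	const char *const *trusted;   /* NULL-terminated list, may be NULL */
	bool map_untrusted_to_domain; /* smb.conf "map untrusted to domain" */
};

/* Constructed sample data for the demonstration. */
static const char *const SAMPLE_TRUSTED[] = { "PARTNER", NULL };

struct server_cfg sample_cfg(enum server_role role, bool legacy)
{
	struct server_cfg cfg = { role, "DOMAIN", "WORKSTATION",
				  SAMPLE_TRUSTED, legacy };
	return cfg;
}

/* Assumption of this model: domain names compare case-insensitively. */
static bool name_eq(const char *a, const char *b)
{
	for (; *a != '\0' && *b != '\0'; a++, b++) {
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return false;
	}
	return *a == *b;
}

/* SAM name as the announcement gives it: DOMAIN on a PDC, the server's own
 * name (WORKSTATION) on a domain member server. */
const char *sam_name(const struct server_cfg *cfg)
{
	return cfg->role == ROLE_PDC ? cfg->primary_domain : cfg->machine_name;
}

/* Assumption: a domain is "known" if it is the primary domain, the local
 * SAM name or one of the listed trusted domains. */
bool domain_is_known(const struct server_cfg *cfg, const char *dom)
{
	const char *const *t;

	if (name_eq(dom, cfg->primary_domain) || name_eq(dom, sam_name(cfg)))
		return true;
	for (t = cfg->trusted; t != NULL && *t != NULL; t++) {
		if (name_eq(dom, *t))
			return true;
	}
	return false;
}

/* Rewrite "DOM\user" into the name authentication is attempted with.
 * Returns 0 on success, -1 for unqualified or malformed input, or when the
 * result does not fit into out. */
int remap_logon(const struct server_cfg *cfg, const char *logon,
		char *out, size_t outlen)
{
	char dom[64];
	const char *sep = strchr(logon, '\\');
	const char *target;
	size_t dlen;
	int n;

	if (sep == NULL || sep == logon || sep[1] == '\0')
		return -1;
	dlen = (size_t)(sep - logon);
	if (dlen >= sizeof(dom))
		return -1;
	memcpy(dom, logon, dlen);
	dom[dlen] = '\0';

	if (domain_is_known(cfg, dom))
		target = dom;                 /* trusted or local: untouched */
	else if (cfg->map_untrusted_to_domain)
		target = cfg->primary_domain; /* legacy: hand it to the DC */
	else
		target = sam_name(cfg);       /* 3.4 default: local SAM only */

	n = snprintf(out, outlen, "%s\\%s", target, sep + 1);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
	const char *logons[] = { "BOGUS\\alice", "PARTNER\\bob", "DOMAIN\\carol" };
	char out[128];
	int role, legacy;
	size_t i;

	for (role = ROLE_PDC; role <= ROLE_DOMAIN_MEMBER; role++) {
		for (legacy = 0; legacy <= 1; legacy++) {
			struct server_cfg cfg =
				sample_cfg((enum server_role)role, legacy != 0);
			for (i = 0; i < sizeof(logons) / sizeof(logons[0]); i++) {
				if (remap_logon(&cfg, logons[i], out, sizeof(out)) == 0)
					printf("%-6s map_untrusted=%d  %-13s -> %s\n",
					       role == ROLE_PDC ? "PDC" : "member",
					       legacy, logons[i], out);
			}
		}
	}
	return 0;
}
```

[On a member server the default and the legacy setting differ only for the untrusted name: the default keeps it in the local SAM, the legacy setting sends it to the primary domain's DC.]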
From: sbose at redhat.com (Sumit Bose) Date: Thu Apr 30 11:01:43 2009 Subject: [CTDB][PATCH] fix handling of AC_INIT Message-ID: <49F98510.8010306@redhat.com> Hi, this patch fixes the usage of AC_INIT in configure.ac. Besides other things the version in ctdb.pc is set correctly. bye, Sumit -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-fix-handling-of-AC_INIT.patch Type: text/x-patch Size: 818 bytes Desc: not available Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/8ca55e39/0001-fix-handling-of-AC_INIT.bin From miguel.sanders at arcelormittal.com Thu Apr 30 11:03:24 2009 
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 11:03:27 2009
Subject: Samba 3.3.4 on AIX: coredump
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net>

Hi guys

I just built 3.3.4 on AIX and whenever I access a share, I get a core dump.
Examining the coredump with dbx shows the following:

# dbx -d100 /tmp/samba/compile/sbin/smbd
Type 'help' for help.
warning: The core file is not a fullcore. Some info may not be available.
[using memory image in core]
reading symbolic information ...

IOT/Abort trap in pthread_kill at 0x900000000549450
0x900000000549450 (pthread_kill+0xb0) e8410028 ld r2,0x28(r1)
(dbx) where
pthread_kill(??, ??) at 0x900000000549450
_p_raise(??) at 0x900000000548cc8
raise.raise(??) at 0x90000000002ad0c
abort() at 0x900000000094144
dump_core(), line 242 in "fault.c"
smb_panic(why = warning: Unable to access address 0x11024f89c from core (invalid char ptr (0x000000011024f89c))), line 1689 in "util.c"
fault_report(sig = 268435455), line 46 in "fault.c"
sys_acl_get_entry(acl_d = (nil), entry_id = 268435455, entry_p = 0x0000000000000010), line 55 in "sysacls.c"
vfswrap_sys_acl_get_entry(handle = 0x0fffffffffffe100, theacl = 0x000000011008b53c, entry_id = 268435455, entry_p = 0x0000000200000002), line 1104 in "vfs_default.c"

I really don't understand what is going on here.
As you can see the address of "theacl" in vfswrap_sys_acl_get_entry is valid but "acl_d" in sys_acl_get_entry is a NULL pointer.
The function merely looks like:

static int vfswrap_sys_acl_get_entry(vfs_handle_struct *handle, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p)
{
        return sys_acl_get_entry(theacl, entry_id, entry_p);
}

Anyone an idea what is happening? Am I interpreting this wrong?

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

****
This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights.
If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited.
Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient.
This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement.
****

From miguel.sanders at arcelormittal.com Thu Apr 30 11:49:47 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 11:49:46 2009
Subject: Samba 3.3.4 on AIX: coredump
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net>

After digging a bit further in the coredump I saw the following:

process_smb(inbuf = warning: Unable to access address 0x11037be60 from core
(invalid char ptr (0x000000011037be60)), nread = 648535941221086152, unread_bytes = 1241085664, encrypted = @0x000a85df10001d60), line 1566 in "process.c"
unnamed block in smbd_process(), line 1934 in "process.c"
smbd_process(), line 1934 in "process.c"
main(argc = 0, argv = (nil)), line 1519 in "server.c"

While the code in smbd_process looks like this

        while (True) {
                NTSTATUS status;
                char *inbuf = NULL;
                size_t inbuf_len = 0;
                bool encrypted = false;
                TALLOC_CTX *frame = talloc_stackframe_pool(8192);

                errno = 0;

                run_events(smbd_event_context(), 0, NULL, NULL);

                status = receive_message_or_smb(
                        talloc_tos(), &inbuf, &inbuf_len,
                        &unread_bytes, &encrypted);

                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("receive_message_or_smb failed: %s, "
                                  "exiting\n", nt_errstr(status)));
                        return;
                }

                process_smb(inbuf, inbuf_len, unread_bytes, encrypted);

So the value passed to process_smb is NULL...
Anyone?

Met vriendelijke groet
Best regards
Bien à
vous Miguel SANDERS ArcelorMittal Gent UNIX Systems & Storage IT Supply Western Europe | John Kennedylaan 51 B-9042 Gent T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders@arcelormittal.com www.arcelormittal.com/gent

From w.jojo at hvcc.edu Thu Apr 30 12:09:11 2009
From: w.jojo at hvcc.edu (William Jojo)
Date: Thu Apr 30 12:09:11 2009
Subject: Samba 3.3.4 on AIX: coredump
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <49F994E7.30309@hvcc.edu>

miguel.sanders@arcelormittal.com wrote:
> After digging a bit further in the coredump I saw the following:
>
> process_smb(inbuf = warning: Unable to access address 0x11037be60 from core
> (invalid char ptr (0x000000011037be60)), nread = 648535941221086152, unread_bytes = 1241085664, encrypted = @0x000a85df10001d60), line 1566 in "process.c"
> unnamed block in smbd_process(), line 1934 in "process.c"
> smbd_process(), line 1934 in "process.c"
> main(argc = 0, argv = (nil)), line 1519 in "server.c"
>
>

The variable inbuf may not be NULL. We actually don't know what it is since the debug info is incomplete. The memory reference appears to be for segment 0x1 which is the program text segment. If you compile with the -g option you should be able to glean more info.

I have 3.3.4 running presently on 5.3 without coredumps. Can you give any other info about your build options that may shed some light on this?

Cheers,
Bill

> While the code in smbd_process looks like this
>
>         while (True) {
>                 NTSTATUS status;
>                 char *inbuf = NULL;
>                 size_t inbuf_len = 0;
>                 bool encrypted = false;
>                 TALLOC_CTX *frame = talloc_stackframe_pool(8192);
>
>                 errno = 0;
>
>                 run_events(smbd_event_context(), 0, NULL, NULL);
>
>                 status = receive_message_or_smb(
>                         talloc_tos(), &inbuf, &inbuf_len,
>                         &unread_bytes, &encrypted);
>
>                 if (!NT_STATUS_IS_OK(status)) {
>                         DEBUG(3, ("receive_message_or_smb failed: %s, "
>                                   "exiting\n", nt_errstr(status)));
>                         return;
>                 }
>
>                 process_smb(inbuf, inbuf_len, unread_bytes, encrypted);
>
> So the value passed to process_smb is NULL...
> Anyone?
>
> Met vriendelijke groet
> Best regards
> Bien à
vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 > E miguel.sanders@arcelormittal.com > www.arcelormittal.com/gent

From miguel.sanders at arcelormittal.com Thu Apr 30 12:16:30 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 12:16:20 2009
Subject: Samba 3.3.4 on AIX: coredump
In-Reply-To: <49F994E7.30309@hvcc.edu>
References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net> <49F994E7.30309@hvcc.edu>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ECCC@GEN-MXB-V04.msad.arcelor.net>

I compiled it with --enable-debug so it has been compiled with -g.
Any idea why the core file is not a fullcore?

Build options were:
LIBS="-lldap -llber -lgssapi_krb5 -lkrb5 -lcom_err -lsasl2 -lk5crypto -lcrypto -lssl" CPPFLAGS="-I/usr/samba/include -I/usr/include" AR="/usr/bin/ar -X64" CFLAGS="-O3 -q64 -L/usr/samba/lib -L/usr/lib" ./configure --with-ads --enable-shared-libs --prefix=/tmp/samba/compile --enable-debug

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

From sbose at redhat.com Thu Apr 30 12:22:47 2009
From: sbose at redhat.com (Sumit Bose)
Date: Thu Apr 30 12:22:57 2009
Subject: [CTDB][PATCH] add more 64bit plattforms to configure.ac
Message-ID: <49F99817.2000300@redhat.com>

Hi,

this patch adds ppc64 to the platforms using lib64.

bye,
Sumit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-add-more-64bit-plattforms-to-configure.ac.patch
Type: text/x-patch
Size: 607 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090430/64ede83b/0001-add-more-64bit-plattforms-to-configure.ac.bin

From miguel.sanders at arcelormittal.com Thu Apr 30 12:24:28 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 12:24:24 2009
Subject: Samba 3.3.4 on AIX: coredump
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6ECCC@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net><7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net><49F994E7.30309@hvcc.edu> <7DF29B50FFF41848BB2281EC2E71A206B6ECCC@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ECD1@GEN-MXB-V04.msad.arcelor.net>

Crap I compiled with optimizations.
Better leave that out now :-)

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

-----Original message-----
From: samba-technical-bounces+miguel.sanders=arcelormittal.com@lists.samba.org [mailto:samba-technical-bounces+miguel.sanders=arcelormittal.com@lists.samba.org] On behalf of miguel.sanders@arcelormittal.com
Sent: Thursday 30 April 2009 14:17
To: w.jojo@hvcc.edu
CC: samba-technical@lists.samba.org
Subject: RE: Samba 3.3.4 on AIX: coredump

I compiled it with --enable-debug so it has been compiled with -g.
Any idea why the core file is not a fullcore?

Build options were:

LIBS="-lldap -llber -lgssapi_krb5 -lkrb5 -lcom_err -lsasl2 -lk5crypto -lcrypto -lssl" CPPFLAGS="-I/usr/samba/include -I/usr/include" AR="/usr/bin/ar -X64" CFLAGS="-O3 -q64 -L/usr/samba/lib -L/usr/lib" ./configure --with-ads --enable-shared-libs --prefix=/tmp/samba/compile --enable-debug

From miguel.sanders at arcelormittal.com Thu Apr 30 12:48:12 2009
From: miguel.sanders at arcelormittal.com (miguel.sanders@arcelormittal.com)
Date: Thu Apr 30 12:48:16 2009
Subject: Samba 3.3.4 on AIX: coredump
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6ECD1@GEN-MXB-V04.msad.arcelor.net>
References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net><7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net><49F994E7.30309@hvcc.edu> <7DF29B50FFF41848BB2281EC2E71A206B6ECCC@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B6ECD1@GEN-MXB-V04.msad.arcelor.net>
Message-ID: <7DF29B50FFF41848BB2281EC2E71A206B6ECEA@GEN-MXB-V04.msad.arcelor.net>

Bill

Just a few remarks:
1) It's on AIX 6.1 (which basically shouldn't be any different than 5.3) and compiled with IBM C compiler (not gcc).
2) Normally I use your packages (once again thanks for that), but I wanted to compile GPFS support with it.
3) I'm still experiencing smb_panic because AD users have more than 128 additional groups, which cannot be handled by AIX properly (NGROUPS_MAX=128). So as a result I changed the smb_panic call in sec_ctx.c (line 260) to a debug call level 10.

Met vriendelijke groet
Best regards
Bien à vous

Miguel SANDERS
ArcelorMittal Gent

UNIX Systems & Storage
IT Supply Western Europe | John Kennedylaan 51
B-9042 Gent

T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
E miguel.sanders@arcelormittal.com
www.arcelormittal.com/gent

-----Original message-----
From: SANDERS Miguel
Sent: Thursday 30 April 2009 14:24
To: SANDERS Miguel; w.jojo@hvcc.edu
CC: samba-technical@lists.samba.org
Subject: RE: Samba 3.3.4 on AIX: coredump

Crap I compiled with optimizations.
Better leave that out now :-)

From w.jojo at hvcc.edu Thu Apr 30 13:17:20 2009
From: w.jojo at hvcc.edu (William Jojo) Date: Thu Apr 30 13:17:42 2009 Subject: Samba 3.3.4 on AIX: coredump In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206B6ECEA@GEN-MXB-V04.msad.arcelor.net> References: <7DF29B50FFF41848BB2281EC2E71A206B6ECA1@GEN-MXB-V04.msad.arcelor.net><7DF29B50FFF41848BB2281EC2E71A206B6ECBC@GEN-MXB-V04.msad.arcelor.net><49F994E7.30309@hvcc.edu> <7DF29B50FFF41848BB2281EC2E71A206B6ECCC@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B6ECD1@GEN-MXB-V04.msad.arcelor.net> <7DF29B50FFF41848BB2281EC2E71A206B6ECEA@GEN-MXB-V04.msad.arcelor.net> Message-ID: <49F9A4E0.7010504@hvcc.edu> miguel.sanders@arcelormittal.com wrote: > Bill > > Just a few remarks: > 1) It's on AIX 6.1 (which basically shouldn't be any different than 5.3) and compiled with IBM C compiler (not gcc). > True, they are very close. > 2) Normally I use your packages (once again thanks for that), but I wanted to compile GPFS support with it. > You are very welcome. :-) The 3.3 series has the GPFS support in it via the /opt/pware/lib/vfs/gpfs.so. If you have 3.2.1.10 or later of gpfs.base it should work since the GPL'd version of the library is included. (Clustering is also supported if you install the optional pware53.ctdb.rte - which is 1.0.77.0 at the moment.) > 3) I'm still experiencing smb_panic because AD users have more than 128 additional groups, which cannot be handled by AIX properly (NGROUPS_MAX=128). So a a result I changed the smb_panic call in sec_ctx.c (line 260) to a debug call level 10. > > I wish IBM would realize that 128 is just too small and either make it tunable or SHRT_MAX. Cheers, Bill > Met vriendelijke groet > Best regards > Bien ? 
vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 > E miguel.sanders@arcelormittal.com > www.arcelormittal.com/gent > > -----Oorspronkelijk bericht----- > Van: SANDERS Miguel > Verzonden: donderdag 30 april 2009 14:24 > Aan: SANDERS Miguel; w.jojo@hvcc.edu > CC: samba-technical@lists.samba.org > Onderwerp: RE: Samba 3.3.4 on AIX: coredump > > Crap I compiled with optimizations. > Better leave that out now :-) > > > Met vriendelijke groet > Best regards > Bien ? vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders@arcelormittal.com www.arcelormittal.com/gent > > -----Oorspronkelijk bericht----- > Van: samba-technical-bounces+miguel.sanders=arcelormittal.com@lists.samba.org [mailto:samba-technical-bounces+miguel.sanders=arcelormittal.com@lists.samba.org] Namens miguel.sanders@arcelormittal.com > Verzonden: donderdag 30 april 2009 14:17 > Aan: w.jojo@hvcc.edu > CC: samba-technical@lists.samba.org > Onderwerp: RE: Samba 3.3.4 on AIX: coredump > > I compiled it with --enable-debug so it has been compiled with -g. > Any idea why the core file is not a fullcore? > > Build options were: > > LIBS="-lldap -llber -lgssapi_krb5 -lkrb5 -lcom_err -lsasl2 -lk5crypto -lcrypto -lssl" CPPFLAGS="-I/usr/samba/include -I/usr/include" AR="/usr/bin/ar -X64" CFLAGS="-O3 -q64 -L/usr/samba/lib -L/usr/lib" ./configure --with-ads --enable-shared-libs --prefix=/tmp/samba/compile --enable-debug > > > Met vriendelijke groet > Best regards > Bien ? 
vous > > Miguel SANDERS > ArcelorMittal Gent > > UNIX Systems & Storage > IT Supply Western Europe | John Kennedylaan 51 > B-9042 Gent > > T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E miguel.sanders@arcelormittal.com www.arcelormittal.com/gent > > -----Oorspronkelijk bericht----- > Van: William Jojo [mailto:w.jojo@hvcc.edu] > Verzonden: donderdag 30 april 2009 14:09 > Aan: SANDERS Miguel > CC: samba-technical@lists.samba.org > Onderwerp: Re: Samba 3.3.4 on AIX: coredump > > miguel.sanders@arcelormittal.com wrote: > >> After digging a bit further in the coredump I saw the following: >> >> process_smb(inbuf = warning: Unable to access address 0x11037be60 from >> core (invalid char ptr (0x000000011037be60)), nread = 648535941221086152, unread_bytes = 1241085664, encrypted = @0x000a85df10001d60), line 1566 in "process.c" >> unnamed block in smbd_process(), line 1934 in "process.c" >> smbd_process(), line 1934 in "process.c" >> main(argc = 0, argv = (nil)), line 1519 in "server.c" >> >> >> > > The variable inbuf may not be NULL. We actually don't know what it is since the debug info is incomplete. The memory reference appears to be for segment 0x1 which is the program text segment. If you compile with the -g option you should be able to glean more info. > > I have 3.3.4 running presently on 5.3 without coredumps. Can you give any other info about your build options that may shed some light on this? 
> > Cheers, > Bill > > > >> While the code in smbd_process looks like this >> >> while (True) { >> NTSTATUS status; >> char *inbuf = NULL; >> size_t inbuf_len = 0; >> bool encrypted = false; >> TALLOC_CTX *frame = talloc_stackframe_pool(8192); >> >> errno = 0; >> >> run_events(smbd_event_context(), 0, NULL, NULL); >> >> status = receive_message_or_smb( >> talloc_tos(), &inbuf, &inbuf_len, >> &unread_bytes, &encrypted); >> >> if (!NT_STATUS_IS_OK(status)) { >> DEBUG(3, ("receive_message_or_smb failed: %s, " >> "exiting\n", nt_errstr(status))); >> return; >> } >> >> process_smb(inbuf, inbuf_len, unread_bytes, >> encrypted); >> >> So the value passed to process_smb is NULL... >> Anyone? >> >> Met vriendelijke groet >> Best regards >> Bien ? vous >> >> Miguel SANDERS >> ArcelorMittal Gent >> >> UNIX Systems & Storage >> IT Supply Western Europe | John Kennedylaan 51 >> B-9042 Gent >> >> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E >> miguel.sanders@arcelormittal.com www.arcelormittal.com/gent >> >> -----Oorspronkelijk bericht----- >> Van: >> samba-technical-bounces+miguel.sanders=arcelormittal.com@lists.samba.o >> rg >> [mailto:samba-technical-bounces+miguel.sanders=arcelormittal.com@lists >> .samba.org] Namens miguel.sanders@arcelormittal.com >> Verzonden: donderdag 30 april 2009 13:03 >> Aan: samba-technical@lists.samba.org >> Onderwerp: Samba 3.3.4 on AIX: coredump >> >> Hi guys >> >> I just built 3.3.4 on AIX and whenever I access a share, I get a core dump. >> Examining the coredump with dbx shows the following: >> >> # dbx -d100 /tmp/samba/compile/sbin/smbd Type 'help' for help. >> warning: The core file is not a fullcore. Some info may not be available. >> [using memory image in core] >> reading symbolic information ... >> >> IOT/Abort trap in pthread_kill at 0x900000000549450 >> 0x900000000549450 (pthread_kill+0xb0) e8410028 ld r2,0x28(r1) >> (dbx) where >> pthread_kill(??, ??) at 0x900000000549450 >> _p_raise(??) 
at 0x900000000548cc8 >> raise.raise(??) at 0x90000000002ad0c >> abort() at 0x900000000094144 >> dump_core(), line 242 in "fault.c" >> smb_panic(why = warning: Unable to access address 0x11024f89c from core (invalid char ptr (0x000000011024f89c))), line 1689 in "util.c" >> fault_report(sig = 268435455), line 46 in "fault.c" >> sys_acl_get_entry(acl_d = (nil), entry_id = 268435455, entry_p = 0x0000000000000010), line 55 in "sysacls.c" >> vfswrap_sys_acl_get_entry(handle = 0x0fffffffffffe100, theacl = 0x000000011008b53c, entry_id = 268435455, entry_p = 0x0000000200000002), line 1104 in "vfs_default.c" >> >> I really don't understand what is going on here. >> As you can see the address of "theacl" in vfswrap_sys_acl_get_entry is valid but "acl_d" in sys_acl_get_entry is a NULL pointer. >> The function merely looks like: >> static int vfswrap_sys_acl_get_entry(vfs_handle_struct *handle, SMB_ACL_T theacl, int entry_id, SMB_ACL_ENTRY_T *entry_p) { >> return sys_acl_get_entry(theacl, entry_id, entry_p); } >> >> Anyone an idea what is happening? Am I interpreting this wrong? >> >> Met vriendelijke groet >> Best regards >> Bien ? vous >> >> Miguel SANDERS >> ArcelorMittal Gent >> >> UNIX Systems & Storage >> IT Supply Western Europe | John Kennedylaan 51 >> B-9042 Gent >> >> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023 E >> miguel.sanders@arcelormittal.com www.arcelormittal.com/gent >> >> >> **** >> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. 
>> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. >> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >> **** >> >> >> **** >> This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. >> If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. >> Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. >> This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. >> **** >> >> >> > > > **** > This message and any attachment are confidential, intended solely for the use of the individual or entity to whom it is addressed and may be protected by professional secrecy or intellectual property rights. > If you have received it by mistake, or are not the named recipient(s), please immediately notify the sender and delete the message. You are hereby notified that any unauthorized use, copying or dissemination of any or all information contained in this message is prohibited. > Arcelormittal shall not be liable for the message if altered, falsified, or in case of error in the recipient. > This message does not constitute any right or commitment for ArcelorMittal except when expressly agreed otherwise in writing in a separate agreement. 
From samba-technical at tk-webart.de Thu Apr 30 13:58:43 2009
From: samba-technical at tk-webart.de (Torsten Kurbad)
Date: Thu Apr 30 14:05:40 2009
Subject: [Samba 4] minor bug in configure script?
Message-ID: <20090430155843.2ec07198@atalante.iwm-kmrc.de>

Hi list,

today I created a Gentoo-ebuild for samba-4.0.0_alpha7 and discovered a minor glitch during compilation/install:

If I do a

    ./configure --sysconfdir=/etc/samba && make && make install

I get a directory /etc/samba/samba, which doesn't seem to be used by anything.

This got me confused, since I changed --sysconfdir to /etc in the ebuild, getting /etc/samba on install, where my smb.conf resides. But afterwards, commands like smbclient, net, etc. didn't recognize that smb.conf, instead they were expecting it in /etc, which corresponds with my setting of --sysconfdir.

So, why is the .../samba subdirectory created? Do some tools rely on this?

Best regards
Torsten

--
A budget is just a method of worrying before you spend money, as well as afterward.

From sassyn at gmail.com Thu Apr 30 14:23:28 2009
From: sassyn at gmail.com (Sassy Natan)
Date: Thu Apr 30 14:23:24 2009
Subject: Samba4 NetLogon Directory ERROR!
Message-ID: <529a12f40904300723n52375c4bhb925d0fa45b93a34@mail.gmail.com>

Dear Group

One quick question: I have been testing Samba4 (Alpha7) with the Full Microsoft Active Directory Schema. This seems to work pretty good, but there is one issue I noticed: if I add some files to the NetLOGON Directory, the files are deleted after I restart the server/service. I used this to put my login scripts there (KIX based scripts) and every time I restart I need to copy them back.

Is this a bug? How to Debug?

10x
Sassy
From jerry at plainjoe.org Thu Apr 30 14:56:37 2009
From: jerry at plainjoe.org (Gerald Carter)
Date: Thu Apr 30 14:56:39 2009
Subject: thread pool helpers
In-Reply-To: <18935.35267.157123.103830@samba.org>
References: <18934.46209.580482.147268@samba.org> <20090428152257.GA6813@jeremy-laptop> <49F72227.4090600@plainjoe.org> <18935.31225.675850.834609@samba.org> <49F77EB5.80704@plainjoe.org> <18935.35267.157123.103830@samba.org>
Message-ID: <49F9BC25.1000306@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

tridge@samba.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hi Jerry,
>
>> Nope. Access checks are in user space.
>
> do you do anything to combat the race conditions? For example, a user
> might exploit a user space access check by doing this:
>
>   while :; do
>     ln -sf /etc/shadow /home/baduser/myfile.txt
>     ln -sf /home/baduser/innocent.txt /home/baduser/myfile.txt
>   done
>
> then try to access myfile.txt via SMB. If the access check happens
> while the file points at innocent.txt and the real open happens while
> pointing at /etc/shadow then the user will end up opening
> /etc/shadow. Implementing the above hack in C raises the chances of
> success as well.
>
> You can do inode number checks to combat this a bit, but that doesn't
> work for newly created files in sensitive locations.

Honestly, right now it doesn't. I'm still working on it. But for a create disposition of FILE_OPEN, technically you could open() and operate on the fd exclusively. So right now this would be something like:

    fd = open()
    secdesc = GetSecurityDescriptor(fd)
    if (!RtlAccessCheck(token, secdesc)) {
        close(fd)
    }
    SaveFdToFileHandle(fd)

Do you agree? The create/overwrite is a little trickier. I'll have to think about an answer for those cases more.

>> However, for platforms that could give me a per
>> thread setreuid(), I would look at using that.
>
> strangely enough, the Linux kernel can give you that,
> if you bypass glibc and use syscall() to change your euid.
Ahh...I thought this was considered a bug and disabled in newer kernels. Sounds like I need to go back and read up some more.

> Rusty is currently trying to build "libantithread" which
> tries to provide this functionality on top of fork().
>
> See http://ccan.ozlabs.org/info/antithread.html

Cool. Thanks for the link.

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?"
--Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ+bwlIR7qMdg1EfYRApFwAJ9sNJEADIPUNpOjVvEnmC3jgQJmywCfU+fQ
IkWRFEx222NpvZopIYS4TJ0=
=yEMN
-----END PGP SIGNATURE-----

From jerry at plainjoe.org Thu Apr 30 15:11:14 2009
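Added example, not part of the original messages and not Samba or Likewise code: the FILE_OPEN case from the "thread pool helpers" message above, written in C, with the racy check-then-open beside the open-then-check form that inspects the descriptor. The `allowed()` policy, the file names and `swap_link()` (which replays the symlink swap deterministically inside a temporary sandbox directory) are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static char dir[64], good[96], secret[96], lnk[96];  /* constructed sandbox paths */
/* Assumed stand-in for the access check: only world-readable regular files pass. */
static int allowed(const struct stat *st) {
    return S_ISREG(st->st_mode) && (st->st_mode & S_IROTH) != 0;
}
/* Deterministic stand-in for a concurrent "ln -sf": re-point the link at the secret. */
static void swap_link(void) { unlink(lnk); if (symlink(secret, lnk) != 0) abort(); }

/* Racy: the check and the open each resolve the path, so they can see different files. */
static int check_then_open(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0 || !allowed(&st)) return -1;
    swap_link();                                  /* window between check and use */
    return open(path, O_RDONLY);
}

/* Open first, then check the object behind the descriptor (fstat, never the path). */
static int open_then_check(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK);   /* O_NONBLOCK: do not hang on a FIFO */
    if (fd < 0) return -1;
    swap_link();                                  /* same window, now harmless */
    if (fstat(fd, &st) != 0 || !allowed(&st)) { close(fd); return -1; }
    return fd;
}
static void make_file(const char *p, mode_t mode) {
    int fd = open(p, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0 || fchmod(fd, mode) != 0) abort();
    close(fd);
}
/* 1: caller got the secret file, 0: got the innocent file, -1: access refused. */
int race_demo(int hardened, int start_on_secret) {
    struct stat got, sec;
    snprintf(dir, sizeof dir, "/tmp/toctou-XXXXXX");
    if (!mkdtemp(dir)) abort();
    snprintf(good, sizeof good, "%s/innocent.txt", dir);
    snprintf(secret, sizeof secret, "%s/secret.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/myfile.txt", dir);
    make_file(good, 0644); make_file(secret, 0600);
    if (symlink(start_on_secret ? secret : good, lnk) != 0) abort();
    int fd = hardened ? open_then_check(lnk) : check_then_open(lnk);
    int result = -1;
    if (fd >= 0 && fstat(fd, &got) == 0 && stat(secret, &sec) == 0)
        result = (got.st_dev == sec.st_dev && got.st_ino == sec.st_ino);
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(good); unlink(secret); rmdir(dir);
    return result;
}
```

As the thread itself notes, this only covers opening an existing file; the create/overwrite dispositions are left open there and are not addressed by this sketch.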
From: jerry at plainjoe.org (Gerald Carter)
Date: Thu Apr 30 15:11:20 2009
Subject: [PATCH] Have the smbcli_session record the OS and Native LANMAN of the remote server
In-Reply-To: <49F95FDB.9000508@ufomechanic.net>
References: <49F8812C.6070100@plainjoe.org> <49F95FDB.9000508@ufomechanic.net>
Message-ID: <49F9BF92.7090302@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Sam,

> I'm not picking fault here, or trying to argue; just
> pointing out how it looks from my position.
>
> The documents you mention encourage the style I
> used, and do not discourage it, apart from tab-8
> spacing which no-one follows.
>
> The two documents you mention make recommendations
> that are not followed even in new code.
>
> In short, they can't be trusted, it seems that they
> misled me and are somewhat ignored by everyone else.

I think you make some really good points. Let me try to summarize:

(a) If you followed the documented coding guidelines, and they led you astray, then I concede. The fault is in the documentation and should be updated. No one can ding you for doing what the docs asked you to do.

(b) There may be a disconnect between the docs provided to encourage new Samba developers and those that have spent many cycles under an apprenticeship with long term Samba developers. New in this sense means that one doesn't have the sense of history of the project's lifetime.

The conclusion then would be that if participating in Samba development requires some type of personal guidance from an established developer on issues of coding style and tradition, then this will have scaling issues due to the number and time of existing core devs.

This is all just personal philosophy from me. I can't speak for everyone, but it has given me some points to consider.

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?"
--Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ+b+SIR7qMdg1EfYRApivAKCrks6/1IoA4QXrXpS6AJFPB6HK0ACgoHQV
CqmdrRcq5QqrJGEyRftEo+U=
=ZEG2
-----END PGP SIGNATURE-----

From tprouty at samba.org Thu Apr 30 19:02:32 2009
From: tprouty at samba.org (Tim Prouty)
Date: Thu Apr 30 19:02:38 2009
Subject: [PATCH] Change unix_convert to use struct smb_filename
In-Reply-To:
References: <98996537-6FED-4570-84C8-57EE731D9508@samba.org>
Message-ID:

On Apr 30, 2009, at 3:04 AM, Volker Lendecke wrote:

> On Tue, Apr 28, 2009 at 02:30:11PM -0700, Tim Prouty wrote:
>> NTSTATUS unix_convert(TALLOC_CTX *ctx,
>>                       connection_struct *conn,
>>                       const char *orig_path,
>>                       struct smb_filename *smb_fname,
>>                       uint32_t ucf_flags)
>
> Just a quick stylistic question: Why not allocate the
> smb_filename struct in unix_convert and have the substrings
> as talloc children off that? In case this turns out to be a
> malloc performance hit, we can always do the appropriate
> talloc_pool trick inside unix_convert.

Thanks for the feedback! I was considering that option, but since we already had a talloc_ctx being passed around, it seemed simpler to just have the smb_filename struct sit on the stack. I guess one possible advantage of tallocing an smb_filename struct is that the talloc_ctx arg could be eliminated from unix_convert, further simplifying the API. Another advantage is that the memory would be more cleanly tracked, and could be freed earlier as soon as it is no longer being used. Are there other advantages as well?

On a related note, in a future patch it would make sense to store the smb_filename struct in the file_struct as well. To add this ability I'll probably also add some utility functions that alloc/init/copy/etc smb_filename structs. These utility structs could be used here as well.

I'm not familiar with the talloc_pool trick. Are there examples of the trick in use elsewhere?

-Tim

From jelmer at samba.org Thu Apr 30 19:42:48 2009
From: jelmer at samba.org (Jelmer Vernooij)
Date: Thu Apr 30 19:42:49 2009
Subject: late introduction
In-Reply-To: <9645506d0904281211r3b24a8d4lb67e78268ab10381@mail.gmail.com>
References: <9645506d0904281211r3b24a8d4lb67e78268ab10381@mail.gmail.com>
Message-ID: <49F9FF38.6080003@samba.org>

Hi Andrew,

?????? ????????? wrote:
> Hello everyone,
>
> My name is Andrew Grigoriev from Russia. I am 20 years old student of
> Computer Science at Chelyabinsk State University. For Summer of Code
> I'll be working on the GTKLDB tool.
>
Welcome aboard!

I'll be co-mentoring you together with Andrew Bartlett (CC'ed). You can always find us on IRC, or contact us by email. Where possible, please keep the public Samba communication channels (#samba-technical, samba-technical@samba.org) in the loop; that way others are aware of your work, and they can comment and help as well.

Looking forward to working with you this summer :-)

IRC nicks:
- Jelmer: jelmer
- Andrew Bartlett: abartlet

I'm also reachable on Jabber: jelmer@jabber.fsfe.org

Cheers,

Jelmer

From jerry at plainjoe.org Thu Apr 30 19:50:02 2009
From: jerry at plainjoe.org (Gerald Carter)
Date: Thu Apr 30 19:49:52 2009
Subject: STatus update on Bugzilla.samba.org
Message-ID: <49FA00EA.3010708@plainjoe.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all,

Big thanks to Deryck for quick fixes to bugzilla.samba.org.

* The "Too many connections" was the result of a bot. Fixed in robots.txt now.
* Inability to view attachments was a missing template variable after the upgrade.

Both have been resolved now. There's a few outstanding issues that appear to just be more template fixes. We'll work on resolving those as well this week.

cheers, jerry
- --
=====================================================================
http://git.plainjoe.org/ CODE
"What man is a man who does not make the world better?"
--Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ+gDqIR7qMdg1EfYRAniMAJ44p45BsQOEEB/K7u43MamtZUkkRQCeIo2p
rRTNKQ7f6LTsxy64rWthdxk=
=IYK/
-----END PGP SIGNATURE-----

From neo at ahmedabdalla.net Thu Apr 30 20:28:01 2009
From: neo at ahmedabdalla.net (Ahmed Abdallah)
Date: Thu Apr 30 20:28:02 2009
Subject: late introduction
In-Reply-To: <49F9FF38.6080003@samba.org>
References: <9645506d0904281211r3b24a8d4lb67e78268ab10381@mail.gmail.com> <49F9FF38.6080003@samba.org>
Message-ID: <9614bb350904301328o17f0e4f9sa1ef9b9fe6183630@mail.gmail.com>

Hi all,

Regarding the SOC, I know that it's intended for students only, does that mean the contribution from a non student on any of your SOC projects is not allowed ?

2009/4/30 Jelmer Vernooij

> Hi Andrew,
>
> ?????? ????????? wrote:
> > Hello everyone,
> >
> > My name is Andrew Grigoriev from Russia. I am 20 years old student of
> > Computer Science at Chelyabinsk State University. For Summer of Code
> > I'll be working on the GTKLDB tool.
> >
> Welcome aboard!
>
> I'll be co-mentoring you together with Andrew Bartlett (CC'ed). You can
> always find us on IRC, or contact us by email. Where possible, please
> keep the public Samba communication channels (#samba-technical,
> samba-technical@samba.org) in the loop; that way others are aware of
> your work, and they can comment and help as well.
>
> Looking forward to working with you this summer :-)
>
> IRC nicks:
> - Jelmer: jelmer
> - Andrew Bartlett: abartlet
>
> I'm also reachable on Jabber: jelmer@jabber.fsfe.org
>
> Cheers,
>
> Jelmer
>

Regards,
Ahmed Abdalla
Software Engineer
Thebe Technology
Qlayer/Sun Team

From jelmer at samba.org Thu Apr 30 21:54:02 2009
From: jelmer at samba.org (Jelmer Vernooij)
Date: Thu Apr 30 21:55:05 2009
Subject: late introduction
In-Reply-To: <9614bb350904301328o17f0e4f9sa1ef9b9fe6183630@mail.gmail.com>
References: <9645506d0904281211r3b24a8d4lb67e78268ab10381@mail.gmail.com> <49F9FF38.6080003@samba.org> <9614bb350904301328o17f0e4f9sa1ef9b9fe6183630@mail.gmail.com>
Message-ID: <49FA1DFA.2090503@samba.org>

Hi Ahmed,

Ahmed Abdallah wrote:
> Regarding the SOC, I know that it's intended for students only, does that
> mean the contribution from a non student on any of your SOC projects is not
> allowed ?
>
Significant contributions by others to the specific projects students are working is not allowed until after the SoC is over - the idea being that the student should do the work on the project himself/herself rather than having somebody else do it for them.

Of course, that doesn't mean it's not allowed for you to work on any of the same features that SoC students are working on, it just means that they won't be able to use your code. There's plenty of other interesting projects around Samba though that you could work on without overlap with any of the SoC projects.

This is at least what I remember from previous years. Kai, is that still right?

Cheers,

Jelmer