From canfield at uindy.edu Wed Apr 1 01:58:00 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <19980331021025Z12583384-24328+6628@samba.anu.edu.au>
Message-ID: <35219F28.B4D7D802@uindy.edu>

Just for clarification, does this mean that we no longer need to acquire
arcfour separately? I suspect it doesn't, but just thought I should check.

Thanks!

Andrew Tridgell wrote:

> Note that:
>
> 1) you don't need to compile with -DNTDOMAIN, that is now the default
> 2) you don't need any external code or libraries. All the necessary
>    code is built in.
>
> You still need to follow Luke's instructions on how to set this stuff
> up, which is why I'm particularly interested in hearing from people

From jallison at whistle.com Wed Apr 1 02:25:02 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <35219F28.B4D7D802@uindy.edu>
Message-ID: <3521A57E.284797A9@whistle.com>

Dana Canfield wrote:
>
> Just for clarification, does this mean that we no longer need to acquire
> arcfour separately? I suspect it doesn't, but just thought I should check.
>

Yes, it does mean you no longer need to acquire arcfour separately.

Jeremy Allison,
Samba Team.

From tridge at samba.anu.edu.au Wed Apr 1 03:00:16 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
In-Reply-To: <35219F28.B4D7D802@uindy.edu> (message from Dana Canfield on Tue, 31 Mar 1998 20:58:00 -0500)
References: <19980331021025Z12583384-24328+6628@samba.anu.edu.au> <35219F28.B4D7D802@uindy.edu>
Message-ID: <19980401030017Z12616068-24328+6880@samba.anu.edu.au>

> Just for clarification, does this mean that we no longer need to acquire
> arcfour separately?

that's right, you don't need to get arcfour separately.
Cheers, Andrew

From eparis at ven.ra.rockwell.com Wed Apr 1 04:08:06 1998
From: eparis at ven.ra.rockwell.com (Eloy A. Paris)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <3521A57E.284797A9@whistle.com>
Message-ID: <6fsej6$6ns$1@zeus.ven.ra.rockwell.com>

Jeremy Allison wrote:

: Yes, it does mean you no longer need to acquire arcfour
: separately.

And what about export restrictions in the US, do they still apply?

Thanks,

E.-

From tridge at samba.anu.edu.au Wed Apr 1 06:50:17 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
In-Reply-To: <6fsej6$6ns$1@zeus.ven.ra.rockwell.com> (eparis@ven.ra.rockwell.com)
References: <6fsej6$6ns$1@zeus.ven.ra.rockwell.com>
Message-ID: <19980401065024Z12587946-17352+7176@samba.anu.edu.au>

> : Yes, it does mean you no longer need to acquire arcfour
> : separately.
>
> And what about export restrictions in the US, do they still apply?

Jeremy and I believe that what is currently in the CVS tree is
exportable from the US. (yes, we have some legal reasons/opinions to
back that up but they are a bit complex to describe here).

What is in the tree is not a full arcfour implementation but it is
sufficient for the NT domain code. This means that the next major
release of Samba (ie. not just patch releases) will be able to do NT
domain logons "out of the box".

Cheers, Andrew

From jan.van.rensburg at epiuse.com Wed Apr 1 12:28:37 1998
From: jan.van.rensburg at epiuse.com (jan van rensburg)
Date: Tue Dec 2 02:23:55 2003
Subject: authentication
Message-ID: <352232F5.1B33A5DC@epiuse.com>

hi,

this is a very newbie question, if you'll excuse me. i'm fairly
unfamiliar with both samba and PAM for linux.
however, what i want to do is this:

set up a nt 4 server as a pdc

then i want to set up a linux box with samba as a file & mail server
(smtp/pop3/imap4)

i want the user names and password on the linux and nt machines to be
synched, and the best option i've come across is to use the pam module
for linux that does its authentication through the nt pdc.

i know that i'll still have to add the user names in /etc/passwd for the
pam module to work, but since i only have to do this once it's ok.

is this the best way to do it? and how do i set up the pam module?

i've done a `make` and get a pam_ntdom_auth.so executable, but what next?
where do i install the executable, and how do i let pam/linux know that
it should use that module for authentication.

i've read the documentation, but it looks like the documentation assumes
a basic knowledge of pam which i don't have.

thanks,
jan van rensburg

From bernard at zeus.rug.ac.be Wed Apr 1 08:17:33 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:23:55 2003
Subject: Getting Samba 1.9.18p4 and NTdomain support...
Message-ID:

Hi, here i'm back, sorry, ...

I just downloaded samba 1.9.18p4, and installed it. When i insert my old
smb.conf file, and do a testparm, then i get errors on the part where my
domain control is enabled:

    domain sid = 1-3-5-21-123-456-789.

The error is that it doesn't know the parameter "domain sid".

Then i checked NTDOMAIN, and there is stated that "p4" doesn't support
NTdomain.

Now, I've seen on this mailinglist that some people are able to get some
other (extra) source code (BRANCH NTDOM) through "cvs". The problem is
that i am behind a firewall, and i can't use cvs. Is there some way to
get 1.9.18p4 and the ntdomain source (as one or apart) through ftp? Or
can someone tell me where i can get the newest code of BRANCH_NTDOM
without "cvs"...
Thanks in advance

Bernard
bernard@zeus.rug.ac.be

--------------------------------------------------------------------------------
*** Make an idiot proof program, and someone will make a better idiot ***
-------------------------------------------------------------------------------

From heinig at hdz-ima.rwth-aachen.de Wed Apr 1 14:04:34 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:23:55 2003
Subject: Solution: "Could not update internal security to add machine to domain"
Message-ID: <35224972.76F5E13@hdz-ima.rwth-aachen.de>

Hi all,

Thanks to a sample smb.conf from Johan Hedin I've now got NT domain
logons on our Samba server.

In case anyone comes across the following message from NT (translated
from the German) whilst trying to connect the NT wks to the Samba
server:

    Could not update internal security. Could not add MACHINE to DOMAIN

The problem arose because I had got the domain sid wrong. I had
mistakenly put

    domain sid = 1-5-21-111-222-333-444
                 ^^^^

instead of

    domain sid = S-1-5-21-111-222-333-444
                 ^^^

ie. I forgot the S- at the beginning of the sid.

It might be worthwhile to put this in the FAQ. I don't know how many
other people made the same mistake.

cheers

Gerald

From lkcl at switchboard.net Wed Apr 1 14:12:12 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: Andrew Tridgell Sued by Microsoft!
In-Reply-To:
Message-ID:

andrew sued by microsoft is not news.

microsoft sued by andrew, _that's_ news :-)

From lkcl at switchboard.net Wed Apr 1 16:16:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: Solution: "Could not update internal security to add machine to domain"
In-Reply-To: <35224972.76F5E13@hdz-ima.rwth-aachen.de>
Message-ID:

gerald,

you want to limit the number of entries after the S-1-5-21 to 3. see
docs/NTDOMAIN.txt.
luke

On Wed, 1 Apr 1998, Gerald Heinig wrote:

> Hi all,
>
> Thanks to a sample smb.conf from Johan Hedin I've now got NT domain
> logons on our Samba server.
> In case anyone comes across the following message from NT (translated
> from the German) whilst trying to connect the NT wks to the Samba
> server:
>
> Could not update internal security. Could not add MACHINE to DOMAIN
>
> The problem arose because I had got the domain sid wrong. I had
> mistakenly put
>
> domain sid = 1-5-21-111-222-333-444
>              ^^^^
>
> instead of
>
> domain sid = S-1-5-21-111-222-333-444
>              ^^^
>
> ie. I forgot the S- at the beginning of the sid.
>
> It might be worthwhile to put this in the FAQ. I don't know how many
> other people made the same mistake.
>
> cheers
>
> Gerald
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From jallison at whistle.com Wed Apr 1 17:36:14 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <6fsej6$6ns$1@zeus.ven.ra.rockwell.com>
Message-ID: <35227B0D.2C67412E@whistle.com>

Eloy A. Paris wrote:
>
> And what about export restrictions in the US, do they still apply?
>

No, the implementation is not usable for anything other than
authentication, as is our des code. So export restrictions do not
apply, the code is free to be exported outside the USA.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cmwirun at comcept.com Wed Apr 1 20:05:07 1998
From: cmwirun at comcept.com (Corey M. Wirun)
Date: Tue Dec 2 02:23:55 2003
Subject: IPC password now req'd?
Message-ID: <01BD5D6E.D0ACC050@PIHOME>

Hello All,

I recently downloaded the latest 'main-stream' CVS repository for samba.
I compiled and installed it with no problem. Everything worked.
Even when I switched the NT4.0 WKS over to domain logins, it worked.

But (you knew that was coming), now nobody on the network, including the
samba machine can browse the shares on the machine. I see the machine in
the Network Neighborhood, but when I go deeper, it asks for a password
for IPC$. With normal 'workgroup' logins, I can browse the box, map
shares, etc., but not now. Running smbclient from the server says,
"Session setup failed ... - ERRnoaccess".

I do have the box's server service running. And I am able to browse
myself at the NT machine with no problems.

Does the samba PDC have something to do with share access to NT with
domain users logged in on?

Thanks in advance.

Corey.

From canfield at uindy.edu Thu Apr 2 01:30:39 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
Message-ID: <3522EA3E.A5E3161A@uindy.edu>

Just curious if this list will continue once the NTDOM is fully
integrated and tested with the main branch.

-Dana

From jallison at whistle.com Thu Apr 2 02:04:23 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
References: <3522EA3E.A5E3161A@uindy.edu>
Message-ID: <3522F227.102F11D5@whistle.com>

Dana Canfield wrote:
>
> Just curious if this list will continue once the NTDOM is fully
> integrated and tested with the main branch.
>

Oh yes - people using the code in the main branch are very much on the
'bleeding edge' (it doesn't even always compile, although the goal is
that it should :-).

This list should continue so people can scream at us when we break
something :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Thu Apr 2 04:29:08 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
In-Reply-To: <3522F227.102F11D5@whistle.com>
Message-ID:

On Thu, 2 Apr 1998, Jeremy Allison wrote:

> Dana Canfield wrote:
> >
> > Just curious if this list will continue once the NTDOM is fully
> > integrated and tested with the main branch.
> >
>
> Oh yes - people using the code in the main
> branch are very much on the 'bleeding edge'
> (it doesn't even always compile, although
> the goal is that it should :-).
>
> This list should continue so people can
> scream at us when we break something :-).
>

I whole-heartedly agree! :-)

j-

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                 Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                 - Sting "Message in a Bottle" ( 1979 )

From phgrau at mail.wi-bw.tfh-wildau.de Thu Apr 2 08:31:06 1998
From: phgrau at mail.wi-bw.tfh-wildau.de (Philipp Grau)
Date: Tue Dec 2 02:23:55 2003
Subject: unix passwd sync and nis
Message-ID: <19980402103106.08163@tampere>

Hello samba-dancers,

I have a bit trouble with the new passwd sync feature: Our samba server
(main branch) is not our YP/NIS server. So I tried to set the password
with smbpasswd on the samba server (encrypted passwords) and on the NIS
server.

I used the following settings and got the according error messages (the
only change is the "%u" in the passwd program line):

1) smb.conf:

    unix password sync = yes
    passwd program = /usr/bin/yppasswd %U
    passwd chat = *\n*old*password* %n\n *new*password* %n\n \
                  *new*password* %n\n *changed*

log.suumi:
----------------------
Dochild for user phgrau (uid=0,gid=0)
chatbuf=[* *old*password*]
responsebuf=[Changing NIS account information for phgrau on tampere.
Please enter root password:]
response 1 incorrect
Child failed to change password: phgrau
end of file from client
----------------------

Since I do the smbpasswd call as user "phgrau" why wants "yppasswd" the
root password?? Yes, I see the uid=0,gid=0 thing! I think it would be
better if the "Dochild" was done with the uid and gid of phgrau or???

2) smb.conf:

    unix password sync = yes
    passwd program = /usr/bin/yppasswd
    passwd chat = *\n*old*password* %n\n *new*password* %n\n \
                  *new*password* %n\n *changed*

log.suumi
----------------------
Dochild for user phgrau (uid=0,gid=0)
chatbuf=[* *old*password*]
responsebuf=[Unknown error
yppasswd: unknown user (uid=0).
]
response 1 incorrect
Child failed to change password: phgrau
end of file from client
----------------------

Here again the call of "Dochild" with uid,gid=0 is that ok?

Am I wrong with something?? Any hints??

\bye
Philipp Grau

--
-----------------------------------------------------------------------------
Philipp Grau, Sysadmin, Raum 123a, Tel. +49-3375 508-136,
phgrau@wi-bw.tfh-wildau.de in Wildau
---------------------------------------------The-Answer-is-42-!--------------

From lkcl at switchboard.net Thu Apr 2 11:14:14 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
In-Reply-To: <3522EA3E.A5E3161A@uindy.edu>
Message-ID:

i reckon. two options.

1) turn into a pseudo-admin ntdom-only sort-of list.
2) deal with nt 5.

by the way, i am fascinated to note that a large number of people on the
ntdom list are from educational establishments :-)

On Thu, 2 Apr 1998, Dana Canfield wrote:

> Just curious if this list will continue once the NTDOM is fully
> integrated and tested with the main branch.
>
> -Dana
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From eilhard at warstein.owl.de Thu Apr 2 12:46:41 1998
From: eilhard at warstein.owl.de (Holger Eilhard)
Date: Tue Dec 2 02:23:55 2003
Subject: User Administration
Message-ID: <01bd5e35$626d4d90$0200a8c0@bart.homenet.de>

Hi,

First I want to thank all the people who helped me to set up my PDC!

Now it runs, and I have trouble with the user security on my NT machine!
If I want to change the security of a file on my NTFS partition I can't
change it to a user on my PDC. The PDC just says that it can't get the
user list. Is this feature not available on Samba or is there a package
that enables this?

Thanks in advance!

Holger

--
Holger Eilhard - eilhard@warstein.owl.de - http://www.warstein.owl.de/~eilhard/
"Ich darf nicht ohne Anordnung Dinge zerlegen" - B. Simpson

From cartegw at Eng.Auburn.EDU Thu Apr 2 12:59:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: User Administration
In-Reply-To: <01bd5e35$626d4d90$0200a8c0@bart.homenet.de>
Message-ID:

On Thu, 2 Apr 1998, Holger Eilhard wrote:

> Hi,
>
> First I want to thank all the people who helped me to set up my PDC!
>
> Now it runs, and I have trouble with the user security on my NT machine!
> If I want to change the security of a file on my NTFS partition I can't
> change
> it to a user on my PDC. The PDC just says that it can't get the user list.
> Is this feature not available on Samba or is there a package that enables
> this?
>

You're correct. The feature is not available yet.

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                 Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                 - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Thu Apr 2 14:04:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: User Administration
In-Reply-To: <01bd5e35$626d4d90$0200a8c0@bart.homenet.de>
Message-ID:

On Thu, 2 Apr 1998, Holger Eilhard wrote:

> Hi,
>
> First I want to thank all the people who helped me to set up my PDC!
>
> Now it runs, and I have trouble with the user security on my NT machine!
> If I want to change the security of a file on my NTFS partition I can't
> change
> it to a user on my PDC. The PDC just says that it can't get the user list.
> Is this feature not available on Samba or is there a package that enables
> this?

hi holger,

it's something we will need to investigate: for sure, it's not currently
possible to view user lists at the moment: the dce/rpc calls aren't
supported, yet. we'll be adding them as/and/when, but definitely before
a major release.

luke

From canfield at uindy.edu Thu Apr 2 14:10:41 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
References:
Message-ID: <35239C61.A3245A67@uindy.edu>

In my case, it's because if we bought the Microsoft equivalents of all
the free software we use, we would have to fire several staff members!
And specifically here, the security and roaming profiles that are
offered by a primary domain controller and NT Workstation are what
administrators have been trying to kludge together in their labs for
years.

It's off topic, but I am piecing together a web site on how we've almost
completely become a free software campus (on the server side... desktops
are another story). I hope to have step-by-step instructions and
performance statistics, a lot of the scripts we have written, etc. If
anyone is interested in seeing it when I'm finished, drop me a line and
I'll mail you when it's done.

Dana

Luke Kenneth Casson Leighton wrote:

> i reckon. two options.
> 1) turn into a pseudo-admin ntdom-only sort-of
> list. 2) deal with nt 5.
>
> by the way, i am fascinated to note that a large number of people on the
> ntdom list are from educational establishments :-)
>
> On Thu, 2 Apr 1998, Dana Canfield wrote:
>
> > Just curious if this list will continue once the NTDOM is fully
> > integrated and tested with the main branch.
> >
> > -Dana
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba and Network Consultancy

From lkcl at switchboard.net Thu Apr 2 15:22:07 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
In-Reply-To: <35239C61.A3245A67@uindy.edu>
Message-ID:

On Fri, 3 Apr 1998, Dana Canfield wrote:

> In my case, it's because if we bought the Microsoft equivalents of all the free
>
> software we use, we would have to fire several staff members! And specifically
> here, the security
> and roaming profiles that are offered a primary domain controller and NT
> Workstation
> are what administrators have been trying to kludge together in their labs for
> years.
>
> It's off topic, but I am piecing together a web site on how we've almost
> completely become a free software campus (on the server side... desktops are
> another story). I hope to have step-by-step instructions and performance
> statistics, a lot of the scripts we have written, etc. If anyone is interested
> in seeing it when I'm finished, drop me a line and I'll mail you when it's
> done.

dana,

i have suggested to the other samba team people that we put such tools
and stuff on the main samba site. if you wanted to put your docs / tools,
with copyright notices / GPL or other license agreements attached as
appropriate, then we would be happy to do so.

i hate the "me-too" type postings so common to aol and compuserv...
luke

From jan.van.rensburg at epiuse.com Thu Apr 2 20:34:12 1998
From: jan.van.rensburg at epiuse.com (jan van rensburg)
Date: Tue Dec 2 02:23:55 2003
Subject: PAM-NTDOM huh?
Message-ID: <3523F644.CED244E8@epiuse.com>

hi,

i have some questions about the pam module. if this is not the right
place to ask "user support questions" tell me to bug off or ignore me.

scenario:
redhat5.0 which must do file sharing and mail:
with newest samba
with pam0.59

-did a make on pam_ntdom, and placed pam_ntdom_auth.so in
/lib/security

-created the /etc/pam_smb.conf as specified

-created a /etc/pam.d/imap file like this:
#%PAM-1.0

auth       required     /lib/security/pam_ntdom_auth.so
account    required     /lib/security/pam_ntdom_auth.so

-changed the /etc/pam.d/samba file like this:
auth       required     /lib/security/pam_ntdom_auth.so
account    required     /lib/security/pam_ntdom_auth.so

- i'll attach the /etc/smb.conf at the end of this message

nt4 server, domain pdc:
added the linux station under the nt server manager (but its name stayed
greyed out)

now, the problem is that i can't authenticate when i want to read my imap
mail, or even when i just want to map a nt drive from the samba shares.
i can't even "find" the samba machine from the nt machines. life sucks.

thanks,
jan van rensburg

---
/etc/smb.conf:
#======================= Global Settings =====================================
[global]
   workgroup = WISE
   server string = Bachus Samba Server
   hosts allow = 10.13.70.
   printcap name = /etc/printcap
   log file = /var/log/samba/log.%m
   max log size = 50
   security = server
   password server = wise-server.wise.co.za
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   socket options = TCP_NODELAY
   remote browse sync = 10.13.70.63
   remote announce = 10.13.70.63
   local master = no
   os level = 33
   domain controller = wise_server
   wins support = yes
   wins server = 10.13.70.66
   wins proxy = yes
   dns proxy = no
   preserve case = yes
   short preserve case = no
   default case = lower
   case sensitive = yes

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

From lkcl at switchboard.net Thu Apr 2 17:11:58 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: PAM-NTDOM huh?
In-Reply-To: <3523F644.CED244E8@epiuse.com>
Message-ID:

jan,

do you have access to Microsoft NetMonitor or to tcpdump? can you send
me a packet trace, please?

thanks,

luke

On Thu, 2 Apr 1998, jan van rensburg wrote:

> hi,
> i have some questions about the pam module. if this is not
> the right place to ask "user support questions" tell me to
> bug off or ignore me.
>
> scenario:
> redhat5.0 which must do file sharing and mail:
> with newest samba
> with pam0.59
>
> -did a make on pam_ntdom, and placed pam_ntdom_auth.so in
> /lib/security
>
> -created the /etc/pam_smb.conf as specified
>
> -created a /etc/pam.d/imap file like this:
> #%PAM-1.0
>
> auth       required     /lib/security/pam_ntdom_auth.so
> account    required     /lib/security/pam_ntdom_auth.so
>
> -changed the /etc/pam.d/samba file like this:
> auth       required     /lib/security/pam_ntdom_auth.so
> account    required     /lib/security/pam_ntdom_auth.so
>
> - i'll attach the /etc/smb.conf at the end of this message
>
> nt4 server, domain pdc:
> added the linux station under the nt server manager (but
> its name stayed greyed out)
>
> now, the problem is that i can't authenticate when i want to
> read my imap mail, or even when i just want to map a nt
> drive from the samba shares. i can't even "find" the samba
> machine from the nt machines. life sucks.
>
> thanks,
> jan van rensburg
>
> ---
> /etc/smb.conf:
> #======================= Global Settings
> =====================================
> [global]
>    workgroup = WISE
>    server string = Bachus Samba Server
>    hosts allow = 10.13.70.
>    printcap name = /etc/printcap
>    log file = /var/log/samba/log.%m
>    max log size = 50
>    security = server
>    password server = wise-server.wise.co.za
>    encrypt passwords = yes
>    smb passwd file = /etc/smbpasswd
>    socket options = TCP_NODELAY
>    remote browse sync = 10.13.70.63
>    remote announce = 10.13.70.63
>    local master = no
>    os level = 33
>    domain controller = wise_server
>    wins support = yes
>    wins server = 10.13.70.66
>    wins proxy = yes
>    dns proxy = no
>    preserve case = yes
>    short preserve case = no
>    default case = lower
>    case sensitive = yes
>
> #============================ Share Definitions
> ==============================
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
> [printers]
>    comment = All Printers
>    comment = All Printers
>    path = /var/spool/samba
>    browseable = no
> # Set public = yes to allow user 'guest account' to print
>    guest ok = no
>    writable = no
>    printable = yes
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From winadmin at osd.fau.edu Thu Apr 2 17:18:51 1998
From: winadmin at osd.fau.edu (Workstation Maintenance)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
In-Reply-To: <35239C61.A3245A67@uindy.edu>
Message-ID:

Hello,

I am extremely interested in the free software concept. I run an
Assistive Technology (speech output as well as input, large print, etc)
computer lab for students with disabilities at Florida Atlantic
University, and we're running a Linux server with samba. I am always
making sure that when I am gone whoever replaces me will be able to
function ok, and I'm getting the word that I should probably shut down
our server totally, or run an NT server because no one will be able to
run Unix. Maybe being able to control a samba PDC from an NT machine
(i.e. as close to an NT PDC as possible including the user management
and group management) will help bridge the gap, and I'm looking forward
to testing the code.
I am very "distressed" at the fact that they'd rather have no server at
all, or spend money on Microsoft when they don't have to, but I can see
their point also. . . How hard could it be to find a Unix-minded person
here - Not that hard. The position is not a standing position (would
close if I left) however and does not pay that well, which is where the
real problem comes in.

Sorry for rambling so much folks.

I would be very interested in seeing your webpage Dana,

Thanks,

Ivan Fetch

Earlier you wrote:

>In my case, it's because if we bought the Microsoft equivalents of all the
>free
>
>software we use, we would have to fire several staff members! And specifically
>here, the security
>and roaming profiles that are offered a primary domain controller and NT
>Workstation
>are what administrators have been trying to kludge together in their labs for
>years.
>
>It's off topic, but I am piecing together a web site on how we've almost
>completely become a free software campus (on the server side... desktops are
>another story). I hope to have step-by-step instructions and performance
>statistics, a lot of the scripts we have written, etc. If anyone is
>interested
>in seeing it when I'm finished, drop me a line and I'll mail you when it's
>done.
>
>Dana

From lkcl at switchboard.net Thu Apr 2 18:35:57 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: Will this list continue?
In-Reply-To:
Message-ID:

On Fri, 3 Apr 1998, Workstation Maintenance wrote:

> Hello,
> I am extremely interested in the free software concept. I run an Assistive
> Technology (speech output as well as input, large print, etc) computer lab
> for students with disabilities at Florida Atlantic University, and we're
> running a Linux server with samba.
> I am always making sure that when I am
> gone whoever replaces me will be able to function ok, and I'm getting the
> word that I should probably shut down our server totally, or run an NT
> server because no one will be able to run Unix. Maybe being able to
> control a samba PDC from an NT machine (i.e. as close to an NT PDC as
> possible including the user management and group management) will help
> bridge the gap, and I'm looking forward to testing the code. I am very
> "distressed" at the fact that they'd rather have no server at all, or spend
> money on Microsoft when they don't have to, but I can see their point also.
> . How hard could it be to find a Unix-minded person here - Not that
> hard. The position is not a standing position (would close if I left)
> however and does not pay that well, which is where the real problem comes
> in. Sorry for rambling so much folks.

ivan,

no problem. yes i intend to add code to do read-only admin of a samba
PDC from "user manager for domains". then to do read-write admin, which
_may_ require some input from microsoft, or failing that, some reverse
engineering (following the EC directives on reverse engineering to the
letter).

so, you can let your happy people know that it will be possible to
administer UNIX machines either through "User Manager for Domains" or
via an HTML interface (swat), at some point in the future.

luke

From dhamm at itserve.com Thu Apr 2 19:03:07 1998
From: dhamm at itserve.com (David Hamm)
Date: Tue Dec 2 02:23:55 2003
Subject: errors on nt domain controler
Message-ID:

On samba ver 1.9.17p2 RedHat 4.2 I have changed my config so I can
participate in the NT domain. Now on our NT domain server we are getting
the following error.

The master browser has received a server announcement from the computer DAVIDHSP
C that believes that it is the master browser for the domain on transport NetBT_
El90x1. The master browser is stopping or an election is being forced.
Below is a list of the config params from smb.conf that I think are
pertinent. I must be wrong though. Could anyone help?

   workgroup = itserve
   security = server
   password server = itadmin
   os level = 20
   ; domain master = no
   domain controller = itadmin
   domain logons = yes

------ David Hamm - dhamm@itserve.com --------

From lkcl at switchboard.net Thu Apr 2 20:06:28 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: errors on nt domain controler
In-Reply-To:
Message-ID:

david,

this is a standard samba admin question that is therefore best asked on
the samba@samba.anu.edu.au list.

luke

On Fri, 3 Apr 1998, David Hamm wrote:

> On samba ver 1.9.17p2 RedHat 4.2 I have changed my config so I can participate
> in the NT domain. Now on our NT domain server we are getting the following
> error.
>
> The master browser has received a server announcement from the computer DAVIDHSP
> C that believes that it is the master browser for the domain on transport NetBT_
> El90x1. The master browser is stopping or an election is being forced.
>
> Below is a list of the config params from smb.conf that I think are pertinent.
> I must be wrong though. Could anyone help?
>
>    workgroup = itserve
>    security = server
>    password server = itadmin
>    os level = 20
>    ; domain master = no
>    domain controller = itadmin
>    domain logons = yes
>
>
> ------ David Hamm - dhamm@itserve.com --------
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From dhamm at itserve.com Thu Apr 2 19:50:51 1998
From: dhamm at itserve.com (David Hamm)
Date: Tue Dec 2 02:23:55 2003
Subject: errors on nt domain controler
In-Reply-To:
Message-ID:

On 02-Apr-98 Luke Kenneth Casson Leighton wrote:
> david,
>
> this is a standard samba admin question that is therefore best asked on
> the samba@samba.anu.edu.au list.

Sorry. Thanks.
> luke
>
> On Fri, 3 Apr 1998, David Hamm wrote:
>
>> On samba ver 1.9.17p2 RedHat 4.2 I have changed my config so I can
>> participate in the NT domain. Now on our NT domain server we are getting
>> the following error.
>>
>> The master browser has received a server announcement from the computer
>> DAVIDHSPC that believes that it is the master browser for the domain on
>> transport NetBT_El90x1. The master browser is stopping or an election is
>> being forced.
>>
>> Below is a list of the config params from smb.conf that I think are
>> pertinent. I must be wrong though. Could anyone help?
>>
>> workgroup = itserve
>> security = server
>> password server = itadmin
>> os level = 20
>> ; domain master = no
>> domain controller = itadmin
>> domain logons = yes
>>
>>
>> ------ David Hamm - dhamm@itserve.com --------
>>
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba and Network Consultancy

------ David Hamm - dhamm@itserve.com --------

From jjorgens at bdsinc.com Thu Apr 2 20:45:13 1998
From: jjorgens at bdsinc.com (Jens B. Jorgensen)
Date: Tue Dec 2 02:23:55 2003
Subject: programming question: authenticating to a domain controller
Message-ID: <3523F8D9.99AF62A8@bdsinc.com>

Folks,

I'd like to add authentication into my program and I want to authenticate users to an NT domain controller. I used CVS to get the latest domain branch of the samba codebase and found that smbclient has an 'ntlogin' command. I figured if this works I could cut and paste code into my program. However, this code doesn't work. That is to say, ntlogin fails to log in. First I needed to add the computer to the domain, which I did. Even then I got back a wrong user or password status, ie 'NET_SAMLOGON: NT_STATUS_WRONG_PASSWORD'.
I tried compiling with RC4 support (linked against ssleay libs, generated my own 'arcfour' functions), without, and with DES support (which didn't compile for lack of a des_encrypt8 function which I couldn't see how to do even using the ssl des libs). Is this code supposed to work?

As a side note, I'm authenticating to an NT4.0 server machine and although I have enabled the logging of auth failures (and tested, they do indeed generate events) I *never* get a message in the event log about the login failure.

--
Jens B. Jorgensen
jjorgens@bdsinc.com

From lkcl at switchboard.net Thu Apr 2 21:38:57 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:55 2003
Subject: programming question: authenticating to a domain controller
In-Reply-To: <3523F8D9.99AF62A8@bdsinc.com>

yes it does work. you must first do the sub-command lsaquery, followed by the nltest (or ntlogin) command.

you do not need DES libraries; you will need http://mailhost.cb1.com/~lkcl/arcfour.c (in the BRANCH_NTDOM version, which you say you are using).

use a samba BRANCH_NTDOM server with debug level 20 to 30, because you will get nice pretty output in the log.smb file :-) alternatively, use NETMON on the nt server.

luke

On Fri, 3 Apr 1998, Jens B. Jorgensen wrote:

> Folks,
>
> I'd like to add authentication into my program and I want to
> authenticate users to an NT domain controller. I used CVS to get the
> latest domain branch of the samba codebase and found that smbclient has
> an 'ntlogin' command. I figured if this works I could cut and paste code
> into my program. However, this code doesn't work. That is to say,
> ntlogin fails to log in. First I needed to add the computer to the
> domain, which I did. Even then I got back a wrong user or password
> status, ie 'NET_SAMLOGON: NT_STATUS_WRONG_PASSWORD'.
> I tried compiling
> with RC4 support (linked against ssleay libs, generated my own 'arcfour'
> functions), without, and with DES support (which didn't compile for lack
> of a des_encrypt8 function which I couldn't see how to do even using the
> ssl des libs). Is this code supposed to work? As a side note, I'm
> authenticating to an NT4.0 server machine and although I have enabled
> the logging of auth failures (and tested, they do indeed generate
> events) I *never* get a message in the event log about the login
> failure.
>
> --
> Jens B. Jorgensen
> jjorgens@bdsinc.com
>
>

From cartegw at Eng.Auburn.EDU Thu Apr 2 21:54:44 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: errors on nt domain controller

On Fri, 3 Apr 1998, David Hamm wrote:

> On samba ver 1.9.17p2 RedHat 4.2 I have changed my config so I can participate
> in the NT domain. Now on our NT domain server we are getting the following
> error.
>
> The master browser has received a server announcement from the computer DAVIDHSPC
> that believes that it is the master browser for the domain on transport NetBT_El90x1.
> The master browser is stopping or an election is being forced.
>
> Below is a list of the config params from smb.conf that I think are pertinent.
> I must be wrong though. Could anyone help?
>
> workgroup = itserve
> security = server
> password server = itadmin
> os level = 20
> ; domain master = no
> domain controller = itadmin
> domain logons = yes

David,

You'll probably get more help on this type of issue from the normal samba list. Main purpose of this one is to deal with issues related to Samba acting as a PDC. However, if both the NT server and the samba server are on the same subnet try adding 'local master = no'.
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                         Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From ink at inconnu.isu.edu Thu Apr 2 22:39:11 1998
From: ink at inconnu.isu.edu (Craig Kelley)
Date: Tue Dec 2 02:23:55 2003
Subject: Free Networks
In-Reply-To: <19980402212547Z12632749-23598+8192@samba.anu.edu.au>

Dana wrote:

> It's off topic, but I am piecing together a web site on how we've almost
> completely become a free software campus (on the server side... desktops are
> another story). I hope to have step-by-step instructions and performance
> statistics, a lot of the scripts we have written, etc. If anyone is interested
> in seeing it when I'm finished, drop me a line and I'll mail you when it's
> done.

I have started one as well:

http://inconnu.isu.edu/~ink/new/links/computing/links/gront

We have been using samba for some years now; the NTDOMAIN branch seems to be progressing very well.

Many thanks,
Craig

Wheel is turning, but the hamster is dead.
Craig Kelley  -- kellcrai@isu.edu  http://www.isu.edu/~kellcrai
finger ink@inconnu.isu.edu for PGP block

From x7currie at lab2.cc.wmich.edu Thu Apr 2 23:03:53 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:23:55 2003
Subject: Problems finding Domain.
Message-ID: <35241959.F8867244@unix.cc.wmich.edu>

I am having difficulty locating a samba box across campus that is trying to act as a PDC. I can map a drive configured in the conf file and that works fine. If I try and do a Find Computer from the NT box I can only locate the Samba server if the drive is mapped. The samba server is acting as a WINS server, the NT box is using it as its WINS server. Also, when I do a Find Computer the location and comment field have some ASCII garbage after them.
I am using the latest CVS code from the main branch. The IP address of the server is xxx.xxx.112.20 and the IP of the client is xxx.xxx.113.63. The OS of the samba machine is Solaris 2.5.1.

I have placed a Redhat Linux box (that I have control over) with an IP of xxx.xxx.113.155 running Samba in my lab. I can map to the Linux box okay, but again I can only "Find" it when a drive is mapped. Neither of these computers shows up in the browse list. When I try and make the Linux box the PDC I get an error message telling me to have the admin check my computer account. When I try to use the Solaris machine I get an error message that I cannot even find the domain.

We had thought that there might be some routing issues, but we can browse other NT and 95 machines around campus so I am pretty sure that ports 137, 138, and 139 are not being blocked.

I am at a loss as to how to remedy any of this and would appreciate as much information as possible. If you need logs, anything please specify what I might need to look for.

Thanks,
Kevin Currie

From cartegw at Eng.Auburn.EDU Fri Apr 3 00:36:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: Problems finding Domain.
In-Reply-To: <35241959.F8867244@unix.cc.wmich.edu>

On Fri, 3 Apr 1998, Kevin Currie wrote:

> I am having difficulty locating a samba box across campus that is trying to
> act as a PDC. I can map a drive configured in the conf file and that works
> fine. If I try and do a Find Computer from the NT box I can only locate the
> Samba server if the drive is mapped. The samba server is acting as a WINS
> server, the NT box is using it as its WINS server. Also, when I do a Find
> Computer the location and comment field have some ASCII garbage after them.
> I am using the latest CVS code from the main branch. The IP address of the
> server is xxx.xxx.112.20 and the IP of the client is xxx.xxx.113.63. The OS
> of the samba machine is Solaris 2.5.1.
Does the Samba PDC work with machines on the same subnet? I am using the exact same configuration ( Solaris 2.5.1 running on an Ultra and latest main cvs branch code ) with no problems. Can you look at the $LOCKDIR/wins.dat files on the Samba pdc and make sure the NT client is actually registering with the wins server?

Are you using static DNS and WINS server entries on the NT box? There was a KB article I remember about DNS queries responding negatively before the real response from the PDC is received. My DNS and WINS server entries are assigned via DHCP.

Could you send a complete log.smb and log.nmb ( debug level about 20 )? Just send them directly to me if you want.

j-

From andre at lme.usp.br Fri Apr 3 13:26:22 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:55 2003
Subject: Questions about log files
Message-ID: <3.0.1.32.19980403102622.0094e330@ws10.lme.usp.br>

Hello,

I have some questions regarding the log files that are generated by samba, when running with debug level equal or above 3:

1. In my linux samba server, there are 2 nmbd daemons running, why ?

2. When the user connects to the PDC, one smbd process is spawned for this user, and the resulting smb log file is 'log.smb'. If other users connect, the smbd log file is the same ... Is it possible to generate separate log.smb files for each smbd daemon ?

3. After some time, the NT workstation log file becomes 'old' (extension .old) and another log begins ... What is the condition that triggers this behavior ?

TIA,

Andre Gerhard
Systems/Network administrator
Universidade de Sao Paulo - SP - Brazil

From cartegw at Eng.Auburn.EDU Fri Apr 3 14:04:04 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: Questions about log files
References: <3.0.1.32.19980403102622.0094e330@ws10.lme.usp.br>
Message-ID: <3524EC54.86CF0D8B@eng.auburn.edu>

Andre Gerhard wrote:
>
> Hello,
>
> I have some questions regarding the log files that are generated by
> samba, when running with debug level equal or above 3:
>
> 1. In my linux samba server, there are 2 nmbd daemons running, why ?

This was added in the 1.9.18alpha series first to prevent blocking DNS calls.

>
> 2. When the user connects to the PDC, one smbd process is spawned
> for this user, and the resulting smb log file is 'log.smb'. If
> other users connect, the smbd log file is the same ...
> Is it possible to generate separate log.smb files for each smbd
> daemon ?

log file = log.%U should do it for per user basis ( log file = log.%M will get a per machine basis )

> 3. After some time, the NT workstation log file becomes 'old'
> (extension .old) and another log begins ... What is the condition
> that triggers this behavior ?

"max log size =" parameter in [global] section. This defaults to 5Mb

j-

From jjorgens at bdsinc.com Fri Apr 3 19:58:58 1998
From: jjorgens at bdsinc.com (Jens B. Jorgensen)
Date: Tue Dec 2 02:23:55 2003
Subject: domain/share authen
Message-ID: <35253F82.F1B592B0@bdsinc.com>

What's the difference between a) connecting to an NT domain controller and authenticating for a connection to IPC$ and b) doing an actual NT login, other than extra info you might get back about the user account. I mean, they both would use the same user/password database, right? Or would it depend on whether security for the share was share/user?

--
Jens B. Jorgensen
jjorgens@bdsinc.com

From x7currie at lab2.cc.wmich.edu Fri Apr 3 18:14:45 1998
From: x7currie at lab2.cc.wmich.edu (CURRIE KEVIN)
Date: Tue Dec 2 02:23:56 2003
Subject: Problems finding Domain.

> Does the Samba PDC work with machines on the same subnet? I am using the
> exact same configuration ( Solaris 2.5.1 running on an Ultra and latest
> main cvs branch code ) with no problems. Can you look at the
> $LOCKDIR/wins.dat files on the Samba pdc and make sure the NT client is
> actually registering with the wins server?

Unfortunately we did not have any NT machines on that subnet. We got everything going though this morning. I think the big issue was that there were alignment problems w/ gcc. When the unix admin used Sun's C compiler everything took off. That would tend to explain the garbage we were getting in the location and comment strings.

However, we are now having trouble browsing anything other than the domain that samba is serving. This is a far less critical problem for us, but still rather annoying. Is there any way for samba to go scavenging across subnets to find other master browsers/wins servers and get their information?

> Are you using static DNS and WINS server entries on the NT box? There was
> a KB article I remember about DNS queries responding negatively before the
> real response from the PDC is received. My DNS and WINS server entries
> are assigned via DHCP.

WINS is static, DNS is bootp.

Thanks for the help...
Kevin

From Ed_Ponzini/Austin/IBM at us.ibm.com Sat Apr 4 07:12:33 1998
From: Ed_Ponzini/Austin/IBM at us.ibm.com (Ed_Ponzini/Austin/IBM@us.ibm.com)
Date: Tue Dec 2 02:23:56 2003
Subject: Problems finding Domain.
Message-ID: <5010060003286388000002L682*@MHS>

Status Distribution   April 03, 1998 23:50:11

The message regarding "Re: Problems finding Domain."
sent on April 03, 1998 23:50:11 was sent by

Status Recipient
  Type: To
  Native Name: samba-ntdom@samba.anu.edu.au
  Foreign Native Name: samba-ntdom@samba.anu.edu.au\n\n\nINTERNET

Recipients Status Reporters
  Type: From
  Name Domain: NOTES
  Native Name: CN=Ed Ponzini/OU=Austin/O=IBM@IBMLMS01
  Foreign Native Name: CN=Ed Ponzini/OU=Austin/O=IBM\nIBMLMS01\n\n
  Organization: IBM
  Org Unit 1: Austin
  Last Name: Ponzini
  First Name: Ed
  Status: 769
  Explanation: Invalid recipient
  X.400 Status: 769
  Explanation: User Ed Ponzini/Austin/IBM not listed in public Name & Address Book

From Ed_Ponzini/Austin/IBM at us.ibm.com Sat Apr 4 07:12:36 1998
From: Ed_Ponzini/Austin/IBM at us.ibm.com (Ed_Ponzini/Austin/IBM@us.ibm.com)
Date: Tue Dec 2 02:23:56 2003
Subject: domain/share authen
Message-ID: <5010060003286400000002L602*@MHS>

Status Distribution   April 03, 1998 23:50:02

The message regarding "domain/share authen" sent on April 03, 1998 23:50:02 was sent by

Status Recipient
  Type: To
  Native Name: samba-ntdom@samba.anu.edu.au
  Foreign Native Name: samba-ntdom@samba.anu.edu.au\n\n\nINTERNET

Recipients Status Reporters
  Type: From
  Name Domain: NOTES
  Native Name: CN=Ed Ponzini/OU=Austin/O=IBM@IBMLMS01
  Foreign Native Name: CN=Ed Ponzini/OU=Austin/O=IBM\nIBMLMS01\n\n
  Organization: IBM
  Org Unit 1: Austin
  Last Name: Ponzini
  First Name: Ed
  Status: 769
  Explanation: Invalid recipient
  X.400 Status: 769
  Explanation: User Ed Ponzini/Austin/IBM not listed in public Name & Address Book

From tridge at samba.anu.edu.au Sat Apr 4 10:39:35 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:23:56 2003
Subject: bounced mail
References: <5010060003286400000002L602*@MHS>
Message-ID: <19980404103936Z12584006-399+119@samba.anu.edu.au>

I've fixed the bouncing mail problem from the IBM site by putting a block in place.

Cheers, Andrew

From cartegw at Eng.Auburn.EDU Sat Apr 4 13:53:52 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: Problems finding Domain.
On Sat, 4 Apr 1998, CURRIE KEVIN wrote:

> However, we are now having trouble browsing anything other than
> the domain that samba is serving. This is a far less critical problem for
> us, but still rather annoying. Is there any way for samba to go scavenging
> across subnets to find other master browsers/wins servers and get their
> information?

I've CC'd this message to the regular samba list. More of a browsing issue. Might want to look at "remote announce" in the smb.conf man page. I seem to remember something about this parameter being outdated though. Could someone help me out on this one?

j-

From lkcl at switchboard.net Sat Apr 4 15:53:03 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: domain/share authen
In-Reply-To: <35253F82.F1B592B0@bdsinc.com>

On Sat, 4 Apr 1998, Jens B. Jorgensen wrote:

> What's the difference between a) connecting to an NT domain controller
> and authenticating for a connection to IPC$ and b) doing an actual NT
> login, other than extra info you might get back about the user account.

jens,

an NT login _is_ authentication using a connection to IPC$ (note the change of wording).

the question i think you are asking is, what is the difference between connecting anonymously to IPC$ and then doing a SAMLOGON, and doing a SMBsesssetupX with the username/password/domain?

the answer (and i can only speculate here from what documentation is available publicly) is, nothing. the username/password/domain from the SAMLOGON is passed to the SAM "local security authority", and the username/password/domain from the SMBsessetupX is _also_ passed to the SAM LSA.
or to the Netware LSA, if you have that installed.

> I mean, they both would use the same user/password database, right? Or

yes.

> would it depend on whether security for the share was share/user?

yes. but i've never bothered with share level security (i don't like it) so i wouldn't be able to even describe the difference to you, technically!

luke

From lkcl at switchboard.net Sat Apr 4 15:57:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Problems finding Domain.

On Sat, 4 Apr 1998, CURRIE KEVIN wrote:

>
> > Does the Samba PDC work with machines on the same subnet? I am using the
> > exact same configuration ( Solaris 2.5.1 running on an Ultra and latest
> > main cvs branch code ) with no problems. Can you look at the
> > $LOCKDIR/wins.dat files on the Samba pdc and make sure the NT client is
> > actually registering with the wins server?
>
> Unfortunately we did not have any NT machines on that subnet. We
> got everything going though this morning. I think the big issue was that
> there were alignment problems w/ gcc. When the unix admin used Sun's C
> compiler everything took off. That would tend to explain the garbage we
> were getting in the location and comment strings.

interesting. i had a similar but less obvious problem with HPUX 10.x's compiler: had to compile with +DAportable.

> However, we are now having trouble browsing anything other than
> the domain that samba is serving. This is a far less critical problem for
> us, but still rather annoying. Is there any way for samba to go scavenging
> across subnets to find other master browsers/wins servers and get their
> information?

there are responses on this issue in the cifs archives. briefly, it's an outstanding issue that can be dealt with. you change the NetServerEnum2 response to always include the workgroups that you want other machines to see.
luke

From lkcl at switchboard.net Sat Apr 4 16:18:13 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Problems finding Domain.

On Sat, 4 Apr 1998, Gerald W. Carter wrote:

> On Sat, 4 Apr 1998, CURRIE KEVIN wrote:
>
> > However, we are now having trouble browsing anything other than
> > the domain that samba is serving. This is a far less critical problem for
> > us, but still rather annoying. Is there any way for samba to go scavenging
> > across subnets to find other master browsers/wins servers and get their
> > information?
>
> I've CC'd this message to the regular samba list. More of a browsing
> issue. Might want to look at "remote announce" in the smb.conf man page.
> I seem to remember something about this parameter being outdated though.
> Could someone help me out on this one?

the remote announce option is a... pain in the neck, shall we say?

jerry, i think you might be right: i think it _could_ be used to achieve the desired results. it could equally be used incorrectly, and i would only advise people to use this option if they fully understand microsoft browsing.

luke

From lkcl at switchboard.net Sun Apr 5 12:34:48 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Mapping of RIDs to uid_t and gid_t

could the people on the samba nt domains list please review the above-named thread in the samba-technical archives (http://samba.anu.edu.au/listproc/samba-technical, select "thread"), as if you have both unix and nt background, or just mainly nt background, then your input / approval would be invaluable and appreciated.

thank you!
luke

From jem at condor.com.au Mon Apr 6 03:57:56 1998
From: jem at condor.com.au (Jem Atahan)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
Message-ID: <01bd6110$2ea777a0$30e102cb@aaaaargh.condor.com.au>

Hi all,

I have been doing battle with NTDOM on a Solaris 2.6 Sparc 2 for a couple of days now. I am using the main CVS branch (which I got initially on Apr 1, and refreshed today Apr 6).

I have followed the NTDOMAIN.txt with the exception of step 3, where I ran the command smbpasswd -a -m BUG (the client's name is BUG). Encrypted passwords seem to be working fine for simple filesharing.

When BUG (NT4 SP3) tries to join the domain, it gets "The machine account for this computer either does not exist or is not accessible." I have set the debug level to 20 and pored through the results, but I am unable to find an obvious error condition. To summarise the machine seems to connect to IPC$ as guest, do an LSA_OPENPOLICY, two LSA_QUERYINFOPOLICY with SID=S-1-5-21-123-456-789-123, and one LSA_CLOSE.

I have not included any logs as they are large, and I am unaware which bits are relevant.

I have not seen any reference to NTDOM working on Solaris, let alone 2.6. Should this work? If anyone else has got this combination to work, do they have any tips for me?

Failing that, can anyone make any helpful suggestions?

Thanks...

From svinto at ita.chalmers.se Mon Apr 6 05:28:44 1998
From: svinto at ita.chalmers.se (Svante Sormark)
Date: Tue Dec 2 02:23:56 2003
Subject: SIDs of local groups (fwd)

This was posted to NT-Bugtraq yesterday. Maybe it is old news...
-----------------------------------------------------------------------
| Svante Sörmark  | Chalmers IT-avdelning   | S-412 96 GBG Sweden   |
-----------------------------------------------------------------------
| 0707 53 83 36   | svante@ita.chalmers.se  | www.ita.chalmers.se   |
-----------------------------------------------------------------------

---------- Forwarded message ----------
Date: Sun, 5 Apr 1998 20:44:23 +0400
From: Evgenii Borisovich Rudnyi
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: SIDs of local groups

The Knowledge Base article Q163846 of 12-05-1997 "SID Values For Default Windows NT Installations" states that SID values for local groups are as follows

    BUILTIN\ADMINISTRATORS       S-1-2-32-544
    BUILTIN\USERS                S-1-2-32-545
    BUILTIN\GUESTS               S-1-2-32-546
    BUILTIN\ACCOUNT OPERATORS    S-1-2-32-548
    BUILTIN\SERVER OPERATORS     S-1-2-32-549
    BUILTIN\PRINT OPERATORS      S-1-2-32-550
    BUILTIN\BACKUP OPERATORS     S-1-2-32-551
    BUILTIN\REPLICATOR           S-1-2-32-552

Interestingly enough that GETSID from the NT Resource Kit confirms this from several NT boxes I have tried it on.

However, I could not reproduce this with WIN32 function LookupAccountName. The latter shows that SIDs above are erroneous and they should look like

    BUILTIN\ADMINISTRATORS       S-1-5-32-544
    BUILTIN\USERS                S-1-5-32-545
    ...

This also can be confirmed by watching binary values in SAM and by employing WIN32 functions AllocateAndInitializeSid and LookupAccountSid. If SID S-1-5-32-544 is generated then LookupAccountSid tells us that it belongs to BUILTIN\ADMINISTRATORS. However, if SID S-1-2-32-544 is put in, then the answer is that the account for this SID does not exist.

The question is whether this is the error in documentation (and in GETSID, it looks like that its authors did not employ WIN32 API), or there are some sophisticated security implications.
Evgenii Rudnyi
--
Chemistry Department       rudnyi@comp.chem.msu.su
Moscow State University    http://www.chem.msu.su/~rudnyi/welcome.html
119899 Moscow              +(095)939 5452, fax +(095)932 8846, +(095)939 1205
Russia

From heinig at HDZ-IMA.RWTH-Aachen.de Mon Apr 6 20:17:47 1998
From: heinig at HDZ-IMA.RWTH-Aachen.de (heinig)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
References: <01bd6110$2ea777a0$30e102cb@aaaaargh.condor.com.au>
Message-ID: <3529386B.2088@HDZ-IMA.RWTH-Aachen.de>

Jem Atahan wrote:
>
> Hi all,
>
> I have been doing battle with NTDOM on a Solaris 2.6 Sparc 2 for a couple of
> days now. I am using the main CVS branch (which I got initially on Apr 1,
> and refreshed today Apr 6).
>
> I have followed the NTDOMAIN.txt with the exception of step 3, where I ran
> the command smbpasswd -a -m BUG (the client's name is BUG). Encrypted
> passwords seem to be working fine for simple filesharing.
>
> When BUG (NT4 SP3) tries to join the domain, it gets "The machine account
> for this computer either does not exist or is not accessible." I have set
> the debug level to 20 and pored through the results, but I am unable to find
> an obvious error condition. To summarise the machine seems to connect to
> IPC$ as guest, do an LSA_OPENPOLICY, two LSA_QUERYINFOPOLICY with
> SID=S-1-5-21-123-456-789-123, and one LSA_CLOSE.
>
> I have not included any logs as they are large, and I am unaware which bits
> are relevant.
>
> I have not seen any reference to NTDOM working on Solaris, let alone 2.6.
> Should this work? If anyone else has got this combination to work, do they
> have any tips for me?
>
> Failing that, can anyone make any helpful suggestions?
>
> Thanks...

Hi Jem,

Your error message sounds rather familiar: if I translate it into the german (we're running the kraut-ised version of NT 4.0 SP3) it sounds like what I got. I've got a similar set-up to you - Solaris 2.6 on a SPARCstation 20 with NT 4.0 SP3.
Try having a look at your network settings, in particular your netmask. I found that my netmask on the Solaris box was set to 255.255.0.0 whereas the NT machine had 255.255.255.0 (which is correct). Instead of complaining, NT's networking just behaved rather strangely - sometimes it found Samba on the network, sometimes it couldn't be bothered... When I changed the netmask on the SPARCstation to what it should be (ie. 255.255.255.0) the problems went away and we've now got a running configuration with domain logons.

By the way, if I may ask a rude question: you have remembered to add a machine account to your smbpasswd file, haven't you? ie.

    MACHINE$:123:MACHINE_NMB_PASSWD:MACHINE_NT_PASSWD:0080::

OK. That's my ha'penny's worth... Hope it helps

Gerald

From lkcl at switchboard.net Mon Apr 6 13:17:24 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: SIDs of local groups (fwd)

On Mon, 6 Apr 1998, Svante Sormark wrote:

>
> This was posted to NT-Bugtraq yesterday. Maybe it is old news...

oops - i cross-posted it, too, but to samba-technical!

no, it's relevant news to the uid/gid thread. thank you, svante!

luke

From lkcl at switchboard.net Mon Apr 6 13:32:06 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
In-Reply-To: <3529386B.2088@HDZ-IMA.RWTH-Aachen.de>

On Mon, 6 Apr 1998, heinig wrote:

> Jem Atahan wrote:
> >
> > Hi all,
> >
> > I have been doing battle with NTDOM on a Solaris 2.6 Sparc 2 for a couple of
> > days now. I am using the main CVS branch (which I got initially on Apr 1,
> > and refreshed today Apr 6).
> >
> > I have followed the NTDOMAIN.txt with the exception of step 3, where I ran
> > the command smbpasswd -a -m BUG (the client's name is BUG). Encrypted
> > passwords seem to be working fine for simple filesharing.
> >
> > When BUG (NT4 SP3) tries to join the domain, it gets "The machine account
> > for this computer either does not exist or is not accessible." I have set
> > the debug level to 20 and pored through the results, but I am unable to find
> > an obvious error condition. To summarise the machine seems to connect to
> > IPC$ as guest, do an LSA_OPENPOLICY, two LSA_QUERYINFOPOLICY with
> > SID=S-1-5-21-123-456-789-123, and one LSA_CLOSE.
> >
> > I have not included any logs as they are large, and I am unaware which bits
> > are relevant.
> >
> > I have not seen any reference to NTDOM working on Solaris, let alone 2.6.
> > Should this work? If anyone else has got this combination to work, do they
> > have any tips for me?
> >
> > Failing that, can anyone make any helpful suggestions?
> >
> > Thanks...
>
> Hi Jem,
>
> Your error message sounds rather familiar: if I translate it into the german (we're running the
> kraut-ised version of NT 4.0 SP3) it sounds like what I got.
> I've got a similar set-up to you - Solaris 2.6 on a SPARCstation 20 with NT 4.0 SP3.
>
> Try having a look at your network settings, in particular your netmask. I found that my netmask on
> the Solaris box was set to 255.255.0.0 whereas the NT machine had 255.255.255.0 (which is
> correct). Instead of complaining, NT's networking just behaved rather strangely - sometimes it
> found Samba on the network, sometimes it couldn't be bothered...
> When I changed the netmask on the SPARCstation to what it should be (ie. 255.255.255.0) the
> problems went away and we've now got a running configuration with domain logons.

gerald, thanks for this.

jem, if you have tcpdump or netmonitor, you will be able to detect and analyse such problems.

jerry (carter!), can you add this one into your FAQ? that's two people in the last few weeks with mis-configured subnet masks.
this is the most common problem that another large CIFS vendor had, so much so that they put in code to disconnect the network at installation time and reconnect with various subnet masks looking for incorrectly configured Win95 and NT machines!

> By the way, if I may ask a rude question: you have remembered to add a machine account to your smbpasswd file, haven't you? ie.
>
> MACHINE$:123:MACHINE_NMB_PASSWD:MACHINE_NT_PASSWD:0080::

yes jem had, by using the new option "-m": smbpasswd -a -m MACHINE_NAME.

luke

From lkcl at switchboard.net Mon Apr 6 15:37:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Mapping of RIDs to uid_t and gid_t
In-Reply-To: <3528E60F.2D622D31@canada.sun.com>
Message-ID:

On Tue, 7 Apr 1998, David Collier-Brown wrote:

> I wrote:
> >
> > If true, we have two number lines like this where the x's
> > indicate unix uid's are (probabilistically) present
> >
> > Uid   |xxxx xxxxxxxxxxx xx xx      |       x  xx            |
> >       +---------------------------+---------------------------+
> >       |   |    |                 n-1                          n
> >       0  100  1000               2                            2
> >
> > NT RID
> >       |                           |                           |
> >       +---------------------------+---------------------------+
> >       |                          n-1                          n
> >       0                          2                            2
> >
> > If we fold the negative numbers down adjacent to the uids,
> > this only requires us to fold a smallish range plus four
> > bits of attributes into a quite large range.
>
> Concrete proposal A:
> 1) treat -1, -2 and any friends as special cases
> and map them to 1, 2, ...

dave,

which domain is being mapped to which? -1 unix uid being mapped to 1 nt RID? if so, you cannot do this: the NT RIDs from 1 to 0x1ff i have never seen used (anyone know what they are for?)

NT splits RIDs into ranges. it would be useful to know exactly what those ranges are. anyone got any sources of info on this?
> Concrete proposal B:
> If and only if you don't need to know if the number
> represents user group or whatever, map groups into
> a range following the small negative numbers, and
> use 2**32 - n digits to represent 2**32 digits. In
> this case n is (number of groups + number of negative
> uids).

i think that the purpose of jeremy / andrew's proposal was to come up with a scheme that easily identifies an NT RID as a group or user RID, given that both are in the same number space. i think NT does something similar, and the numbers wrap around using some of the lower bits to identify users from groups:

- jeremy / andrew propose top four bits to identify groups, users, trust accounts and inter-domain-trusted users.

- NT uses, oh, i don't know, bits 10 and 11 to identify groups from users.

why do we need to identify inter-domain-trusted users by only the NT RID (or are we), and why do we need to give them their own UNIX uid/gid? the scheme suggested by jeremy/andrew implies that we are going to allow users which actually should be identified fully by their own SID _plus_ their NT RID access to another unix machine. hm. this implies that the smbpasswd scheme might be a bit limited. hm. inter-domain-trusted users have their own SID+RID, which at present we do not store anywhere. hm.

i know i'm the one that brought the subject up, but can we leave this one for now until more info is available, and just deal with a single domain?

luke

From martin at cs.york.ac.uk Mon Apr 6 14:52:46 1998
From: martin at cs.york.ac.uk (Martin Atkins)
Date: Tue Dec 2 02:23:56 2003
Subject: Domain groups, etc
Message-ID: <01BD6174.0B9B7540@pc001.cs.york.ac.uk>

Hello,

I've got a copy of the latest "HEAD" branch of samba running as a PDC, it seems to work fine... I think, except :-) ...!

1) Is there any description of how to set up groups with "domain groups"? There is a short description in the NTDOMAIN branch of smb.conf.5 (BTW: this doesn't appear to have made it to the HEAD branch!)
which refers to "group ids" - where do these come from? Are they derived from the group SID (earlier messages today have pointed out getsid, etc)? And how do you say which users are in each group? Is there an example smb.conf which contains examples of all the PDC stuff? (I want my users to be "power users" - otherwise they can do anything useful!)

2) The docs say that "if there is a 20 second delay before the login screen appearing, then you might have problems". Well, I have a delay - sometimes - but everything else seems to work. Do I have a problem, or not? How do I know :-) ?

Thanks in advance - Great work guys!

Martin

PS I saw a previous message where it was asked what exactly "domain admins" does. I believe that it makes the user a local admin, since when I turned it on, all the files I created were owned by "administrators". Does a network admin also have this strange liability?

From cartegw at Eng.Auburn.EDU Mon Apr 6 15:48:56 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
References:
Message-ID: <3528F968.B9F64D9A@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> jerry (carter!),
>
> can you add this one into your FAQ? that's two people in the last few
> weeks with mis-configured subnet masks. this is the most common problem
> that another large CIFS vendor had, so much so that they put in code to
> disconnect the network at installation time and reconnect with various
> subnet masks looking for incorrectly configured Win95 and NT machines!
>
> luke

Will do.

One more question regarding the FAQ. I know there are a few issues left to resolve with merging the BRANCH_NTDOM and MAIN samba code ( smbclient is the only one I can think of right now ). For this reason I have held off changing the information about downloading the latest source code via cvs.

When do you want to change the reference from BRANCH_NTDOM to the main samba branch?
j-

________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                         jerry@eng.auburn.edu
                                          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Mon Apr 6 16:44:39 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
In-Reply-To: <3528F968.B9F64D9A@eng.auburn.edu>
Message-ID:

On Mon, 6 Apr 1998, Gerald W. Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > jerry (carter!),
> >
> > can you add this one into your FAQ? that's two people in the last few
> > weeks with mis-configured subnet masks. this is the most common problem
> > that another large CIFS vendor had, so much so that they put in code to
> > disconnect the network at installation time and reconnect with various
> > subnet masks looking for incorrectly configured Win95 and NT machines!
> >
> > luke
>
> Will do.

ta!

> One more question regarding the FAQ. I know there are a few issues left
> to resolve with merging the BRANCH_NTDOM and MAIN samba code ( smbclient
> is the only one I can think of right now ). For this reason I have held
> off changing the information about downloading the latest source code
> via cvs.

hm. the BRANCH_NTDOM version of smbclient is really only for test purposes / other purposes, although there are some topological changes that i _really_ don't want to see lost. if anyone wants to do nt login tests, or write some awk or perl scripts (update smb2www for example) then use (at the moment) BRANCH_NTDOM smbclient. otherwise, use the main branch version.

> When do you want to change the reference from BRANCH_NTDOM to the main
> samba branch?

oh, about now would do :)

ta jerry!
luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From jem at condor.com.au Tue Apr 7 05:08:14 1998
From: jem at condor.com.au (Jem Atahan)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
Message-ID: <01bd61e3$2b453bf0$30e102cb@aaaaargh.condor.com.au>

> Hi Jem,
>
> Your error message sounds rather familiar: if I translate it into German (we're running the kraut-ised version of NT 4.0 SP3) it sounds like what I got.
> I've got a similar set-up to you - Solaris 2.6 on a SPARCstation 20 with NT 4.0 SP3.
> Try having a look at your network settings, in particular your netmask. I found that my netmask on the Solaris box was set to 255.255.0.0 whereas the NT machine had 255.255.255.0 (which is correct). Instead of complaining, NT's networking just behaved rather strangely - sometimes it found Samba on the network, sometimes it couldn't be bothered...
> When I changed the netmask on the SPARCstation to what it should be (ie. 255.255.255.0) the problems went away and we've now got a running configuration with domain logons.

Hmm, the netmasks on each of the machines match. The NT machine is using a statically assigned IP address and netmask. I haven't set any other settings.

> By the way, if I may ask a rude question: you have remembered to add a machine account to your smbpasswd file, haven't you? ie.
>
> MACHINE$:123:MACHINE_NMB_PASSWD:MACHINE_NT_PASSWD:0080::

I ran the smbpasswd -a -m BUG command which inserted a similar line in private/smbpasswd. The 0080 field had changed to [W], and the userid was improbably large (I tried substituting another valid uid).

As far as I can tell, the basic IP connectivity is OK. I can't join the domain, however. Does anyone have a lvl 20 log from a successful domain connection they could send me for comparison, as I'm not sure what my logs are telling me...
thanks

From daniel at cibercafe.pt Tue Apr 7 08:57:50 1998
From: daniel at cibercafe.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
In-Reply-To: <3.0.3.32.19980318143801.00824e90@bioserve.biochem.latrobe.edu.au>
Message-ID:

Hi all,

I was trying the new passwd sync option to change the users' passwords from the NT workstations but I don't seem to get it to work.

Yes, I compiled with the -DALLOW_CHANGE_PASSWORD.

(* Big note here - In the sources there's a comment referring to this flag as -DALLOW_PASSWORD_CHANGE which led me into some confusion at first *)

line 33 of chgpasswd.c:

 * This routine is called by set_user_password() in password.c only if ALLOW_PASSWORD_CHANGE
 * is defined in the compiler directives located in the Makefile.

line 54 of chgpasswd.c:

#ifdef ALLOW_CHANGE_PASSWORD

(* Cross-post this to samba-bugs? *)

Yes, I checked the passwd chat option (had to hack and recompile under a new name the passwd program from the shadow suite, for it not to be picky with the passwords)

passwd program = /usr/local/bin/ch_passwd %u (Tried %U also)
passwd chat = *\n*Old password* %o\n *New password* %n\n Re-enter new password* %n\n *changed*

What I found strange was that none of the DEBUG messages in the chgpasswd.c appeared in the logfiles (Yes, my syslog level was high enough - tried 3, 20, 50) - nothing.

Also, can you tell me why they say it only works in *some* systems? Does this have to do with the NTs or the Samba PDC?

I have Slackware 3.4 - kernel 2.0.33 - samba by CVS main branch. Clients run NT 4 SP3.

I can supply you with all the confs and logs, but didn't think it to be necessary, due to the explanation presented.

I hope someone can shed some light on the matter, because I won't waste another day before I turn to my old clean poppasswd/Eudora way of changing the passwords for the users.
Let me just state again what a wonderful job you guys are doing, and how eager I am to finish these configurations and start helping on the main thing.

Thanx in advance,

Daniel Fonseca - daniel@cibercafe.pt
SysAdmin for Cibercafe' - http://www.cibercafe.pt
Cibercafe - *Your* Internet Cafe' in Oporto

From cartegw at Eng.Auburn.EDU Tue Apr 7 12:47:22 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
References:
Message-ID: <352A205A.46B4DBDA@eng.auburn.edu>

Daniel Fonseca wrote:
>
> Hi all,
>
> I was trying the new passwd sync option to change the users'
> passwords from the NT workstations but I don't seem to get it
> to work.
>

From release notes on 1.9.18p4...

<....snip>

Samba now supports Windows 95 clients changing both their SMB and UNIX passwords. Samba must be set up with encrypted passwords for this to work correctly. See the file docs/ENCRYPTION.txt and the list of new parameters in the release notes below for details.

Samba can also now change Windows NT user passwords from a UNIX machine. Read the documentation of the command smbpasswd for details on how to change an NT user password from a UNIX machine with Samba installed.

Daniel,

Couple of things. This issue doesn't really have to do with using samba as a PDC which is really more or less the purpose of this list. You'll probably get more help from the normal Samba list. I know there have been several recent threads on password changing issues.

Second thing ( and I am only going from the release docs ), the password sync ability is provided from Windows 95 clients ( not NT ). The ability to change NT user passwords from a UNIX box is provided through smbpasswd.
Hope this helps,

j-

From daniel at cibercafe.pt Tue Apr 7 12:11:10 1998
From: daniel at cibercafe.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
In-Reply-To: <352A20AD.76E0FE8C@eng.auburn.edu>
Message-ID:

On Tue, 7 Apr 1998, Gerald W. Carter wrote:

> Daniel,
>
> One more thing I forgot to mention, the BRANCH_NTDOM ( and recent merge
> with the main branch does not support password changing from an NT
> client yet. Paul Aston was working on it but I am not sure of the
> latest status of it.
>

Thanks for all your help (as always)!!!

No problem, I will use the poppassd feature of Eudora so that *all* clients can change their password (no unix shells for any of them) with the same method. If anyone else has this problem just mail me for the modified sources (poppassd w/ smbpasswd extensions + modified shadow suite to talk properly to poppassd).

Do you know when or how we can see the status for the changing of the password from the NT clients? The docs don't seem clear on this issue.

Thanx again,

Daniel Fonseca - daniel@cibercafe.pt

From cartegw at Eng.Auburn.EDU Tue Apr 7 14:20:05 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
References:
Message-ID: <352A3615.E9AB5944@eng.auburn.edu>

Daniel Fonseca wrote:
>
> Do you know when or how we can see the status for the changing of
> the password from the NT clients? The docs don't seem clear on this
> issue.

I would check the samba-ntdom list archives for threads on this. I am trying to get a TODO / status list up on the web soon. Just had some other pressing matters ( as usual ). :-)

j-

From lkcl at switchboard.net Tue Apr 7 16:12:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: Samba NTDOM under solaris 2.6
Message-ID:

oops - samba post office rejected the message. i'll move the log file to http://www.cb1.com/~lkcl/tmp/log.knight, ok?

---------- Forwarded message ----------
Date: Tue, 7 Apr 1998 17:06:44 +0100 (BST)
From: Luke Kenneth Casson Leighton
To: Multiple recipients of list , Jem Atahan
Subject: Re: Samba NTDOM under solaris 2.6

> Does anyone have a lvl 20 log from a successful domain connection they could
> send me for comparison, as I'm not sure what my logs are telling me...

he he. here you go. a new user account "test" - debug log level 150 (the usual - gets everything :-)

comparisons are always useful...

luke

From lkcl at switchboard.net Tue Apr 7 16:26:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:56 2003
Subject: information about "user manager for domains", local machines and , domains.
Message-ID:

this message is cross-posted to both samba-technical and samba-ntdom.
just realised something, but wanted to a) check it with other people b) make sure those who _need_ to know do know. it means that we need a shift in thinking (well, i do, anyway :-) and some additional programming.

run "usrmgr.exe" for domains (nt server only). select a _machine_ not a domain. you get the machine's local accounts up, as if you had run the program "musrmgr.exe" which is available only for nt workstation.

this ties in with what i mentioned a while back about nt workstations and nt stand-alone servers. namely, that the LsaQueryInfoPolicy call with level 3 gives you the domain that the machine is a member of, along with the domain SID; LsaQueryInfoPolicy with level 5 gives you the _workstation_ name, along with what is presumably the _workstation's_ SID.

oops.

in other words, we need a new parameter "machine sid" as well as "domain sid".

or _do_ we. i think we probably need to have samba generate the sids (randomly) in an untouchable file, with dire warnings added to it as to the consequences of modifying / deleting it. samba should generate the machine or domain sid depending on whether it is configured as a "domain controller" or a "domain member". once and only once.

hey, wouldn't it be great to have a PDC that you didn't have to reboot if you changed the domain name, or made it a BDC instead of a PDC? (small dig here...)

luke

From cartegw at Eng.Auburn.EDU Tue Apr 7 16:25:33 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: net users /domain vs. user mgr for domains
Message-ID: <352A537D.CF9DA15D@eng.auburn.edu>

Found this interesting thing. 'net user /domain' correctly lists all users ( about 125 ) in the smbpasswd file on the samba PDC while the "User Manager for Domains" gives the RPC failure. I know the RPC code will bomb for more than 8 or so users but even then it would list the same user multiple times. Just found this interesting.
I'm not sure what other stuff works from the command line right now but will keep poking around.

j-

From mark at byford.com Tue Apr 7 18:07:35 1998
From: mark at byford.com (Mark Hodge)
Date: Tue Dec 2 02:23:56 2003
Subject: (no subject)
Message-ID: <352A6B67.16B947C8@byford.com>

subscribe

From canfield at uindy.edu Wed Apr 8 04:39:02 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:56 2003
Subject: TO DO List
Message-ID: <352AFF66.D7EEE9A0@uindy.edu>

Since the others on the list have been too busy to complete the infamous TO DO list, I took the liberty of starting it myself. Hope nobody minds. You can find it at http://peng1.uindy.edu/samba/todo.html (this is a sub-section of the yet-to-be-completed site I mentioned before).

It's nothing fancy, and I'm going to need a lot of suggestions from the techies of the group to make it very useful, but it's a start. I have more time than tech skill, so I'll gladly keep it up to date if people can send me suggestions/additions. When we get MySQL/PHP3 running solidly on this machine, I will convert the page into a dynamic page (something I *can* do, yippee!) that won't require further intervention.

BTW, the "definitions" at the beginning were just pulled out of the air. If anyone takes issue with them, or where an item is placed in the lists, please tell me. In general, though, Luke will be the authority on whether items are bugs, to-do's, or wishes.
-Dana

From Ed_Ponzini/Austin/IBM at us.ibm.com Wed Apr 8 09:34:23 1998
From: Ed_Ponzini/Austin/IBM at us.ibm.com (Ed_Ponzini/Austin/IBM@us.ibm.com)
Date: Tue Dec 2 02:23:56 2003
Subject: TO DO List
Message-ID: <5010060003519520000002L602*@MHS>

Status Distribution April 08, 1998 01:33:36

The message regarding "TO DO List" sent on April 08, 1998 01:33:36 was sent by

Status Recipient
Type                 To
Native Name          samba-ntdom@samba.anu.edu.au
Foreign Native Name  samba-ntdom@samba.anu.edu.au\n\n\nINTERNET

Recipients Status Reporters
Type                 From
Name Domain          NOTES
Native Name          CN=Ed Ponzini/OU=Austin/O=IBM@IBMLMS01
Foreign Native Name  CN=Ed Ponzini/OU=Austin/O=IBM\nIBMLMS01\n\n
Organization         IBM
Org Unit 1           Austin
Last Name            Ponzini
First Name           Ed
Status               769
Explanation          Invalid recipient
X.400 Status         769
Explanation          Error delivering to D26NMS03/26/M/IBM mail3/ponzini; There is not enough memory for a view or database buffer. Increase NSF_BUFF

From daniel at cibercafe.pt Wed Apr 8 08:41:16 1998
From: daniel at cibercafe.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
In-Reply-To: <352A3615.E9AB5944@eng.auburn.edu>
Message-ID:

Hi Folks (or you mates, there in Australia ;-)!

Thanks for your feedback on the modified sources. I'll be putting them on a web site, soon, since there are some requests. It'll take me some time though, because I'm in the middle of some moving now (onto SysAdmin for the University of Oporto's Med School - http://www.med.up.pt) - my third big Samba Installation.

If anyone would like it sooner, I can e-mail them (please use my new e-mail: daniel@med.up.pt - already sent e-mail to listproc with address update)

If any doubts are left or for public clarification, here goes a brief description:

Eudora E-mail client (the only one I know that works) has an option (Change Password...) in the Menu "Special".
Eudora does the new password double-check for the client, and when all the info is collected, knocks on the PDC's (must also be the mail server or use rdist to sync files) port 106 (poppassd) and dumps the info (user, oldpass, newpass) - checking the response from the server - and informs the user accordingly (password changed / not changed).

These sources are modified to cope with samba encryption (using smbpasswd) and the shadow suite - some hacked poppassd passwd sync.

It's a fine method (not at all secure - for the purists) for clean password changing, and even simpler than (in W95) going into Control Panel (which I disabled via registry settings) / Passwords / Change Other Passwords... too many clickings...)

It's more friendly to the client than just telnet to the PDC and having /usr/bin/passwd as a login shell.

Daniel Fonseca - daniel@cibercafe.pt

From daniel at med.up.pt Wed Apr 8 10:30:11 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option (fwd)
Message-ID:

Seems my daniel@cibercafe.pt message didn't get posted (listproc too fast for me ;-)

Anyway, good news: I put up http://www.med.up.pt/samba with the desired sources. I didn't write any credits (no time for that) but put in a small README file.

Keep up,

Daniel Fonseca - daniel@med.up.pt

---------- Forwarded message ----------
Date: Wed, 8 Apr 1998 10:41:16 +0200 (MET DST)
From: Daniel Fonseca
To: Multiple recipients of list
Cc: daniel@med.up.pt
Subject: Re: New passwd sync option
From grandjea at dgrsunm.epfl.ch Wed Apr 8 12:55:27 1998
From: grandjea at dgrsunm.epfl.ch (Daniel Grandjean)
Date: Tue Dec 2 02:23:56 2003
Subject: New passwd sync option
Message-ID: <199804081255.OAA05812@dgrsunm.epfl.ch>

Hello All,

As the password synchronisation is a hot topic:

For the winter semester, I plan to put a new password synchronisation scheme in production. A main design goal is to lower the number of unencrypted passwords visible on our net (and easy to administer).

- I've set up a secured apache server with SSL
- A cgi-bin perl script checks the client, asks for the username / password of the user and checks it against the NIS+ database, and proposes the change of the password

As the script gets the password in cleartext it can
- check the proposed password validity (dictionary check...)
- change the NIS+ password
- change the NIS+ credential
- change the smbpasswd (on samba NTDOM or NT PDC)
- change the APOP passwd database
(any additional synchronisation takes place here)

And then give some personalized info/status to the user.

I'm wondering if someone is already using/building something similar and has some hints about this setup in real life. It's working on my brute force prototype (which is not well secured).

-It's also a matter of time as this is not my first priority job-

Notes:

It's my choice of having NIS+ as the primary authentication database. (I am a SUN shop, but Wintel is coming) :-{

User Browsers are using 128-bit key RC4 cipher (fortify)

If needed, weak links between the apache server and the machines synchronized will use SKIP IP encryption. (i.e apache <-> NT PDC ?)

Thanks

Daniel.
Daniel Grandjean, Swiss Federal Institute of Technology
Address: EPFL SI-DGR, CH-1015 Lausanne, Switzerland
E-mail: Daniel.Grandjean@epfl.ch
Phone: +41 21 693 27 24 (Central European Time)
Fax: +41 21 693 27 27
WWW: http://dgrwww.epfl.ch

From harper at banks.scar.utoronto.ca Wed Apr 8 16:51:58 1998
From: harper at banks.scar.utoronto.ca (John Harper)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
Message-ID: <352BAB2D.1E11@lake.scar.utoronto.ca>

I just got the NTDOM branch compiled and working - I can authenticate from an NT client no problem.

However, our system arrangement is such that we have two Solaris servers - one is dedicated to staff/faculty, the other is for students. Each class of user only has access to and account info on their particular server. I would therefore assume the logical extension into the world of NT domains would imply that I configure both Unix servers as separate PDC's in two NT domains (it seems reasonable to me!).

But our labs can be used by both students and faculty, and I therefore need the client NT machines to be able to connect to either domain - as far as I can tell this is not possible. Is there in fact any way to get a client to belong/connect to more than one domain? Am I missing something, or can I add this to my growing list of "Why I Hate M$"?

Thanks for any insight.

John Harper
------------------------------------
Academic Computing Coordinator
University of Toronto at Scarborough
harper@scar.utoronto.ca

From cartegw at Eng.Auburn.EDU Wed Apr 8 17:32:44 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
References: <352BAB2D.1E11@lake.scar.utoronto.ca>
Message-ID: <352BB4BC.657D5B01@eng.auburn.edu>

John Harper wrote:
>
> However, our system arrangement is such that we have two Solaris
> servers - one is dedicated to staff/faculty, the other is for students.
> Each class of user only has access to and account info on their
> particular server. I would therefore assume the logical extension into
> the world of NT domains would imply that I configure both Unix servers
> as separate PDC's in two NT domains (it seems reasonable to me!).
>
> But our labs can be used by both students and faculty, and I therefore
> need the client NT machines to be able to connect to either domain -
> as far as I can tell this is not possible. Is there in fact any way
> to get a client to belong/connect to more than one domain? Am I

Nope. Only member of one domain at a time.

> missing something, or can I add this to my growing list of "Why I
> Hate M$"?

That's up to you :)

Here's my take on the situation. I would try to set up one domain and differentiate between services depending on the user. In other words, have a single login script and branch. Here's one thing I have been meaning to try but haven't had the chance. Set "password server" to be the other samba server so you only have to keep up with one smbpasswd file.

-----snip-------------------
rem get the user's group...arbitrary...no relation to NT or unix groups

if "%GROUP%" == "group1" goto group1
if "%GROUP%" == "group2" goto group2

:group1
....
goto end

:group2
goto end

:end
echo Done!
-----snip-------------------

Hope this helps,

j-

From paulle at microsoft.com Wed Apr 8 18:33:28 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D68@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: John Harper [mailto:harper@banks.scar.utoronto.ca]
> Sent: Wednesday, April 08, 1998 9:58 AM
> To: Multiple recipients of list
> Subject: A question about NT Domains
>
>
> I just got the NTDOM branch compiled and working - I can authenticate
> from an NT client no problem.
>
> However, our system arrangement is such that we have two Solaris
> servers - one is dedicated to staff/faculty, the other is for
> students.
> Each class of user only has access to and account info on their
> particular server. I would therefore assume the logical extension into
> the world of NT domains would imply that I configure both Unix servers
> as separate PDC's in two NT domains (it seems reasonable to me!).
>
> But our labs can be used by both students and faculty, and I therefore
> need the client NT machines to be able to connect to either domain -
> as far as I can tell this is not possible. Is there in fact any way
> to get a client to belong/connect to more than one domain? Am I
> missing something, or can I add this to my growing list of "Why I
> Hate M$"?

A workstation doesn't need to belong to both domains in order to access them. The domains just need to trust one another, so that each one can use the other one to authenticate that domain's users.

That's assuming that the SAMBA NTDOM stuff implements cross domain trust.

Paul

From roger.nichols at scope.com Wed Apr 8 19:38:00 1998
From: roger.nichols at scope.com (Roger Nichols)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
Message-ID:

Hi--

>the world of NT domains would imply that I configure both Unix servers
>as separate PDC's in two NT domains (it seems reasonable to me!).
>
>But our labs can be used by both students and faculty, and I therefore
>need the client NT machines to be able to connect to either domain -
>as far as I can tell this is not possible. Is there in fact any way
>to get a client to belong/connect to more than one domain? Am I
>missing something, or can I add this to my growing list of "Why I
>Hate M$"?

you can only connect to one domain at a time. you may want to look into
establishing a 'trust relationship' between the two domains. that will
allow users from domain -f- to freely (according to their permissions of
course) roam about domain -s- and vice versa w/out separate logons. i do
not know if it solves the logon/authentication problem of which domain to
log into. i am also unclear if samba supports trust relationships.

you could also force the user to know which domain they are in and have
them specify at the logon screen. (m/s provides a utility to clear the
last logged in user's info, search for "power toys" at the ms web site, i
think it's actually under w95.)

good luck,
--roger

From jallison at whistle.com Wed Apr 8 18:49:37 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
References: <5CEA8663F24DD111A96100805FFE6587031E3D68@red-msg-51.dns.microsoft.com>
Message-ID: <352BC6C1.7991A45@whistle.com>

Paul Leach wrote:
>
>
> A workstation doesn't need to belong to both domains in order to access
> them. The domains just need to trust one another, so that each one can use
> the other one to authenticate that domain's users.
>
> That's assuming that the SAMBA NTDOM stuff implements cross domain trust.

Not yet we don't. Just getting the single domain stuff
working by sniffing the wire is hard enough for now (but
we'll be working on it :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From x7currie at lab2.cc.wmich.edu Wed Apr 8 19:06:11 1998
From: x7currie at lab2.cc.wmich.edu (CURRIE KEVIN)
Date: Tue Dec 2 02:23:56 2003
Subject: Machine accounts is smbpasswd file.
Message-ID:

This was posted a while ago, I'm going to repost it here for reference.

FYI:

One thing that has changed is the definition of what is a 'machine'
account in smbpasswd. Luke's NTDOM branch had a ':080:' field that
encoded the account type, I have now changed this in the main branch to
be an ASCII encoded :[W]: field (see the source for details, I haven't
had time to write everything up for the docs). As any account ending in
'$' is automatically treated as a workstation account even if it doesn't
have the magic [W] field then old NTDOM smbpasswd files should still work
ok - but you might want to note the change for future reference.

I have been unable to get a machine account to work without having
the name end in a $. Could someone reply with a sample account not
using the $ but using [W] so that I can see what it looks like?

Second, I have a question as to a good way to accomplish a task. We
want to have a smbpasswd file that contains user accounts from our
entire campus NIS+ database. We will eventually have several labs
authenticating to samba as a PDC. Each of these labs will be managed
by different people, who should not have access to the smbpasswd file.
We want these people to be able to add machine accounts w/o
intervention of a super user who has access to the smbpasswd file. We
were thinking of having separate smbpasswd files (one for the NIS+
users, and separate ones for the labs) and then having a cron script
periodically smush them together. The NIS+ smbpasswd file will have to
be updated along w/ the NIS+ passwords, we can take care of this.
My question is how can I get smbpasswd to recognize separate smbpasswd
files, especially if smbpasswd isn't going to be run by root to change
passwords for machine accounts? Would compiling several copies of
smbpasswd for each separate file and then calling the appropriate binary
be the best solution? Will it work at all?

thanks,

Kevin Currie

From BC3-AU at bigfoot.com Wed Apr 8 19:09:25 1998
From: BC3-AU at bigfoot.com (Bruce Cook)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
In-Reply-To: <352BB4BC.657D5B01@eng.auburn.edu>
References: <352BB4BC.657D5B01@eng.auburn.edu>
Message-ID: <199804081909.DAA30595@cletus.kintailrd>

Gerald W. Carter writes:
> John Harper wrote:
> >
> > However, our system arrangement is such that we have two Solaris
> > servers - one is dedicated to staff/faculty, the other is for students.
> > Each class of user only has access to and account info on their
> > particular server. I would therefore assume the logical extension into
> > the world of NT domains would imply that I configure both Unix servers
> > as separate PDC's in two NT domains (it seems reasonable to me!).
> >
> > But our labs can be used by both students and faculty, and I therefore
> > need the client NT machines to be able to connect to either domain -
> > as far as I can tell this is not possible. Is there in fact any way
> > to get a client to belong/connect to more than one domain? Am I
>
> Nope. Only member of one domain at a time.

Ummm. Am I missing something ?

What's that domain list box in the login dialog on your NT WS for ?

Are you saying that the samba domain browsing isn't working, or that
a user can't log onto any domain on the local network he chooses.

(I haven't installed a WS since 3.51 so I may be misremembering something)

From cartegw at Eng.Auburn.EDU Wed Apr 8 19:13:49 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
References: <352BB4BC.657D5B01@eng.auburn.edu> <199804081909.DAA30595@cletus.kintailrd>
Message-ID: <352BCC6D.F66C9550@eng.auburn.edu>

Bruce Cook wrote:
>
> > Nope. Only member of one domain at a time.
>
> Ummm. Am I missing something ?
>
> What's that domain list box in the login dialog on your NT WS for ?
>
> Are you saying that the samba domain browsing isn't working, or that
> a user can't log onto any domain on the local network he chooses.
>
> (I haven't installed a WS since 3.51 so I may be misremembering
> something)

Hmmm...Unless I am missing something here as well. When you join a
domain ( samba or otherwise ) you must leave the current domain to join
another. The popup menu at the login prompt allows you to choose
between the network domain or the local machine.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                       Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From william at hae.com Wed Apr 8 19:17:14 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
In-Reply-To: <352BAB2D.1E11@lake.scar.utoronto.ca>
Message-ID:

There is no way to get an NT machine to be a member of two domains. I
believe you can get an NT machine to log into two different domains if
the domains have a trust relationship.

You should probably create one domain, then limit access to each server
via user groups.

REMEMBER: Microsoft operates on the philosophy of one person, one
computer, using and accessing all Microsoft software. Very little has
been done by Microsoft to accommodate multiple users using the same
computer; just as very little has been done to interconnect NT with any
other system (thus SAMBA).
Don't look for any improvements in this arena in the future either. It
looks like NT 5 was built around this philosophy as well.

William

On Thu, 9 Apr 1998, John Harper wrote:

> I just got the NTDOM branch compiled and working - I can authenticate
> from an NT client no problem.
>
> However, our system arrangement is such that we have two Solaris
> servers - one is dedicated to staff/faculty, the other is for students.
> Each class of user only has access to and account info on their
> particular server. I would therefore assume the logical extension into
> the world of NT domains would imply that I configure both Unix servers
> as separate PDC's in two NT domains (it seems reasonable to me!).
>
> But our labs can be used by both students and faculty, and I therefore
> need the client NT machines to be able to connect to either domain -
> as far as I can tell this is not possible. Is there in fact any way
> to get a client to belong/connect to more than one domain? Am I
> missing something, or can I add this to my growing list of "Why I
> Hate M$"?
>
> Thanks for any insight.
>
> John Harper
> ------------------------------------
> Academic Computing Coordinator
> University of Toronto at Scarborough
> harper@scar.utoronto.ca
>

From druch at nonags.com Wed Apr 8 22:34:56 1998
From: druch at nonags.com (Didier Ruch)
Date: Tue Dec 2 02:23:56 2003
Subject: Are trust relationships supported in samba-ntdom ?
Message-ID: <01BD633E.9CC329C0@druch>

Or will it be added to the "wishlist" ?

Didier Ruch
CTIL

From cartegw at Eng.Auburn.EDU Wed Apr 8 19:48:00 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:56 2003
Subject: Machine accounts is smbpasswd file.
References:
Message-ID: <352BD470.187B2D9A@eng.auburn.edu>

CURRIE KEVIN wrote:
>
> I have been unable to get a machine account to work without having
> the name end in a $. Could someone reply with a sample account not
> using the $ but using [W] so that I can see what it looks like?
> branch had a ':080:' field that encoded the account type,
> I have now changed this in the main branch to be an ASCII
> encoded :[W]: field

The ending '$' in the name is still necessary. It's the :0080: that
was replaced.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                       Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From harper at scar.utoronto.ca Wed Apr 8 20:23:55 1998
From: harper at scar.utoronto.ca (John Harper)
Date: Tue Dec 2 02:23:56 2003
Subject: A question about NT Domains
In-Reply-To: ; from William Stuart on Wed, Apr 08, 1998 at 12:17:14PM -0700
References: <352BAB2D.1E11@lake.scar.utoronto.ca>
Message-ID: <19980408162354.23957@scar.utoronto.ca>

I'd like to thank all who responded to my earlier query about accessing
multiple domains from an NT client. The answer to my question is "NO".
sigh.

On Wed, Apr 08, 1998 at 12:17:14PM -0700, William Stuart wrote:
> There is no way to get an NT machine to be a member of two domains. I
> believe you can get an NT machine to log into two different domains if
> the domains have a trust relationship.

Many people have suggested some sort of domain trust, but as Jeremy
pointed out, SAMBA does not yet implement this. I'm not sure it would
help me anyway.

>
> You should probably create one domain, then limit access to each server
> via user groups.

I'm not sanguine about groups either. I think the answer to my
particular problem is to configure a third system with SAMBA and make
that the PDC (and browse master, and domain master etc) - it will have
an smbpasswd file for all accounts but will offer no other shares.
Once a user has authenticated with that controller, they can connect to
whichever server their account really exists on, but not the other (i.e.
each server has an smbpasswd file containing only those entries for the
appropriate class of user - faculty or student).

In my previous scenario, one of the servers was PDC and also offering
shares, which would then be accessible to all users (since I'd have to
put all users in its smbpasswd file and this file is used both for
domain authentication and share authentication).

I now have just a minor administrative problem of managing 3 smbpasswd
files - one on each server, and a concatenation of these 2 on the PDC
(which must also include the machine entries -- it would be useful if
smbpasswd could accept a flag specifying an alternate passwd file). I
can probably keep it in sync by running a cron job every minute to pull
the smbpasswd files off the servers.

Thanks

John Harper
------------------------------------
Academic Computing Coordinator
University of Toronto at Scarborough
harper@scar.utoronto.ca

From lkcl at switchboard.net Wed Apr 8 22:39:35 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: TODO List
Message-ID:

[unreliable email system being used at the moment!]

dana,

great: an on-line wish list. can you put:

bugs
----

5) some of these commands exist in smbclient: nltest.exe is the basis
for causing various such commands from the NT side, from which packet
traces can be generated. the net.exe command also generates some
dce/rpc commands. priority: low.

7) fix the long dce/rpc packet format, which usually involves one
SMBtrans followed by several SMBreadX calls. priority: high

8) investigate "long share names" - over 12 characters in length.
priority: medium

9) get PDC functionality (domain logons for NT 3.51 / NT 4.0) working /
verified as working. priority: high

2) priority: low

3) priority: medium (because there is an interim manual "fix").
4) and \PIPE\spoolss. call for assistance / reference to instructions
on how to do this.

gerry, can you put this in your FAQ: how to install netmon.exe; where
to get it (SMS or local version); where to send .CAP files
(samba-bugs); caveats: only use test user accounts, or for the really
paranoid don't send anything from a production server / network.
priority: medium.

wish list
---------

3) this is already partly done, by jeremy!

4) NT user password changes.

5) NT machine account password changes

6) DFS (distributed file system) dce/rpc admin calls.

thank you!

luke (not sure which email address i live at, right now...)

From william at hae.com Wed Apr 8 22:50:32 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <352BCC6D.F66C9550@eng.auburn.edu>
Message-ID:

On Thu, 9 Apr 1998, Gerald W. Carter wrote:

>
> Hmmm...Unless I am missing something here as well. When you join a
> domain ( samba or otherwise ) you must leave the current domain to join
> another. The popup menu at the login prompt allows you to choose
> between the network domain or the local machine.
>

In a multi-domain environment all domains and the local system are
listed in the list box; but a machine can only be (registered?) on one
domain at a time. I have never tried to log on to a domain other than
the one registered by the system.

William

From paulle at microsoft.com Wed Apr 8 23:12:19 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D76@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: William Stuart [mailto:william@hae.com]
> Sent: Wednesday, April 08, 1998 12:28 PM
> To: Multiple recipients of list
> Subject: Re: A question about NT Domains
>
>
> REMEMBER: Microsoft operates on the philosophy of one person, one
> computer, using and accessing all Microsoft software.
> Very little
> has been done by Microsoft to accommodate multiple users
> using the same
> computer; just as very little has been done to interconnect
> NT with any
> other system (thus SAMBA).

I don't understand this comment at all.

Both NT and Win95 support serial reuse (many users, just one at a time)
pretty well (in my obviously biased opinion -- is that IMOBO?). All the
people sharing a Win95 machine have to totally trust one another, and all
the people sharing the NT machine have to trust the admin (but what's new),
and the NT machine needs to run NTFS and have some physical security if the
people sharing the machine are really untrustworthy.

With NT5/Hydra, NT will support multiple simultaneous users via WinTerms.

Paul

From paulle at microsoft.com Wed Apr 8 23:13:15 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D77@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: Jeremy Allison [mailto:jallison@whistle.com]
> Sent: Wednesday, April 08, 1998 12:04 PM
> To: Multiple recipients of list
> Subject: Re: A question about NT Domains
>
>
> Paul Leach wrote:
> >
> >
> > A workstation doesn't need to belong to both domains in
> order to access
> > them. The domains just need to trust one another, so that
> each one can use
> > the other one to authenticate that domain's users.
> >
> > That's assuming that the SAMBA NTDOM stuff implements cross
> domain trust.
>
> Not yet we don't. Just getting the single domain stuff
> working by sniffing the wire is hard enough for now (but
> we'll be working on it :-).

We have to have _some_ reason for people to buy NT servers.
Paul

From paulle at microsoft.com Wed Apr 8 23:17:40 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D78@red-msg-51.dns.microsoft.com>

Everyone is totally confusing a user logging in to a domain with a
workstation being a member of a domain.

Just the facts, ma'am:

A workstation can only be a member of one domain; a user account can exist
in only one domain. A human user can have many accounts.

A user in domain A can log in to a WS in domain B if domain B trusts domain
A, and that user can access anything in either domain if they are on the ACL
for the object being accessed.

Paul

> -----Original Message-----
> From: Gerald W. Carter [mailto:cartegw@Eng.Auburn.EDU]
> Sent: Wednesday, April 08, 1998 12:22 PM
> To: Multiple recipients of list
> Subject: Re: A question about NT Domains
>
>
> Bruce Cook wrote:
> >
> > > Nope. Only member of one domain at a time.
> >
> > Ummm. Am I missing something ?
> >
> > What's that domain list box in the login dialog on your NT WS for ?
> >
> > Are you saying that the samba domain browsing isn't working, or that
> > a user can't log onto any domain on the local network he chooses.
> >
> > I haven't installed a WS since 3.51 so I may be misremembering
> > something)
>
> Hmmm...Unless I am missing something here as well. When you join a
> domain ( samba or otherwise ) you must leave the current
> domain to join
> another. The popup menu at the login prompt allows you to choose
> between the network domain or the local machine.
>
>
>
> j-
> ______________________________________________________________
> __________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn
> University
> jerry@eng.auburn.edu
> http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a
> Bottle" ( 1979 )
>

From ratzka at HRZ.Uni-Marburg.DE Thu Apr 9 06:30:46 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D76@red-msg-51.dns.microsoft.com>
References: <5CEA8663F24DD111A96100805FFE6587031E3D76@red-msg-51.dns.microsoft.com>
Message-ID: <199804090630.IAA24478@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "PL" == Paul Leach writes:

>> -----Original Message----- From: William Stuart
>> REMEMBER: Microsoft operates on the philosophy of one person,
>> one computer, using and accessing all Microsoft software. Very
>> little has been done by Microsoft to accommodate multiple users
>> using the same computer; just as very little has been done to
>> interconnect NT with any other system (thus SAMBA).

PL> I don't understand this comment at all.

Neither do I.

PL> Both NT and Win95 support serial reuse (many users, just one
PL> at a time) pretty well (in my obviously biased opinion -- is
PL> that IMOBO?).

Windows NT does, but far too many application programmers still rely
on things like .INI files in the program directory to store user
preferences. (I'm talking about mainstream applications and not
excluding application programmers at M$ --- just check where Office 97
stores information on user's spelling dictionaries...) I think this is
some kind of cultural problem (good old DOS/Windows philosophy).

PL> With NT5/Hydra, NT will support multiple simultaneous users
PL> via WinTerms.

...which may finally force application programmers to get it right.

But all this has nothing to do with the original question or with
Samba...

--
Wolfgang Ratzka    Phone: +49 6421 28 3531  FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?
From ratzka at HRZ.Uni-Marburg.DE Thu Apr 9 06:32:48 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D77@red-msg-51.dns.microsoft.com>
References: <5CEA8663F24DD111A96100805FFE6587031E3D77@red-msg-51.dns.microsoft.com>
Message-ID: <199804090632.IAA21930@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "PL" == Paul Leach writes:

PL> We have to have _some_ reason for people to buy NT servers.

Ah, it's a conspiracy. That's what I suspected all the time.

--
Wolfgang Ratzka    Phone: +49 6421 28 3531  FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?

From ratzka at HRZ.Uni-Marburg.DE Thu Apr 9 06:42:10 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <19980408162354.23957@scar.utoronto.ca>
References: <19980408162354.23957@scar.utoronto.ca>
Message-ID: <199804090642.IAA24520@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "JH" == John Harper writes:

JH> I now have just a minor administrative problem of managing 3
JH> smbpasswd files - one on each server, and a concatenation of
JH> these 2 on the PDC (which must also include the machine
JH> entries -- it would be useful if smbpasswd could accept a flag
JH> specifying an alternate passwd file). I can probably keep it
JH> in sync by running a cron job every minute to pull the
JH> smbpasswd files off the servers.

I think you could cut this down to one smbpasswd file (which still has
to stay in sync with the unix accounts on the student and the staff
machine) by authenticating samba access to the shares via the PDC
(i.e. specifying "security=server" and "password server=" in the
global section of your smb.conf file).
--
Wolfgang Ratzka    Phone: +49 6421 28 3531  FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?

From paulle at microsoft.com Thu Apr 9 07:46:27 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D94@red-msg-51.dns.microsoft.com>

> ----------
> From: Wolfgang Ratzka[SMTP:ratzka@HRZ.Uni-Marburg.DE]
> Reply To: ratzka@HRZ.Uni-Marburg.DE
> Sent: Wednesday, April 08, 1998 11:32 PM
> To: Paul Leach
> Cc: Multiple recipients of list
> Subject: RE: A question about NT Domains
>
> >>>>> "PL" == Paul Leach writes:
>
> PL> We have to have _some_ reason for people to buy NT servers.
>
> Ah, it's a conspiracy. That's what I suspected all the time.
>

Let's just say we recognize no moral imperative requiring us to give away
our designs, any more than our implementations.

Whether we would have been smarter to have made specs for our domain
controller protocols freely available, in order to make even more money --
I'd say there is an argument for that case, but for better or worse we chose
not to.

Paul

From lkcl at switchboard.net Thu Apr 9 11:49:29 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D78@red-msg-51.dns.microsoft.com>
Message-ID:

On Thu, 9 Apr 1998, Paul Leach wrote:

> Everyone is totally confusing a user logging in to a domain with a
> workstation being a member of a domain.

to clarify (possibly!): workstations have their own usernames /
passwords with which they can verify, to the PDC, that they are in fact
a member of the domain. why do you (samba-ntdom) think we had to extend
the smbpasswd command?
smbpasswd -add --machine WKSTA_NAME

> Just the facts, ma'am:

ta, paul :-)

> A workstation can only be a member of one domain; a user account can exist
> in only one domain. A human user can have many accounts.

this is my understanding of the situation. i also believe, but would
appreciate confirmation, that [one or more different] users can use the
same named user account [in only one domain] and log in multiple times,
to the same [one] domain. for example, you can log in from the same
three locations:

1) the ctrl-alt-delete box
2) an exchange server
3) an SMBsessionsetupX (SMB file/print/IPC$ services)

all three above pass the username / domain / password.

> A user in domain A can log in to a WS in domain B if domain B trusts domain
> A, and that user can access anything in either domain if they are on the ACL
> for the object being accessed.

[the object being, but not limited to: a file/directory; an IPC pipe;
the right to log in from a physical machine; the ability to run as a
service: there are of the order of twenty / thirty objects].

> Paul
>
> > -----Original Message-----
> > From: Gerald W. Carter [mailto:cartegw@Eng.Auburn.EDU]
> > Sent: Wednesday, April 08, 1998 12:22 PM
> > To: Multiple recipients of list
> > Subject: Re: A question about NT Domains
> >
> >
> > Bruce Cook wrote:
> > >
> > > > Nope. Only member of one domain at a time.
> > >
> > > Ummm. Am I missing something ?
> > >
> > > What's that domain list box in the login dialog on your NT WS for ?

1) the local machine's accounts (under the workstation name)
2) the domain account (that your workstation is a member of)
3) trusted domains (that your PDC has a trust relationship with other PDCs)

> > >
> > > Are you saying that the samba domain browsing isn't working, or that
> > > a user can't log onto any domain on the local network he chooses.
> > >
> > > I haven't installed a WS since 3.51 so I may be misremembering
> > > something)
> >
> > Hmmm...Unless I am missing something here as well.
> > When you join a
> > domain ( samba or otherwise ) you must leave the current
> > domain to join
> > another. The popup menu at the login prompt allows you to choose
> > between the network domain or the local machine.

and any trusted domains.

> >
> >
> >
> > j-
> > ______________________________________________________________
> > __________
> > Gerald ( Jerry ) Carter
> > Engineering Network Services Auburn
> > University
> > jerry@eng.auburn.edu
> > http://www.eng.auburn.edu/users/cartegw
> >
> > "...a hundred billion castaways looking for a home."
> > - Sting "Message in a
> > Bottle" ( 1979 )
> >
>

From lkcl at switchboard.net Thu Apr 9 12:04:25 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D76@red-msg-51.dns.microsoft.com>
Message-ID:

On Thu, 9 Apr 1998, Paul Leach wrote:

>
>
> > -----Original Message-----
> > From: William Stuart [mailto:william@hae.com]
> > Sent: Wednesday, April 08, 1998 12:28 PM
> > To: Multiple recipients of list
> > Subject: Re: A question about NT Domains
> >
> >
> > REMEMBER: Microsoft operates on the philosophy of one person, one
> > computer, using and accessing all Microsoft software. Very little
> > has been done by Microsoft to accommodate multiple users
> > using the same
> > computer; just as very little has been done to interconnect
> > NT with any
> > other system (thus SAMBA).
>
> I don't understand this comment at all.
>
> Both NT and Win95 support serial reuse (many users, just one at a time)
> pretty well (in my obviously biased opinion -- is that IMOBO?). All the

um... not quite.

firstly. microsoft products, in my experience (internet destroyer 4, net
meeting 2.1, outlook express) are very good at sorting out their act by
storing user preferences in the correct place in the registry, such that
a profile actually _is_ a profile.
[except that they quite often force the installation location to be a
local drive, or worse don't ask you. worse, they ignore the changes made
to c:\program files install dir in the registry, but that's a general
hanging offence made by quite a few installation programs].

non-microsoft products, in my experience (ECSmail, netscape communicator
3 & 4, CUseeme, Internet Phone5) are total time wasters in this respect.
the writers of the software assume that only one person is going to use
the computer, therefore they can do what the xxxx they like. WRONG. it
_is_ possible, but a nuisance, to set up netscape 4 to save its prefs.js
file to \\samba_server\homes\netscape but it would be better to have
_all_ that info in the USER.DAT or NTuser.DAT user profile / registry
section.

is this a failure for microsoft to communicate the user preferences
capability to developers?

secondly. the registry settings in USER.DAT or NTuser.DAT overwrite the
previous user's settings, leaving any settings _not_ in the current
user's profile as-is. what _should_ happen is that the old user's
settings should be totally wiped out prior to putting the new settings
in. it is therefore possible for one user to screw up subsequent user's
settings.

> people sharing a Win95 machine have to totally trust one another, and all
> the people sharing the NT machine have to trust the admin (but what's new),
> and the NT machine needs to run NTFS and have some physical security if the
> people sharing the machine are really untrustworthy.

ah, i have another point i could mention on this... i'm *really*
tempted, but i'm going to leave it. another list, another time, eh
paul? :-)

> With NT5/Hydra, NT will support multiple simultaneous users via WinTerms.

excellent! you thinking of tackling multiple domains on the same box,
too?
luke

From lkcl at switchboard.net Thu Apr 9 12:15:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <199804090642.IAA24520@pprz04.HRZ.Uni-Marburg.DE>
Message-ID:

On Thu, 9 Apr 1998, Wolfgang Ratzka wrote:

> >>>>> "JH" == John Harper writes:
>
> JH> I now have just a minor administrative problem of managing 3
> JH> smbpasswd files - one on each server, and a concatenation of
> JH> these 2 on the PDC (which must also include the machine
> JH> entries -- it would be useful if smbpasswd could accept a flag
> JH> specifying an alternate passwd file). I can probably keep it
> JH> in sync by running a cron job every minute to pull the
> JH> smbpasswd files off the servers.
>
> I think you could cut this down to one smbpasswd file (which still has
> to stay in sync with the unix accounts on the student and the staff
> machine) by authenticating samba access to the shares via the PDC
> (i.e. specifying "security=server" and "password server="
> in the global section of your smb.conf file).

whou-hou. has anyone ever _used_ a samba PDC as a "password server"
instead of an NT PDC? i've been holding off suggesting it to anyone just
in case it's broken :-) :-)

luke

From lkcl at switchboard.net Thu Apr 9 12:16:59 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D94@red-msg-51.dns.microsoft.com>
Message-ID:

On Thu, 9 Apr 1998, Paul Leach wrote:

>
>
> > ----------
> > From: Wolfgang Ratzka[SMTP:ratzka@HRZ.Uni-Marburg.DE]
> > Reply To: ratzka@HRZ.Uni-Marburg.DE
> > Sent: Wednesday, April 08, 1998 11:32 PM
> > To: Paul Leach
> > Cc: Multiple recipients of list
> > Subject: RE: A question about NT Domains
> >
> > >>>>> "PL" == Paul Leach writes:
> >
> > PL> We have to have _some_ reason for people to buy NT servers.
> >
> > Ah, it's a conspiracy.
> > That's what I suspected all the time.
> >
> Let's just say we recognize no moral imperative requiring us to give away
> our designs, any more than our implementations.
>
> Whether we would have been smarter to have made specs for our domain
> controller protocols freely available, in order to make even more money --
> I'd say there is an argument for that case, but for better or worse we chose
> not to.

that's ok, paul: i'll do it.

From ratzka at HRZ.Uni-Marburg.DE Thu Apr 9 12:44:38 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To:
References:
Message-ID: <199804091244.OAA23082@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "LKCL" == Luke Kenneth Casson Leighton writes:

LKCL> the registry settings in USER.DAT or NTuser.DAT overwrite
LKCL> the previous user's settings, leaving any settings _not_ in
LKCL> the current user's profile as-is. what _should_ happen is
LKCL> that the old user's settings should be totally wiped out
LKCL> prior to putting the new settings in.

Can this be true? NTuser.DAT corresponds to the HKEY_CURRENT_USER branch of the registry tree. If you log out, that part is unloaded. If another user logs in, his NTuser.DAT is loaded. Of course, whatever you have changed in the registry outside your HKEY_CURRENT_USER will remain.

>> With NT5/Hydra, NT will support multiple simultaneous users via
>> WinTerms.

LKCL> excellent! you thinking of tackling multiple domains on the
LKCL> same box, too?

They're introducing "Active Directory", adding an X.500-like hierarchy, which in turn should allow setups not entirely unlike multiple domains on one server.

--
Wolfgang Ratzka   Phone: +49 6421 28 3531   FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?
From lkcl at switchboard.net Thu Apr 9 13:32:37 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <199804091244.OAA23082@pprz04.HRZ.Uni-Marburg.DE>
Message-ID:

On Thu, 9 Apr 1998, Wolfgang Ratzka wrote:

> >>>>> "LKCL" == Luke Kenneth Casson Leighton writes:
>
> LKCL> the registry settings in USER.DAT or NTuser.DAT overwrite
> LKCL> the previous user's settings, leaving any settings _not_ in
> LKCL> the current user's profile as-is. what _should_ happen is
> LKCL> that the old user's settings should be totally wiped out
> LKCL> prior to putting the new settings in.
>
> Can this be true? NTuser.DAT corresponds to the HKEY_CURRENT_USER
> branch of the registry tree. If you log out, that part is unloaded. If
> another user logs in, his NTuser.DAT is loaded. Of course, whatever
> you have changed in the registry outside your HKEY_CURRENT_USER will
> remain.

certainly for Win95, this is definitely not the case. when the user logs out, the "default" user.dat (c:\windows\user.dat - attributes r,s,h are set on this file) is loaded. this causes the classic problem apparent and confirmed as apparent in all versions of Win95 up to OSR2, for example, of locking the keyboard (you can press esc and tab: that's about all) in the user/password/domain dialog, if a user changes their settings to UK _after_ installing (by mistake) with the default of US keyboard.

i suspect that the same thing happens with NT, namely that the "default user" NTuser.DAT is loaded in when a user logs out, rather than unloading the current HKEY_CURRENT_USER, as one might expect to happen.

> >> With NT5/Hydra, NT will support multiple simultaneous users via
> >> WinTerms.
>
> LKCL> excellent! you thinking of tackling multiple domains on the
> LKCL> same box, too?
>
> They're introducing "Active Directory", adding an X.500-like
> hierarchy, which in turn should allow setups not entirely unlike
> multiple domains on one server.

hm. not convinced. i'll find out soon enough, though.

luke

From gemelli at sssup.it Thu Apr 9 15:18:38 1998
From: gemelli at sssup.it (Paolo Bizzarri)
Date: Tue Dec 2 02:23:57 2003
Subject: Releasing 0.2 of Samba Linux Networking Guide
Message-ID: <352CE6CE.6FB9926F@sssup.it>

Hello guys,

I have uploaded version 0.2 of the Samba Linux Networking Guide to my site. You can download it from:

http://camelot.sssup.it/pibizza/index.html

The document has got good feedback, so I will continue with this work. This version is still alpha, but it is starting to improve.

Thanks a lot to David Collier-Brown and Chris Herlet for their comments. I have included them in this version. Thanks to everyone who has sent me an e-mail on the guide itself, or has simply downloaded it.

I will start to include documentation on the NTDOM stuff with the 0.3 version.

Enjoy the reading.

Ciao

Paolo

--
Paolo Bizzarri
Retis Lab. Scuola Superiore S. Anna
56100 Pisa, Italy
Tel: +39 50 883 450
E-Mail: gemelli@sssup.it

From paulle at microsoft.com Thu Apr 9 17:05:45 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D97@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@switchboard.net]
> Sent: Thursday, April 09, 1998 4:49 AM
>
> > > A workstation can only be a member of one domain; a user
> account can exist
> > in only one domain. A human user can have many accounts.
>
> this is my understanding of the situation. i also believe, but would
> appreciate confirmation, that [one or more different] users
> can use the
> same named user account [in only one domain] and log in
> multiple times, to
> the same [one] domain.
I don't know if this is always true (there may be a way to set policy to prevent it), but I am currently logged in to the same domain using my one account, from all three of my machines. So I believe that what you said is true.

Paul

From paulle at microsoft.com Thu Apr 9 17:10:14 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3D98@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@switchboard.net]
> Sent: Thursday, April 09, 1998 5:04 AM
> On Thu, 9 Apr 1998, Paul Leach wrote:
>
> > > -----Original Message-----
> > > From: William Stuart [mailto:william@hae.com]
> > > Sent: Wednesday, April 08, 1998 12:28 PM
> >
> > Both NT and Win95 support serial reuse (many users, just
> one at a time)
> > pretty well (in my obviously biased opinion -- is that
> IMOBO?). All the
>
> um... not quite. firstly.
>
> microsoft products, in my experience (internet destroyer 4,
> net meeting
> 2.1, outlook express) are very good at sorting out their act
> by storing
> user preferences in the correct place in the registry, such
> that a profile
> actually _is_ a profile.
> [snip]
> is this a failure for microsoft to communicate the user preferences
> capability to developers?

In some cases, e.g. Netscape's, I believe it was a desire to have Nav vary as little as possible between platforms -- and there is no registry on Unix.

> secondly.
>
> the registry settings in USER.DAT or NTuser.DAT overwrite the previous
> user's settings, leaving any settings _not_ in the current
> user's profile
> as-is. what _should_ happen is that the old user's settings should be
> totally wiped out prior to putting the new settings in.
>
> it is therefore possible for one user to screw up subsequent user's
> settings.

I don't understand this. USER.DAT will be a different file for different users.
I think that what you say should only happen if a second user comes along and uses the same account as the first.

Paul

From egb at us.ibm.com Thu Apr 9 21:59:14 1998
From: egb at us.ibm.com (Ed Bradford)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5040200013823605000002L052*@MHS>

My understanding is that applications (Netscape, IE, etc) are supposed to install all the default settings into the "default user" profile. Then when IE executes for the first time, it copies all the default user settings into a new location for the new user (in the user's profile). When the user subsequently modifies stuff it is saved in the user's profile, not the default user's profile. Those are the Microsoft recommendations. Policy can override by disallowing a save operation. Paul, of course, will correct me if I am wrong.

Ed Bradford

---------------------- Forwarded by Ed Bradford/Raleigh/IBM on 04/09/98 06:49 PM ---------------------------

samba-ntdom@samba.anu.edu.au on 04/09/98 01:22:31 PM
Please respond to paulle@microsoft.com
To: samba-ntdom@samba.anu.edu.au
cc:
Subject: RE: A question about NT Domains

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@switchboard.net]
> Sent: Thursday, April 09, 1998 5:04 AM
> On Thu, 9 Apr 1998, Paul Leach wrote:
>
> > > -----Original Message-----
> > > From: William Stuart [mailto:william@hae.com]
> > > Sent: Wednesday, April 08, 1998 12:28 PM
> >
> > Both NT and Win95 support serial reuse (many users, just
> one at a time)
> > pretty well (in my obviously biased opinion -- is that
> IMOBO?). All the
>
> um... not quite. firstly.
>
> microsoft products, in my experience (internet destroyer 4,
> net meeting
> 2.1, outlook express) are very good at sorting out their act
> by storing
> user preferences in the correct place in the registry, such
> that a profile
> actually _is_ a profile.
> [snip]
> is this a failure for microsoft to communicate the user preferences
> capability to developers?

In some cases, e.g. Netscape's, I believe it was a desire to have Nav vary as little as possible between platforms -- and there is no registry on Unix.

> secondly.
>
> the registry settings in USER.DAT or NTuser.DAT overwrite the previous
> user's settings, leaving any settings _not_ in the current
> user's profile
> as-is. what _should_ happen is that the old user's settings should be
> totally wiped out prior to putting the new settings in.
>
> it is therefore possible for one user to screw up subsequent user's
> settings.

I don't understand this. USER.DAT will be a different file for different users. I think that what you say should only happen if a second user comes along and uses the same account as the first.

Paul

From egb at us.ibm.com Thu Apr 9 22:02:20 1998
From: egb at us.ibm.com (Ed Bradford)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5040200013823800000002L002*@MHS>

This is also my understanding. Furthermore, unless domains have a trust relationship (administrator goes and establishes either a one way or two way trust relationship at each PDC), a user cannot have Single Sign on even in a pure Microsoft environment (unless the user name and password are identical). Paul will correct me if I am wrong about this.

Ed Bradford

---------------------- Forwarded by Ed Bradford/Raleigh/IBM on 04/09/98 06:54 PM ---------------------------

samba-ntdom@samba.anu.edu.au on 04/09/98 01:09:06 PM
Please respond to paulle@microsoft.com
To: samba-ntdom@samba.anu.edu.au
cc:
Subject: RE: A question about NT Domains

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@switchboard.net]
> Sent: Thursday, April 09, 1998 4:49 AM
>
> > > A workstation can only be a member of one domain; a user
> account can exist
> > in only one domain. A human user can have many accounts.
>
> this is my understanding of the situation. i also believe, but would
> appreciate confirmation, that [one or more different] users
> can use the
> same named user account [in only one domain] and log in
> multiple times, to
> the same [one] domain.

I don't know if this is always true (there may be a way to set policy to prevent it), but I am currently logged in to the same domain using my one account, from all three of my machines. So I believe that what you said is true.

Paul

From ratzka at HRZ.Uni-Marburg.DE Fri Apr 10 08:47:03 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
References: <5040200013823605000002L052*@MHS>
Message-ID: <352DDC87.1C134AE7@hrz.uni-marburg.de>

Ed Bradford wrote:
>
> My understanding is that applications (Netscape, IE, etc) are supposed to
> install all the default settings into the
> "default user" profile. Then when IE executes for the first time, it copies all

Basically no. The Default User profile (especially its registry hive NTUser.DAT) is not that easily accessible. It is only used when a new user who does not have a profile yet logs into the system for the first time (or any time a member of the GUEST group logs into the system). The DEFAULT branch visible under HKEY_USERS is not related to the Default User profile.

> the default user settings into a new location for the new user (in the user's
> profile). When the user subsequently modifies stuff it is saved in the user's
> profile, not the default user's profile. Those are the Microsoft
> recommendations. Policy can override by disallowing a save operation. Paul, of
> course, will correct me if I am wrong.

--
Wolfgang Ratzka (via modem from home)
--Where do you want to go tomorrow?
From lkcl at switchboard.net Fri Apr 10 12:33:26 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3D98@red-msg-51.dns.microsoft.com>
Message-ID:

On Thu, 9 Apr 1998, Paul Leach wrote:

> > the registry settings in USER.DAT or NTuser.DAT overwrite the previous
> > user's settings, leaving any settings _not_ in the current
> > user's profile
> > as-is. what _should_ happen is that the old user's settings should be
> > totally wiped out prior to putting the new settings in.
> >
> > it is therefore possible for one user to screw up subsequent user's
> > settings.
>
> I don't understand this. USER.DAT will be a different file for different
> users. I think that what you say should only happen is a second user comes
> along and uses the same account as the first.

ah, then i need to explain better. two or more users have identical profiles. say only one user installs a program which adds additional keys into the registry. those keys, as i understand it, will *not* be removed from HKEY_LOCAL_USER when subsequent users log in.

therefore it is possible, say, for someone to install a program and mess up the workstation for all other users.

does that make sense, and/or fit in with anyone else's experience?

luke

From Jean-Francois.Micouleau at utc.fr Fri Apr 10 12:56:22 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To:
Message-ID:

On Fri, 10 Apr 1998, Luke Kenneth Casson Leighton wrote:

> ah, then i need to explain better. two or more users have identical
> profiles. say only one user installs a program which adds additional keys
> into the registry. those keys, as i understand it, will *not* be removed
> from HKEY_LOCAL_USER when subsequent users log in.

under W95 or NT?

and why do you want to have one profile shared between multiple users?
> therefore it is possible, say, for someone to install a program and mess
> up the workstation for all other users.
>
> does that make sense, and/or fit in with anyone else's experience?

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr              :
: Universite de           : Tel : 03 44 23 47 78           :
: Technologie de          : Service Informatique           :
: Compiegne France        : Division IRNM                  :
-----------------------------------------------------------

From jjorgens at bdsinc.com Fri Apr 10 14:19:02 1998
From: jjorgens at bdsinc.com (Jens B. Jorgensen)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
References:
Message-ID: <352E2A56.22746A73@bdsinc.com>

Luke Kenneth Casson Leighton wrote:

> On Thu, 9 Apr 1998, Paul Leach wrote:
>
> > > the registry settings in USER.DAT or NTuser.DAT overwrite the previous
> > > user's settings, leaving any settings _not_ in the current
> > > user's profile
> > > as-is. what _should_ happen is that the old user's settings should be
> > > totally wiped out prior to putting the new settings in.
> > >
> > > it is therefore possible for one user to screw up subsequent user's
> > > settings.
> >
> > I don't understand this. USER.DAT will be a different file for different
> > users. I think that what you say should only happen is a second user comes
> > along and uses the same account as the first.
>
> ah, then i need to explain better. two or more users have identical
> profiles. say only one user installs a program which adds additional keys
> into the registry. those keys, as i understand it, will *not* be removed
> from HKEY_LOCAL_USER when subsequent users log in.
>
> therefore it is possible, say, for someone to install a program and mess
> up the workstation for all other users.
>
> does that make sense, and/or fit in with anyone else's experience?

Sure it makes sense. However, are you sure the settings aren't being stored under HKEY_LOCAL_MACHINE?
There's nothing to stop the developer (except good instincts!) from storing all program configuration data there.

--
Jens B. Jorgensen
jjorgens@bdsinc.com

From paulle at microsoft.com Fri Apr 10 17:09:43 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3DC2@red-msg-51.dns.microsoft.com>

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@switchboard.net]
> Sent: Friday, April 10, 1998 5:33 AM
> To: Multiple recipients of list; Paul Leach
> Subject: RE: A question about NT Domains
>
> On Thu, 9 Apr 1998, Paul Leach wrote:
>
> > I don't understand this. USER.DAT will be a different file
> for different
> > users. I think that what you say should only happen is a
> second user comes
> > along and uses the same account as the first.
>
> ah, then i need to explain better. two or more users have identical
> profiles. say only one user installs a program which adds
> additional keys
> into the registry. those keys, as i understand it, will
> *not* be removed
> from HKEY_LOCAL_USER when subsequent users log in.

I don't think so. HKEY_LOCAL_USER is a built-in handle to the registry tree in one and only one user's USER.DAT -- changes to one user don't affect another user.

From lkcl at switchboard.net Fri Apr 10 18:47:58 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To:
Message-ID:

On Fri, 10 Apr 1998, Jean-Francois Micouleau wrote:

> On Fri, 10 Apr 1998, Luke Kenneth Casson Leighton wrote:
>
> > ah, then i need to explain better. two or more users have identical
> > profiles. say only one user installs a program which adds additional keys
> > into the registry. those keys, as i understand it, will *not* be removed
> > from HKEY_LOCAL_USER when subsequent users log in.
>
> under W95 or NT ?
my experience is with Win95, but i expect the same for NT, and have been told that it is so by someone who runs NT admin training courses.

> and why do you want to have one profile shared between multiples users ?

you don't. how did you get that impression? i said multiple users with identical profiles, not multiple users sharing one profile.

luke

From lkcl at switchboard.net Fri Apr 10 18:53:12 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <352E2A56.22746A73@bdsinc.com>
Message-ID:

On Fri, 10 Apr 1998, Jens B. Jorgensen wrote:

> Luke Kenneth Casson Leighton wrote:
>
> > On Thu, 9 Apr 1998, Paul Leach wrote:
> >
> > > > the registry settings in USER.DAT or NTuser.DAT overwrite the previous
> > > > user's settings, leaving any settings _not_ in the current
> > > > user's profile
> > > > as-is. what _should_ happen is that the old user's settings should be
> > > > totally wiped out prior to putting the new settings in.
> > > >
> > > > it is therefore possible for one user to screw up subsequent user's
> > > > settings.
> > >
> > > I don't understand this. USER.DAT will be a different file for different
> > > users. I think that what you say should only happen is a second user comes
> > > along and uses the same account as the first.
> >
> > ah, then i need to explain better. two or more users have identical
> > profiles. say only one user installs a program which adds additional keys
> > into the registry. those keys, as i understand it, will *not* be removed
> > from HKEY_LOCAL_USER when subsequent users log in.
> >
> > therefore it is possible, say, for someone to install a program and mess
> > up the workstation for all other users.
> >
> > does that make sense, and/or fit in with anyone else's experience?
>
> Sure it makes sense. However, are you sure the settings aren't being stored
> under HKEY_LOCAL_MACHINE?

i am talking about what USER.DAT and NTuser.DAT does.
if downloading profiles alters HKLM, then the answer to your question is yes. however, i do not know if this (profiles alter HKLM) occurs.

luke

From ratzka at HRZ.Uni-Marburg.DE Fri Apr 10 22:25:00 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
References:
Message-ID: <352E9C3C.5DD01D0A@hrz.uni-marburg.de>

Luke Kenneth Casson Leighton wrote:

> my experience is with Win95, but i expect the same for NT, and have been
> told that it is so by someone who runs NT admin training courses.

On NT it is quite definitely not so. HKCU will always be loaded completely from the user's NTuser.dat file and unloaded again after logout. In fact HKCU is not a proper registry hive but a symbolic reference to the subkey of HKEY_USERS that corresponds to the current user. If more than one user is active on an NT machine (on plain vanilla NT this *is* possible if you have services running as a non-system user; on WinFrame or Hydra multiple users can be logged in) you will see several subkeys of HKU that correspond to the active users and don't interfere with each other.

Of course some settings that a user can change do not go into the HKCU hive but into HKLM, most notably the screen resolution and the number of colours (you can use policies to prevent users from changing these). Some applications put information that should go into HKCU into HKLM instead. (Hall of Shame: Netscape Communicator, Microsoft Office 97 [User dictionaries!]...). Others just use plain good old INI files in their program directory or even in \WINNT\SYSTEM32. Those changes will not be user specific but machine specific, and those programs will cause trouble when one tries to run them on WinFrame or Hydra... :-).

Summarizing:

Q: Will the next user inherit a previous user's additions to the HKCU registry hive?
A: Quite definitely not.

Q: Can a user foul up the configuration for the next user?
A: Quite definitely yes!
Q: Is this discussion out of place on the samba-ntdom list?
A: Errr....

--
Wolfgang Ratzka (dialing in from home)

From samba at aquasoft.com.au Fri Apr 10 23:29:23 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To: <352E9C3C.5DD01D0A@hrz.uni-marburg.de>
Message-ID:

Just for the sake of completeness I thought I'd add a bit to this.

Let's be clear about which files affect registry changes (or contents). Under NT, open a command prompt interface:

cd %SystemRoot%\System32\config
dir

The standard registry files are:

Default  - all component default settings
System   - all HKLM\System entries
Software - all HKLM\Software entries
Security - Domain/Machine related User Rights & Privs.
SAM      - the Security Access Manager database (ie: Passwords etc.)

These are used by EVERYTHING!!

When a user logs in the following files get checked:

1) \\"Authenticating Server"\NETLOGON\NTConfig.Pol
2) %SystemRoot%\Profiles\Policies\NTConfig.Pol
   this one is a copy of the last NTConfig.Pol downloaded from (1) above - if available.
3) %SystemRoot%\Policies\%UserName%\NTUser.DAT

The latter is first obtained from a profile server if the User_Init_Info passed from the Domain Logon Server specifies use of a roaming profile.

If item (3) does NOT exist and/or NO default profile is available, one gets created from the system default settings PLUS the last loaded file at item (2) above.

The HKCU is always unique to the currently logged in user, BUT if the currently logged in user is using a shared profile that has NOT been made exclusive then on logout the HKCU will be written over the top of the source files. That is why Mandatory profiles are essential when sharing a roaming profile.

Samba really ought to have a HOWTO for configuring a Roaming Profile server that sits on a samba share. The NT documentation is not very clear about this at all. Ask two NT "Experts" and you will get at least 4 opinions on roaming profiles!!
(8->>)

On Sat, 11 Apr 1998, Wolfgang Ratzka wrote:

> Luke Kenneth Casson Leighton wrote:
>
> > my experience is with Win95, but i expect the same for NT, and have been
> > told that it is so by someone who runs NT admin training courses.
>
> On NT it is quite definitely not so. HKCU will always be loaded completely from
> the user's NTuser.dat file and unloaded again after logout.
> In fact HKCU is not a proper registry hive but a symbolic reference to the subkey of
> HKEY_USERS that corresponds to the current user. If more than one user
> is active on an NT machine (on plain vanilla NT this *is* possible if you have
> services running as a non-system user; on WinFrame or Hydra multiple users
> can be logged in) you will see several subkeys of HKU that correspond to
> the active users and don't interfere with each other.
>
> Of course some settings that a user can change do not go into the HKCU hive
> but into HKLM, most notably the screen resolution and the number of colours
> (you can use policies to prevent user's from changing these).
> Some applications put information that should go into HKCU into HKLM instead.
> (Hall of Shame: Netscape Communicator, Microsoft Office 97 [User dictionaries!]...).
> Others just use plain good old INI files in their program directory or even
> in \WINNT\SYSTEM32. Those changes will not be user specific but machine
> specific and those programs will cause trouble, when one tries to run them
> on WinFrame or Hydra... :-).
>
> Summarizing:
>
> Q: Will the next user inherit a previous user's additions
> to the HKCU registry hive?
> A: Quite definitely not.

Correct.

> Q: Can a user foul up the configuration for the next user?
> A: Quite definitely yes!

See above. Yes, but not if correctly configured.

> Q: Is this discussion out of place on the samba-ntdom list?
> A: Errr....

Errr... Really? I think it is. Do we, or do we not, want to help people to gain stable and dependable use of samba?
> --
> Wolfgang Ratzka (dialing in from home)

Cheers,
John H Terpstra (Also from home!!!!)

From BC3-AU at bigfoot.com Sat Apr 11 07:09:57 1998
From: BC3-AU at bigfoot.com (Bruce Cook)
Date: Tue Dec 2 02:23:57 2003
Subject: A question about NT Domains
In-Reply-To:
References:
Message-ID: <199804110709.PAA19189@cletus.kintailrd>

Luke Kenneth Casson Leighton writes:

> On Fri, 10 Apr 1998, Jean-Francois Micouleau wrote:
>
> > On Fri, 10 Apr 1998, Luke Kenneth Casson Leighton wrote:
> >
> > > ah, then i need to explain better. two or more users have identical
> > > profiles. say only one user installs a program which adds additional keys
> > > into the registry. those keys, as i understand it, will *not* be removed
> > > from HKEY_LOCAL_USER when subsequent users log in.
> >
> > under W95 or NT ?
>
> my experience is with Win95, but i expect the same for NT, and have been
> told that it is so by someone who runs NT admin training courses.
>
> > and why do you want to have one profile shared between multiples users ?
>
> you don't. how did you get that impression? i said multiple users with
> identical profiles, not multiple users sharing one profile.

In my experience with both Win95 and NT, the HKEY_LOCAL_USER information is stored in USER.dat, or NTuser.DAT for NT. ALL of this branch is in this file and there is no overlap between any two users (Unless you have '95 set up to use a single common profile). The HKEY_LOCAL_MACHINE branch is machine based, and shared by all users of that machine.

[And now for a whole stack of caveats]

1. User start menu paths are not stored in the registry (obviously); they're a directory structure that is located by settings in HKEY_LOCAL_USER. If you want start menus / desktop / favorites to be individual to a user you must set up your user registry so these can be located individually. The easiest tool to manage this is the policy editor.

2. When you log onto 'Doze 95, it has to find the user registry.
   If you have specified a common profile, a "default user" USER.DAT is used.

   If you have specified individualised profiles, then USER.DAT will be found by the following formula:

   1. if NET USE x: /HOME was used at startup, try for x:\USER.DAT (where x: is any drive letter from A to Z). if no USER.DAT is found go to step 3
   2. if no home is specified in a mapping, ...\windows\profiles\username\USER.DAT is used. If no USER.DAT exists go to step 3.
   3. If neither of the previous two found a USER.DAT, then it will use a prototype USER.DAT which it will later save to the above specified path when the user logs out. The interesting thing here is that the prototype USER.DAT used here is actually a copy of the last USER.DAT used on this machine. (This may be the effect that the original poster is seeing)
   4. As discussed above the start menu and desktop are specified in the registry contained within USER.DAT. When a new USER.DAT is created from a prototype, new directories are created for the start menu and desktop ACCORDING TO HOW THE COPIED PROTOTYPE DEFINES THEM. So if the prototype USER.DAT says that start menu is in H:\Start Menu but programs folder is C:\windows\start menu\programs, then the H:\start menu will be created, and the existing machine programs folder used.

   This means that it is important when creating roving profiles to get your prototype USER.DAT and general user directory structure set up exactly as you want it, and then make a copy of it that you know will be safe from modification. When creating a new user you then copy this prototype into the new user area, so that the new user doesn't just inherit what the previous user had.

3. When you log onto 'Doze NT, it has to find the user registry.

   NT is easier to see what's going on, but follows much the same rules as '95. The big difference being that NT gets its profile location from the login server when it's logged in.
   (On an NT system have a look at user manager/user/profile - you will see that you can specify the user profile path)

   Under NT3.51 this profile path was a path to NTuser.DAT, on 4.0 this seems to be a path to a directory structure (haven't played with many NT4 servers)

   I'm not sure how this works in samba, as I haven't yet tried the NT_DOM stuff (Luke: I assume you have a keyword for this?)

   When an NT system finds a user without an NTuser.DAT, it copies from a prototype that it stores especially for this purpose, so while unlike '95 the user doesn't get whatever happened last on the machine, the user will get a fairly minimalist configuration.

4. There are a *LOT* of reasons that the 'doze machine might not find USER.DAT and therefore default to a prototype.

   1. Can't execute logon script & therefore no /HOME mapping (Most common)
      . Make sure the script exists
      . that you have your logon script set right
      . Netlogon share must exist
      . Protection/ownership of the script and share
   2. no /HOME mapping in the logon script
   3. no home path specified in /etc/smb.conf (Or no home mapping set up for that user in NT's user manager)
   4. Protection/ownership of the user directory
   5. protection/ownership of USER.DAT
   6. basic networking problems
      . Is the networking available (Test it by manually mapping to both the user share and netlogon share)
      . Was the networking working during logon?
   7. Has it defaulted to a prototype, and then had you map the home directory afterwards? - This will result in the bad prototype being written into the user's home, and them being stuck with it (Just replace USER.DAT again)

5. Interesting NOTE

   When '95 is performing the logon script, the HKEY_LOCAL_USERS has NOT been mapped from the USER.DAT. What has been mapped at this stage is the prototype registry (last one used). I assume the reason for this is that '95 is waiting for the logon script to complete so that it can identify where the user's home directory is.
If at this point you attempt to do anything that uses the USER registry, (installing something for example or reading something from the user registry) you will actually be operating on the machine-stored prototype profile not the user profile. This means that nothing will really happen to the user setup (No menu items, no settings etc). To get around this you can name a process in the "run once" entries in the HKEY_LOCAL_MACHINE branch, and these "run once" processes will be executed once the USER.DAT is loaded, and all the user directories are accessible. To sum up: NET USE H: /HOME is the key to getting your user profiles loaded from a server. NET USE H: \\server\homes won't get it right without a lot of stuffing about. Windoze '95 goes through a lot to bring you your user profile and if anything goes wrong during this process, it will drop back to using whatever profile was last used on the machine. I use too many commas. (Maybe somebody could put some of this into a userprofiles.txt in samba's doc/ area) From lkcl at regent.push.net Sat Apr 11 13:20:08 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: A question about NT Domains In-Reply-To: <352E9C3C.5DD01D0A@hrz.uni-marburg.de> Message-ID: On Sat, 11 Apr 1998, Wolfgang Ratzka wrote: > Summarizing: > > Q: Will the next user inherit a previous user's additions > to the HKCU registry hive? > A: Quite definitely not. > > Q: Can a user foul up the configuration for the next user? > A: Quite definitely yes! thank you for clarifying. > Q: Is this discussion out of place on the samba-ntdom list? > A: Errr.... i was just thinking this. ok, we've got the answer. if we haven't it's end of discussion, people!
luke From lkcl at regent.push.net Sat Apr 11 13:31:13 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: A question about NT Domains In-Reply-To: Message-ID: > Samba really ought to have a HOWTO for configuring a Roaming Profile > server that sits on a samba share. hm. there is a section in docs/DOMAIN.txt which describes the experience(s) of setting up profiles on Win95 and NT with Samba. > > > > Q: Is this discussion out of place on the samba-ntdom list? > > A: Errr.... > > Errr... Really? I think it is. Do we, or do we not, want to help people to > gain stable and dependable use of samba? ... the man has a point. ok, ignore my previous post on this thread! From lkcl at regent.push.net Sat Apr 11 13:35:53 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: A question about NT Domains In-Reply-To: <199804110709.PAA19189@cletus.kintailrd> Message-ID: > (Maybe somebody could put some of this into a userprofiles.txt in samba's doc/ area) bruce, i'm just so stunned and impressed i think i'll just export your message to a file and check it in right now. luke From lkcl at regent.push.net Sat Apr 11 14:00:12 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: Win95 / NT Profiles (was: RE: A question about NT Domains) In-Reply-To: <199804110709.PAA19189@cletus.kintailrd> Message-ID: ok, there's a new file docs/PROFILES.txt. the three (copyright) contributors are, at present: john terpestra, bruce cook and wolfgang ratzka. those people with cvs access could you possibly check out samba/docs/PROFILES.txt and review it. 
or, as: http://samba.anu.edu.au/cgi-bin/cvsweb/samba/docs/PROFILES.txt From lkcl at regent.push.net Sat Apr 11 16:30:28 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: Win95 / NT Profiles (was: RE: A question about NT Domains) Message-ID: ok, just received a couple of references regarding profiles. it would help enormously if someone could absorb and digest these into text readable form. http://www.microsoft.com/ntserver/library/prof_policies.exe http://www.microsoft.com/ntserver/guide/whitepapers.asp?A=2&B=11 i've also been told that the (new) doc is incomplete: Win95 checks the time/date stamps on the various user.dat files, and uses the latest one. this, he suggests, is a good reason to use mandatory profiles. luke From BC3-AU at bigfoot.com Sun Apr 12 03:24:08 1998 From: BC3-AU at bigfoot.com (Bruce Cook) Date: Tue Dec 2 02:23:57 2003 Subject: A question about NT Domains In-Reply-To: References: Message-ID: <199804120324.LAA23137@cletus.kintailrd> Luke Kenneth Casson Leighton writes: > > > (Maybe somebody could put some of this into a userprofiles.txt in samba's doc/ area) > > bruce, i'm just so stunned and impressed i think i'll just export your > message to a file and check it in right now. Thanks Luke, It came from years of having my nose bloodied by these interesting? products. From BC3-AU at bigfoot.com Sun Apr 12 04:04:28 1998 From: BC3-AU at bigfoot.com (Bruce Cook) Date: Tue Dec 2 02:23:57 2003 Subject: Win95 / NT Profiles (was: RE: A question about NT Domains) In-Reply-To: References: Message-ID: <199804120404.MAA23485@cletus.kintailrd> Luke Kenneth Casson Leighton writes: > ok, just received a couple of references regarding profiles. it would > help enormously if someone could absorb and digest these into text > readable form.
> > http://www.microsoft.com/ntserver/library/prof_policies.exe > > http://www.microsoft.com/ntserver/guide/whitepapers.asp?A=2&B=11 > > i've also been told that the (new) doc is incomplete: Win95 checks the > time/date stamps on the various user.dat files, and uses the latest one. > this, he suggests, is a good reason to use mandatory profiles. Ah yes I knew there was something I forgot. here it is for completeness. When a user logs into a specific machine for the first time, they will be told that they've never logged into the machine, and would they like to store the user setting for future use. If the user answers NO, they will be nagged about this every time they log into the machine until they say YES. (How about it MS, could we possibly do something about this feature?) When the user answers YES, thereafter upon logging out of the machine, a copy of the user's profile is also written onto the machine's local disk for later use. When a user logs into a machine where his/her profile has previously been saved, a comparison is made between the date of the profile copy kept on the machine, and the date of the profile stored on the server. In theory the server date should be later or the same. If the local machine date is later than the server date, the client machine will tell you that the settings on the local machine are more recent than those of the server, and would you like to use them instead. This occurs for a couple of reasons: 1. Server not available when the user logs out 2. Date mismatch between the server and the client (I always use NET TIME \\server /SET /YES in my logon scripts) Logging in with NO server available. In some cases a client will want to log into a network with no server available. (Portables away from the office, or a dead server) This can only happen if the administrator has NOT set the machine to give access only upon password verification from the server.
(If the admin has done this, it can be circumvented by restarting the machine in safe mode, and running poledit, or regedit and disabling that feature) If you are able to log in while the server is unavailable, you have two choices 1. Log in as a user that previously stored a profile (The password won't have to match unless the machine is set up to store passwords) 2. log in as the default user (hit the cancel button or escape key) If you choose to use your profile stored on the local machine, there are several things you should be wary of: 1. the profile stored on the machine will be a copy of the last profile used when you logged into THAT machine. You may get quite an old profile. 2. When you log out, that local profile is guaranteed to be later than the one on the server, and if the server is available, or you later log into that machine when the server is available you could overwrite the good server profile with a bogus profile. Technique note: I set portable computers up so that they don't use roaming profiles, rather they have a single profile kept on the machine. This means that a user has the same desktop look and feel regardless of where they are. This follows the philosophy that laptops tend to be used by only one person. From samba at aquasoft.com.au Sun Apr 12 06:26:03 1998 From: samba at aquasoft.com.au (Samba Bugs) Date: Tue Dec 2 02:23:57 2003 Subject: Win95 / NT Profiles (was: RE: A question about NT Domains) In-Reply-To: <199804120404.MAA23485@cletus.kintailrd> Message-ID: Bruce, Please check the PROFILES.txt as it now stands - I added your additional comments.
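Several of the failure causes listed in the thread above are server-side permission problems: protection/ownership of the netlogon share and the logon script, of the user directory, and of USER.DAT itself. They are also the security-relevant ones. A logon script that other users can overwrite is executed by every client that logs on, and a profile directory that another user can write to lets them plant a USER.DAT (or NTuser.DAT) that the victim's client loads into its registry at the next logon, which is the "a user can foul up the configuration for the next user" case in a much less accidental form. The POSIX shell script below is an added example, not code from the Samba project or from anyone in this thread; it audits those items on the Samba host. The paths in its usage text (/home/netlogon, /home/alice/profile) and the script name LOGON.BAT are assumptions for illustration, and because the thread does not agree on the exact case NT wants for the policy file name, the script only reports every spelling of ntconfig.pol it finds rather than insisting on one.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from anyone in the thread.
# Audits the server-side layout that Win95/NT logon scripts, roaming profiles
# and policies depend on. Paths given on the command line are the only input;
# the paths in the usage text (/home/netlogon, /home/alice/profile) are
# ASSUMPTIONS for illustration, not something the thread fixes.

# Permission string of a path, e.g. "drwxr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Owner (user name) of a path.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Exit 0 when the path is writable by its group or by everyone.
# In the mode string, position 6 is group write and position 9 is world write.
writable_by_others() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Audit the netlogon share. Every client runs the logon script at logon, so a
# share or script that other users can overwrite hands them code execution on
# each workstation. Prints one line per finding; exit status = number of
# findings (0 is clean).
audit_netlogon() {
    dir=$1; script=$2; problems=0
    if [ ! -d "$dir" ]; then
        echo "netlogon: $dir does not exist"; return 1
    fi
    if writable_by_others "$dir"; then
        echo "netlogon: $dir is group/world writable ($(mode_of "$dir"))"
        problems=$((problems + 1))
    fi
    if [ ! -f "$dir/$script" ]; then
        echo "netlogon: logon script $script is missing"
        problems=$((problems + 1))
    elif writable_by_others "$dir/$script"; then
        echo "netlogon: logon script $script is group/world writable"
        problems=$((problems + 1))
    fi
    # The thread disagrees on the exact case NT wants for the policy file, so
    # report every spelling that is present rather than guessing one.
    for f in "$dir"/*; do
        case "$(basename "$f" | tr 'A-Z' 'a-z')" in
            ntconfig.pol) echo "netlogon: policy file present as $(basename "$f")" ;;
        esac
    done
    return $problems
}

# Audit one user's profile directory. It must belong to that user and must not
# be writable by anyone else; otherwise another user can drop a USER.DAT or
# NTuser.DAT there that is loaded into the victim's registry at next logon.
audit_profile_dir() {
    dir=$1; user=$2; problems=0
    if [ ! -d "$dir" ]; then
        echo "profile: $dir does not exist"; return 1
    fi
    if [ "$(owner_of "$dir")" != "$user" ]; then
        echo "profile: $dir is owned by $(owner_of "$dir"), expected $user"
        problems=$((problems + 1))
    fi
    if writable_by_others "$dir"; then
        echo "profile: $dir is group/world writable ($(mode_of "$dir"))"
        problems=$((problems + 1))
    fi
    for hive in "$dir/USER.DAT" "$dir/NTuser.DAT"; do
        [ -f "$hive" ] || continue
        if [ "$(owner_of "$hive")" != "$user" ]; then
            echo "profile: $hive is owned by $(owner_of "$hive"), expected $user"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Command-line driver. Usage (paths are assumptions for illustration):
#   sh audit_profiles.sh netlogon /home/netlogon LOGON.BAT
#   sh audit_profiles.sh profile  /home/alice/profile alice
case "${1:-}" in
    netlogon) audit_netlogon "$2" "$3" ;;
    profile)  audit_profile_dir "$2" "$3" ;;
esac
```

Run it once per user's profile directory from a loop over the home directories, and treat any non-zero exit as something to fix before the next logon storm: a world-writable netlogon share is the same as letting everyone edit everyone else's startup.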
From lkcl at regent.push.net Mon Apr 13 13:43:37 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: Diabling Profile Caching on NT4.x (fwd) Message-ID: ---------- Forwarded message ---------- Date: Mon, 13 Apr 1998 07:22:18 -0400 From: Jerold Schulman Reply-To: jsi@cis.compuserve.com To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: Diabling Profile Caching on NT4.x From tip 106 at my NT Tips, Tricks and Registry Hacks at http://www.jsiinc.com/reghack.htm: 106 » Roaming profiles consume disk space. When a user with a roaming profile logs off a workstation, a copy of the profile is cached on the local hard drive. If other persons with roaming profiles use that workstation, disk space is being consumed to keep these cached profiles. To configure so that roaming profiles are not cached, edit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1. J.A. Terranson wrote: > > For further information regarding this posting, please refer to the post by > PETER BRUNDRETT on 2 April.. > > We are running a heterogeneous network consisting of NT4/SP3++ PDC/BDC and > several NT4S-SP3++ "Workstations" in addition to a large (and diverse) number > of *nix boxen on our LAN, so we noted with great interest the above posting > on how to disable caching by the NT nodes here. As posted, the key > > HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon should have REG_SZ > entry of 0 > > to disable local caching of user profiles by NT workstations. We have > implemented this registry change, and then deleted all locally cached > profiles, but it does not work. > Is this feature overridden by Roaming Profiles (as ALL of our NT4 profiles > are)??? Assuming that my reading of the prior thread is correct, this should > NOT be the case.
> > All our boxen are NT4 Server, SP3 plus all relevant hotfixes thru 1 Feb 98. > (basically everything except LMFIX, the Zipdrive thing, and the 2gb RAM fix). > > J.A. Terranson > sysadmin@mfn.org -- Jerold Schulman - Microsoft BackOffice JSI, Inc. 1045 Essex Court, Alpharetta, GA 30004-3811 Orders:+1-800-585-9588 Phone:+1-770-475-3820 Fax:+1-770-442-3820 Web Site: http://www.jsiinc.com Internet Mail: jsi@cis.compuserve.com From daniel at med.up.pt Mon Apr 13 14:07:23 1998 From: daniel at med.up.pt (Daniel Fonseca) Date: Tue Dec 2 02:23:57 2003 Subject: Diabling Profile Caching on NT4.x (fwd) In-Reply-To: Message-ID: On Mon, 13 Apr 1998, Luke Kenneth Casson Leighton wrote: > When a user with a roaming profile logs off a workstation, a > copy of the profile is cached on the local hard drive. If > other persons with roaming > profiles use that workstation, disk space is being consumed > to keep these cached profiles. To configure so that roaming > profiles are not cached, > edit: > > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\Winlogon > > Edit or add value DeleteRoamingCache as type REG_DWORD. Set > it to 1. Since profiles are so "en vogue", I'll mention this little problem that arose for me: Ok, so I can tell Win NT to delete profiles (not cache them) which is a nice thing when some 200/300 students share the same PC's. The problem is that, still, NT downloads the profile and except for it being mandatory, it has no regard for disk quotas in the linux box (every writing in the desktop is actually to the "C drive", for example) and only when the profile should be updated the quotas have effect (effective writing in the "H drive" or whatever), possibly failing due to quota exceeding, and (haven't tried it) upon failing of the update of the roaming profile, since NT does not cache it, maybe some data loss happens here (files in the Desktop, etc.) ?
My problem is that I'd like to give users non-mandatory profiles but have them use always their home drive (H: in this case), instead of them writing on the C drive as is the case of their profile (desktop, etc.). I do this in Win 95 by policies specifying their desktop to be h:\desktop and so forth for the Start Menu, etc. Can anyone do such a thing in Win NT? Thanks Daniel From jjm at iname.com Mon Apr 13 15:02:32 1998 From: jjm at iname.com (Johan Meiring) Date: Tue Dec 2 02:23:57 2003 Subject: Roaming profiles Message-ID: <19980413150310Z12621626-459+4058@samba.anu.edu.au> Hi, I have read numerous messages about roaming profiles and a few messages about a new profiles.txt. I have read through it and I think that it could do with a bit of organising :-). I rewrote the document completely and tried to include as much detail as possible. I didn't include it here as it is quite long. It can be seen at: http://users.iafrica.com/p/pc/pcs/profiles.txt Comments? Use it as you please by including it in the distribution, screaming at me, whatever you fancy? Thanks for an excellent product called samba Johan Meiring From lkcl at regent.push.net Mon Apr 13 15:24:56 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:57 2003 Subject: Roaming profiles In-Reply-To: <19980413150310Z12621626-459+4058@samba.anu.edu.au> Message-ID: On Tue, 14 Apr 1998, Johan Meiring wrote: > Hi, > > I have read numerous messages about roaming profiles and a few messages > about a new profiles.txt. > > I have read through it and I think that it could do with a bit of organising > :-). I rewrote the document completely and tried to include as much detail > as possible. ta! > I didn't include it here as it is quite long. It can be seen at: > > http://users.iafrica.com/p/pc/pcs/profiles.txt > > Comments? 1) in the e.g with POP3, can you put IMAP4 next to it as well? i hate POP3. 2) can you change all occurrences of "he" to "they"?
3) formatting issue: a) b) c) and 1) 2) 3) can you put a single line-break between these. 4) Win95 OSR2 (or is it Win97) with the new "active desktop" and "internet destroyer 4" _does_ have an "All Users" and "Default User" concept. 5) can you put "modified 13apr98"; leave the created date; put version 0.1; put all authors at the top; acknowledge all copyright holders. 6) ... "you have to create them using the System Policy editor" not "you have to create the"... 7) "if the supplied path is blank" not "if this supplied path is blank" 8) "if it exists, a path" not "if is exists"... 9) NTuser.DAT not NTUSer.DAT. oh, it could be NTUser.DAT: can't remember. 10) "if it is a new profile" not "is it is" 11) "If" not "IF". sorry: have to stop - wrists are hurting. luke From samba at aquasoft.com.au Mon Apr 13 15:38:42 1998 From: samba at aquasoft.com.au (Samba Bugs) Date: Tue Dec 2 02:23:57 2003 Subject: Roaming profiles In-Reply-To: <19980413150310Z12621626-459+4058@samba.anu.edu.au> Message-ID: Johan, I have looked at your document. In my notations I used %SystemRoot% in the path for a Windows NT machine. The reason is that if you run at a command prompt interface: echo %SystemRoot% it will ALWAYS return the install tree root of the currently active Windows NT installation. Since MS Windows users tend to install into any non-standard locations or even have multiple Windows NT installations on one machine this is an important qualifier. The equivalent shorthand for Windows 95 is %Windir%. Also, I too had intended to revamp the document significantly. It needs to document the exact steps that a login process takes for both Windows 95 and for Windows NT. I think it may be best to deal with the two cases, Windows 9x and Windows NT logins entirely separately. Also, it is possible to have a common profile for Windows 9x and for Windows NT - but Microsoft very strongly recommend against it.
Self deletion of Windows NT Roaming (Roving) profiles should be handled via use of the System Policy Editor and put into the NTConfig.Pol file. Please note that the Policy filename can be case sensitive (unconfirmed reports). Windows NT Server comes with the System Policy Editor. In the case of Windows 9x the policy editor needs to be loaded from the CDRom and can be installed using "Control Panel"/"Add-Remove Software"/"Windows Setup", then "Have Disk", then point to the CDRom:\Admin\AppTools\Poledit. Please keep up the good work. Do complete what you have started. And above all - do contribute it. I will look at it some more over the next few days and will suggest more amendments. Hope you see this through - people will love you for it! (;-) Cheers, John H Terpstra - Samba-Team On Tue, 14 Apr 1998, Johan Meiring wrote: > Hi, > > I have read numerous messages about roaming profiles and a few messages > about a new profiles.txt. > > I have read through it and I think that it could do with a bit of organising > :-). I rewrote the document completely and tried to include as much detail > as possible. > > I didn't include it here as it is quite long. It can be seen at: > > http://users.iafrica.com/p/pc/pcs/profiles.txt > > Comments? > > Use it as you please by including it in the distribution, screaming at me, > whatever you fancy? > > Thanks for an excellent product called samba > > Johan Meiring > From cartegw at Eng.Auburn.EDU Mon Apr 13 15:38:40 1998 From: cartegw at Eng.Auburn.EDU (Gerald W.
Carter) Date: Tue Dec 2 02:23:58 2003 Subject: Diabling Profile Caching on NT4.x (fwd) References: Message-ID: <35323180.993DE2D3@eng.auburn.edu> Daniel Fonseca wrote: > > The problem is that, still, NT downloads the profile and except for it > being mandatory, it has no regard for disk quotas in the linux box > (every writing in the desktop is actually to the "C drive", for > example) and only when the profile should be updated the quotas have > effect (efective writing in the "H drive" or whatever), possibly > failing due to quota exceeding, and (haven't tried it) upon failing of > the update of the roaming profile, since NT does not cache it, maybe > some data loss happens here (files in the Desktop, etc.) ? NT does cache the local profiles even if you set the previously listed registry key. I just sent another message to the list about this. > My problem is that I'd like to give users non-mandatory profiles but > have them use always their home drive (H: in this case), instead of > them writing on the C drive as is the case of their profile (desktop, > etc.). > > I do this in Win 95 by policies specifying their desktop to be > h:\desktop and so forth for the Start Menu, etc. Haven't tried this but look at Local User -> Windows NT Shell -> Custom folders in the policy editor. They currently default to %USERPROFILE%\... > > Can anyone do such a thing in Win NT? Hope this helps, j- -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From canfield at uindy.edu Mon Apr 13 15:53:22 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies Message-ID: <353234F1.4C4879D@uindy.edu> I've developed a rather odd problem. 
I have Samba with NTDOM installed and configured as a PDC, and three test machines. One is an NT Server, configured as standalone, and logging into my UINDY PDC. The other two are NTWorkstation, once again set up to log into the UINDY PDC. All systems have Service Pack 3 installed. I've created a system policy called NTCONFIG.POL and a batch file called LOGIN.BAT, both stored in the NETLOGON share. Here's the weird part: If I log into the domain using my NTServer machine, my home directory is not mounted, and I don't get the desktop settings, etc. that I created with the NTWKS machines. But, the system profile works, and locks the desktop up all nice and tidy. The batch file also runs here. Now, if I go to the Workstation machines, I can't get the batch file or the policy to apply, but I do get my roaming profile, and my home directory gets mounted properly. Any ideas? Relevant parts of my smb.conf are as follows:
--------
logon path = \\%L\%U\profile
logon drive = h:
logon script = LOGON.BAT

[homes]
comment = Home Directories
browseable = no
writable = yes

[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = yes

[Profiles]
path = \\%N\%U\profiles
browseable = no
guest ok = yes
------------
Another, possibly unrelated question is: I would like to create a single hard drive image for all my machines on campus, however, there are certain programs that we do not have sufficient licensing to allow on every machine. Is there any way (yet) with Samba as a PDC to allow/disallow certain programs to run on certain machine, even though the program is on the drive? With a real PDC, I could probably do this with grouped policies, etc. This would also provide a handy backup. If one lab's network fails, we can move classes to another lab, and all the software is there... just change a policy or something. My goal is really to get the policies and profiles running on the Workstations.
I only installed the server because I needed some of the utilities, but it happened to give some interesting information. Any help would be greatly appreciated! From lkcl at regent.push.net Mon Apr 13 15:57:02 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:58 2003 Subject: Roaming profiles In-Reply-To: Message-ID: > Please keep up the good work. yeah! > Do complete what you have started. please! can i suggest also that the review takes place on samba-docs? > Cheers, > John H Terpstra - Samba-Team > > On Tue, 14 Apr 1998, Johan Meiring wrote: > > > Hi, > > > > I have read numerous messages about roaming profiles and a few messages > > about a new profiles.txt. > > > > I have read though it and I think that it could do with a bit of organising > > :-). I rewrote the document completely and tried to include as much detail > > as possible. > > > > I didn't include it here as it is quite long. It can be seen at: > > > > http://users.iafrica.com/p/pc/pcs/profiles.txt > > > > Comments? > > > > Use it as you please by including it in the distribution, screaming at me, > > whatever you fancy? > > > > Thanks for an excellent product called samba > > > > Johan Meiring > > > From lkcl at regent.push.net Mon Apr 13 16:30:52 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies In-Reply-To: <353234F1.4C4879D@uindy.edu> Message-ID: dana, don't know about the nt srv / nt wks login differences, and i've never successfully used NTconfig.POL files. the question below, however, is easy. you set up an smb.conf file with "include = /usr/local/samba/lib/smb.conf.%some_suitable_macro" where some_suitable_macro is by NIS netgroup; by user group etc (see smb.conf for suitable %substs). in the new (included) file, you add another share. only users logging in from a specific machine, or only specific users (whatever substitution you choose) will see those smb.conf.something options. 
luke > Another, possibly unrelated question is: I would like to create a single > hard drive image for all my machines on campus, however, there are > certain programs that we do not have sufficient licensing to allow on > every machine. Is there any way (yet) with Samba as a PDC to > allow/disallow certain programs to run on certain machine, even though > the program is on the drive? With a real PDC, I could probably do this > with grouped policies, etc. This would also provide a handy backup. If > one lab's network fails, we can move classes to another lab, and all the > software is there... just change a policy or something. > > My goal is really to get the policies and profiles running on the > Workstations. I only installed the server because I needed some of the > utilities, but it happened to give some interesting information. Any > help would be greatly appreciated! > > From ratzka at HRZ.Uni-Marburg.DE Mon Apr 13 16:55:45 1998 From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka) Date: Tue Dec 2 02:23:58 2003 Subject: Disabling Profile Caching on NT4.x Message-ID: <35324391.608FCF96@hrz.uni-marburg.de> Daniel Fonseca wrote: > > The problem is that, still, NT downloads the profile and except for it > being mandatory, it has no regard for disk quotas in the linux box (every > writing in the desktop is actually to the "C drive", for example) and only > when the profile should be updated the quotas have effect (efective > writing in the "H drive" or whatever), possibly failing due to quota > exceeding, and (haven't tried it) upon failing of the update of the > roaming profile, since NT does not cache it, maybe some data loss happens > here (files in the Desktop, etc.) ? Yes, of course, you lose, one always loses ;-). > My problem is that I'd like to give users non-mandatory profiles but have > them use always their home drive (H: in this case), instead of them > writing on the C drive as is the case of their profile (desktop, etc.).
Well there are some things that have their place in the profile (relatively small configuration files). Of course, sooner or later some user will be tempted to put a 10MByte The_Only_Copy_Of_My_PHD_Thesis.DOC onto the desktop, because it's such a nice and prominent place. Logged off once, logged back on again, and whoppe! The other problem is that a plain vanilla installation of MS Office 97 will by default place new documents into the "Personal Files" folder of the user's profile. (This might not be the exact name - I'm translating back from MS-Deutsch "Eigene Dateien"). > I do this in Win 95 by policies specifying their desktop to be h:\desktop > and so forth for the Start Menu, etc. > Can anyone do such a thing in Win NT? Yes, it is definitely possible. (see HKCU\Software\Microsoft\Windows\Current Version\Explorer\UserShellFolders) I've successfully tried to redirect at least the "Desktop" folder and the "Personal" folder, which should be redirected to the user's homedirectory ("%HOMEDRIVE%%HOMEPATH%" on NT). -- Wolfgang Ratzka (per Modem von zu Hause) Where do you want to go tomorrow? From andre at lme.usp.br Mon Apr 13 17:12:13 1998 From: andre at lme.usp.br (Andre Gerhard) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies In-Reply-To: <353234F1.4C4879D@uindy.edu> Message-ID: <3.0.1.32.19980413141213.00942480@ws10.lme.usp.br> Hello, There is a good text about troubleshooting Policies and Profiles at: http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html It helped me a lot when I was configuring the Profiles stuff in my Samba PDC. Although I didn't try to implement Policies ...
Regards, Andre Gerhard Systems/Network Administrator Universidade de Sao Paulo - SP - Brazil From lkcl at regent.push.net Mon Apr 13 17:28:36 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies In-Reply-To: <3.0.1.32.19980413141213.00942480@ws10.lme.usp.br> Message-ID: On Tue, 14 Apr 1998, Andre Gerhard wrote: > Hello, > > There is a good text about troubleshooting Policies and Profiles at: > > http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html hm. looks useful! From jjm at iname.com Tue Apr 14 09:00:26 1998 From: jjm at iname.com (Johan Meiring) Date: Tue Dec 2 02:23:58 2003 Subject: canfield@uindy.edu Message-ID: <19980414091508Z12583143-445+4732@samba.anu.edu.au> Are you sure that the NT server is seeing the policy? remember that the policy need only be applied once to the machine. After that the machine will stay looking like that. It will only need to see the policy (ntconfig.pol) file again when you make a change to it, in order to see the change. >I've developed a rather odd problem. I have Samba with NTDOM installed >and configured as a PDC, and three test machines. One is an NT Server, >configured as standalone, and logging into my UINDY PDC. The other two >are NTWorkstation, once again setup to log into the UINDY PDC. All >systems have Service Pack 3 installed. I've created a system policy >called NTCONFIG.POL and a batch file called LOGIN.BAT, both stored in >the NETLOGON share. From canfield at uindy.edu Tue Apr 14 14:42:26 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies References: Message-ID: <353375D2.FD5E67C9@uindy.edu> After a little experimentation and extrapolating from some Win '95 related messages on the regular list, I think I've determined that Windows NT's "automatic" policy mode does not work with Samba. 
I don't quite understand this, because according to MS's guides, the Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the policy. However, when you switch to manual mode (e.g., pre-hack the registry) and specify this path, all is well. Go figure. My only guess is that maybe it has something to do with case-sensitivity, but I tried every reasonable variation of case as well. Is this worth listing as a bug? If for no other reason than to keep others from wasting an entire day trying to figure this out? Thanks Luke Kenneth Casson Leighton wrote: > On Tue, 14 Apr 1998, Andre Gerhard wrote: > > > Hello, > > > > There is a good text about troubleshooting Policies and Profiles at: > > > > http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html > > hm. looks useful! From lkcl at regent.push.net Tue Apr 14 14:54:03 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies In-Reply-To: <353375D2.FD5E67C9@uindy.edu> Message-ID: try NTconfig.POL. also, remember that samba doesn't support the NT SMBs yet. this could have something to do with it. also, it could be a time/date stamp issue: we've just gone over to BST again. if your TimeZone files are wrong (e.g on slackware 3.0) then the file time/date stamp will get screwed... On Wed, 15 Apr 1998, Dana Canfield wrote: > After a little experimentation and extrapolating from some Win '95 related > messages on the regular > list, I think I've determined that Windows NT's "automatic" policy mode > does not work with Samba. > I don't quite understand this, because according to MS's guides, the > Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the policy. > However, when you switch to manual mode (e.g., pre-hack the registry) and > specify this path, all is well. Go figure. My only guess is that maybe > it has something to do with case-sensitivity, but I tried every reasonable > variation of case as well. Is this worth listing as a bug? 
If for no > other reason than to keep others from wasting an entire day trying to > figure this out? > > Thanks > > Luke Kenneth Casson Leighton wrote: > > > On Tue, 14 Apr 1998, Andre Gerhard wrote: > > > > > Hello, > > > > > > There is a good text about troubleshooting Policies and Profiles at: > > > > > > http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html > > > > hm. looks useful! > > > From samba at aquasoft.com.au Tue Apr 14 15:02:40 1998 From: samba at aquasoft.com.au (Samba Bugs) Date: Tue Dec 2 02:23:58 2003 Subject: Profiles & Policies In-Reply-To: <353375D2.FD5E67C9@uindy.edu> Message-ID: On Wed, 15 Apr 1998, Dana Canfield wrote: > After a little experimentation and extrapolating from some Win '95 related > messages on the regular > list, I think I've determined that Windows NT's "automatic" policy mode > does not work with Samba. I do not have any problems with it! > I don't quite understand this, because according to MS's guides, the > Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the policy. Note: The file name MUST be NTConfig.Pol! It tricked me up badly too! Even though NT is supposedly case preserving but NOT case sensitive - it seems it is! > However, when you switch to manual mode (e.g., pre-hack the registry) and > specify this path, all is well. Go figure. My only guess is that maybe > it has something to do with case-sensitivity, but I tried every reasonable There is NO need to hack a manual path! > variation of case as well. Is this worth listing as a bug? If for no > other reason than to keep others from wasting an entire day trying to > figure this out? I also found it necessary to set "share modes = no" in earlier versions of Samba. Also, NT apparently does NOT like any form of locking on the Profile data - go figure! 
>
> Thanks
>
> Luke Kenneth Casson Leighton wrote:
>
> > On Tue, 14 Apr 1998, Andre Gerhard wrote:
> >
> > > Hello,
> > >
> > > There is a good text about troubleshooting Policies and Profiles at:
> > >
> > > http://www.usyd.edu.au/su/is/dts/DTSwinNTProfiles.html
> >
> > hm. looks useful!
>
>

From daniel at med.up.pt Tue Apr 14 15:14:57 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
In-Reply-To: <353375D2.FD5E67C9@uindy.edu>
Message-ID:

On Wed, 15 Apr 1998, Dana Canfield wrote:

> After a little experimentation and extrapolating from some Win '95 related
> messages on the regular
> list, I think I've determined that Windows NT's "automatic" policy mode
> does not work with Samba.
> I don't quite understand this, because according to MS's guides, the
> Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the policy.
> However, when you switch to manual mode (e.g., pre-hack the registry) and
> specify this path, all is well. Go figure. My only guess is that maybe
> it has something to do with case-sensitivity, but I tried every reasonable
> variation of case as well. Is this worth listing as a bug? If for no
> other reason than to keep others from wasting an entire day trying to
> figure this out?

I'm sorry to contradict you, but I'm currently developing a (hopefully)
stable environment in that way.

My trick is this. I rehearse in one NT with local admin rights and
poledit. In poledit I save the experimented policy as NTconfig.pol (case
is important - it saves the file as NTconfig.POL by default), then I put
this file in the PDC's netlogon share. And every user gets those
pre-defined settings! Fantastic!

Of course, every workstation (default) has Automatic update in their
Local Machine Registry. If only manual works for you, maybe you don't
have automatic at all.
Let me just explain the "colors" of the check boxes in poledit:

White box means: "No" and Clear the setting if it was "yes"
Grey box means: Leave it as it is in the original setting
Checked box: definitely "yes"

So, my guess is that (maybe) what you think to have as automatic is
really greyed and it doesn't update at all; when you switch to manual, of
course it should work.

Hope to help,

Daniel

From lkcl at regent.push.net Tue Apr 14 15:14:35 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
In-Reply-To:
Message-ID:

On Wed, 15 Apr 1998, Samba Bugs wrote:

>
> On Wed, 15 Apr 1998, Dana Canfield wrote:
>
> > After a little experimentation and extrapolating from some Win '95 related
> > messages on the regular
> > list, I think I've determined that Windows NT's "automatic" policy mode
> > does not work with Samba.
>
> I do not have any problems with it!
>
> > I don't quite understand this, because according to MS's guides, the
> > Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the policy.
>
> Note: The file name MUST be NTConfig.Pol! It tricked me up badly too!
> Even though NT is supposedly case preserving but NOT case sensitive - it
> seems it is!

oops, sorry dana: john's the authority, here :-)

From cartegw at Eng.Auburn.EDU Tue Apr 14 15:26:39 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
References: <353375D2.FD5E67C9@uindy.edu>
Message-ID: <3533802F.DA6B2ADF@eng.auburn.edu>

Dana Canfield wrote:
>
> After a little experimentation and extrapolating from some Win '95
> related messages on the regular list, I think I've determined that
> Windows NT's "automatic" policy mode does not work with Samba.
> I don't quite understand this, because according to MS's guides, the
> Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the
> policy.
> However, when you switch to manual mode (e.g., pre-hack the
> registry) and specify this path, all is well. Go figure. My only
> guess is that maybe it has something to do with case-sensitivity, but I
> tried every reasonable variation of case as well. Is this worth
> listing as a bug? If for no other reason than to keep others from
> wasting an entire day trying to figure this out?
>

Hmmm... They work fine for me. I can verify this by the hidden shares
being disabled on new workstations. my file is named ntconfig.pol and I
have never had any problems with case in the filename.

default case = lower

is all i have in smb.conf

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                       Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                 - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Tue Apr 14 15:28:13 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
References: <353375D2.FD5E67C9@uindy.edu> <3533802F.DA6B2ADF@eng.auburn.edu>
Message-ID: <3533808D.17E4FDA8@eng.auburn.edu>

Gerald W. Carter wrote:
>
> Dana Canfield wrote:
> >
> > After a little experimentation and extrapolating from some Win '95
> > related messages on the regular list, I think I've determined that
> > Windows NT's "automatic" policy mode does not work with Samba.
> > I don't quite understand this, because according to MS's guides, the
> > Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the
> > policy. However, when you switch to manual mode (e.g., pre-hack the
> > registry) and specify this path, all is well. Go figure. My only
> > guess is that maybe it has something to do with case-sensitivity, but I
> > tried every reasonable variation of case as well. Is this worth
> > listing as a bug?
> > If for no other reason than to keep others from
> > wasting an entire day trying to figure this out?
> >
>
> Hmmm... They work fine for me. I can verify this by the hidden shares
> being disabled on new workstations. my file is named ntconfig.pol and I
> have never had any problems with case in the filename.
>
> default case = lower
>
> is all i have in smb.conf
>

Oops. Also have

preserve case = yes

as well as 'default case = lower'

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                       Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                 - Sting "Message in a Bottle" ( 1979 )

From canfield at uindy.edu Tue Apr 14 16:54:03 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
References: <3533808D.17E4FDA8@eng.auburn.edu>
Message-ID: <353394AB.953EFB71@uindy.edu>

Well, this has gotten quite interesting! If I'm reading correctly, we
have at least three people who insist that the policy files work only as
ntconfig.pol, NTconfig.Pol, or NTconfig.pol. It seems that perhaps we
should try to figure out what the factors involved here might be. Would
it be unreasonable to ask if some people who have this working could post
their smb.conf (at least the relevant parts) and what case they are using
on the .pol file?

My guess from reading all of this is that the profiles are indeed case
sensitive, but various combinations of case sensitivity and/or file
locking options may allow samba to try more than one case, and therefore
work differently for different people. For example, let's say that NT
really does expect NTconfig.Pol. If we preserve case and make it case
sensitive, that's the only thing that should work. But, if we make samba
default to lowercase and/or case insensitive, then maybe some other
combinations work. Does that sound plausible?
In any case, I would think this is an important function of the PDC
branch, so we should probably spend some time figuring out exactly what
is going on and document how to make it work properly.

FWIW, the only case combination of those suggested that I did not try
yesterday was NTconfig.Pol.

Dana

Gerald W. Carter wrote:

> Gerald W. Carter wrote:
> >
> > Dana Canfield wrote:
> > >
> > > After a little experimentation and extrapolating from some Win '95
> > > related messages on the regular list, I think I've determined that
> > > Windows NT's "automatic" policy mode does not work with Samba.
> > > I don't quite understand this, because according to MS's guides, the
> > > Automatic mode just looks in \\PDC\NETLOGON\NTconfig.pol for the
> > > policy. However, when you switch to manual mode (e.g., pre-hack the
> > > registry) and specify this path, all is well. Go figure. My only
> > > guess is that maybe it has something to do with case-sensitivity, but I
> > > tried every reasonable variation of case as well. Is this worth
> > > listing as a bug? If for no other reason than to keep others from
> > > wasting an entire day trying to figure this out?
> > >
> >
> > Hmmm... They work fine for me. I can verify this by the hidden shares
> > being disabled on new workstations. my file is named ntconfig.pol and I
> > have never had any problems with case in the filename.
> >
> > default case = lower
> >
> > is all i have in smb.conf
> >
>
> Oops. Also have
>
> preserve case = yes
>
> as well as 'default case = lower'
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services                       Auburn University
> jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
>                                  - Sting "Message in a Bottle" ( 1979 )

From nuno at lwp.ualg.pt Tue Apr 14 19:02:43 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
In-Reply-To: <3533808D.17E4FDA8@eng.auburn.edu>
Message-ID:

On 14-Apr-98 Gerald W. Carter wrote this and I have to respond:

-> >
-> > Hmmm... They work fine for me. I can verify this by the hidden shares
-> > being disabled on new workstations. my file is named ntconfig.pol and I
-> > have never had any problems with case in the filename.
-> >
-> > default case = lower
-> >
-> > is all i have in smb.conf
-> >
->
-> Oops. Also have
->
-> preserve case = yes
->
-> as well as 'default case = lower'
->

Mine is ntconfig.pol, and it is working fine too.
I also have these sets on smb.conf:

short preserve case = yes
preserve case = yes
case sensitive = no

-----
Nuno Andre Henriques Loureiro
http://lwp.ualg.pt/~nuno
PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
Finger nuno@lwp.ualg.pt for more info

From nuno at lwp.ualg.pt Wed Apr 15 05:37:12 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:58 2003
Subject: Possible bug!?
Message-ID:

Hi..

About one mail I sent a week or 2 ago that was unreadable for some
users, talking about a new option to smbstatus to control login times
(smbstatus -t : patch at http://lwp.ualg.pt/~nuno/status.dif) that
didn't work very well because of a samba or nt bug, I found something.

The patch is based on homedir share, that I mount at every
login time. It seems that after some minutes, or hours, with a lot of
activity or not (I don't know), samba closes the share due to some
internal error (see below). For more info read that 'unreadable'
message I posted at
http://samba.anu.edu.au/listproc/samba-ntdom/0338.html.

Samba version I'm using is samba cvs main branch from April 4.
--------------log.pc10-----------------------------------------------------
1998/04/14 13:02:59 pc10 (10.11.84.110) connect to service Profiles as user a9820 (uid=1042,gid=111) (pid 3024)
===============================================================
INTERNAL ERROR: Signal 11 in pid 3024 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
1998/04/14 13:05:54 pc10 (10.11.84.110) closed connection to service Profiles
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=25 smb_pid=51966 smb_uid=101 smb_mid=10048 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 E0 92 F8 F9 FA .P.C.1.0 ........
[060] 00 23 63 C4 E9 CB 3B 6E E1 CF 50 33 35 04 FA FA .#c...;n ..P35...
[070] 00 F8 D2 FF BF F2 D6 05 08 F4 CE FF BF 01 00 01 ........ ........
[080] 00 E4 FC FA 00 0C 00 0C 00 2A E0 14 00 00 00 00 ........ .*......
[090] 00 3B 8C 00 00 00 00 00 00 0C 00 0C 00 1C E0 14 .;...... ........
[0A0] 00 08 00 0A 00 F0 40 14 00 E2 D4 A4 1D 5A 70 21 ......@. .....Zp!
[0B0] 9D E2 C5 1F 22 60 4E DA C1 08 29 60 4E 4F FE C8 ...."`N. ..)`NO..
[0C0] 50 E6 2A 9C E5 72 84 AD C3 06 00 00 00 00 00 00 P.*..r.. ........
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
===============================================================
INTERNAL ERROR: Signal 11 in pid 3045 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 40 56 F8 F9 0A .P.C.1.0 ...@V...
[060] 01 57 0F 34 AB 72 0B 9B D0 D8 50 33 35 04 FA 0A .W.4.r.. ..P35...
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC 0A 01 0C 00 0C 00 12 66 14 00 00 00 00 ........ ..f.....
[090] 00 58 8C 00 00 00 00 00 00 0C 00 0C 00 04 66 14 .X...... ......f.
[0A0] 00 08 00 0A 00 F0 40 14 00 40 80 D3 1B 6A DF E6 ......@. .@...j..
[0B0] 32 A7 43 25 64 05 96 DF F0 F0 8A 48 4A C2 D5 DC 2.C%d... ...HJ...
[0C0] 0A 29 DA 49 0F A8 C0 B7 61 06 00 00 00 00 00 00 .).I.... a.......
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
===============================================================
INTERNAL ERROR: Signal 11 in pid 3047 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 70 36 F8 F9 0A .P.C.1.0 ...p6...
[060] 01 15 1F 30 2D 83 16 39 1F D9 50 33 35 04 FA 0A ...0-..9 ..P35...
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC 0A 01 0C 00 0C 00 12 66 14 00 00 00 00 ........ ..f.....
[090] 00 58 8C 00 00 00 00 00 00 0C 00 0C 00 04 66 14 .X...... ......f.
[0A0] 00 08 00 0A 00 F0 40 14 00 E3 62 5B CB EC 45 AA ......@. ..b[..E.
[0B0] 5C 53 E0 92 0B 8A 4D 5D 78 53 68 C0 9A 44 4F 90 \S....M] xSh..DO.
[0C0] 64 DD 79 FE 60 27 1B 35 E9 06 00 00 00 00 00 00 d.y.`'.5 ........
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
===============================================================
INTERNAL ERROR: Signal 11 in pid 3048 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 F0 32 F8 F9 3A .P.C.1.0 ....2..:
[060] 01 6E 8B 47 68 DD 67 FC C6 EB 50 33 35 04 FA 3A .n.Gh.g. ..P35..:
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC 3A 01 0C 00 0C 00 2A E0 14 00 00 00 00 ...:.... .*......
[090] 00 87 8C 00 00 00 00 00 00 0C 00 0C 00 1C E0 14 ........ ........
[0A0] 00 08 00 0A 00 F0 40 14 00 02 A3 42 5E 86 D4 02 ......@. ...B^...
[0B0] 89 C0 81 C3 B7 81 C1 14 C4 E8 5E 86 0D 93 5A EB ........ ..^...Z.
[0C0] 44 C4 6E 40 70 93 0B 63 C6 06 00 00 00 00 00 00 D.n@p..c ........
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
===============================================================
INTERNAL ERROR: Signal 11 in pid 3050 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 70 52 F8 F9 3A .P.C.1.0 ...pR..:
[060] 01 EA B8 28 18 CB 45 23 0E EB 50 33 35 04 FA 3A ...(..E# ..P35..:
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC 3A 01 0C 00 0C 00 2A E0 14 00 00 00 00 ...:.... .*......
[090] 00 87 8C 00 00 00 00 00 00 0C 00 0C 00 1C E0 14 ........ ........
[0A0] 00 08 00 0A 00 F0 40 14 00 C7 1E 2E 52 4F 19 D5 ......@. ....RO..
[0B0] C0 C0 B2 2D 70 58 D5 C6 03 2D E3 EA 01 5A 97 3C ...-pX.. .-...Z.<
[0C0] 0D C4 5D AE B7 4A 1F B1 01 06 00 00 00 00 00 00 ..]..J.. ........
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
===============================================================
INTERNAL ERROR: Signal 11 in pid 3051 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 C0 0B F8 F9 1A .P.C.1.0 ........
[060] 01 6D 83 DE A0 B9 6A 64 07 42 51 33 35 04 FA 1A .m....jd .BQ35...
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC 1A 01 0C 00 0C 00 82 2B 14 00 00 00 00 ........ ..+.....
[090] 00 E6 8C 00 00 00 00 00 00 0C 00 0C 00 74 2B 14 ........ .....t+.
[0A0] 00 08 00 0A 00 F0 40 14 00 C1 24 27 00 94 2F ED ......@. ..$'../.
[0B0] 9C 7B 3B AE 99 8C 8F 0F FF 2B D9 E3 53 81 A1 04 .{;..... .+..S...
[0C0] 51 7F D4 2D 5E 9E 45 78 FD 06 00 00 00 00 00 00 Q..-^.Ex ........
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801

(..sniped..)

===============================================================
INTERNAL ERROR: Signal 11 in pid 3060 (1.9.18-HEAD)
Please read the file BUGS.txt in the distribution
===============================================================
Last message was SMBtrans
size=338 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=3
smb_tid=12 smb_pid=51966 smb_uid=100 smb_mid=896 smt_wct=16
smb_vwv[0]=0 (0x0) smb_vwv[1]=262 (0x106) smb_vwv[2]=0 (0x0) smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0) smb_vwv[5]=0 (0x0) smb_vwv[6]=0 (0x0) smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0) smb_vwv[9]=0 (0x0) smb_vwv[10]=76 (0x4C) smb_vwv[11]=262 (0x106)
smb_vwv[12]=76 (0x4C) smb_vwv[13]=2 (0x2) smb_vwv[14]=38 (0x26) smb_vwv[15]=2049 (0x801)
smb_bcc=271
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 06 01 00 00 03 00 00 00 EE 00 00 00 00 00 02 ........ ........
[020] 00 D8 63 14 00 07 00 00 00 00 00 00 00 07 00 00 ..c..... ........
[030] 00 5C 00 5C 00 52 00 54 00 46 00 4D 00 00 00 88 .\.\.R.T .F.M....
[040] 8A B4 3C 95 75 05 00 00 00 00 00 00 00 05 00 00 ..<.u... ........
[050] 00 50 00 43 00 31 00 30 00 00 00 40 3D F8 F9 EF .P.C.1.0 ...@=...
[060] 01 E2 65 65 5C 0D 57 59 81 49 51 33 35 04 FA EF ..ee\.WY .IQ35...
[070] 01 B9 6E F6 77 00 00 14 00 00 00 00 00 01 00 01 ..n.w... ........
[080] 00 E4 FC EF 01 0C 00 0C 00 12 66 14 00 00 00 00 ........ ..f.....
[090] 00 15 8D 00 00 00 00 00 00 0C 00 0C 00 04 66 14 ........ ......f.
[0A0] 00 08 00 0A 00 F0 40 14 00 1C 30 C2 24 80 4C 90 ......@. ..0.$.L.
[0B0] A2 90 BE F8 E8 FB 96 85 F5 AC 3A 59 75 28 46 AA ........ ..:Yu(F.
[0C0] 9A 1E 27 94 83 56 C0 ED 64 06 00 00 00 00 00 00 ..'..V.. d.......
[0D0] 00 06 00 00 00 53 00 45 00 47 00 4E 00 45 00 54 .....S.E .G.N.E.T
[0E0] 00 06 00 00 00 00 00 00 00 06 00 00 00 61 00 31 ........ .....a.1
[0F0] 00 33 00 34 00 32 00 34 00 05 00 00 00 00 00 00 .3.4.2.4 ........
[100] 00 04 00 00 00 50 00 43 00 31 00 30 00 03 00 .....P.C .1.0...
===============================================================
Dumping core in /usr/local/samba/var/corefiles
api_fd_reply: INVALID PIPE HANDLE: 801
1998/04/14 13:11:51 pc10 (10.11.84.110) connect to service Profiles as user a13424 (uid=1065,gid=111) (pid 3061)
1998/04/14 13:11:55 pc10 (10.11.84.110) connect to service Netlogon as user a13424 (uid=1065,gid=111) (pid 3061)
1998/04/14 13:11:59 pc10 (10.11.84.110) connect to service a13424 as user a13424 (uid=1065,gid=111) (pid 3061)
1998/04/14 13:22:54 pc10 (10.11.84.110) closed connection to service Netlogon
1998/04/14 14:29:52 pc10 (10.11.84.110) closed connection to service a13424
1998/04/14 14:29:53 pc10 (10.11.84.110) closed connection to service Profiles
NT Password did not match ! Defaulting to Lanman
NT Password did not match !
Defaulting to Lanman
------------------------------------------------------------------------------

-----
Nuno Andre Henriques Loureiro
http://lwp.ualg.pt/~nuno
PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
Finger nuno@lwp.ualg.pt for more info

From baeumer at fokus.gmd.de Wed Apr 15 07:53:36 1998
From: baeumer at fokus.gmd.de (Christoph Bäumer)
Date: Tue Dec 2 02:23:58 2003
Subject: reply to Possible bug!? in NTDOM
Message-ID: <35346780.4BD876BF@fokus.gmd.de>

Skipped content of type multipart/mixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 1751 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980415/d2a29a2e/smime.bin

From daniel at med.up.pt Wed Apr 15 10:16:09 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:58 2003
Subject: Profiles & Policies
In-Reply-To:
Message-ID:

On Wed, 15 Apr 1998, Nuno Loureiro wrote:

> -> > default case = lower
> -> preserve case = yes
> ->
> -> as well as 'default case = lower'
> ->
>
> Mine is ntconfig.pol, and it is working fine too.
> I also have these sets on smb.conf:
>
> short preserve case = yes
> preserve case = yes
> case sensitive = no
>

Ok, another one to the list, but my guess is that if you disable case
sensitivity any form of ntconfig.pol will do.

As for the rest, I'm yet to find the best configuration.
From the sample confs:

# Be very careful with case sensitivity - it can break things!

I have NTconfig.pol and have not defined any of the above settings
(defaulting all the way) so:

preserve case = no
short preserve case = no
default case = lower
case sensitive = no

Daniel

From cartegw at Eng.Auburn.EDU Wed Apr 15 12:56:40 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Possible bug!?
References:
Message-ID: <3534AE88.80083DAE@eng.auburn.edu>

Nuno Loureiro wrote:
>
> Hi..
>
> About one mail I sent a week or 2 ago that was unreadable for some
> users, talking about a new option to smbstatus to control login times
> (smbstatus -t : patch at http://lwp.ualg.pt/~nuno/status.dif) that
> didn't work very well because of a samba or nt bug, I found something.
>
> The patch is based on homedir share, that I mount at every
> login time. It seems that after some minutes, or hours, with a lot of
> activity or not (I don't know), samba closes the share due to some
> internal error (see below). For more info read that 'unreadable'
> message I posted at
> http://samba.anu.edu.au/listproc/samba-ntdom/0338.html.
>
> Samba version I'm using is samba cvs main branch from April 4.
>

Nuno,

What OS are you running on and what compiler did you use?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                       Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                 - Sting "Message in a Bottle" ( 1979 )

From nuno at lwp.ualg.pt Wed Apr 15 13:53:14 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:58 2003
Subject: Possible bug!?
In-Reply-To: <3534AE88.80083DAE@eng.auburn.edu>
Message-ID:

On 15-Apr-98 Gerald W. Carter wrote this and I have to respond:

-> Nuno Loureiro wrote:
-> >
-> > Hi..
-> >
-> > About one mail I sent a week or 2 ago that was unreadable for some
-> > users, talking about a new option to smbstatus to control login times
-> > (smbstatus -t : patch at http://lwp.ualg.pt/~nuno/status.dif) that
-> > didn't work very well because of a samba or nt bug, I found something.
-> >
-> > The patch is based on homedir share, that I mount at every
-> > login time. It seems that after some minutes, or hours, with a lot of
-> > activity or not (I don't know), samba closes the share due to some
-> > internal error (see below). For more info read that 'unreadable'
-> > message I posted at
-> > http://samba.anu.edu.au/listproc/samba-ntdom/0338.html.
-> >
-> > Samba version I'm using is samba cvs main branch from April 4.
-> >
->
-> Nuno,
->
-> What OS are you running on and what compiler did you use?

Slackware Linux 3.4, gcc 2.7.2.3..

I'm gonna try Christopher's suggestion.

-----
Nuno Andre Henriques Loureiro
http://lwp.ualg.pt/~nuno
PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
Finger nuno@lwp.ualg.pt for more info

From lkcl at regent.push.net Wed Apr 15 14:09:32 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Possible bug!?
In-Reply-To:
Message-ID:

On Thu, 16 Apr 1998, Nuno Loureiro wrote:

>
> On 15-Apr-98 Gerald W. Carter wrote this and I have to respond:
>
> -> Nuno Loureiro wrote:
> -> >
> -> > Hi..
> -> >
> -> > About one mail I sent a week or 2 ago that was unreadable for some
> -> > users, talking about a new option to smbstatus to control login times
> -> > (smbstatus -t : patch at http://lwp.ualg.pt/~nuno/status.dif) that
> -> > didn't work very well because of a samba or nt bug, I found something.
> -> >
> -> > The patch is based on homedir share, that I mount at every
> -> > login time. It seems that after some minutes, or hours, with a lot of
> -> > activity or not (I don't know), samba closes the share due to some
> -> > internal error (see below). For more info read that 'unreadable'
> -> > message I posted at
> -> > http://samba.anu.edu.au/listproc/samba-ntdom/0338.html.
> -> >
> -> > Samba version I'm using is samba cvs main branch from April 4.
> -> >
> ->
> -> Nuno,
> ->
> -> What OS are you running on and what compiler did you use?
>
> Slackware Linux 3.4, gcc 2.7.2.3..

recompile without -O because there is a bug in that version of gcc.

From mike.maltar at midata.com Wed Apr 15 15:44:50 1998
From: mike.maltar at midata.com (mike maltar)
Date: Tue Dec 2 02:23:58 2003
Subject: Please remove my name from the listserve
Message-ID:

Remove

From lkcl at regent.push.net Wed Apr 15 15:34:37 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Please remove my name from the listserve
In-Reply-To:
Message-ID:

mike,

send a message to listproc@samba.anu.edu.au, "unsubscribe samba-ntdom".
see http://samba.anu.edu.au/listproc.

ok?

On Thu, 16 Apr 1998, mike maltar wrote:

> Remove
>

From michel at nijenrode.nl Wed Apr 15 16:17:02 1998
From: michel at nijenrode.nl (Michel)
Date: Tue Dec 2 02:23:58 2003
Subject: Browsing & win95...
Message-ID: <199804151617.SAA21947@bordeaux.nijenrode.nl>

Some strange stuff going on; I configured samba (on multiple interfaces)
to be a master and a domain master browser. According to the log.nmb
this all goes well for both subnets (and samba is a domain controller).

Domain logons to the samba server go well from the win95 client,
nmblookups go well, net view \\machine on the win95 works well..
But the samba server doesn't show up in the environment. What's more...
Everytime I configure the samba server's ip to be win95's wins server,
this setting seems to be totally lost by the win95 workstation after
every reboot... winipcfg then shows an empty field for the primary
wins server and the config'd server in the secondary field....
(and just wins disabled in the networking config).
(and no, there are no (remote) reg- or policy updates).

All this doesn't indicate a problem in samba but in the win95 workstation...
but I have no clue - anyone who might know where to start looking
for the problem ?

Michel.
--
Michel van der Laan - michel@nijenrode.nl
http://www.nijenrode.nl/~michel

From lkcl at regent.push.net Wed Apr 15 16:56:37 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Browsing & win95...
In-Reply-To: <199804151617.SAA21947@bordeaux.nijenrode.nl>
Message-ID:

all these questions are standard samba questions: please re-post on
samba@samba.anu.edu.au. this list is for the administration and
development of samba as an NT Domain Controller.

good luck!

luke

On Thu, 16 Apr 1998, Michel wrote:

>
> Some strange stuff going on; I configured samba (on multiple interfaces)
> to be a master and a domain master browser. According to the log.nmb
> this all goes well for both subnets (and samba is a domain controller).
>
> Domain logons to the samba server go well from the win95 client,
> nmblookups go well, net view \\machine on the win95 works well..
> But the samba server doesn't show up in the environment. What's more...
> Everytime I configure the samba server's ip to be win95's wins server,
> this setting seems to be totally lost by the win95 workstation after
> every reboot... winipcfg then shows an empty field for the primary
> wins server and the config'd server in the secondary field....
> (and just wins disabled in the networking config).
> (and no, there are no (remote) reg- or policy updates).
>
> All this doesn't indicate a problem in samba but in the win95 workstation...
> but I have no clue - anyone who might know where to start looking
> for the problem ?
>
> Michel.
>
>
> --
> Michel van der Laan - michel@nijenrode.nl
> http://www.nijenrode.nl/~michel
>

From cartegw at Eng.Auburn.EDU Wed Apr 15 16:27:28 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Browsing & win95...
References: <199804151617.SAA21947@bordeaux.nijenrode.nl>
Message-ID: <3534DFF0.56DDF1E8@eng.auburn.edu>

Michel wrote:
>
> Some strange stuff going on; I configured samba (on multiple interfaces)
> to be a master and a domain master browser. According to the log.nmb
> this all goes well for both subnets (and samba is a domain controller).
>
> Domain logons to the samba server go well from the win95 client,
> nmblookups go well, net view \\machine on the win95 works well..
> But the samba server doesn't show up in the environment. What's more...
> Everytime I configure the samba server's ip to be win95's wins server,
> this setting seems to be totally lost by the win95 workstation after
> every reboot... winipcfg then shows an empty field for the primary
> wins server and the config'd server in the secondary field....
> (and just wins disabled in the networking config).
> (and no, there are no (remote) reg- or policy updates).
>
> All this doesn't indicate a problem in samba but in the win95 workstation...
> but I have no clue - anyone who might know where to start looking
> for the problem ?

Since this is a Windows 95 question, you really should post it to the
regular samba mailing list. But since I'm here.... :)

Windows 95 OSR2 and later seems to forget these things. If you will
enter the WINS server's IP address as the primary and secondary server
then it should stay put.

j-

From lkcl at regent.push.net Wed Apr 15 18:23:31 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: pam_ntdom 0.2 now available
Message-ID:

hi,

pam_ntdom 0.2 is now running and actually tested, this time, with
Linux-PAM-0.4/examples/blank.
i don't know why the only username passed to pam_ntdom is 9316217 (i
presume that this is something to do with testing?) but there you go.

http://www.cb1.com/~lkcl/pam_ntdom/

andrew, pam_ntdom.tar.gz is now a symbolic link to the latest version:
no need to update kernel.org's web site.

for version 0.3, once i deal with a security issue (the default machine
trust account password is the machine's name: we haven't
reverse-engineered the mechanism to change the machine trust account
yet) then i will move it onto samba.anu.edu.au.

luke (samba team)

From simon at atlantis.impulse.org Tue Apr 14 20:18:43 1998
From: simon at atlantis.impulse.org (Simon Richard Hall)
Date: Tue Dec 2 02:23:58 2003
Subject: Security = user workaround
Message-ID: <19980414211843.35193@atlantis.impulse.org>

Hi,

There is a fairly limited, and kludgy solution for this which may work
for certain small networks.

If you've got a linux box somewhere on your network you can install
Mars ( free Netware 3.11 emulator ), which requires IPX, and use your
Netware domain for user level authentication.

Yeah, I know it's a real pain but it does work, and one or two of you
might think it's worth the effort.

I used to use mars for file sharing, but since 1.9.18ish samba's made
huge improvements in speed and if it wasn't for the user-level control
"problem" I'd ditch mars now.

Hope this helps someone,

Simon Hall.

--
+----- -----+
Simon R. Hall is, amongst other identities, simonh@impulse.org
+----- -----+
"Sometimes I wake up grumpy.. other times I let her sleep."

From harper at banks.scar Thu Apr 16 03:39:13 1998
From: harper at banks.scar (John Harper)
Date: Tue Dec 2 02:23:58 2003
Subject: machine inaccessible - how to fix??
Message-ID: <199804160339.XAA04143@scar.utoronto.ca>

I know this question doesn't really belong in this list but on the
other hand my troubles began when I was playing with NT domains served
by Samba, so maybe someone else messed things up the same way....
I originally had my NT client doing domain logins to one Samba PDC
called "banks" (which also offered some shares such as home
dirs). This worked fine until I found out a client machine can only be
in one domain. So I removed the NTDOM branch, put back the original
Samba, and moved the PDC to another machine.

I did a domain login from my NT client and it seemed to work ok
(except I did not share homes, so it could not find the roaming
profiles). But now when I attempt to connect to "banks" (the former
PDC) through the Network 'hood I get the error message "machine is
inaccessible. The storage control blocks have been destroyed". This
happens for any user on this client.

From this client I can connect to any other Samba server, and any
other client machine can connect to banks, and as well I can connect
to banks from my client with net use.

After the failed attempt to connect via the Net'hood a net use shows
two IPC connections:
   \\Banks\IPC$
   \\BANKS\IPC$
The Samba logs show nothing unusual (that I can understand - there are
no error messages at any rate).

I've reinstalled the samba client on banks, I've even changed the
netbios name and it still doesn't work. I've converted my client back
to its original config without domain logins, and it still fails. I
turned off the PDC - in fact everything is now back the way it was
before I ever heard of NT domains..... it's still broke. I could move
to another client machine, but if I trash that too, well..

I've had no responses from other groups; the M$ web site only
references "storage control blocks" twice (once on a list of NT error
codes....); no book on NT mentions this.

So... has anyone ever heard of this? Is there a way to fix it short of
re-installing NT?

Thanks in advance.
John Harper
------------------------------------
Academic Computing Coordinator
University of Toronto at Scarborough
harper@scar.utoronto.ca

From lkcl at regent.push.net Thu Apr 16 12:36:42 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: machine inaccessible - how to fix??
In-Reply-To: <199804160339.XAA04143@scar.utoronto.ca>
Message-ID:

john,

when a machine joins a domain, it is allocated a "machine trust
account". on samba, you do this by running "smbpasswd -add --machine
EACH_WORKSTATION'S_NAME".

if these passwords get out of sync between the PDC and the workstation,
then you will run into difficulties: the _machine_ not the user will be
refused access to the domain. this is to stop people spoofing access
from unauthorised machines.

exactly how you recalibrate a machine to get it to rejoin a domain with
a default password i wouldn't like to say: the techniques i used are
inadvisable.

i suggest you change the name of the NT workstation as the safest
method, and re-join the domain with the new name.

luke

On Thu, 16 Apr 1998, John Harper wrote:

>
> I know this question doesn't really belong in this list but on the
> other hand my troubles began when I was playing with NT domains served
> by Samba, so maybe someone else messed things up the same way....
>
> I originally had my NT client doing domain logins to one Samba PDC
> called "banks" (which also offered some shares such as home
> dirs). This worked fine until I found out a client machine can only be
> in one domain. So I removed the NTDOM branch, put back the original
> Samba, and moved the PDC to another machine.
>
> I did a domain login from my NT client and it seemed to work ok
> (except I did not share homes, so it could not find the roaming
> profiles). But now when I attempt to connect to "banks" (the former
> PDC) through the Network 'hood I get the error message "machine is
> inaccessible. The storage control blocks have been destroyed". This
> happens for any user on this client.
>
> From this client I can connect to any other Samba server, and any
> other client machine can connect to banks, and as well I can connect
> to banks from my client with net use.
>
> After the failed attempt to connect via the Net'hood a net use shows
> two IPC connections:
>    \\Banks\IPC$
>    \\BANKS\IPC$
> The Samba logs show nothing unusual (that I can understand - there are
> no error messages at any rate).
>
> I've reinstalled the samba client on banks, I've even changed the
> netbios name and it still doesn't work. I've converted my client back
> to its original config without domain logins, and it still fails. I
> turned off the PDC - in fact everything is now back the way it was
> before I ever heard of NT domains..... it's still broke. I could move
> to another client machine, but if I trash that too, well..
>
> I've had no responses from other groups; the M$ web site only
> references "storage control blocks" twice (once on a list of NT error
> codes....); no book on NT mentions this.
>
> So... has anyone ever heard of this? Is there a way to fix it short of
> re-installing NT?
>
> Thanks in advance.
>
> John Harper
> ------------------------------------
> Academic Computing Coordinator
> University of Toronto at Scarborough
> harper@scar.utoronto.ca
>

From greg at Discreet.COM Thu Apr 16 13:18:09 1998
From: greg at Discreet.COM (Greg Dickie)
Date: Tue Dec 2 02:23:58 2003
Subject: Samba PDC trashes NT PDC?
Message-ID:

Hi All,

Haven't played with samba for awhile and man it's good to be back!

I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago. Seems to
work great except for profiles but I'll figure that out. The only problem is
that our IS guys PDC (on another domain) seemed to get screwed up right around
the time I was tweaking the samba PDC. They finally rebooted their machine but
it consequently would not even boot (%$##%$# NT!). My question is "Has anyone
seen this kind of behavior?"
I don't know about any kind of restrictions on the number of PDCs (in
different domains) on a subnet. Could it be some master browser conflict? Can
NT be so badly done that something I do on the network can actually screw up
the machine enough that a reboot can't fix it? Or is it just a coincidence?

Any opinions?

TIA,
Greg

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet logic
Montreal
(514) 954-7171
greg@discreet.com

From cartegw at Eng.Auburn.EDU Thu Apr 16 13:40:06 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Samba PDC trashes NT PDC?
References:
Message-ID: <35360A36.BD72BFEC@eng.auburn.edu>

Greg Dickie wrote:
>
> I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago.
> Seems to work great except for profiles but I'll figure that out. The

There has recently been a long thread on profiles on the list. Don't
know if you caught it or not. Check the archives at
http://samba.anu.edu.au/listproc/samba-ntdom

> only problem is that our IS guys PDC (on another domain) seemed to get
> screwed up right around the time I was tweaking the samba PDC. They
> finally rebooted their machine but it consequently would not even boot
> (%$##%$# NT!). My question is "Has anyone seen this kind of behavior?"
>
> I don't know about any kind of restrictions on the number of PDCs (in
> different domains) on a subnet. Could it be some master browser
> conflict? Can NT be so badly done that something I do on the network
> can actually screw up the machine enough that a reboot can't fix it? Or
> is it just a coincidence?
I'm thinking this was just a coincidence but without some sort of
packet dump between the two, this is just a hunch ;^)

j-

From canfield at uindy.edu Thu Apr 16 14:28:04 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
References: <19980414211843.35193@atlantis.impulse.org>
Message-ID: <35361573.86947871@uindy.edu>

Sorry to bug everyone again. Things are really starting to work well
around here, but I have one more question. Could someone tell me what
NT groups you are a member of when validated by a Samba PDC. I seem to
have all sorts of problems when I try modifying the read/write
permissions on the NT Workstation, even using Microsoft's own
recommendations. My only guess right now is that users validated over
the PDC aren't getting to be members of the standard "users" group
(though "everyone" doesn't seem to be working right, either).

Also, if anyone has a good, general list of how permissions should be
set on the directories to make a relatively secure, Samba-authenticated
NT 4.0 installation, I would be most appreciative.

Thanks to everyone who has been so helpful the past week.

Dana

From cartegw at Eng.Auburn.EDU Thu Apr 16 14:49:34 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
References: <35361573.86947871@uindy.edu>
Message-ID: <35361A7E.B170FE91@eng.auburn.edu>

Dana Canfield wrote:
>
> Sorry to bug everyone again. Things are really starting to work well
> around here, but I have one more question. Could someone tell me what
> NT groups you are a member of when validated by a Samba PDC. I seem to
> have all sorts of problems when I try modifying the read/write
> permissions on the NT Workstation, even using Microsoft's own
> recommendations. My only guess right now is that users validated over
> the PDC aren't getting to be members of the standard "users" group
> (though "everyone" doesn't seem to be working right, either).

See the domain admins parameter in smb.conf. By default the user is
included in the user group I think. I verified this by revoking the
right to shut down a local workstation from "users" and "everyone". Was
then unable to shut down the machine as a domain user. Gave the right
back to "Users" and could shut it down again.

> Also, if anyone has a good, general list of how permissions should be
> set on the directories to make a relatively secure, Samba-authenticated
> NT 4.0 installation, I would be most appreciative.

I have a script I use to secure lab machines. It is constantly
evolving, but I can send it to you directly if you wish. Don't want to
post it directly to the list here due to space.

j-

From lkcl at regent.push.net Thu Apr 16 14:57:56 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
In-Reply-To: <35361573.86947871@uindy.edu>
Message-ID:

On Fri, 17 Apr 1998, Dana Canfield wrote:

> Sorry to bug everyone again. Things are really starting to work well around
> here, but I have one more question.

you're not bugging anyone: you're asking the right questions.

> Could someone tell me what NT groups you
> are a member of when validated by a Samba PDC. I seem to have all sorts of
> problems when I try modifying the read/write permissions on the NT Workstation,
> even using Microsoft's own recommendations. My only guess right now is that
> users validated over the PDC aren't getting to be members of the standard
> "users" group (though "everyone" doesn't seem to be working right, either).

ok, i have added a _temporary_ set of parameters

domain admin users =
domain guest users =
domain groups =

actually, the last one is a lie: it's local alias groups, and takes text
parameters or RID group numbers. there are prior postings on this one.

> Also, if anyone has a good, general list of how permissions should be set on the
> directories to make a relatively secure, Samba-authenticated NT 4.0
> installation, I would be most appreciative.

at the moment, absolutely no idea. don't forget that we haven't added
any code that maps between unix and NT groups, yet...

luke

From lkcl at regent.push.net Thu Apr 16 15:27:47 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

On Thu, 16 Apr 1998, Greg Dickie wrote:

>
> Hi All,
>
> Haven't played with samba for awhile and man it's good to be back!
>
> I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago. Seems to
> work great except for profiles but I'll figure that out. The only problem is
> that our IS guys PDC (on another domain) seemed to get screwed up right around
> the time I was tweaking the samba PDC. They finally rebooted their machine but
> it consequently would not even boot (%$##%$# NT!). My question is "Has anyone
> seen this kind of behavior?"

i haven't, and i have two NT PDCs and a samba PDC.

>
> I don't know about any kind of restrictions on the number of PDCs (in
> different domains) on a subnet.

none, up to the traffic limit.

> Could it be some master browser conflict?
not at all, because each PDC is a domain master browser for its own
workgroup, and that's nothing to do with login stuff anyway.

> Can
> NT be so badly done that something I do on the network can actually screw up
> the machine enough that a reboot can't fix it? Or is it just a coincidence?

coincidence, i'd put it down to. until it happens again :-) please keep
us informed.

From lkcl at regent.push.net Thu Apr 16 15:30:35 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
In-Reply-To: <35361A7E.B170FE91@eng.auburn.edu>
Message-ID:

On Fri, 17 Apr 1998, Gerald W. Carter wrote:

> > recommendations. My only guess right now is that users validated over
> > the PDC aren't getting to be members of the standard "users" group
> > (though "everyone" doesn't seem to be working right, either).
>
> See the domain admins parameter in smb.conf. By default the user is
> included in the user group I think.

correct.

they are excluded from users if they are in "domain guest users". they
are not excluded from users if they are in "domain admin users".

i think. haven't looked at that code for a while.

> I verified this by revoking the
> right to shut down a local workstation from "users" and "everyone". Was
> then unable to shut down the machine as a domain user. Gave the right
> back to "Users" and could shut it down again.

yep! this caught me out when i was developing the code. a quick hack,
and i didn't have to turn the machine off at the plug!

> > Also, if anyone has a good, general list of how permissions should be
> > set on the directories to make a relatively secure, Samba-authenticated
> > NT 4.0 installation, I would be most appreciative.
>
> I have a script I use to secure lab machines. It is constantly
> evolving, but I can send it to you directly if you wish. Don't want to
> post it directly to the list here due to space.
awww, spoil-sport, gerald :-)

From cartegw at Eng.Auburn.EDU Thu Apr 16 16:03:21 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
References:
Message-ID: <35362BC9.67E76358@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> they are excluded from users if they are in "domain guest users". they
> are not excluded from users if they are in "domain admin users".
>
> i think. haven't looked at that code for a while.

From Michael Keightley:
> Do I have to change domain admins so users are in the Users group? I
> found when I set a folder to be accessible only by group Users I
> couldn't access it when I logged into the domain....

Hmmm...Luke I just got this question from michael. Seems that maybe
domain users are not considered to be in the users group. If you don't
remember off the top of your head, I can grep through the source to
confirm / deny this.

j-

From x7currie at lab2.cc.wmich.edu Thu Apr 16 16:06:54 1998
From: x7currie at lab2.cc.wmich.edu (CURRIE KEVIN)
Date: Tue Dec 2 02:23:58 2003
Subject: Group Memberships & ACL permissions?
In-Reply-To: <35361A7E.B170FE91@eng.auburn.edu>
Message-ID:

> I have a script I use to secure lab machines. It is constantly
> evolving, but I can send it to you directly if you wish. Don't want to
> post it directly to the list here due to space.

Could you please cc that to me as well... I'm about a week away from
pushing a couple labs of computers to using samba as a PDC and I'd like
everything to go as smooth as possible.
Thanks,
Kevin Currie

From samba at aquasoft.com.au Thu Apr 16 16:22:15 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

Yes!

If you turn on "domain logons = yes" and set the "os level = xx" up high
enough you can cause every NT domain controller to shut down its "net
logon service" - very mean thing to do man! Not very nice! No!

NT can be Soooooo bad!

On Thu, 16 Apr 1998, Greg Dickie wrote:

>
> Hi All,
>
> Haven't played with samba for awhile and man it's good to be back!
>
> I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago. Seems to
> work great except for profiles but I'll figure that out. The only problem is
> that our IS guys PDC (on another domain) seemed to get screwed up right around
> the time I was tweaking the samba PDC. They finally rebooted their machine but
> it consequently would not even boot (%$##%$# NT!). My question is "Has anyone
> seen this kind of behavior?"

No, they didn't have to reboot did they? Oh, no. But, isn't that normal
for NT? Sure it is! (;-)) Good reason to move to Samba I suspect. Maybe?

>
>
> I don't know about any kind of restrictions on the number of PDCs (in
> different domains) on a subnet. Could it be some master browser conflict? Can
> NT be so badly done that something I do on the network can actually screw up
> the machine enough that a reboot can't fix it? Or is it just a coincidence?

No co-incidence! Plain fact. Microsoft devotees call that "Stable",
"Production Quality", "Reliable", "Well backed", "Commercial".

>
> Any opinions?

I am not normally opinionated, but today was not a good day!
I had to take it out somewhere and then you came along. Aren't you sorry?

From cartegw at Eng.Auburn.EDU Thu Apr 16 16:23:05 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:59 2003
Subject: Group Memberships & ACL permissions?
References:
Message-ID: <35363069.CBDD55F6@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> > I have a script I use to secure lab machines. It is constantly
> > evolving, but I can send it to you directly if you wish. Don't want
> > to post it directly to the list here due to space.
>
> awww, spoil-sport, gerald :-)

OK. Since I have had a couple of requests....I don't claim this to be
perfect. If it breaks something...well you know the drill....Also
remember that I am a control freak on my network so I generally try to
lock down everything I can ( like have you ever moved the
%systemroot%\Fonts to %systemdrive%\Fonts? Weird things happen...)

The igrant / grant / setowner utilities are ones I got from Pedestal
software ( $5 per copy for EDU sites ). You could probably use cacls.exe
to do the same thing.

I have found that I need to run the script anytime I add software which
puts things in system32 due to the fact that Administrator will own the
file and Everyone does not have RX permission.

Anyways...Here goes....Note that some lines may be wrapped.

May the source be with you :^)

j-

@echo off
rem #########################################################
rem ##
rem ## Script to set initial File permissions / ownership on
rem ## College of Engineering student lab NT 4.0 Workstations
rem ##
rem ## Author       : Gerald Carter
rem ##                jerry@eng.auburn.edu
rem ## File created : Sometime in '97
rem ## Last update  : March 27, 1998
rem ##
rem ## Notes : USE THIS AT YOUR OWN RISK!!  I AM NOT
rem ##         RESPONSIBLE FOR TIME LOST DUE TO ANYTHING
rem ##         THAT THIS SCRIPT DOES!
rem ##
rem ## The igrant / grant / setowner utilities are from
rem ## Pedestal software
rem ##    http://www.pedestalsoftware.com/ntsec.htm
rem ## Note that you could probably do the same type of
rem ## script using the cacls.exe utility that comes with
rem ## Windows NT.
rem ##
rem #########################################################

rem ******** Environment variables for script ********
set ROOTPERM=Administrators:all SYSTEM:all
set OWNER="CREATOR OWNER:all"
set LOGFILE=%SYSTEMROOT%\local\log\init-sec.log
set LOCALBIN=%SYSTEMROOT%\local\bin

rem ******** Set the ownership of the files ********
echo.
echo Setting the ownership of...

echo Root files
%LOCALBIN%\setowner Administrators %SystemDrive%\ > %LOGFILE%

echo %SYSTEMROOT%
%LOCALBIN%\setowner -r Administrators %SYSTEMROOT% >> %LOGFILE%

echo %SystemDrive%\Temp
%LOCALBIN%\setowner Administrators %SystemDrive%\Temp >> %LOGFILE%

rem ******** Set the permissions on the files ********
echo.
echo.
echo Setting the files permissions on...

echo Root files
%LOCALBIN%\igrant -clear %ROOTPERM% Everyone:rx %SystemDrive%\ >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% Everyone:rx %SystemDrive%\* >> %LOGFILE%

echo %SYSTEMROOT%
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT% >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\* >> %LOGFILE%

echo %SYSTEMROOT%\Config
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Config >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Config\* >> %LOGFILE%

echo %SYSTEMROOT%\COOKIES
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\COOKIES >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\COOKIES\* >> %LOGFILE%

echo %SYSTEMROOT%\Cursors
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Cursors >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Cursors\* >> %LOGFILE%

echo %SYSTEMROOT%\forms
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\forms >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\forms\* >> %LOGFILE%

echo %SYSTEMROOT%\fonts
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\fonts >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\fonts\* >> %LOGFILE%

echo %SYSTEMROOT%\Help
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Help >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Help\* >> %LOGFILE%

echo %SYSTEMROOT%\History
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\History >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\History\* >> %LOGFILE%

echo %SYSTEMROOT%\Java
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Java >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Java\* >> %LOGFILE%

echo %SYSTEMROOT%\Media
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Media >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\Media\* >> %LOGFILE%

echo %SYSTEMROOT%\Profiles
%LOCALBIN%\igrant -clear %ROOTPERM% Everyone:rwdx %SYSTEMROOT%\Profiles >> %LOGFILE%

echo %SYSTEMROOT%\local
%LOCALBIN%\igrant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\local >> %LOGFILE%
%LOCALBIN%\grant -r -clear %ROOTPERM% Everyone:rx %SYSTEMROOT%\local\* >> %LOGFILE%

echo %SYSTEMROOT%\System
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System\* >> %LOGFILE%

echo %SYSTEMROOT%\System32
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32 >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\dhcp
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\dhcp >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\dhcp\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\drivers
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\drivers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\drivers\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\os2
%LOCALBIN%\igrant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\os2 >> %LOGFILE%
%LOCALBIN%\grant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\os2\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\Repl
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\Repl >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\Repl\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\spool
%LOCALBIN%\igrant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\spool >> %LOGFILE%
%LOCALBIN%\grant -clear -r %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\spool\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\spool\Printers
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\spool\Printers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\spool\Printers\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\viewers
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\viewers >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\viewers\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\wins
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\wins >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rx %SYSTEMROOT%\System32\wins\* >> %LOGFILE%

echo %SYSTEMROOT%\repair
%LOCALBIN%\igrant -clear %ROOTPERM% %SYSTEMROOT%\repair >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %SYSTEMROOT%\repair\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\Config
%LOCALBIN%\igrant -clear %ROOTPERM% %OWNER% Everyone:wx %SYSTEMROOT%\System32\Config >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wx %SYSTEMROOT%\System32\Config\* >> %LOGFILE%

echo %SYSTEMROOT%\System32\RAS
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\RAS >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:wxrd %SYSTEMROOT%\System32\RAS\* >> %LOGFILE%

echo %SystemDrive%\Temp
%LOCALBIN%\igrant -r -clear %ROOTPERM% %OWNER% Everyone:rwx %SystemDrive%\Temp >> %LOGFILE%
%LOCALBIN%\grant -clear %ROOTPERM% %OWNER% Everyone:rwx %SystemDrive%\Temp\* >> %LOGFILE%

GOTO end

:end
rem ######## end of init-sec.bat ##################################
rem ###############################################################

From greg at Discreet.COM Thu Apr 16 16:26:23 1998
From: greg at Discreet.COM (Greg Dickie)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

Aha, but is this true even if they are in different domains?
It wouldn't be so bad if a reboot fixed it but the damn machine was completely screwed afterward. Also my os level is default (0?)

Thanks,

Greg

On 16-Apr-98 Samba Bugs wrote:
> Yes!
>
> If you turn on "domain logons = yes" and set the "os level = xx" up high
> enough you can cause every NT domain controller to shut down its "net
> logon service" - very mean thing to do man! Not very nice! No!
>
> NT can be Soooooo bad!
>
> On Thu, 16 Apr 1998, Greg Dickie wrote:
>
>>
>> Hi All,
>>
>> Haven't played with samba for awhile and man it's good to be back!
>>
>> I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago. Seems
>> to
>> work great except for profiles but I'll figure that out. The only problem is
>> that our IS guys PDC (on another domain) seemed to get screwed up right
>> around
>> the time I was tweaking the samba PDC. They finally rebooted their machine
>> but
>> it consequently would not even boot (%$##%$# NT!). My question is "Has
>> anyone
>> seen this kind of behavior?"
>
> No, they didn't have to reboot did they? Oh, no. But, isn't that normal
> for NT? Sure it is! (;-)) Good reason to move to Samba I suspect. Maybe?
>
>>
>>
>> I don't know about any kind of restrictions on the number of PDCs (in
>> different domains) on a subnet. Could it be some master browser conflict?
>> Can
>> NT be so badly done that something I do on the network can actually screw up
>> the machine enough that a reboot can't fix it? Or is it just a coincidence?
>
> No co-incidence! Plain fact. Microsoft devotees call that "Stable",
> "Production Quality", "Reliable", "Well backed", "Commercial".
>
>>
>> Any opinions?
>
> I am not normally opinionated, but today was not a good day!
> I had to take it out somewhere and then you came along. Aren't you sorry?

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet logic
Montreal
(514) 954-7171
greg@discreet.com

From gsalazar at ag.arizona.edu Thu Apr 16 16:25:46 1998
From: gsalazar at ag.arizona.edu (gsalazar)
Date: Tue Dec 2 02:23:59 2003
Subject: FAQ sheet on using Samba/NTdom
In-Reply-To:
Message-ID: <000001bd6954$4f408640$dd2ac480@bengal.agforbes.arizona.edu>

Is there a FAQ on setting all this up so that my Unix box and my NT can synchronize passwords and exist peacefully in the same domain? I'd appreciate any pointers to setting this up.

Thanks.

Gil Salazar
Support Systems Analyst, Sr.
ECAT, University of Arizona

From samba at aquasoft.com.au Thu Apr 16 16:31:24 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

On Thu, 16 Apr 1998, Greg Dickie wrote:

>
> Aha, but is this true even if they are in different domains?

No. Only affects the domain samba is a member of. If other domains have become affected, then are your post-SP3 fixes up to date? Are these machines reachable via the internet? Any trace of external attack? NT has a few holes and I wouldn't put it past some nasty type to exploit at will.

>
> It wouldn't be so bad if a reboot fixed it but the damn machine was completely
> screwed afterward. Also my os level is default (0?)

Then samba is most likely NOT your problem. If it is we would all like to know!

Cheers,
John T.

From pcc at llnl.gov Thu Apr 16 16:55:31 1998
From: pcc at llnl.gov (Phil Cox)
Date: Tue Dec 2 02:23:59 2003
Subject: WAY OFF TOPIC, But I bet the answer is here...
Message-ID: <3.0.5.32.19980416095531.009b1220@poptop.llnl.gov>

All,

I am in a pinch. I need the answer to a couple of questions:

1. If PDC fails, are there ANY tools which will promote a BDC automatically without ANY user intervention? What happens when/if the original PDC comes back on-line?

2. Using trust relationships, the PDC is the "point man" so to speak. If the PDC dies, CAN/WILL the BDC's maintain the trust relationships? Or does one of the BDC's need to be promoted, then it will maintain the trust relationship?

The answers are time critical, so any info is appreciated.

Phil
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Computer Incident Advisory Capability (CIAC)
Philip C. Cox
(510)422-8193 (510)422-8564
ciac@llnl.gov pcc@llnl.gov
-------------------------------------------------------------------
PGP fingerprint = 1A97 AB44 406A 77B7 3EA8 3B5B E3B5 BE73
Notable Quote = "Do today what you want to be tomorrow."

From cartegw at Eng.Auburn.EDU Thu Apr 16 16:59:38 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
References:
Message-ID: <353638FA.37972F73@eng.auburn.edu>

Samba Bugs wrote:
>
> Yes!
>
> If you turn on "domain logons = yes" and set the "os level = xx" up
> high enough you can cause every NT domain controller to shut down its
> "net logon service" - very mean thing to do man! Not very nice! No!

I'm assuming that means setting the domain of the samba server to be the same as the one for the NT PDC's. However, if the samba PDC and the NT PDC are in two different domains, this should not be the case, correct?

> that our IS guys PDC (on another domain) seemed to get screwed up
> right around

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Thu Apr 16 16:47:32 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:59 2003
Subject: Group Memberships & ACL permissions?
References:
Message-ID: <35363624.31DFF4F5@whistle.com>

CURRIE KEVIN wrote:
> Could you please cc that to me as well... I'm about a week away
> from pushing a couple labs of computers to using samba as a PDC and I'd
> like everything to go as smooth as possible.
>

Just wanted to remind everyone on the Samba-ntdom list that they are on the 'bleeding' edge, and many of the things in the current code will be changing before it makes it to final release (so please don't use it for critical production servers, but you weren't going to do that anyway, were you :-).

One comment on the current 'domain admins' etc. parameters that Luke has added - as he said, these will be 'temporary' parameters. Currently the preferred solution (when it gets coded up) will be to add a 'groupname map' parameter that points to a file containing the mappings between UNIX groups and NT groups (so wheel will map to the administrators group etc.).

Likewise the format of the smbpasswd file is being changed (already has in the head cvs branch) to contain a time the password was last changed field.

I'm going on about these changes as I don't want the domain code to get locked into early decisions that turn out not to be so good in practice. I want us to have the freedom to change these things as we work on the code without having to worry about 1000's of sites already using the earlier cvs code.

Remember at the moment, using the domain code is 'caveat emptor' :-).

Thanks for listening to my paranoid ramblings :-).

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From samba at aquasoft.com.au Thu Apr 16 17:06:18 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:59 2003
Subject: WAY OFF TOPIC, But I bet the answer is here...
In-Reply-To: <3.0.5.32.19980416095531.009b1220@poptop.llnl.gov>
Message-ID:

On Fri, 17 Apr 1998, Phil Cox wrote:

> All,
>
> I am in a pinch. I need the answer to a couple of questions:
>
> 1. If PDC fails, are there ANY tools which will promote a BDC automatically
> without ANY user intervention? What happens when/if the original PDC comes
> back on-line?

BDCs are capable of maintaining stable domain operations during a PDC outage. Octapus produce a package that can help to provide automated domain controller fail-over. The other option to look at is Digital Clustering. Microsoft are also working on this issue.

>
> 2. Using trust relationships, the PDC is the "point man" so to speak. If
> the PDC dies, CAN/WILL the BDC's maintain the trust relationships? Or does
> one of the BDC's need to be promoted, then it will maintain the trust
> relationship?

BDCs keep the ship afloat, but you must have a valid PDC for any domain administration. The simple answer is: you must promote a BDC to PDC using the server manager to get the ship fully under control again. When the original PDC comes back on air it will detect the PDC present (after elevation of a BDC to PDC of course) and will then back off pending manual intervention. The normal thing to do is to demote the original PDC to a BDC and then reboot. On rebooting it will now just join the domain again and then you can promote it back to PDC.

>
> The answers are time critical, so any info is appreciated.

In some VERY large sites this type of failure has never caused me any stress. Just in case that is your concern.

I hope I have answered the questions you were asking.

Cheers,
John H Terpstra - Samba-Team

From cartegw at Eng.Auburn.EDU Thu Apr 16 17:08:57 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:59 2003
Subject: FAQ sheet on using Samba/NTdom
References: <000001bd6954$4f408640$dd2ac480@bengal.agforbes.arizona.edu>
Message-ID: <35363B29.B6F3268@eng.auburn.edu>

gsalazar wrote:
>
> Is there a FAQ on setting all this up so that my Unix box
> and my NT can synchronize passwords and exist peacefully in the same
> domain. I'd appreciate any pointers to setting this up.

There is a general FAQ at http://ww.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

As far as synchronizing passwords between /etc/passwd and smbpasswd, you might want to check the archives http://samba.anu.edu.au/listproc/samba-ntdom for recent threads on this topic.

Hope this helps,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From samba at aquasoft.com.au Thu Apr 16 17:13:07 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To: <353638FA.37972F73@eng.auburn.edu>
Message-ID:

On Thu, 16 Apr 1998, Gerald W. Carter wrote:

> Samba Bugs wrote:
> >
> > Yes!
> >
> > If you turn on "domain logons = yes" and set the "os level = xx" up
> > high enough you can cause every NT domain controller to shut down its
> > "net logon service" - very mean thing to do man! Not very nice! No!
>
> I'm assuming that means setting the domain of the samba server to be
> the same as the one for the NT PDC's. However, if the samba PDC and the NT
> PDC are in two different domains, this should not be the case, correct?

To the best of my knowledge Samba will NOT affect any domain it is NOT a member of. If it does, I have NEVER seen it. I run NT training classes and we often have three domains and a Samba server.
I have jacked the samba os level up to 65 and over and turned on domain logons support and have had the NT network logon service shut down. I have also seen the winlogon process die a horrible death once and that stops ALL logons! Have not been able to reproduce that one.

The most reproducible way to get NT to shut down the net logon service is to reboot while Samba has the domain logon service running. Does its dirty every time. NT can not handle conflict on startup.

>
> > that our IS guys PDC (on another domain) seemed to get screwed up
> > right around

I hope that clears any ambiguity up.

Cheers,
John T.

From greg at Discreet.COM Thu Apr 16 18:33:01 1998
From: greg at Discreet.COM (Greg Dickie)
Date: Tue Dec 2 02:23:59 2003
Subject: Group Memberships & ACL permissions?
In-Reply-To:
Message-ID:

uh ditto?

On 16-Apr-98 CURRIE KEVIN wrote:
>> I have a script I use to secure lab machines. It is constantly
>> evolving, but I can send it to you directly if you wish. Don't want to
>> post it directly to the list here due to space.
>
> Could you please cc that to me as well... I'm about a week away
> from pushing a couple labs of computers to using samba as a PDC and I'd
> like everything to go as smooth as possible.
>
> Thanks,
> Kevin Currie
>
>

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet logic
Montreal
(514) 954-7171
greg@discreet.com

From greg at Discreet.COM Thu Apr 16 18:40:42 1998
From: greg at Discreet.COM (Greg Dickie)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

Thanks to everyone for confirming my suspicions. As someone famous once said "I didn't do it!"

Greg

On 16-Apr-98 Samba Bugs wrote:
>
> On Thu, 16 Apr 1998, Gerald W. Carter wrote:
>
>> Samba Bugs wrote:
>> >
>> > Yes!
>> >
>> > If you turn on "domain logons = yes" and set the "os level = xx" up
>> > high enough you can cause every NT domain controller to shut down its
>> > "net logon service" - very mean thing to do man! Not very nice! No!
>>
>> I'm assuming that means setting the domain of the samba server to be
>> the same as the one for the NT PDC's. However, if the samba PDC and the NT
>> PDC are in two different domains, this should not be the case, correct?
>
> To the best of my knowledge Samba will NOT affect any domain it is NOT a
> member of. If it does, I have NEVER seen it. I run NT training classes
> and we often have three domains and a Samba server. I have jacked the
> samba os level up to 65 and over and turned on domain logons support and
> have had the NT network logon service shut down. I have also seen the
> winlogon process die a horrible death once and that stops ALL logons! Have
> not been able to reproduce that one.
>
> The most reproducible way to get NT to shut down the net logon service is
> to reboot while Samba has the domain logon service running. Does its
> dirty every time. NT can not handle conflict on startup.
>
>
>>
>> > that our IS guys PDC (on another domain) seemed to get screwed up
>> > right around
>
>
> I hope that clears any ambiguity up.
>
> Cheers,
> John T.

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet logic
Montreal
(514) 954-7171
greg@discreet.com

From canfield at uindy.edu Thu Apr 16 20:46:00 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:23:59 2003
Subject: What can we do to help? WAS: Re: Group Memberships & ACL permissions?
References: <35363624.31DFF4F5@whistle.com>
Message-ID: <35366E08.60D240C8@uindy.edu>

Judging from the number of .edu addresses, I suspect that many of those who are "going production" with the current CVS code are doing so because the decision has been made to use NT in labs or desktops in the next school year. We need to avoid setting up several WinNT servers just to switch back to Unix/Samba the following year when the code is "stable".

So, my next set of questions are:

1) Is there any chance whatsoever that there might be a "stable" NTDOMAIN release (even if it lacks some features) by maybe late July?

2) I'm trying to fix work on some documentation, but are there other things that us non-coders can be doing to help you guys along? I've vaguely picked up on the fact that you need some packet trace logs, etc. to reverse engineer some of these things. Would it be possible for someone to put together some instructions on how to do this, and what exactly you need?

Please understand that I really do not mean this as a "how much longer?" post. It just seems to me that for a lot of the "early majority" schools, this is the year to switch to NT, and I'd hate to see us miss out on this opportunity by just a couple of months or so.

Thanks
DC

Jeremy Allison wrote:
> Just wanted to remind everyone on the Samba-ntdom list
> that they are on the 'bleeding' edge, and many of the
> things in the current code will be changing before
> it makes it to final release (so please don't use
> it for critical production servers, but you weren't
> going to do that anyway, were you :-).
>
> Remember at the moment, using the domain code is
> 'caveat emptor' :-).
>
> Thanks for listening to my paranoid ramblings :-).
>
> Jeremy Allison,
> Samba Team.

From jallison at whistle.com Thu Apr 16 21:26:14 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:59 2003
Subject: What can we do to help? WAS: Re: Group Memberships & ACL permissions?
References: <35363624.31DFF4F5@whistle.com> <35366E08.60D240C8@uindy.edu>
Message-ID: <35367776.42877E5C@whistle.com>

Dana Canfield wrote:
>
> Judging from the number of .edu addresses, I suspect that many of those who are
> "going production" with the current CVS code are doing so because the decision
> has been made to use NT in labs or desktops in the next school year. We need
> to avoid setting up several WinNT servers just to switch back to Unix/Samba
> the following year when the code is "stable".
>
> So, my next set of questions are:
>
> 1) Is there any chance whatsoever that there might be a "stable" NTDOMAIN
> release (even if it lacks some features) by maybe late July?

Unlikely but possible. I'm planning that the next major release (1.9.19) will behave correctly as a domain client when run in a domain with an NT PDC, but not have the domain controller support turned on by default.

> 2) I'm trying to fix work on some documentation, but are there other things
> that us non-coders can be doing to help you guys along? I've vaguely picked
> up on the fact that you need some packet trace logs, etc. to reverse engineer
> some of these things. Would it be possible for someone to put together some
> instructions on how to do this, and what exactly you need?
>

Probably not, as we have the logs we need, it now needs development work on the head tree to code up the features and test them. Once the feature set is stable, writing documentation will be a great help. Development is not parallelizable, I'm afraid, although bugfixing is.

Also remember targeting the next release for users who have an NT PDC gives a much smaller feature set for us to aim at. The PDC work can continue in the background, but I want to get a stable Samba release that will do NT client domain logons when people access it ASAP, as there are many people who are being forced to go with NT servers just to fix the 'single sign-on' problem, and this is a larger set than the users who are trying to replace the PDC (at the moment - I have hopes this will change).

> Please understand that I really do not mean this as a "how much longer?"
> post. It just seems to me that for a lot of the "early majority" schools,
> this is the year to switch to NT, and I'd hate to see us miss out on this
> opportunity by just a couple of months or so.
>

I know - but it just isn't ready yet. Getting the original 'Welcome to the Samba domain' was an amazing feat, but it's only 10% of the work to make a Samba PDC a reality. I'm trying to plan how we can get there by building on a stable reputation. I don't want to give Samba the reputation as "that half-built thing that's always nearly a domain controller but not quite".

I'm trying to set expectations of what we can do, and how best to plan for the day when we can announce the PDC code is stable (and get a big press blitz :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From joseph at cheek.com Thu Apr 16 21:45:17 1998
From: joseph at cheek.com (Joseph Cheek)
Date: Tue Dec 2 02:23:59 2003
Subject: What can we do to help? WAS: Re: Group Memberships & ACL permissions?
In-Reply-To: <35367776.42877E5C@whistle.com>
Message-ID:

keep up the good work, i look forward to the media blitz! plus i sure will love being able to sell linux into established ms shops as turnkey solutions 8-).
joe

Joseph Cheek, Director, Cheek Consulting
Computer Network Solutions -- NetWare, Linux, and Internet consulting
Novell and Caldera partners, supporter of Linux in business
joseph@cheek.com, http://www.cheek.com/, (206) 282-2892

On Fri, 17 Apr 1998, Jeremy Allison wrote:

> I don't want to give Samba the reputation as "that half-built
> thing that's always nearly a domain controller but not quite".
>
> I'm trying to set expectations of what we can do, and how
> best to plan for the day when we can announce the PDC code
> is stable (and get a big press blitz :-).

From lkcl at regent.push.net Thu Apr 16 22:59:31 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

On Fri, 17 Apr 1998, Greg Dickie wrote:

>
> Aha, but is this true even if they are in different domains?

yes, i answered on that basis. if you had two PDCs (one an NT machine and the other a samba machine) then you would be as royally screwed as if you had two NT PDCs for the same domain.

> It wouldn't be so bad if a reboot fixed it but the damn machine was completely
> screwed afterward. Also my os level is default (0?)

that's a browsing parameter only, and is nothing to do with PDC functionality.

lukes

> Thanks,
>
> Greg
>
> On 16-Apr-98 Samba Bugs wrote:
> > Yes!
> >
> > If you turn on "domain logons = yes" and set the "os level = xx" up high
> > enough you can cause every NT domain controller to shut down its "net
> > logon service" - very mean thing to do man! Not very nice! No!
> >
> > NT can be Soooooo bad!
> >
> > On Thu, 16 Apr 1998, Greg Dickie wrote:
> >
> >>
> >> Hi All,
> >>
> >> Haven't played with samba for awhile and man it's good to be back!
> >>
> >> I grabbed a cvs copy of NTDOM and set up a PDC a couple of days ago. Seems
> >> to
> >> work great except for profiles but I'll figure that out. The only problem is
> >> that our IS guys PDC (on another domain) seemed to get screwed up right
> >> around
> >> the time I was tweaking the samba PDC. They finally rebooted their machine
> >> but
> >> it consequently would not even boot (%$##%$# NT!). My question is "Has
> >> anyone
> >> seen this kind of behavior?"
> >
> > No, they didn't have to reboot did they? Oh, no. But, isn't that normal
> > for NT? Sure it is! (;-)) Good reason to move to Samba I suspect. Maybe?
> >
> >>
> >>
> >> I don't know about any kind of restrictions on the number of PDCs (in
> >> different domains) on a subnet. Could it be some master browser conflict?
> >> Can
> >> NT be so badly done that something I do on the network can actually screw up
> >> the machine enough that a reboot can't fix it? Or is it just a coincidence?
> >
> > No co-incidence! Plain fact. Microsoft devotees call that "Stable",
> > "Production Quality", "Reliable", "Well backed", "Commercial".
> >
> >>
> >> Any opinions?
> >
> > I am not normally opinionated, but today was not a good day!
> > I had to take it out somewhere and then you came along. Aren't you sorry?
>
> ---------------------------------------------------------------------
> Greg Dickie
> Just A Guy*
> *from discreet logic
> Montreal
> (514) 954-7171
> greg@discreet.com
>

From lkcl at regent.push.net Thu Apr 16 23:01:49 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

On Fri, 17 Apr 1998, Samba Bugs wrote:

> Yes!
>
> If you turn on "domain logons = yes" and set the "os level = xx" up high
> enough you can cause every NT domain controller to shut down its "net
> logon service" - very mean thing to do man! Not very nice! No!

oo, john - i'm out of touch, so it seems. do you mean this occurs if you have an existing NT PDC and you then turn on a samba server in the same domain, with "domain logons = yes" and "os level = 33"?
lukes

From lkcl at regent.push.net Thu Apr 16 23:10:30 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:59 2003
Subject: WAY OFF TOPIC, But I bet the answer is here...
In-Reply-To: <3.0.5.32.19980416095531.009b1220@poptop.llnl.gov>
Message-ID:

it's not so off topic...

On Fri, 17 Apr 1998, Phil Cox wrote:

> All,
>
> I am in a pinch. I need the answer to a couple of questions:
>
> 1. If PDC fails, are there ANY tools which will promote a BDC automatically
> without ANY user intervention? What happens when/if the original PDC comes
> back on-line?
> 2. Using trust relationships, the PDC is the "point man" so to speak. If
> the PDC dies, CAN/WILL the BDC's maintain the trust relationships? Or does
> one of the BDC's need to be promoted, then it will maintain the trust
> relationship?
>
> The answers are time critical, so any info is appreciated.

ok. i _did_ add some code about six months ago which deliberately made N identically configured samba servers "fight" for the DOMAIN<1b> NetBIOS name every five minutes.

what i did was got a group of samba servers to register DOMAIN<1b> - the PDC name - with the WINS server. if it didn't succeed, it didn't offer

if anyone has two or three samba servers spare with automount home or volume mirroring across multiple machines, then could they test this?

note that the only problem is the dependence on a single WINS server: that now becomes the point of failure.

actually, just been thinking. a domain is just a workgroup with an account database attached to it. if you replicate (manually and *securely*) your private/smbpasswd file across all machines, and you have a common unix password database too (NIS?) then all and any machines that provide this same account database are "Domain Controllers" whether PDC or BDC.

i don't like the idea of separate PDCs and BDCs. i _do_ like the idea of having several redundant PDCs...

luke

From samba at aquasoft.com.au Thu Apr 16 23:31:25 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:59 2003
Subject: Samba PDC trashes NT PDC?
In-Reply-To:
Message-ID:

Oh yes! Always been that way! Argh!

Cheers,
John T.

On Thu, 16 Apr 1998, Luke Kenneth Casson Leighton wrote:

> On Fri, 17 Apr 1998, Samba Bugs wrote:
>
> > Yes!
> >
> > If you turn on "domain logons = yes" and set the "os level = xx" up high
> > enough you can cause every NT domain controller to shut down its "net
> > logon service" - very mean thing to do man! Not very nice! No!
>
> oo, john - i'm out of touch, so it seems. do you mean this occurs if you
> have an existing NT PDC and you then turn on a samba server in the same
> domain, with "domain logons = yes" and "os level = 33"?
>
> lukes
>

From simon at atlantis.impulse.org Fri Apr 17 02:40:35 1998
From: simon at atlantis.impulse.org (Simon R. Hall)
Date: Tue Dec 2 02:23:59 2003
Subject: Security = user workaround
In-Reply-To: <81EA05D65B95CF11822500A0243D5404130D27@host66.creativedesign.com>
Message-ID:

On Thu, 16 Apr 1998, Ron Szeto wrote:

> I like to understand what type of user level problems you are referring
> to and why Samba can not fix them. --Ron

[posting to list too, as I don't think I explained this at all well.. ]

This is possibly a bit off-topic for this list, sorry. I don't read the main list ( life's too short and I don't get many "normal" samba problems I can't fix ).

Set security = user in smb.conf. On a Win95 box, go to the Access Control tab on the Network control panel, and set User-level access control, and set the domain to your Samba domain. Go and share something.. you can't get a list of users and groups from the server, because it's not implemented.

Go and install Mars, set your domain to whatever your pseudo-netware server is called, and hey-presto, a list of users and groups. Netware admin is left to you to work out..

+----- -----+
Simon R. Hall is, amongst other identities, simonh@impulse.org
+----- -----+
"Sometimes I wake up grumpy.. other times I let her sleep."

From danny at cs.huji.ac.il Fri Apr 17 09:26:02 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:59 2003
Subject: PDC authentication
Message-ID:

Dana Canfield wrote:
>
> Judging from the number of .edu addresses, I suspect that many of those who are
> "going production" with the current CVS code are doing so because the decision
> has been made to use NT in labs or desktops in the next school year. We need
> to avoid setting up several WinNT servers just to switch back to Unix/Samba
> the following year when the code is "stable".
>

true, except that we are running labs with NT for the past year :-(, with a severely hacked GINA to allow us to do Unix authentication.

I was expecting to switch to Samba-PDC this coming semester, but we couldn't finish the testing in time.

I made some changes to the authentication scheme, so that we can have a unified-authentication for both MS & Unix. These changes rely on the fact that we have an Authentication-Server. All this is very local, and I don't expect it to be part of the standard samba code, but it would be (very) nice if some way is found to isolate the smb authentication routines so that a 'different' method can be used. As it is, I will be spending part of the weekend porting the changes - yet again - to the latest version, knowing that it won't be the last time.

So if any one of the developers is willing to help, I would be more than willing to cooperate.

danny

From lkcl at switchboard.net Fri Apr 17 12:18:35 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:59 2003
Subject: TO DO List
In-Reply-To: <352AFF66.D7EEE9A0@uindy.edu>
Message-ID:

On Wed, 8 Apr 1998, Dana Canfield wrote:

> Since the others on the list have been too busy to complete the infamous
> TO DO list, I took the liberty of starting it myself. Hope nobody

hooray.

> minds. You can find it at http://peng1.uindy.edu/samba/todo.html (this
> is a sub-section of the yet-to-be-completed site I mentioned before).

i will have a look as soon as british telecom reconnect the 2mb/s fibre optic line they trashed earlier today.

> It's nothing fancy, and I'm going to need a lot of suggestions from the
> techies of the group to make it very useful, but it's a start. I have
> more time than tech skill, so I'll gladly keep it up to date if people
> can send me suggestions/additions.

sure!

> When we get MySQL/PHP3 running solidly on this machine,

it's a good combination, that. should be easy to do (a day?)

> I will convert the page into a dynamic page
> (something I *can* do, yippee!) that won't require further intervention.

hurrah. or, you could modify / install jitterbug...

> BTW, the "definitions" at the beginning were just pulled out of the
> air. If anyone takes issue with them, or where an item is placed in the
> lists, please tell me. In general, though, Luke will be the authority
> on whether items are bugs, to-do's, or wishes.

oo dear :-)

luke

From lkcl at regent.push.net Fri Apr 17 11:57:35 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:59 2003
Subject: PDC authentication
In-Reply-To:
Message-ID:

On Fri, 17 Apr 1998, Danny Braniss wrote:

> Dana Canfield wrote:
> >
> > Judging from the number of .edu addresses, I suspect that many of those who are
> > "going production" with the current CVS code are doing so because the decision
> > has been made to use NT in labs or desktops in the next school year. We need
> > to avoid setting up several WinNT servers just to switch back to Unix/Samba
> > the following year when the code is "stable".
> >
>
> true, except that we are running labs with NT for the past year :-(, with a
> severely hacked GINA to allow us to do Unix authentication.
>
> I was expecting to switch to Samba-PDC this coming semester, but we couldn't
> finish the testing in time.
> > I made some changes to the authentication scheme, so that we can have a > unified-authentication for both MS & Unix. These changes rely on the fact that > we have an Authentication-Server. All this is very local, and I don't expect it > to be part of the standard samba code, but it would be (very) nice if some > way is found to isolate the smb authentication routines so that a 'different' > method can be used. As it is, I will be spending part of the weekend porting > the changes - yet again - to the latest version, knowing that it won't be the > last time. ok. 1) send in the patches to samba-bugs: make sure they are all #ifdef'd so that you either use your database or you use private/smbpasswd but not both. i'll merge them into the main branch. jean-francois, once this is done, can you add a #ifdef for ldap and send me your current stuff, too? make sure it's exclusive. so you either use danny's database, or you use private/smbpasswd, or you use ldap. but definitely not in combination or in a fall-back manner. 2) use cvs - it will make your job of keeping things current a lot easier. From hangup at inkom.ru Fri Apr 17 13:04:47 1998 From: hangup at inkom.ru (Vladimir Senkov) Date: Tue Dec 2 02:23:59 2003 Subject: 1.9.19 when? Message-ID: <01bd6a01$664a5160$3e3ee8c1@hantenbain.comdiv.inkom.ru> Hello dear All, Do you know when 1.9.19 alphas will be avail? And will it contain NT PDC functionality at this time? Thanks, Vladimir Senkov -- hangup@inkom.ru NIC-SV306 From lkcl at regent.push.net Fri Apr 17 14:09:15 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: pam_ntdom 0.21 Message-ID: onwards and upwards: the ever increasing version numbers. same location: http://www.cb1.com/~lkcl/pam_ntdom/pam_ntdom.tar.gz an old bug in the client connection code (reversed the order of the called / calling names for the SMB connection) meant that NT servers rejected the connection. fixed this. 
also reduced the debug log level from 50 to 0 :-) i noticed in one of the other pam modules a "debug" parameter. is that an integer number, with 0 as critical debug info reporting only, and increasing upwards for more verbose info? luke From morgan at transmeta.com Fri Apr 17 15:29:06 1998 From: morgan at transmeta.com (Andrew Morgan) Date: Tue Dec 2 02:23:59 2003 Subject: pam_ntdom 0.21 In-Reply-To: References: Message-ID: <199804171529.IAA12785@blighty.transmeta.com> There are no specific recommendations. It is just hoped that modules will support it. http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-4.html What you suggest seems like a reasonable extension to me, although an alternative might be to use other keywords, warn/debug/verbose...? Cheers Andrew Luke Kenneth Casson Leighton writes: > Resent-Date: 17 Apr 1998 14:11:26 -0000 > Resent-Cc: recipient list not shown: ; > Resent-Message-ID: <"ZjB2L3.0.2B7.DCsDr"@mail2.redhat.com> > Resent-From: pam-list@redhat.com > Resent-Sender: pam-list-request@redhat.com > Date: Fri, 17 Apr 1998 14:09:15 +0000 (GMT) > From: Luke Kenneth Casson Leighton > To: PAM development list > cc: Samba Technical List , > Samba NT Domains Mailing List > Subject: pam_ntdom 0.21 > Reply-To: pam-list@redhat.com > > onwards and upwards: the ever increasing version numbers. same location: > http://www.cb1.com/~lkcl/pam_ntdom/pam_ntdom.tar.gz > > an old bug in the client connection code (reversed the order of the called > / calling names for the SMB connection) meant that NT servers rejected the > connection. fixed this. > > also reduced the debug log level from 50 to 0 :-) > > i noticed in one of the other pam modules a "debug" parameter. is that an > integer number, with 0 as critical debug info reporting only, and > increasing upwards for more verbose info? 
> > luke > > > -- > To unsubscribe: mail -s unsubscribe pam-list-request@redhat.com < /dev/null From michael at hesta.com Fri Apr 17 15:35:08 1998 From: michael at hesta.com (Michael Verruto) Date: Tue Dec 2 02:23:59 2003 Subject: Roaming Profile problem Message-ID: <199804171535.LAA12869@corporate.hesta.com> We are running a very current compile of SAMBA on a OPENSTEP 4.2 server. All the login machines are NT4.0 with SP3. All works fine except for the roaming profiles. After the user logs out of the NT account, as I watch the log, SAMBA actually re-engages them, so if you then login again on the NT side, SAMBA locks you out of the profile use, and all hell brakes loose. Help! (I *did* look through the FAQ and man but did not find the info!) Thanks From lkcl at regent.push.net Fri Apr 17 15:42:32 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: pam_ntdom 0.21 In-Reply-To: <199804171529.IAA12785@blighty.transmeta.com> Message-ID: On Fri, 17 Apr 1998, Andrew Morgan wrote: > > There are no specific recommendations. It is just hoped that modules > will support it. > > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-4.html ta. ah, this mentions syslog. ok, that's fine: the DEBUG(level,(printf arguments)) macro can be redirected to do this. > What you suggest seems like a reasonable extension to me, although an > alternative might be to use other keywords, warn/debug/verbose...? the reason i mention it [a numerical value] is because it would fit in well with samba's existing logging system. "debug level = 1/2/3-200" is the equivalent of warn, debug, verbose-extremely verbose". > > Subject: pam_ntdom 0.21 > > Reply-To: pam-list@redhat.com > > > > onwards and upwards: the ever increasing version numbers. 
same location: > > http://www.cb1.com/~lkcl/pam_ntdom/pam_ntdom.tar.gz > > > > an old bug in the client connection code (reversed the order of the called > > / calling names for the SMB connection) meant that NT servers rejected the > > connection. fixed this. > > > > also reduced the debug log level from 50 to 0 :-) > > > > i noticed in one of the other pam modules a "debug" parameter. is that an > > integer number, with 0 as critical debug info reporting only, and > > increasing upwards for more verbose info? > > > > luke From jallison at whistle.com Fri Apr 17 17:02:59 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:23:59 2003 Subject: 1.9.19 when? References: <01bd6a01$664a5160$3e3ee8c1@hantenbain.comdiv.inkom.ru> Message-ID: <35378B43.3F54BC7E@whistle.com> Vladimir Senkov wrote: > Do you know when 1.9.19 alphas will be avail? > And will it contain NT PDC functionality at this time? > Ok - current plans for releases. 1.9.19 alpha's will contain two major new things - the SWAT GUI config tool, still being worked on by Andrew, and a new security type, security=domain. The security=domain will allow Samba servers to be full NT domain members (not PDCs) and allow them to transparently authenticate to an NT PDC in the same way that NT does - moving closer to the 'one account database' holy grail. Now there is one technical detail that is still being worked on to make this work (machine account password changing), once it does I'll start coding up the new security type. All this will probably take a month or two, so expect new alpha releases sometime after that. In the meantime, work will continue on the real PDC functionality, but this work is much harder, mainly as once you announce you have PDC functions to NT machines, they start changing the way they talk to you in doing *everything* (browsing, printing etc.). Once we have a stable PDC in test we'll start announcing Samba-2 alpha releases. 
The reason we're doing it this way is that getting the full PDC functionality will take a while, and we have to do the domain client functionality anyway, so it's easier to get that done first, and release it to people who already have NT PDCs to use, than sit on it all for months awaiting full PDC functionality. Hope you agree with the plan, let us know what you think. Cheers, Jeremy Allison, Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From mk at quadstone.co.uk Fri Apr 17 17:16:14 1998 From: mk at quadstone.co.uk (Michael Keightley) Date: Tue Dec 2 02:23:59 2003 Subject: logging in allowed with no password Message-ID: <5204.199804171716@subnode.quadstone.co.uk> We have several PCs with Domain Logins via Samba. On these machines you don't have to give a password to login. When you login it doesn't give you access to network drives, it seems to be a bit like hitting ESCAPE on Windows 95. Is this meant to happen? How can I change Samba/the PC so you have to give your password before you can login? Michael _________ Michael Keightley Email: mk@quadstone.co.uk Systems Manager Tel: +44 131 220 4491 Quadstone Ltd Fax: +44 131 220 4492 16 Chester Street Edinburgh EH3 7RA, Scotland From mk at quadstone.co.uk Fri Apr 17 17:30:04 1998 From: mk at quadstone.co.uk (Michael Keightley) Date: Tue Dec 2 02:23:59 2003 Subject: have to set "oplocks = false" for Word Message-ID: <5259.199804171730@subnode.quadstone.co.uk> I have had to set "oplocks = false" in the homes section of my smb.conf otherwise when I try to open an existing word document from a network drive I get the error: "Word failed reading from the file (xxxx) Please restore the network connection or replace the floppy or disk and retry" I am using BRANCH_NTDOM version of samba. This doesn't happen with 1.9.18p4. 
Anyone got any ideas? Michael _________ Michael Keightley Email: mk@quadstone.co.uk Systems Manager Tel: +44 131 220 4491 Quadstone Ltd Fax: +44 131 220 4492 16 Chester Street Edinburgh EH3 7RA, Scotland From cartegw at Eng.Auburn.EDU Fri Apr 17 18:01:09 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:23:59 2003 Subject: have to set "oplocks = false" for Word References: <5259.199804171730@subnode.quadstone.co.uk> Message-ID: <353798E5.7614B855@eng.auburn.edu> Michael Keightley wrote: > > I have had to set "oplocks = false" in the homes section of my smb.conf > otherwise when I try to open an existing word document from a network > drive I get the error: > > "Word failed reading from the file (xxxx) > Please restore the network connection or > replace the floppy or disk and retry" > > I am using BRANCH_NTDOM version of samba. This doesn't happen with > 1.9.18p4. Anyone got any ideas? > I would get the latest cvd version of the main branch. The NTDOM has been merged in for the most part. This seemed to get rid of some file problems I had with BRANCH_NTDOM. No file corruption but a copy with /v would fail the verify ( although nothing would be wrong with the file itself ). j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Fri Apr 17 18:02:40 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:23:59 2003 Subject: logging in allowed with no password References: <5204.199804171716@subnode.quadstone.co.uk> Message-ID: <35379940.3A9F3190@eng.auburn.edu> Michael Keightley wrote: > > We have several PCs with Domain Logins via Samba. On these machines you > don't have to give a password to login. 
When you login it doesn't give > you access to network drives, it seems to be a bit like hitting ESCAPE > on Windows 95. Is this meant to happen? How can I change Samba/the PC > so you have to give your password before you can login? > Check out the notes on USE_ARCFOUR. This is necessary to Samb PDC to validate the login. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From daniel at med.up.pt Fri Apr 17 18:51:33 1998 From: daniel at med.up.pt (Daniel Fonseca) Date: Tue Dec 2 02:23:59 2003 Subject: lp_services problem Message-ID: Hi there, Here's another problem... I've already made some nice things with user profiles, namely making them write to their Home Drive instead of their locally stored profile, which I erase upon logoff. My problem now comes to the printers share: >From smb.log: Processing section "[printers]" doing parameter comment = All Printers doing parameter path = /var/spool/samba doing parameter browseable = yes doing parameter printable = yes doing parameter print command = /usr/bin/lpr -P%p %s ; rm %s doing parameter lpq command = /usr/bin/lpq -P%p doing parameter lprm command = /usr/bin/lprm -P%p %j pm_process() returned Yes lp_servicenumber: couldn't find lp adding printer service lp lp_servicenumber: couldn't find lpt1 adding printer service lpt1 lp_servicenumber: couldn't find lpt2 adding printer service lpt2 adding IPC service lp_file_list_changed() /etc/printcap: lp:lp=/dev/lp1:sd=/var/spool/lpd:sh lpt1:\ :rm=193.136.35.250:\ :rp=LPT1:\ :mx=0: lpt2:\ :rm=193.136.35.250:\ :rp=LPT2:\ :mx=0: I can print from the Unix box ok, as a regular user also and not only as root. Also I have /dev/null chmod'd 777 (after reading the docs :-) I can see the shares from any PC, by browsing the PDC. 
But when trying to print all my attempts fail, even with smbclient: /usr/local/samba/bin/smbclient '\\adamastor\lpt1' -P -U daniel Added interface ip=193.136.35.46 bcast=193.136.35.255 nmask=255.255.255.0 startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory Server time is Wed Apr 15 15:19:41 1998 Timezone is UTC+1.0 Password: Domain=[BIM] OS=[Unix] Server=[Samba 1.9.18-HEAD] security=user smb: \> print /etc/HOSTNAME ERRDOS - ERRnoaccess (Access denied.) opening printer for HOSTNAME smb: \> I get this error with any file and not just /etc/HOSTNAME I got main branch samba by CVS , using Slackware 3.4, stripped all "-O" in the Makefile (wouldn't compile otherwise) and I don't know what else to do. Any Help? Is it a bug? TIA, Daniel From mathewss at nutech.com Fri Apr 17 23:44:56 1998 From: mathewss at nutech.com (mathewss@nutech.com) Date: Tue Dec 2 02:23:59 2003 Subject: Loss of WinNT 4.0 PDC moving to Samba. Message-ID: Well after an uptime of 120 days my pdc (a 486 66 1.6gig) died. this is the second one i have had the first was mixed in with existing systems (web servers etc) and was a real pain when it died. backup pdc didnt seem to help me. in the end i replaced it with a new one the 486. now im back to square 1. i have samba with the ntdom up and running works fine (Good job people.) here is my problem. The last time i lost my pdc all of the profiles i had for all of my systems were messed up and not recoverable. after building a new pdc i had to remove each system from the domain and back on the domain again and in the process i lost the profiles (well most of it) i was able to recover some by copying folders under the \profile\ path. So here is my Q. im back in the same place again but before i go and mess with all of my boxes i would like to know if anyone has a good procedure for recovering the existing profiles.. 
I tried haveing my new samba pdc impersonate the old pdc by setting the SID to the same as the old one :( that didnt seem to work. Any ideas on what i should do. or should i just take my lumps and move on... Best regards Sean M Nu Tech. From canfield at uindy.edu Sat Apr 18 02:15:55 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:23:59 2003 Subject: 1.9.19 when? References: <35378B43.3F54BC7E@whistle.com> Message-ID: <35380CDB.BF33CDE8@uindy.edu> Just a couple of questions (somewhat related to my earlier message). I'm sure we all realize it's a bad idea, but there are several of us using the PDC code in production. Even with it's current basic functionality it does what we (meaning my campus) need to get us by for now. So the questions I have are: 1) 1.9.19 will still contain the current level of NTPDC functionality, right? 2) Assuming 1), is it safe to assume that whatever NTDOM functionality exists at the point of 1.9.19's release will be of "release" quality (except for the fact that user/group methodologies may get a major overhaul)? 3) From a developer's point of view, do you forsee any major problems being encountered for us who are using in production (particularly as of the 1.9.19 release). As before, I don't mean to sound like I'm asking you to rush things along or anything, I'm just trying to discern the lesser of two evils: Buying, installing, and licensing several WinNT Servers to get us through our first year, or going production with alpha-ish software on our existing Linux Alpha. Personally, I have a terrible habit of going with the "it works now, why shouldn't it keep working?" philosphy when it comes to software. It's impressive how far the NTDOM stuff has come in just a few months. It seems to provide the basic services of authentication and home directory/profile service pretty well. 
Personally, I'd be happy with the code as it stands as a "first release," and the only thing I'm really anxious for is seeing how the user/group stuff matures. BTW, am I the only one who thinks commentable, scriptable, controllable configuration files really rock compared to graphical interfaces that require you to point and click to enter everything? (Just a quick NT Server dig.) ;-) Thanks guys, Dana Jeremy Allison wrote: > Vladimir Senkov wrote: > > Do you know when 1.9.19 alphas will be avail? > > And will it contain NT PDC functionality at this time? > > > > Ok - current plans for releases. > > 1.9.19 alpha's will contain two major new things > - the SWAT GUI config tool, still being worked on > by Andrew, and a new security type, security=domain. > > The security=domain will allow Samba servers to > be full NT domain members (not PDCs) and allow > them to transparently authenticate to an NT PDC > in the same way that NT does - moving closer to > the 'one account database' holy grail. > > Now there is one technical detail that is still > being worked on to make this work (machine account > password changing), once it does I'll start coding > up the new security type. > > All this will probably take a month or two, so > expect new alpha releases sometime after that. > > In the meantime, work will continue on the real > PDC functionality, but this work is much harder, > mainly as once you announce you have PDC functions > to NT machines, they start changing the way they > talk to you in doing *everything* (browsing, > printing etc.). > > Once we have a stable PDC in test we'll start > announcing Samba-2 alpha releases. > > The reason we're doing it this way is that > getting the full PDC functionality will take > a while, and we have to do the domain client > functionality anyway, so it's easier to get > that done first, and release it to people > who already have NT PDCs to use, than sit > on it all for months awaiting full PDC > functionality. 
> > Hope you agree with the plan, let us know > what you think. > > Cheers, > > Jeremy Allison, > Samba Team. > > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- From lkcl at regent.push.net Sat Apr 18 16:46:08 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: Loss of WinNT 4.0 PDC moving to Samba. In-Reply-To: Message-ID: sean, this is something that we want to tackle, at a later date. you _will_ need, if you lose an NT PDC's SAM database, to have all the machines re-join the domain, because each workstation has its own "trust account" and therefore a password. this gets changed once per week. luke On Sat, 18 Apr 1998 mathewss@nutech.com wrote: > > Well after an uptime of 120 days my pdc (a 486 66 1.6gig) > died. this is the second one i have had the first was mixed > in with existing systems (web servers etc) and was a real > pain when it died. backup pdc didnt seem to help me. in the > end i replaced it with a new one the 486. now im back > to square 1. i have samba with the ntdom up and running > works fine (Good job people.) here is my problem. > The last time i lost my pdc all of the profiles i had > for all of my systems were messed up and not recoverable. > after building a new pdc i had to remove each system from > the domain and back on the domain again and in the process > i lost the profiles (well most of it) i was able to recover > some by copying folders under the \profile\ path. > So here is my Q. im back in the same place again but > before i go and mess with all of my boxes i would like > to know if anyone has a good procedure for recovering > the existing profiles.. I tried haveing my new samba > pdc impersonate the old pdc by setting the SID to the > same as the old one :( that didnt seem to work. 
Any > ideas on what i should do. or should i just take my lumps > and move on... > > Best regards > Sean M > Nu Tech. > > > From lkcl at regent.push.net Sat Apr 18 17:45:11 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: 1.9.19 when? In-Reply-To: <35380CDB.BF33CDE8@uindy.edu> Message-ID: On Sat, 18 Apr 1998, Dana Canfield wrote: > Just a couple of questions (somewhat related to my earlier message). > I'm sure we all realize it's a bad idea, but there are several of us > using the PDC code in production. Even with it's current basic > functionality it does what we (meaning my campus) need to get us by for > now. So the questions I have are: > > 1) 1.9.19 will still contain the current level of NTPDC functionality, > right? mmmmmm. yep! > 2) Assuming 1), is it safe to assume that whatever NTDOM functionality > exists at the point of 1.9.19's release will be of "release" quality > (except for the fact that user/group methodologies may get a major > overhaul)? mmmm.... nooo, i wouldn't say so. it will probably be enabled by "domain controller = yes", and would be unannounced. those people on this list prepared to use it on the basis that it's not quite ready, but provides sufficient basic stuff as-is, fine. > 3) From a developer's point of view, do you forsee any major problems > being encountered for us who are using in production (particularly as of > the 1.9.19 release). mmmm... file properties and such, as we've already seen. as people use this, so the problems crop up. we get to understand them, and deal with them. that's the best we can offer: this is quote free unquote software so there aren't actually any quote employed unquote developers on it: just people who will find a means and a way to keep working on it because it feels GOOD! > As before, I don't mean to sound like I'm asking you to rush things > along or anything, no, but the priorities change a bit... 
> It's impressive how far the NTDOM stuff has come in just a few months. > It seems to provide the basic services of authentication and home > directory/profile service pretty well. Personally, I'd be happy with > the code as it stands as a "first release," and the only thing I'm > really anxious for is seeing how the user/group stuff matures. we will definitely be warning people if there's anything that goes into the cvs tree that could break things. if it will take significant time, then another branch will be opened. the "alpha" series has almost turned into "betas". so if you want to stay semi-stable, stick with 19alphaNNs or 19pNs... > BTW, am I the only one who thinks commentable, scriptable, controllable > configuration files really rock compared to graphical interfaces that > require you to point and click to enter everything? not at all: i bet you get paid more, too. From lkcl at regent.push.net Sun Apr 19 01:22:26 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: PAM for NT Domains (0.22) Message-ID: pam_ntdom is now available from the samba source repository, using cvs or cvs-web. see http://samba.anu.edu.au/cvs.html and http://samba.anu.edu.au/cgi-bin/cvsweb/pam_ntdom luke (samba team) From mk at quadstone.co.uk Sun Apr 19 11:39:08 1998 From: mk at quadstone.co.uk (Michael Keightley) Date: Tue Dec 2 02:23:59 2003 Subject: have to set "oplocks = false" for Word In-Reply-To: Gerald Carter's message of Fri, 17 Apr 1998 13:01:09 -0500 Message-ID: <8619.199804191139@subnode.quadstone.co.uk> > Michael Keightley wrote: > > > > I have had to set "oplocks = false" in the homes section of my smb.conf > > otherwise when I try to open an existing word document from a network > > drive I get the error: > > > > "Word failed reading from the file (xxxx) > > Please restore the network connection or > > replace the floppy or disk and retry" > > > > I am using BRANCH_NTDOM version of samba. 
This doesn't happen with > > 1.9.18p4. Anyone got any ideas? > > > > I would get the latest cvd version of the main branch. The NTDOM has > been merged in for the most part. This seemed to get rid of some file > problems I had with BRANCH_NTDOM. No file corruption but a copy with /v > would fail the verify ( although nothing would be wrong with the file > itself ). One thing that is missing from the main branch is being able to add a machine to the password file using `smbpasswd -add -m '. The -m option is missing.... Michael _________ Michael Keightley Email: mk@quadstone.co.uk Systems Manager Tel: +44 131 220 4491 Quadstone Ltd Fax: +44 131 220 4492 16 Chester Street Edinburgh EH3 7RA, Scotland From cartegw at Eng.Auburn.EDU Sun Apr 19 12:21:47 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:59 2003 Subject: have to set "oplocks = false" for Word In-Reply-To: <8619.199804191139@subnode.quadstone.co.uk> Message-ID: On Sun, 19 Apr 1998, Michael Keightley wrote: > > One thing that is missing from the main branch is being able to add a machine > to the password file using `smbpasswd -add -m '. The -m option > is missing.... > Umm...Don't think so. It's in there. When's the last time you updated the main branch source. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at regent.push.net Sun Apr 19 17:37:39 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: dce/rpc long buffers Message-ID: this message cross-posted to: - samba-technical@samba.anu.edu.au - samba-ntdom@samba.anu.edu.au - cifs@discuss.microsoft.com i am implementing the combination of SMBreadX / SMBtrans which is used to transfer dce/rpc calls across an SMB IPC$ pipe. 
an important observation has been made which is kinda crucial, and simplifies implementations of client and server quite considerably. namely, that the file offset in the SMBreadX is totally ignored by the server. if you set the file offset to 0x1000000 (in BRANCH_NTDOM's smbclient for example) it makes absolutely no difference to the results obtained from an NT server. anyone else currently implementing dce/rpc over SMB (whether under NDA or not :-) is advised to confirm this for themselves. presumably, as the data is transferred, an internal data offset is clocked up by the data length contained in the SMBreadX. the NT clients still hand out a file offset in the SMBreadXs and clock it up when sending multiple SMBreadXs in order to obtain a dce/rpc fragment, but they _reset_ this back to zero on the next fragment. this is additional but unfortunately misleading evidence, as i originally supposed that the SMBreadX file offset was reset to zero by the client for a reason: the offset was relative to the start of the current fragment. not at all: that is just coincidental. it would have been nice to have known this four months ago. luke From lkcl at regent.push.net Sun Apr 19 18:45:53 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM. Message-ID: hi - i think i've got it. _this_ time :-) so, if anyone wants to put about... 30 to 300 shares into smb.conf, or view more than the silly limit of about 8 users in USRMGR.EXE, i think samba is up to it. luke From lkcl at regent.push.net Sun Apr 19 19:10:35 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:59 2003 Subject: crash in LsarLookupSids - symptoms: file permission problems Message-ID: the creation of the names in LsarLookupSids is causing a core dump: i am investigating. 
the symptoms are that you cannot view permissions on a file; also if you
log in a user several times, you first get the profile copied to
%systemroot%\profiles\user then user.000 then user.001 etc etc, because
LsarLookupSids is part of the process of resolving file permissions...

luke

From mathewss at nutech.com Sun Apr 19 20:55:28 1998
From: mathewss at nutech.com (mathewss@nutech.com)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To:
Message-ID:

On Mon, 20 Apr 1998, Luke Kenneth Casson Leighton wrote:

> hi - i think i've got it. _this_ time :-) so, if anyone wants to put
> about... 30 to 300 shares into smb.conf, or view more than the silly limit
> of about 8 users in USRMGR.EXE, i think samba is up to it.
>
> luke
>

I wasn't aware that usrmgr.exe would even work. When i attempt to run it i
have been getting this "The Remote Procedure Call Failed" from user manager
for domains.. My CVS tree is only hmm maybe 5 days old. did i miss something?

Regards
Sean M

From canfield at uindy.edu Sun Apr 19 21:29:12 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
References:
Message-ID: <353A6CA8.4A5E3523@uindy.edu>

OK, this has me a bit confused now. When you say that this is fixed in
BRANCH_NTDOM, do you mean that we need to actually get the BRANCH_NTDOM again
from CVS, or were you just referring to the latest CVS version of Samba?

My understanding was that the BRANCH_NTDOM CVS tree was dead and that future
work would be occurring in the main branch, but although people have said most
of the NTDOM functionality had been ported to the main branch, there really has
been no official announcement to say "Hey everyone, stop using BRANCH NT_DOM!!"

Sorry if I missed something somewhere.

Thanks!

Luke Kenneth Casson Leighton wrote:

> hi - i think i've got it. _this_ time :-) so, if anyone wants to put
> about... 30 to 300 shares into smb.conf, or view more than the silly limit
> of about 8 users in USRMGR.EXE, i think samba is up to it.
>
> luke

From canfield at uindy.edu Sun Apr 19 21:35:04 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References:
Message-ID: <353A6E08.475A2EF6@uindy.edu>

He might be getting confused by the way smbpasswd seems to work. I've noticed
that if you don't run smbpasswd as root, it won't let you use the -m option
(probably a good thing, of course) and even when you do run as root, if you do
an smbpasswd -h, it has no mention of the -m option. This may be perfectly
acceptable behavior, but maybe it should be documented somewhere? I don't think
the man page even mentions it. This is from memory, so the details might be
wrong, but that's generally how I recall it worked.

Dana

Gerald W. Carter wrote:

> On Sun, 19 Apr 1998, Michael Keightley wrote:
>
> > One thing that is missing from the main branch is being able to add a machine
> > to the password file using `smbpasswd -add -m '. The -m option
> > is missing....
> >
>
> Umm...Don't think so. It's in there. When's the last time you updated
> the main branch source.
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )

From lkcl at regent.push.net Sun Apr 19 21:43:05 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To: <353A6CA8.4A5E3523@uindy.edu>
Message-ID:

On Sun, 19 Apr 1998, Dana Canfield wrote:

> OK, this has me a bit confused now. When you say that this is fixed in
> BRANCH_NTDOM, do you mean that we need to actually get the BRANCH_NTDOM
> again from CVS, or were you just referring to the latest CVS version of
> Samba?

latest cvs version of samba, the latest BRANCH_NTDOM cvs version of samba,
not the latest main-branch cvs version of samba.

> My understanding was that the BRANCH_NTDOM CVS tree was dead and that
> future work would be occurring in the main branch, but although people have
> said most of the NTDOM functionality had been ported to the main branch,
> there really has been no official announcement to say "Hey everyone, stop
> using BRANCH NT_DOM!!"

ok, the story is that until _both_ smbclient and smbd are moved over to the
main branch, i am reluctant to work on smbclient (in BRANCH_NTDOM) and smbd
(in the main branch). therefore, i am still working in BRANCH_NTDOM - for
about another two days.

i just decided to add all the BRANCH_NTDOM smbclient code in such a way that
it can be compiled completely separately from the current (legacy) smbclient
code, pending proper testing / review. the reason i have had to do this is
because BRANCH_NTDOM smbclient has dce/rpc code in it; the main branch
smbclient does not, and cannot be made to do so.

luke

> Sorry if I missed something somewhere.
>
> Thanks!
>
> Luke Kenneth Casson Leighton wrote:
>
> > hi - i think i've got it. _this_ time :-) so, if anyone wants to put
> > about... 30 to 300 shares into smb.conf, or view more than the silly limit
> > of about 8 users in USRMGR.EXE, i think samba is up to it.
> >
> > luke
>
>

From lkcl at regent.push.net Sun Apr 19 21:46:28 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To:
Message-ID:

On Mon, 20 Apr 1998 mathewss@nutech.com wrote:

>
>
> On Mon, 20 Apr 1998, Luke Kenneth Casson Leighton wrote:
>
> > hi - i think i've got it. _this_ time :-) so, if anyone wants to put
> > about... 30 to 300 shares into smb.conf, or view more than the silly limit
> > of about 8 users in USRMGR.EXE, i think samba is up to it.
> >
> > luke
> >
>
> I wasn't aware that usrmgr.exe would even work. When
> i attempt to run it i have been getting this
> "The Remote Procedure Call Failed"
> from user manager for domains..

how many users do you have in it? which version of samba?

> My CVS tree is only hmm maybe 5 days old.

which tag? against BRANCH_NTDOM, usrmgr.exe should give you a list of users,
and SRVMGR.EXE should give you a list of machines.

luke

From lkcl at regent.push.net Sun Apr 19 22:44:19 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: crash in LsarLookupSids - symptoms: file permission problems
In-Reply-To:
Message-ID:

On Mon, 20 Apr 1998, Luke Kenneth Casson Leighton wrote:

> the creation of the names in LsarLookupSids is causing a core dump: i am
> investigating.
>
> the symptoms are that you cannot view permissions on a file; also if you
> log in a user several times, you first get the profile copied to
> %systemroot%\profiles\user then user.000 then user.001 etc etc, because
> LsarLookupSids is part of the process of resolving file permissions...

ok, there has been some confusion between LsarLookupRIDs and LsarLookupSIDs.
i will look at separating these two properly tomorrow, and hopefully coax an
LsarLookupRIDs call out of NT :-).

to get a LsarLookupSIDs call (and a core dump :-) you do File | Properties |
Security | Permissions and the dialog there initiates a lookup of the SID to
a name to display.

luke

From D.Bannon at latrobe.edu.au Mon Apr 20 08:02:33 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:00 2003
Subject: What about arcfour now ?
In-Reply-To: <35363B29.B6F3268@eng.auburn.edu>
Message-ID: <3.0.3.32.19980420180233.00829870@bioserve.biochem.latrobe.edu.au>

What's the story about ARCFOUR.C ? I know it had to be manually added in to
the early versions but 'believed' that it was now included in the cvs main
branch ? Is that so ?

I noticed in archives that Gerald Carter told someone to look at the notes
"USE_ARCFOUR" but I cannot find any notes like these !

The (NTDOMAIN) FAQ seems to be off the air at present, machine is there, but
it does not want to talk web, hm....

David

------------------------------------------------------------
David Bannon D.Bannon@latrobe.edu.au
School of Biochemistry Phone 61 03 9479 2197
La Trobe University, Plenty Rd, Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From cartegw at Eng.Auburn.EDU Mon Apr 20 12:53:40 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:00 2003
Subject: What about arcfour now ?
References: <3.0.3.32.19980420180233.00829870@bioserve.biochem.latrobe.edu.au>
Message-ID: <353B4554.52C29DD0@eng.auburn.edu>

David Bannon wrote:
>
> What's the story about ARCFOUR.C ? I know it had to be manually added in
> to the early versions but 'believed' that it was now included in the
> cvs main branch ? Is that so ?

In the main branch, the code is self sufficient. If you use BRANCH_NTDOM,
you will need to get the arcfour.[c|h] files.

> I noticed in archives that Gerald Carter told someone to look at the
> notes "USE_ARCFOUR" but I cannot find any notes like these !

Sorry. Should have been more specific. Check the list archives for
information on arcfour ( and for the files themselves )
http://samba.anu.edu.au/listproc/samba-ntdom

> The (NTDOMAIN) FAQ seems to be off the air at present, machine is
> there, but it does not want to talk web, hm....

Strange...Out of my hands really (i'm not the webmaster here ) but if you
are still having problems this morning, I can look into them. I assume
you're talking about the "sorely needed to be updated" FAQ at my page :)
I'll work on it some today. Really! I promise this time. As always.
Corrections welcome.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Mon Apr 20 14:17:01 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References: <353A6E08.475A2EF6@uindy.edu>
Message-ID: <353B58DD.EAA22CF8@eng.auburn.edu>

Dana Canfield wrote:
>
> He might be getting confused by the way smbpasswd seems to work. I've
> noticed that
>
> if you don't run smbpasswd as root, it won't let you use the -m option
> (probably a good thing, of course) and even when you do run as root,
> if you do an smbpasswd -h, it has no mention of the -m option.
> This may be perfectly acceptable behavior, but maybe it should be
> documented somewhere? I don't think the man page even mentions it.
> This is from memory, so the details might be wrong, but that's
> generally how I recall it worked.

[root@mymachine local]12$ /etc/local/smbpasswd -h
Usage is : /etc/local/smbpasswd [-D DEBUGLEVEL] [-a] [-d] [-m] [-n] [username] [password]
/etc/local/smbpasswd: [-R ] [-D DEBUGLEVEL] [-r machine] [username] [password]
/etc/local/smbpasswd: [-h]

Ummm...Again I'm confused. Either way though. Both BRANCH_NTDOM and the
main branch will support 'smbpasswd -a -m MACHINE' to add a machine account
to smbpasswd file.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Mon Apr 20 17:17:35 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References: <8619.199804191139@subnode.quadstone.co.uk>
Message-ID: <353B832F.284797A9@whistle.com>

Michael Keightley wrote:
>
> One thing that is missing from the main branch is being able to add a machine
> to the password file using `smbpasswd -add -m '. The -m option
> is missing....
>

Fixed that ages ago (oh.... sometime last week I think :-).
Remember, on the main branch you're moving in Internet time :-) :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at regent.push.net Mon Apr 20 17:45:23 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: crash in LsarLookupSids - symptoms: file permission problems
In-Reply-To:
Message-ID:

On Sun, 19 Apr 1998, Luke Kenneth Casson Leighton wrote:

> the creation of the names in LsarLookupSids is causing a core dump: i am
> investigating.
>
> the symptoms are that you cannot view permissions on a file; also if you
> log in a user several times, you first get the profile copied to
> %systemroot%\profiles\user then user.000 then user.001 etc etc, because
> LsarLookupSids is part of the process of resolving file permissions...

the LsarLookupSids response is _completely_ screwy. i'm working my way
through it...

From jallison at whistle.com Mon Apr 20 17:44:02 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
References: <353A6CA8.4A5E3523@uindy.edu>
Message-ID: <353B8962.2C67412E@whistle.com>

Dana Canfield wrote:
>
> My understanding was that the BRANCH_NTDOM CVS tree was dead and that
> future work would be occurring in the main branch, but although people
> have said most of the NTDOM functionality had been ported to the main
> branch, there really has been no official announcement to say "Hey
> everyone, stop using BRANCH NT_DOM!!"
>

Ok - "Hey everyone, stop using BRANCH NT_DOM!!"

It really only exists for Luke to do experiments.

Cheers,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Mon Apr 20 19:02:26 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References: <353B832F.284797A9@whistle.com>
Message-ID: <353B9BC1.5F408D8D@eng.auburn.edu>

Jeremy Allison wrote:
>
> > One thing that is missing from the main branch is being able to add a
> > machine to the password file using `smbpasswd -add -m '.
> > The -m option is missing....
> >
>
> Fixed that ages ago (oh.... sometime last week I think :-).
> Remember, on the main branch you're moving in Internet
> time :-) :-).
>

Jeremy,

After playing around some and e-mailing back and forth with Michael, it
seems that something is broken in the smbpasswd utility. Here's the output
from the source I compiled about 5 minutes ago ( updated just prior to
that ).

[root@nowhere /etc]30$ ./smbpasswd -a -m testmachine
./smbpasswd: User "testmachine$" was not found in system password file.

This worked about two weeks ago I know because I am still using the binary
compiled from then. Is this new expected behavior? I know there was talk
of machine account in /etc/passwd but I never thought anything happened
with it yet.

I guess all of this comes just after the "OK - Everyone stop using
BRANCH_NTDOM" :-)

Thanks again,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Mon Apr 20 19:10:27 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References: <353B832F.284797A9@whistle.com> <353B9BC1.5F408D8D@eng.auburn.edu>
Message-ID: <353B9DA3.6F5992E1@whistle.com>

Gerald Carter wrote:
>
>
> [root@nowhere /etc]30$ ./smbpasswd -a -m testmachine
> ./smbpasswd: User "testmachine$" was not found in system password file.
>
> This worked about two weeks ago I know because I am still using the
> binary compiled from then. Is this new expected behavior? I know there
> was talk of machine account in /etc/passwd but I never thought anything
> happened with it yet.
>

Yes it is intended behaviour - this is something I added into the main
branch. It seemed to me that ensuring a machine account had a corresponding
entry in /etc/passwd was a good idea - to ensure that all machine account
entries are unique, not only within smbpasswd, but within the UNIX password
system also. This may be important at a future date, and didn't seem a
particularly onerous requirement. I'm trying to tidy up the smbpasswd
interfaces somewhat to allow people to add different backend (ldap,gdbm
etc.) databases that scale better than the flat file we have now.

Note that the docs/usage lag somewhat behind the implementation. This will
be the case for a while until we start getting much closer to a real
release.

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Mon Apr 20 19:37:29 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:00 2003
Subject: have to set "oplocks = false" for Word
References: <353B832F.284797A9@whistle.com> <353B9BC1.5F408D8D@eng.auburn.edu> <353B9DA3.6F5992E1@whistle.com>
Message-ID: <353BA3F9.95784D42@eng.auburn.edu>

Jeremy Allison wrote:
>
> Gerald Carter wrote:
> >
> >
> > [root@nowhere /etc]30$ ./smbpasswd -a -m testmachine
> > ./smbpasswd: User "testmachine$" was not found in system password file.
> >
> Yes it is intended behaviour - this is something I added
> into the main branch. It seemed to me that ensuring a
> machine account had a corresponding entry in /etc/passwd
> was a good idea - to ensure that all machine account
> entries are unique, not only within smbpasswd, but within
> the UNIX password system also. This may be important at
> a future date, and didn't seem a particularly onerous
> requirement. I'm trying to tidy up the smbpasswd interfaces
> somewhat to allow people to add different backend (ldap,gdbm
> etc.) databases that scale better than the flat file we
> have now.
>
> Note that the docs/usage lag somewhat behind the implementation.
> This will be the case for a while until we start getting
> much closer to a real release.
>

OK. I have updated the online FAQ a little to include this and a few other
things. Corrections / additions welcome.

http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at regent.push.net Mon Apr 20 20:34:15 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To: <353B8962.2C67412E@whistle.com>
Message-ID:

On Tue, 21 Apr 1998, Jeremy Allison wrote:

> Dana Canfield wrote:
> >
> > My understanding was that the BRANCH_NTDOM CVS tree was dead and that
> > future work would be occurring in the main branch, but although people
> > have said most of the NTDOM functionality had been ported to the main
> > branch, there really has been no official announcement to say "Hey
> > everyone, stop using BRANCH NT_DOM!!"
> >
>
> Ok - "Hey everyone, stop using BRANCH NT_DOM!!"
>
> It really only exists for Luke to do experiments.

yeah. "hey everyone, stop using BRANCH_NTDOM!!"

From jallison at whistle.com Mon Apr 20 21:13:17 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:00 2003
Subject: 1.9.19 when?
References: <35380CDB.BF33CDE8@uindy.edu>
Message-ID: <353BBA6D.19A13460@whistle.com>

Dana Canfield wrote:
>
> Just a couple of questions (somewhat related to my earlier message).
> I'm sure we all realize it's a bad idea, but there are several of us
> using the PDC code in production. Even with its current basic
> functionality it does what we (meaning my campus) need to get us by for
> now. So the questions I have are:
>
> 1) 1.9.19 will still contain the current level of NTPDC functionality,
> right?

Yes - we will try to make sure that nothing that currently works in the
main branch is broken for 1.9.19.

> 2) Assuming 1), is it safe to assume that whatever NTDOM functionality
> exists at the point of 1.9.19's release will be of "release" quality
> (except for the fact that user/group methodologies may get a major
> overhaul)?

No - it is not safe to assume that. The PDC code in 1.9.19 will be whatever
ships as part of the 1.9.19 release. It may contain unfinished experimental
features, and (if I get to it) will be #ifdefed out by default to stop
people depending on it.

To my mind "release" quality code is a feature that we have tested, and are
happy to advertise as part of the supported release. The current plan is
that the PDC code will not be in that feature set for 1.9.19. When we have a
working PDC we'll be calling it Samba-2 and shouting it out to the press as
much as we can. For 1.9.19 I won't even *mention* the PDC code in the
release notes.

> 3) From a developer's point of view, do you foresee any major problems
> being encountered for us who are using in production (particularly as of
> the 1.9.19 release).
>

No I don't see any problems. If you are working with the code you have now,
1.9.19 shouldn't break anything you already have.

> As before, I don't mean to sound like I'm asking you to rush things
> along or anything, I'm just trying to discern the lesser of two evils:
> Buying, installing, and licensing several WinNT Servers to get us
> through our first year, or going production with alpha-ish software on
> our existing Linux Alpha. Personally, I have a terrible habit of going
> with the "it works now, why shouldn't it keep working?" philosophy when
> it comes to software.
>

Yeah, I know what you mean. I certainly want it to keep working, and this
list is a great help in that. The problem is that official Samba 'releases'
are used by many people who are not able to support 'experimental'
features. Now we leave them in the official releases so people on this list
can keep the functionality they need, but I never try and pre-announce
functionality, as the wider audience will then (reasonably) expect it to
work :-).

> It's impressive how far the NTDOM stuff has come in just a few months.
> It seems to provide the basic services of authentication and home
> directory/profile service pretty well. Personally, I'd be happy with
> the code as it stands as a "first release," and the only thing I'm
> really anxious for is seeing how the user/group stuff matures.
>

Yes, I know *you* could support it as a first release, but many of our
users could not (What do you mean it crashes when I use user manager? Why
can't I look at the share info? Why doesn't the security tab work... etc).

Cheers & thanks for your help & patience,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From canfield at uindy.edu Tue Apr 21 00:16:56 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
References: <35324391.608FCF96@hrz.uni-marburg.de>
Message-ID: <353BE578.B63F59EF@uindy.edu>

Out of curiosity, is there any way to get around this problem with a real NT
PDC? I know NTWorkstation doesn't support quotas, but does NTServer? Does MS
just assume that your servers have infinite space? Just wondering.

Dana

Wolfgang Ratzka wrote:

> Daniel Fonseca wrote:
> >
> > The problem is that, still, NT downloads the profile and except for it
> > being mandatory, it has no regard for disk quotas in the linux box (every
> > writing in the desktop is actually to the "C drive", for example) and only
> > when the profile should be updated the quotas have effect (effective
> > writing in the "H drive" or whatever), possibly failing due to quota
> > exceeding, and (haven't tried it) upon failing of the update of the
> > roaming profile, since NT does not cache it, maybe some data loss happens
> > here (files in the Desktop, etc.) ?
>
> Yes, of course, you lose, one always loses ;-).
>
> > My problem is that I'd like to give users non-mandatory profiles but have
> > them use always their home drive (H: in this case), instead of them
> > writing on the C drive as is the case of their profile (desktop, etc.).
>
> Well there are some things that have their place in the profile (relatively
> small configuration files). Of course, sooner or later some user will be tempted
> to put a 10MByte The_Only_Copy_Of_My_PHD_Thesis.DOC onto the desktop, because
> it's such a nice and prominent place. Logged off once, logged back on again,
> and whoppe!
>
> The other problem is that a plain vanilla installation of MS Office 97 will
> by default place new documents into the "Personal Files" folder of the user's
> profile. (This might not be the exact name - I'm translating back from
> MS-Deutsch "Eigene Dateien").
>
> > I do this in Win 95 by policies specifying their desktop to be h:\desktop
> > and so forth for the Start Menu, etc.
>
> > Can anyone do such a thing in Win NT?
>
> Yes it is definitely possible.
> (see HKCU\Software\Microsoft\Windows\Current Version\Explorer\UserShellFolders)
> I've successfully tried to redirect at least the "Desktop" folder and
> the "Personal" folder, which should be redirected to the user's home directory
> ("%HOMEDRIVE%%HOMEPATH" on NT).
> --
> Wolfgang Ratzka (via modem from home)
> Where do you want to go tomorrow?

From mathewss at nutech.com Tue Apr 21 04:00:09 1998
From: mathewss at nutech.com (mathewss@nutech.com)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To:
Message-ID:

On Tue, 21 Apr 1998, Luke Kenneth Casson Leighton wrote:

> On Tue, 21 Apr 1998, Jeremy Allison wrote:
!!!!!SNIP!!!!!
> >
> >
> > Ok - "Hey everyone, stop using BRANCH NT_DOM!!"
> >
> > It really only exists for Luke to do experiments.
>
> yeah. "hey everyone, stop using BRANCH_NTDOM!!"
>

ummm :/ well isn't that just a joy.. ok then a multiple choice question
for ya ..

1. The cvs branch i loaded a week ago is
   A. not as current as say the main SAMBA CVS for PDC support.
   B. the only place to go if you want to have a samba pdc

I don't mind a few bugs and want to help contribute with my small net i can
do this without worry of pissin people off. (Only myself )... So a pointer
on where to keep up to date would be good.

Regards
Sean M

From lkcl at regent.push.net Tue Apr 21 03:58:58 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: possibly fixed dce/rpc long headers in smbd, BRANCH_NTDOM.
In-Reply-To:
Message-ID:

On Mon, 20 Apr 1998 mathewss@nutech.com wrote:

>
>
> On Tue, 21 Apr 1998, Luke Kenneth Casson Leighton wrote:
>
> > On Tue, 21 Apr 1998, Jeremy Allison wrote:
> !!!!!SNIP!!!!!
> > >
> > >
> > > Ok - "Hey everyone, stop using BRANCH NT_DOM!!"
> > >
> > > It really only exists for Luke to do experiments.
> >
> > yeah. "hey everyone, stop using BRANCH_NTDOM!!"
> >
>
> ummm :/ well isn't that just a joy.. ok then a multiple
> choice question for ya ..
>
> 1. The cvs branch i loaded a week ago is
> A. not as current as say the main SAMBA CVS for PDC support.
> B. the only place to go if you want to have a samba pdc

uh... i'd recommend keeping off of BRANCH_NTDOM. i've just checked in the
code needed for long dce/rpc responses, in the main branch.

From ratzka at HRZ.Uni-Marburg.DE Tue Apr 21 06:48:55 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
In-Reply-To: <353BE578.B63F59EF@uindy.edu>
References: <35324391.608FCF96@hrz.uni-marburg.de> <353BE578.B63F59EF@uindy.edu>
Message-ID: <199804210648.IAA04300@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "DC" == Dana Canfield writes:

DC> Out of curiosity, is there any way to get around this problem
DC> with a real NT PDC? I know NTWorkstation doesn't support
DC> quotas, but does NTServer? Does MS just assume that your
DC> servers have infinite space? Just wondering.

In a way, Samba (PDC or not) is better at supporting quotas than any NT
machine, as it will automatically use the quota support of the underlying
OS. Regarding NT: quotas are among the many things promised for "The Next
Version To Come [TM]". Currently you have to rely on 3rd party software to
support them.

[Remembering that the first releases of Sun's Solaris 2 didn't support
quotas either (it gave you nice mysterious crashes if you tried to use them)
my suspicion is that quotas are mainly for the academic clientele and
therefore generally not too high on the priority lists (Talking to support
people who didn't know what quotas are or whether they work or not certainly
added to this impression... ).]

Please note, however, that NT's strategy for server-based profiles will
always have problems with quotas or any disk space limitations: The profiles
are copied from the server when the user logs in, and copied back to the
server when the user logs out. If during the user's session the size of the
user's (local) profile directory tree should have grown beyond the space
available on the server, there will be a problem...

One could consider a setup, where the physical disk space on the NT system
partition is limited, so that the above situation cannot arise. But I don't
want to know what other performance problems you are going to run into, when
space on "C:" is running low.

So the only viable strategy is to relocate those parts of the user's
environment that might possibly become large. This would be the desktop
folder, the Personal folder ("Eigene Dateien" in German NT) and possibly the
AppData folder ("Anwendungsdaten" in German NT). To achieve that, either
directly modify the values in the key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
to point directly to locations in the user's home directory (or rather use
the policy editor to do that.)

--
Wolfgang Ratzka Phone: +49 6421 28 3531 FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?

From lkcl at regent.push.net Tue Apr 21 07:41:00 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: dynamic dns server for unix wanted
Message-ID:

does anyone know where i can get GPL source for a dynamic dns server from?
does such a beast exist?

please reply direct if you get this message only on the samba digest.
thank you!

luke

From lkcl at regent.push.net Tue Apr 21 08:06:27 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
In-Reply-To: <199804210648.IAA04300@pprz04.HRZ.Uni-Marburg.DE>
Message-ID:

> One could consider a setup, where the physical disk space on the NT
> system partition is limited, so that the above situation cannot
> arise. But I don't want to know what other performance problems you
> are going to run into, when space on "C:" is running low.

i'd call having your MEMORY.DMP file overwriting the %systemroot% partition
(turning it into raw) because you ran out of swap space on the same drive
"a performance problem", yes.

warning: don't ever run %systemroot% as NTFS on NT 4 server with not enough
space for a kernel dump on a crash. or disable the memory dump.

luke

From daniel at med.up.pt Tue Apr 21 10:33:33 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
In-Reply-To: <199804210648.IAA04300@pprz04.HRZ.Uni-Marburg.DE>
Message-ID:

On Tue, 21 Apr 1998, Wolfgang Ratzka wrote:

> In a way, Samba (PDC or not) is better at supporting quotas than any
> NT machine, as it will automatically use the quota support of the
> underlying OS. Regarding NT: quotas are among the many things
> promised for "The Next Version To Come [TM]". Currently you have to
> rely on 3rd party software to support them.

Just try to do that on an NT Server and watch the performance (from poor to
plain misery) go down.

>
> [Remembering that the first releases of Sun's Solaris 2 didn't support
> quotas either (it gave you nice mysterious crashes if you tried to use
> them) my suspicion is that quotas are mainly for the academic
> clientele and therefore generally not too high on the priority lists
> (Talking to support people who didn't know what quotas are or whether
> they work or not certainly added to this impression... ).]

To my knowledge, the way NT SysAdmins work with free-space problems, is one
of two:

1) Buy more disks;
2) Use NT's on-the-fly compression feature on the users homes until
   *everybody* is compressed and then use Rule 1) and 2) again :-)

> So the only viable strategy is to relocate those parts of the user's
> environment that might possibly become large. This would be the
> desktop folder, the Personal folder ("Eigene Dateien" in German NT)
> and possibly the AppData folder ("Anwendungsdaten" in German NT).
> To achieve that, either directly modify the values in the key
> "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
> to point directly to locations in the user's home directory
> (or rather use the policy editor to do that.)

Ok. I've done this with success but would just like to post here something
that bugged me until I noticed a detail in the docs.

I had mapped h:\Profile\Desktop to be the local profile's desktop, thus
bypassing NT's locally (C:) stored user profile. The problem that happened
is that NT would erase everything I put on the Desktop after logoff. The
reason for this I discovered in a detail in the docs. NT updates the profile
by *deleting* the roaming part and copying the local one. So being that
these two were the same directory, NT would erase it and copy an empty
directory onto itself. (duh!)

My advice: Just keep the *custom* roaming directories off of the same
Roaming profile ones. This is also a good thing to be done since you could
run out of disk quota while updating the roaming desktop (no chance for a
"user prompt" on what to do), and in a scenario (mine) where you don't
locally cache profiles, we were in for data loss.

I'm preparing some extra-documentation on all these hacks I've done
(including making the Custom Start Menus (those beneath the user's) and the
Custom Desktop Icons (those the user can't delete) stored centrally in the
PDC instead of having to have them on each machine) but it won't be ready
until my work in here has cooled off.

I think I'll call it: "How to make NT's misfeatures (my name for its bugs)
work for you"

If any doubt, e-mail me.

Hope to help,

Daniel Fonseca
Sysadmin for Oporto's University Med School
http://www.med.up.pt

From jdblair at uab.edu Tue Apr 21 12:19:11 1998
From: jdblair at uab.edu (John D. Blair)
Date: Tue Dec 2 02:24:00 2003
Subject: dynamic dns server for unix wanted
References:
Message-ID: <353C8EBF.8A5594D@uab.edu>

Luke Kenneth Casson Leighton wrote:
>
> does anyone know where i can get GPL source for a dynamic dns server from?
> does such a beast exist?
>
> please reply direct if you get this message only on the samba digest.
> thank you!

The latest version of bind (8.1.2) implements dynamic dns. I'm pretty
certain bind is available under a Berkeley license, which isn't GPL, but is
not incompatible with GPL. bind is currently developed by the Internet
Software Consortium. More info is at http://www.isc.org/bind.html .

-john.

---------------------------------------------------------------------
John D. Blair (sys|net)admin, the university computer center
mailto:jdblair@uab.edu u. of alabama at birmingham
phoneto:(205) 975-7123 (my other car is a cdr)
---------------------------------------------------------------------

From ratzka at HRZ.Uni-Marburg.DE Tue Apr 21 13:27:40 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
In-Reply-To:
References:
Message-ID: <199804211327.PAA21532@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "df" == Daniel Fonseca writes:

df> The problem that happened is that NT would erase everything I
df> put on the Desktop after logoff. The reason for this I
df> discovered in a detail in the docs. NT updates the profile by
df> *deleting* the roaming part and copying the local one. So
df> being that these two were the same directory, NT would erase
df> it and copy an empty directory onto itself. (duh!)

Well, in order to allow people to delete stuff from their profile tree and
reflect this in the server copy, NT just has to do it this way. So don't
blame them ;-).

--
Wolfgang Ratzka Phone: +49 6421 28 3531 FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?

From eparis at ven.ra.rockwell.com Tue Apr 21 13:38:40 1998
From: eparis at ven.ra.rockwell.com (Eloy A. Paris)
Date: Tue Dec 2 02:24:00 2003
Subject: BRANCH_NTDOM or main branch?
Message-ID: <6hi7h0$i4a$2@zeus.ven.ra.rockwell.com>

Hi,

just wanted to know what people are using for NTDOM support, the old
BRANCH_NTDOM or the main branch?

Thanks,

E.-

--
Eloy A. Paris
Information Technology Department
Rockwell Automation de Venezuela
Telephone: +58-2-9432311 Fax: +58-2-9431645

From daniel at med.up.pt Tue Apr 21 13:52:33 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:00 2003
Subject: Disabling Profile Caching on NT4.x
In-Reply-To: <199804211327.PAA21532@pprz04.HRZ.Uni-Marburg.DE>
Message-ID:

On Tue, 21 Apr 1998, Wolfgang Ratzka wrote:

> >>>>> "df" == Daniel Fonseca writes:
>
> df> The problem that happened is that NT would erase everything I
> df> put on the Desktop after logoff. The reason for this I
> df> discovered in a detail in the docs. NT updates the profile by
> df> *deleting* the roaming part and copying the local one. So
> df> being that these two were the same directory, NT would erase
> df> it and copy an empty directory onto itself. (duh!)
>
> Well, in order to allow people to delete stuff from their profile tree
> and reflect this in the server copy, NT just has to do it this way.
> So don't blame them ;-).

Really?? Do you think that's the way that mirrors work? :-)

Oh yeah... NT isn't optimized for speed... in fact if you have a roaming
profile of some (let's keep it down) 20 Mb, then it's wiser to delete
everything and put it back again... even if it's exactly the same (they
heard of timestamps, checksums, etc?).

Oh yeah... the Micro$oft way... let's get out and come on again.

It's like you said "NT just has to do it this way"! :-)

Just a thought... no pun intended... no flaming please...

Daniel Fonseca
Sysadmin for Oporto's University Med School
http://www.med.up.pt

From paul at argo.demon.co.uk Tue Apr 21 18:06:03 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:24:00 2003
Subject: Machine password encrypted by admin password in SP3?
Message-ID: <199804211906.UAA20768@argo.demon.co.uk>

Paul Leach says (I think) that from SP3 when a workstation joins a domain
from the client side, i.e.
"use this account to add machine to domain", it will encrypt a new random machine password instead of setting it to the default (hostname in unicode). Can someone confirm this as it has implications for a Samba PDC. To confirm it, can someone try adding an SP3 workstation to an SP3 PDC and see what the password gets set to *before* the workstation reboots. You can use lsadump (anyone got a compiled copy of the LSA secrets program I sent to ntbugtraq months ago? it would be useful for the FAQ), or you can use pwdump to dump the SAM on the PDC and compare with the password in a Samba smbpasswd file for a hostname$ account. Cheers, Paul From paul at argo.demon.co.uk Tue Apr 21 20:46:56 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: Your message of "Tue, 21 Apr 1998 13:35:42 PDT." <5CEA8663F24DD111A96100805FFE6587031E3E95@red-msg-51.dns.microsoft.com> Message-ID: <199804212146.WAA21992@argo.demon.co.uk> paulle@microsoft.com said: > You have to add the workstation to the DC _from the workstation_ by > specifying the name of an account with the right to create machine accounts > and its password. Usually, that's an admin. If you add the account at the > PDC (or remotely to the PDC from a workstation already in the domain) it > will create a well known password (the machine name) for the new machine. Errr, that's exactly what I thought I said. That's what I'd like someone to confirm as I don't have access to an NT domain at the moment. > That's not what we're talking about here. What isn't? Paul From paul at argo.demon.co.uk Tue Apr 21 20:55:15 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: Your message of "Tue, 21 Apr 1998 13:35:42 PDT." 
<5CEA8663F24DD111A96100805FFE6587031E3E95@red-msg-51.dns.microsoft.com> Message-ID: <199804212155.WAA22044@argo.demon.co.uk> paulle@microsoft.com said: > You have to add the workstation to the DC _from the workstation_ by > specifying the name of an account with the right to create machine accounts > and its password. Usually, that's an admin. If you add the account at the > PDC (or remotely to the PDC from a workstation already in the domain) it > will create a well known password (the machine name) for the new machine. > That's not what we're talking about here. So, since in SP2 or less you didn't do this, the SP3 workstation has to be compatible with a non-SP3 PDC. So presumably if I'm listening on the wire I can forge a negative acknowledgement to the presumably new RPC that requests a secure machine password change, as long as I can reply quicker than the SP3 PDC? Then the SP3 workstation would end up with password=hostname? Paul From D.Bannon at latrobe.edu.au Wed Apr 22 00:12:44 1998 From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:24:00 2003 Subject: Disabling Profile Caching on NT4.x In-Reply-To: <199804210648.IAA04300@pprz04.HRZ.Uni-Marburg.DE> Message-ID: <3.0.3.32.19980422101244.00826cd0@bioserve.biochem.latrobe.edu.au> At 16:58 21/04/1998 +1000, Wolfgang Ratzka wrote: >Please note, however, that NT's strategy for server-based profiles >will always have problems with quotas or any disk space limitations: >The profiles are copied from the server when the user logs in, and >copied back to the server when the user logs out. >... if size of the user's (local) profile directory tree should >have grown beyond the space available on the server, there will be a >problem... But the users does (might ?) get a warning, read on .... I was conserned that as these files get bigger and bigger, each logon and logout gets slower and slower and duplicates of the files are scattered over every machine in use. 
Pretty difficult to get users to individually log out of shared computers with the increasing overhead that involves. For our application, W95 option of no profiles is much quicker (read usable), less wastefull of disk space and safer. ("All uses of this PC use the same desktop and preferences settings"). I looked for a way to get samba to force this onto a NTWS by changing ownership of the profile tree after its first appearance. However, NTWS detects my fiddling and flashes warnings up to the user. I assume the same warnings would appear if disk quota was exceeded (again, while copying a profile back to the server). Could we have a (samba) option that lies to the NTWS, says "Yeah, I saved it all for you" and does not do so. Users can be made understand that things left on desktop are not saved and learn to put their files in their homes dir. David. ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From aperrin at demog.Berkeley.EDU Tue Apr 21 23:39:14 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:00 2003 Subject: Error 0 on smbpasswd command (1.9.19-prealpha) Message-ID: So close, yet so far away.... Using today's version (CVS'ed today at about 10:00 am Pacific time), version 1.9.19-prealpha, we have solved the problem of NT Workstations being unable to talk to encrypted shares -- unclear how, but it seems to be possible that it's due to our smbpasswd file having been a symbolic link. In any case, that secion of the problem is solved. 
Now, however, I am unable to use smbpasswd (the program) if there is already an smbpasswd (the file) in place; witness: #@boserup:/usr/LOCAL/samba/private>ls -la total 6 drwxrwxrwx 2 root other 512 Apr 21 16:04 . drwxr-xr-- 7 root other 512 Apr 21 15:01 .. -rw------- 1 root other 0 Apr 21 16:04 smbpasswd #@boserup:/usr/LOCAL/samba/bin>./smbpasswd -a aperrin doing parameter log file = /var/log/samba.%m.log doing parameter wins support = no doing parameter os level = 100 doing parameter preferred master = yes doing parameter load printers = no doing parameter hide dot files = no doing parameter revalidate = yes doing parameter printing = bsd doing parameter default service = homes doing parameter encrypt passwords = yes doing parameter domain logons = yes doing parameter domain sid = S-1-5-21-123-456-789 pm_process() returned Yes lp_servicenumber: couldn't find homes lp_servicenumber: couldn't find printers codepage_initialise: client code page = 850 load_client_codepage: loading codepage 850. New SMB password: Retype new SMB password: startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd ./smbpasswd: Failed to open password file /usr/LOCAL/samba/private/smbpasswd. ./smbpasswd: Error 0 BUT if I delete smbpasswd: #@boserup:/usr/LOCAL/samba/bin>./smbpasswd -a aperrin doing parameter log file = /var/log/samba.%m.log doing parameter wins support = no doing parameter os level = 100 doing parameter preferred master = yes doing parameter load printers = no doing parameter hide dot files = no doing parameter revalidate = yes doing parameter printing = bsd doing parameter default service = homes doing parameter domain logons = yes doing parameter domain sid = S-1-5-21-123-456-789 pm_process() returned Yes lp_servicenumber: couldn't find homes lp_servicenumber: couldn't find printers codepage_initialise: client code page = 850 load_client_codepage: loading codepage 850. 
New SMB password: Retype new SMB password: startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd startsmbpwent: unable to open file /usr/LOCAL/samba/private/smbpasswd startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd get_smbpwd_entry: search by name: aperrin startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd getsmbpwent: skipping comment or blank line getsmbpwent: end of file reached getsmbpwent: end of file reached. endsmbpwent: closed password file. startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd getsmbpwent: skipping comment or blank line getsmbpwent: end of file reached getsmbpwent: end of file reached. endsmbpwent: closed password file. endsmbpwent: closed password file. ./smbpasswd: Added user aperrin. This pattern holds for adding user or machine accounts; it also holds for changing the password in an existing entry. Any advice will be much appreciated! --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From jallison at whistle.com Tue Apr 21 23:26:58 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? References: <199804211906.UAA20768@argo.demon.co.uk> Message-ID: <353D2B42.28CC1042@whistle.com> Paul Ashton wrote: > > Paul Leach says (I think) that from SP3 when a workstation joins a > domain from the client side, i.e. "use this account to add machine > to domain", it will encrypt a new random machine password instead of > setting it to the default (hostname in unicode). Can someone > confirm this as it has implications for a Samba PDC. > Done the experiment (last night in fact). Paul Leach is wrong. 
It still leaves the lame password (hostname in unicode) as the secret. Yes, I'm afraid the only way to securely add a NT machine to a domain is to do it on a private net. I have actually been spending a significant amount of time trying to get around this hideous security hole and still interoperate with an NT PDC with the Samba domain client code. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From aperrin at demog.Berkeley.EDU Tue Apr 21 23:44:52 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:00 2003 Subject: Machine Account is Inaccessible (1.9.19-prealpha) Message-ID: I am well aware that this is 'bleeding-edge' stuff, so I'm posting these findings partially to assist development and partially because it'd be very cool to have it working :). FYI, our setup is Solaris 2.6, NIS distribution, NT 4.0 SP3 clients. I'm consistently getting "The machine account does not exist or is inaccessible" errors when trying to join the domain. There is a machine password line in ~samba/private; it's for KITAGAWA$ (the client's name is kitagawa), password kitagawa, and it's in /etc/passwd as well. Domain name is SANDBOX Server is Netbios Name SHOVEL, DNS name BOSERUP Client is Netbios & DNS name KITAGAWA Logs (level 10) of the attempt and failure of the connection can be found at http://demog.berkeley.edu/~aperrin/samba.join-failure.log Any advice will be much appreciated! --------------------------------------------------------------------- Andrew J. 
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From canfield at uindy.edu Wed Apr 22 04:15:08 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:24:00 2003 Subject: Disabling Profile Caching on NT4.x References: <3.0.3.32.19980422101244.00826cd0@bioserve.biochem.latrobe.edu.au> Message-ID: <353D6ECC.214E9C1B@uindy.edu> In this case, why not just lock the desktop, rather than implementing more workarounds in Samba? David Bannon wrote: > Could we have a (samba) option that lies to the NTWS, says "Yeah, I saved > it all for you" and does not do so. Users can be made understand that > things left on desktop are not saved and learn to put their files in their > homes dir. > > David. From paul at argo.demon.co.uk Wed Apr 22 09:56:39 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: Your message of "Wed, 22 Apr 1998 09:47:53 +1000." <353D2B42.28CC1042@whistle.com> Message-ID: <199804221056.LAA26176@argo.demon.co.uk> jallison@whistle.com said: > Yes, I'm afraid the only way to securely add a NT machine > to a domain is to do it on a private net. I have actually > been spending a significant amount of time trying to > get around this hideous security hole and still > interoperate with an NT PDC with the Samba domain client > code. Maybe the next security hotfix will come with a piece of crossed UTP :-) Paul From lkcl at regent.push.net Wed Apr 22 12:47:53 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? 
In-Reply-To: <199804212146.WAA21992@argo.demon.co.uk> Message-ID: On Wed, 22 Apr 1998, Paul Ashton wrote: > > paulle@microsoft.com said: > > > You have to add the workstation to the DC _from the workstation_ by > > specifying the name of an account with the right to create machine accounts > > and its password. what this does over-the-wire is to open a \PIPE\samr with NTLMSSP encryption, and add an LSA_USER_INFO_21 structure with ACB_WKSTRUST, an account of MACHINE$ and a random password. > > Usually, that's an admin. If you add the account at the > > PDC (or remotely to the PDC from a workstation already in the domain) it > > will create a well known password (the machine name) for the new machine. From lkcl at regent.push.net Wed Apr 22 12:49:22 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: <199804212155.WAA22044@argo.demon.co.uk> Message-ID: On Wed, 22 Apr 1998, Paul Ashton wrote: > > paulle@microsoft.com said: > > You have to add the workstation to the DC _from the workstation_ by > > specifying the name of an account with the right to create machine accounts > > and its password. Usually, that's an admin. If you add the account at the > > PDC (or remotely to the PDC from a workstation already in the domain) it > > will create a well known password (the machine name) for the new machine. > > That's not what we're talking about here. > > So, since in SP2 or less you didn't do this, the SP3 workstation has > to be compatible with a non-SP3 PDC. So presumably if I'm listening > on the wire I can forge a negative acknowledgement to the presumably > new RPC that requests a secure machine password change, as long > as I can reply quicker than the SP3 PDC? Then the SP3 workstation > would end up with password=hostname? you would be dealing with \PIPE\samr opened using NTLMSSP, paul, which makes life a little more tricky. 
From lkcl at regent.push.net Wed Apr 22 12:58:49 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:00 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: <353D2B42.28CC1042@whistle.com> Message-ID: hm. so, a \PIPE\samr connection is made (securely - NTLMSSP) and a non-random password is added? oh well. On Wed, 22 Apr 1998, Jeremy Allison wrote: > Paul Ashton wrote: > > > > Paul Leach says (I think) that from SP3 when a workstation joins a > > domain from the client side, i.e. "use this account to add machine > > to domain", it will encrypt a new random machine password instead of > > setting it to the default (hostname in unicode). Can someone > > confirm this as it has implications for a Samba PDC. > > > > Done the experiment (last night in fact). Paul Leach > is wrong. It still leaves the lame password (hostname > in unicode) as the secret. > > Yes, I'm afraid the only way to securely add a NT machine > to a domain is to do it on a private net. I have actually > been spending a significant amount of time trying to > get around this hideous security hole and still > interoperate with an NT PDC with the Samba domain client > code. ah, jeremy: i have to add some code to the PAM pam_ntdom to do this. i was suggested to cache the 16 byte password in /etc/security/clientpasswd. how would this fit in, say, with going for /usr/local/samba/private/clientpasswd in samba and /etc/security/clientpasswd in pam_ntdom? use the code in smbpass.c because you might have multiple NetBIOS names on the same machine. you might even want to use the same file in smbfs, volker, and cache user / share passwords! 
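A defender-side check for the weakness Jeremy and Luke discuss above (the machine secret being the lowercased hostname in unicode), as an added example that is not Samba code and not from anyone in this thread: it computes the NT hash (MD4 over the UTF-16LE password) in pure Python and audits smbpasswd lines in the format shown later in this thread (name:uid:LMhash:NThash:[flags]:LCT-hex:) for [W] trust accounts whose NT hash is that of the lowercased hostname, or of the empty password. The sample lines are constructed; the function and file names are the example's own.

```python
"""Audit a Samba smbpasswd file for machine ([W]) accounts still carrying
the NT default machine password (lowercased NetBIOS name) or an empty NT
hash.  Added example; MD4 is implemented here so it runs without OpenSSL
legacy providers."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_block(state, block):
    """One 64-byte MD4 compression (RFC 1320); returns the new state."""
    X = struct.unpack('<16I', block)
    a, b, c, d = state
    # Round 1: F(x,y,z) = (x & y) | (~x & z), no constant, words in order
    for i in range(16):
        f = (b & c) | ((b ^ MASK) & d)
        a = _rotl((a + f + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 2: majority G, constant 0x5A827999, words 0,4,8,12,1,5,...
    for i in range(16):
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4
        a = _rotl((a + g + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    # Round 3: H = x ^ y ^ z, constant 0x6ED9EBA1, words 0,8,4,12,2,10,...
    for i in range(16):
        h = b ^ c ^ d
        k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
        a = _rotl((a + h + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """MD4 digest: pad with 0x80, zeros to 56 mod 64, 64-bit LE bit length."""
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_block(state, msg[off:off + 64])
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password, upper-case hex as smbpasswd stores it."""
    return md4(password.encode('utf-16-le')).hex().upper()


def audit_smbpasswd(lines):
    """Return (account, finding) pairs for [W] trust accounts whose NT hash
    is the default machine password (lowercased hostname) or the empty password."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 5:
            continue  # not a complete smbpasswd entry
        name, nthash, flags = fields[0], fields[3].upper(), fields[4]
        if 'W' not in flags or not name.endswith('$'):
            continue  # only workstation trust accounts are of interest here
        if nthash == nt_hash(''):
            findings.append((name, 'empty NT hash'))
        elif nthash == nt_hash(name[:-1].lower()):
            findings.append((name, 'default machine password (hostname)'))
    return findings


# Constructed sample, not a real password file.  PASSWORD$ carries the NT
# hash of "password", i.e. its own lowercased hostname; EMPTYBOX$ carries
# the NT hash of the empty string; alice is a user account and is skipped.
SAMPLE_SMBPASSWD = """\
# constructed sample
PASSWORD$:1001:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:[W]:LCT-353D2A0A:
EMPTYBOX$:1002:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:[W]:LCT-353D2A0A:
alice:1003:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C:[U]:LCT-353D2A0A:
"""

if __name__ == '__main__':
    for account, finding in audit_smbpasswd(SAMPLE_SMBPASSWD.splitlines()):
        print(f'{account}: {finding}')
```

Run against a real private/smbpasswd, every [W] line it reports is a machine account whose secret anyone on the wire can derive from the NetBIOS name alone.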
From lkcl at regent.push.net Wed Apr 22 13:06:16 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: Machine Account is Inaccessible (1.9.19-prealpha) In-Reply-To: Message-ID: > I'm consistently getting "The machine account does not exist or is > inaccessible" errors when trying to join the domain. There is a machine > password line in ~samba/private; it's for KITAGAWA$ (the client's name is > kitagawa), password kitagawa, and it's in /etc/passwd as well. ok, did you set the ACB info to [W]? (jeremy, this is the new format, isn't it?) i notice that a SMBsessionsetupX by KITAGAWA$ is _accepted_. this could only happen if there was a mistake or something. can you send *just* the kitagawa$ private/smbpasswd line, and your smb.conf file? remember to change the ip addresses to x.x.x.x and y.y.y.y etc! > > Domain name is SANDBOX > Server is Netbios Name SHOVEL, DNS name BOSERUP > Client is Netbios & DNS name KITAGAWA > > Logs (level 10) of the attempt and failure of the connection can be found > at http://demog.berkeley.edu/~aperrin/samba.join-failure.log > > Any advice will be much appreciated! > > --------------------------------------------------------------------- > Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support > Department of Demography - University of California at Berkeley > 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA > http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 > From cartegw at Eng.Auburn.EDU Wed Apr 22 13:47:00 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:01 2003 Subject: Machine Account is Inaccessible (1.9.19-prealpha) References: Message-ID: <353DF4D4.4D4BA4BC@eng.auburn.edu> Andrew Perrin - Demography wrote: > > I'm consistently getting "The machine account does not exist or is > inaccessible" errors when trying to join the domain. 
There is a > machine password line in ~samba/private; it's for KITAGAWA$ (the > client's name is kitagawa), password kitagawa, and it's in /etc/passwd > as well. > > Domain name is SANDBOX > Server is Netbios Name SHOVEL, DNS name BOSERUP > Client is Netbios & DNS name KITAGAWA > I think this is the problem. In the three files source/lib/rpc/server/srv_wkssvc.c:create_wks_info_100() source/lib/rpc/server/srv_srvsvc.c:srv_reply_net_srv_get_info() source/lib/rpc/server/srv_netlog.c:api_net_sam_logon() There is a call which sets the name returned to be the DNS name. Since the DNS name and NetBIOS name are different, this breaks things. I my case, I was running a second samba server acting as the PDC. The login script would not run because it was trying to get a reponse from the server on the primary interface. You can either try changing the NetBIOS name to the DNS name. Or comment out the call to get_myname(myname, NULL) in the 3 functions listed above. Since myname is a global variable that should already have the NetBIOS name in it, commenting out these calls should be of no consequence. In fact, they probably should not be there at all unless the myname string is empty. This has been reported to samba bugs. [snip] api_rpc_command: api_srvsvc_rpc op 0x15 - api_rpc_command: SRV_NET_SRV_GET_INFO 000018 srv_io_q_net_srv_get_info fcd10 ptr_srv_name : 0102f194 00001c smb_io_unistr2 fcd10 uni_max_len: 00000009 fcd10 undoc : 00000000 fcd10 uni_str_len: 00000009 fcd10 buffer : .\.\.S.H.O.V.E.L.. 
fcd10 switch_value : 00000065 srv_net_srv_get_info: 864 make_srv_info_101 struni2: 62 6f 73 65 72 75 70 struni2: 53 61 6d 62 61 20 31 2e 39 2e 31 39 2d 70 72 65 61 6c 70 68 61 make_srv_r_net_srv_get_info 000000 srv_io_r_net_srv_get_info 000000 srv_io_info_ctr ctr fd5d0 switch_value: 00000065 fd5d0 ptr_srv_ctr : 00000001 000008 srv_io_info_101 sv101 fd5d0 platform_id : 000001f4 fd5d0 ptr_name : 00000001 fd5d0 ver_major : 00000005 fd5d0 ver_minor : 00000004 fd5d0 srv_type : 0004100b fd5d0 ptr_comment : 00000001 000020 smb_io_unistr2 uni_name fd5d0 uni_max_len: 00000008 fd5d0 undoc : 00000000 fd5d0 uni_str_len: 00000008 fd5d0 buffer : .b.o.s.e.r.u.p.. ^^^^^^^^^^^^^^^ 00003c smb_io_unistr2 uni_comment fd5d0 uni_max_len: 00000016 fd5d0 undoc : 00000000 fd5d0 uni_str_len: 00000016 fd5d0 buffer : .S.a.m.b.a. .1...9...1.9.-.p.r.e.a.l.p.h.a.. fd5d0 status : 00000000 [snip] Let me know if this fixes things. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at regent.push.net Wed Apr 22 14:04:57 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: Machine password encrypted by admin password in SP3? In-Reply-To: Message-ID: On Wed, 22 Apr 1998, Luke Kenneth Casson Leighton wrote: > On Wed, 22 Apr 1998, Paul Ashton wrote: > > > > > paulle@microsoft.com said: > > > > > You have to add the workstation to the DC _from the workstation_ by > > > specifying the name of an account with the right to create machine accounts > > > and its password. > > what this does over-the-wire is to open a \PIPE\samr with NTLMSSP > encryption, and add an LSA_USER_INFO_21 structure with ACB_WKSTRUST, an > account of MACHINE$ and a random password. oops! 
sorry: because it's encrypted, we don't _know_ that it's a random password. so, i should say, it sends account information which, following this (unknown) transaction, it can be demonstrated that a workstation is considered to be a member of the DC's domain. luke From aperrin at demog.Berkeley.EDU Wed Apr 22 16:17:30 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:01 2003 Subject: Machine Account is Inaccessible (1.9.19-prealpha) In-Reply-To: <353DF4D4.4D4BA4BC@eng.auburn.edu> Message-ID: No dice, I'm afraid -- I changed the netbios name back to boserup (both explicitly and just by commenting out the netbios name line in smb.conf) and got the same result; if anyone's interested, the new log is in http://demog.berkeley.edu/~aperrin/samba.join-failure2.log . Per other requests, I'm posting here (1) the KITAGAWA$ line from smbpasswd; (2) the smb.conf file; and (3) browse.dat, which shows that the SANDBOX domain is served by BOSERUP. NOTE: the other issue I posted yesterday -- smbpasswd the program reporting unable to open smbpasswd the file on all operations except the first one -- seems like it could be related (seems that way to me, at least). Has anybody else run into this? 
(1) KITAGAWA$ line from smbpasswd: KITAGAWA$:777001:49BCCAA45054D4057584248B8D2C9F9E:4735AC61CC09367750946E6ADC840FA4:[W]:LCT-353D2A0A: (2) smb.conf: #@boserup:/usr/LOCAL/samba/lib>cat smb.conf [global] workgroup = SANDBOX ; netbios name = SHOVEL smbrun = /usr/LOCAL/samba/bin/smbrun lock dir = /usr/LOCAL/samba/var/locks debug level = 10 log file = /var/log/samba.%m.log wins support = no os level = 100 preferred master = yes load printers = no hide dot files = no revalidate = yes printing = bsd default service = homes encrypt passwords = yes domain logons = yes domain sid = S-1-5-21-123-456-789 ; security = share [homes] guest ok = no read only = no browseable = yes wide links = yes printable = no create mask = 0775 Comment = Home Directory (%U) [test] guest ok = no read only = no browseable = yes wide links = yes printable = no path = /usr/LOCAL/samba-test Comment = Sandbox (3) browse.dat: #@boserup:/usr/LOCAL/samba/var/locks>cat browse.dat "SANDBOX" c0001000 "BOSERUP" "SANDBOX" "BOSERUP" 40049b0b "Samba 1.9.19-prealpha" "SANDBOX" --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Wed, 22 Apr 1998, Gerald Carter wrote: > Andrew Perrin - Demography wrote: > > > > I'm consistently getting "The machine account does not exist or is > > inaccessible" errors when trying to join the domain. There is a > > machine password line in ~samba/private; it's for KITAGAWA$ (the > > client's name is kitagawa), password kitagawa, and it's in /etc/passwd > > as well. > > > > Domain name is SANDBOX > > Server is Netbios Name SHOVEL, DNS name BOSERUP > > Client is Netbios & DNS name KITAGAWA > > > > I think this is the problem. 
In the three files > > source/lib/rpc/server/srv_wkssvc.c:create_wks_info_100() > source/lib/rpc/server/srv_srvsvc.c:srv_reply_net_srv_get_info() > source/lib/rpc/server/srv_netlog.c:api_net_sam_logon() > > There is a call which sets the name returned to be the DNS name. Since > the DNS name and NetBIOS name are different, this breaks things. I my > case, I was running a second samba server acting as the PDC. The login > script would not run because it was trying to get a reponse from the > server on the primary interface. > > You can either try changing the NetBIOS name to the DNS name. Or > comment out the call to get_myname(myname, NULL) in the 3 functions > listed above. Since myname is a global variable that should already > have the NetBIOS name in it, commenting out these calls should be of no > consequence. In fact, they probably should not be there at all unless > the myname string is empty. > > This has been reported to samba bugs. > > [snip] > api_rpc_command: api_srvsvc_rpc op 0x15 - api_rpc_command: > SRV_NET_SRV_GET_INFO > 000018 srv_io_q_net_srv_get_info > fcd10 ptr_srv_name : 0102f194 > 00001c smb_io_unistr2 > fcd10 uni_max_len: 00000009 > fcd10 undoc : 00000000 > fcd10 uni_str_len: 00000009 > fcd10 buffer : .\.\.S.H.O.V.E.L.. > fcd10 switch_value : 00000065 > srv_net_srv_get_info: 864 > make_srv_info_101 > struni2: 62 6f 73 65 72 75 70 > struni2: 53 61 6d 62 61 20 31 2e 39 2e 31 39 2d 70 72 65 61 6c 70 68 61 > make_srv_r_net_srv_get_info > 000000 srv_io_r_net_srv_get_info > 000000 srv_io_info_ctr ctr > fd5d0 switch_value: 00000065 > fd5d0 ptr_srv_ctr : 00000001 > 000008 srv_io_info_101 sv101 > fd5d0 platform_id : 000001f4 > fd5d0 ptr_name : 00000001 > fd5d0 ver_major : 00000005 > fd5d0 ver_minor : 00000004 > fd5d0 srv_type : 0004100b > fd5d0 ptr_comment : 00000001 > 000020 smb_io_unistr2 uni_name > fd5d0 uni_max_len: 00000008 > fd5d0 undoc : 00000000 > fd5d0 uni_str_len: 00000008 > fd5d0 buffer : .b.o.s.e.r.u.p.. 
> ^^^^^^^^^^^^^^^ > 00003c smb_io_unistr2 uni_comment > fd5d0 uni_max_len: 00000016 > fd5d0 undoc : 00000000 > fd5d0 uni_str_len: 00000016 > fd5d0 buffer : .S.a.m.b.a. > 1...9...1.9.-.p.r.e.a.l.p.h.a.. > fd5d0 status : 00000000 > [snip] > > > Let me know if this fixes things. > j- > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) > From jallison at whistle.com Wed Apr 22 16:20:30 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:01 2003 Subject: Machine password encrypted by admin password in SP3? References: Message-ID: <353E18CE.59E2B600@whistle.com> Luke Kenneth Casson Leighton wrote: > > what this does over-the-wire is to open a \PIPE\samr with NTLMSSP > encryption, and add an LSA_USER_INFO_21 structure with ACB_WKSTRUST, an > account of MACHINE$ and a random password. > It's not random. That's the problem. It's the machine name in unicode in lower case. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From harper at banks.scar.utoronto.ca Wed Apr 22 19:10:33 1998 From: harper at banks.scar.utoronto.ca (John Harper) Date: Tue Dec 2 02:24:01 2003 Subject: domain logons and netlogon share Message-ID: <353E40A9.6C70@lake.scar.utoronto.ca> I've configured a Samba PDC to autheticate domain logons, it all seems to work. I also configured a netlogon share as suggested in the Blair book - a root preexec runs a script to create a logon bat file on the fly and log the connection, and a postexec cleans up the bat file and logs the logout. 
But the connection/disconnection of this share does not seem to entirely
correspond to my actually doing a domain login/logout on the client NTSP3
machine. And it is not consistent, which is most frustrating.

For example, I log in and the bat file is created and a log made. I then
log out and sometimes the postexec script does not run, the bat file is left
around and no logout message is recorded (and if this happens, my next login
does not trigger the preexec script). If I leave things alone for a while,
then eventually the postexec will run, but it could be several minutes after
I really logged out. But other times, when I log out (perhaps after being
connected for only a few seconds), the postexec does run....

The samba log files show that sometimes the netlogon share is not being
disconnected right away, and if the preexec is missing it's because the
share was not connected to on logon. I'm guessing the client workstation is
somehow holding onto the share, but this seems silly - when I log out I
expect the connection to be wholly gone. Is there a way to fix this??

I'm also wondering what happens if I've set the dead time parameter - will
the netlogon share be dropped sometime during a real session, thus showing
an early logout time?

Thanks

John Harper
------------------------------------
Academic Computing Coordinator
University of Toronto at Scarborough
harper@scar.utoronto.ca

From jallison at whistle.com Wed Apr 22 16:31:49 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:01 2003
Subject: Machine password encrypted by admin password in SP3?
References:
Message-ID: <353E1B75.1CFBAE39@whistle.com>

Luke Kenneth Casson Leighton wrote:
>
> ah, jeremy: i have to add some code to the PAM pam_ntdom to do this. i
> was suggested to cache the 16 byte password in /etc/security/clientpasswd.
>
> how would this fit in, say, with going for
> /usr/local/samba/private/clientpasswd in samba and
> /etc/security/clientpasswd in pam_ntdom?
>
> use the code in smbpass.c because you might have multiple NetBIOS names on
> the same machine. you might even want to use the same file in smbfs,
> volker, and cache user / share passwords!

Well, the code I am adding to the head branch will
store the machine account for netbios name NNNN in
domain DDDD in the file :

/usr/local/samba/private/DDDD.NNNN.mac

- allowing machine passwords for different NetBIOS
names and domains. The format of the file will be
something like :

32 byte ascii representation of passwd.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:TLC-YYYYYYY
                                    ^
                              last change time
                              since Jan 1st 1970.

Maybe you'll want to use the same format.

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at regent.push.net Wed Apr 22 20:46:16 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:01 2003
Subject: Machine password encrypted by admin password in SP3?
In-Reply-To: <353E1B75.1CFBAE39@whistle.com>
Message-ID:

On Wed, 22 Apr 1998, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > ah, jeremy: i have to add some code to the PAM pam_ntdom to do this. i
> > was suggested to cache the 16 byte password in /etc/security/clientpasswd.
> >
> > how would this fit in, say, with going for
> > /usr/local/samba/private/clientpasswd in samba and
> > /etc/security/clientpasswd in pam_ntdom?
> >
> > use the code in smbpass.c because you might have multiple NetBIOS names on
> > the same machine. you might even want to use the same file in smbfs,
> > volker, and cache user / share passwords!
>
> Well, the code I am adding to the head branch will
> store the machine account for netbios name NNNN in
> domain DDDD in the file :
>
> /usr/local/samba/private/DDDD.NNNN.mac
>
> - allowing machine passwords for different NetBIOS
> names and domains. The format of the file will be
> something like :
>
> 32 byte ascii representation of passwd.
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:TLC-YYYYYYY
>                                     ^
>                               last change time
>                               since Jan 1st 1970.
>
> Maybe you'll want to use the same format.

nah - i'll just steal the code :-)

From jallison at whistle.com Wed Apr 22 16:38:48 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:01 2003
Subject: Machine Account is Inaccessible (1.9.19-prealpha)
References: <353DF4D4.4D4BA4BC@eng.auburn.edu>
Message-ID: <353E1D18.FF6D5DF@whistle.com>

Gerald Carter wrote:
>
> I think this is the problem. In the three files
>
> source/lib/rpc/server/srv_wkssvc.c:create_wks_info_100()
> source/lib/rpc/server/srv_srvsvc.c:srv_reply_net_srv_get_info()
> source/lib/rpc/server/srv_netlog.c:api_net_sam_logon()
>
> There is a call which sets the name returned to be the DNS name. Since
> the DNS name and NetBIOS name are different, this breaks things. In my
> case, I was running a second samba server acting as the PDC. The login
> script would not run because it was trying to get a response from the
> server on the primary interface.
>
> You can either try changing the NetBIOS name to the DNS name. Or
> comment out the call to get_myname(myname, NULL) in the 3 functions
> listed above. Since myname is a global variable that should already
> have the NetBIOS name in it, commenting out these calls should be of no
> consequence. In fact, they probably should not be there at all unless
> the myname string is empty.
>

Indeed you are completely correct. I am fixing this
in the head branch.

Thanks,

Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From D.Bannon at latrobe.edu.au Thu Apr 23 03:28:23 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:01 2003
Subject: Adding machine with smbpasswd
In-Reply-To:
Message-ID: <3.0.3.32.19980423132823.00830b40@bioserve.biochem.latrobe.edu.au>

All this talk about adding a machine over the wire...

All I want to do is add it locally ! There was mention a while ago about
the option to add a machine being added to smbpasswd programme. The option
is recognised but does not appear to be acted upon correctly.

Looking at the source, when the -m option is used, the next parameter (the
machine name) is stored in a variable, user_name, has its $ appended but is
then used in a getpwnam(user_name) which of course fails, returns NULL, we
exit saying 'cannot find in passwd list'.

Have I got the syntax wrong ?? The man page doesn't know about it yet. I
used :

smbpasswd -m machine and
smbpasswd -a -m machine

Any suggestions ?

David.

------------------------------------------------------------
David Bannon                      D.Bannon@latrobe.edu.au
School of Biochemistry            Phone 61 03 9479 2197
La Trobe University, Plenty Rd,   Fax   61 03 9479 2467
Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From johanh at fusion.kth.se Thu Apr 23 06:54:33 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:24:01 2003
Subject: Browsing broken in main CVS branch
Message-ID:

Hi

I just updated my CVS tree of Samba (running as a PDC) today. Now browsing
and logonscripts don't work. smbclient -L gives the right names of the
shares, but NT 4 SP3 (English version) only shows |" for the shares.
Accessing the shares by typing the names works fine.
Any ideas?

TIA

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

From cartegw at Eng.Auburn.EDU Thu Apr 23 12:50:07 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Adding machine with smbpasswd
References: <3.0.3.32.19980423132823.00830b40@bioserve.biochem.latrobe.edu.au>
Message-ID: <353F38FF.41D2E9EE@eng.auburn.edu>

David Bannon wrote:
>
> All this talk about adding a machine over the wire...
>
> All I want to do is add it locally ! There was mention a while ago
> about the option to add a machine being added to smbpasswd programme.
> The option is recognised but does not appear to be acted upon
> correctly.
>
> Looking at the source, when the -m option is used, the next parameter
> (the machine name) is stored in a variable, user_name, has its $
> appended but is then used in a getpwnam(user_name) which of course
> fails, returns NULL, we exit saying 'cannot find in passwd list'.
>
> Have I got the syntax wrong ?? The man page doesn't know about it yet.
> I used :
>
> smbpasswd -m machine and
> smbpasswd -a -m machine
>

This is correct. I asked Jeremy about this recently. Two options. The
first and accepted solution is to create a standard Unix account ( with
a shell of /bin/false or something like that ) for the machine name and
then run the smbpasswd -a -m MACHINE.

The second solution which will work for the time being but not
guaranteed to work in the future is to create a user account with the
machine_name password and then edit the smbpasswd file to set the
necessary fields ( ie. the [W] field ).

It is foreseeable in the future that it will be necessary to have a unix
account for each machine.
Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Thu Apr 23 12:55:52 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Browsing broken in main CVS branch
References:
Message-ID: <353F3A58.B251058@eng.auburn.edu>

Johan Hedin wrote:
>
> Hi
>
> I just updated my CVS tree of Samba (running as a PDC) today. Now
> browsing and logonscripts don't work. smbclient -L gives the right
> names of the shares, but NT 4 SP3 (English version) only shows |"
> for the shares. Accessing the shares by typing the names works fine.
> Any ideas?
>

Don't suppose you are running multiple samba servers on the same machine
for this are you? Just checking before I spew out a response :-)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From johanh at fusion.kth.se Thu Apr 23 12:57:59 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:24:01 2003
Subject: Browsing broken in main CVS branch
In-Reply-To: <353F3A58.B251058@eng.auburn.edu>
Message-ID:

On Thu, 23 Apr 1998, Gerald Carter wrote:

> Johan Hedin wrote:
> >
> > Hi
> >
> > I just updated my CVS tree of Samba (running as a PDC) today. Now
> > browsing and logonscripts don't work. smbclient -L gives the right
> > names of the shares, but NT 4 SP3 (English version) only shows |"
> > for the shares. Accessing the shares by typing the names works fine.
> > Any ideas?
> >
>
> Don't suppose you are running multiple samba servers on the same machine
> for this are you? Just checking before I spew out a response :-)
>

No I have two samba servers on two different Solaris 2.6 boxes.

>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

From lkcl at regent.push.net Thu Apr 23 13:12:34 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:01 2003
Subject: Adding machine with smbpasswd
In-Reply-To: <353F38FF.41D2E9EE@eng.auburn.edu>
Message-ID:

On Thu, 23 Apr 1998, Gerald Carter wrote:

> David Bannon wrote:
> >
> > All this talk about adding a machine over the wire...
> >
> > All I want to do is add it locally ! There was mention a while ago
> > about the option to add a machine being added to smbpasswd programme.
> > The option is recognised but does not appear to be acted upon
> > correctly.
> >
> > Looking at the source, when the -m option is used, the next parameter
> > (the machine name) is stored in a variable, user_name, has its $
> > appended but is then used in a getpwnam(user_name) which of course
> > fails, returns NULL, we exit saying 'cannot find in passwd list'.
> >
> > Have I got the syntax wrong ?? The man page doesn't know about it yet.
> > I used :
> >
> > smbpasswd -m machine and
> > smbpasswd -a -m machine
> >
>
> This is correct. I asked Jeremy about this recently. Two options. The
> first and accepted solution is to create a standard Unix account ( with
> a shell of /bin/false or something like that ) for the machine name and
> then run the smbpasswd -a -m MACHINE.
>
> The second solution which will work for the time being but not
> guaranteed to work in the future is to create a user account with the
> machine_name password and then edit the smbpasswd file to set the
> necessary fields ( ie. the [W] field ).
>
> It is foreseeable in the future that it will be necessary to have a unix
> account for each machine.

what i would ideally like to see happen is to be able to either specify the
unix UID on the smbpasswd command line, or for smbpasswd to read the "map
username=" parameter for mapping the NT name to a UNIX name.

the username file should be able to contain this:

nobodymc = machine1$ machine2$ wks3$ guest pcguest
root = administrator.

luke

From cartegw at Eng.Auburn.EDU Thu Apr 23 13:26:19 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Machine Account is Inaccessible (1.9.19-prealpha)
References:
Message-ID: <353F417B.94AF6F29@eng.auburn.edu>

Andrew Perrin - Demography wrote:
>
> [global]
[snip]
> ; security = share

After looking a bit more ( you may have already tried this ), security
must be set to 'user' for domain logins to work. The default setting is
'share'. What happens when you set 'security = user'?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From aperrin at demog.Berkeley.EDU Thu Apr 23 13:51:22 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:01 2003
Subject: Machine Account is Inaccessible (1.9.19-prealpha)
In-Reply-To: <353F417B.94AF6F29@eng.auburn.edu>
Message-ID:

DOH! Thanks - it's working great now. Still the problem with smbpasswd
though -- can't get it to manipulate the file, so my max is one line :(.
---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Thu, 23 Apr 1998, Gerald Carter wrote:

> Andrew Perrin - Demography wrote:
> >
> > [global]
> [snip]
> > ; security = share
>
> After looking a bit more ( you may have already tried this ), security
> must be set to 'user' for domain logins to work. The default setting is
> 'share'. What happens when you set 'security = user'?
>
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

From mk at quadstone.co.uk Thu Apr 23 16:05:22 1998
From: mk at quadstone.co.uk (Michael Keightley)
Date: Tue Dec 2 02:24:01 2003
Subject: Can't connect to printer via PDC
Message-ID: <25379.199804231605@subnode.quadstone.co.uk>

Hi,
I have two Solaris 2.6 machines running samba. One is the PDC running
the main branch version which I copied using CVS last week. The other is
using 1.9.18p3. When I try to setup a printer by selecting the printer
via Network Neighborhood it works fine from the machine running 1.9.18p3.
But when I select the printer from the PDC machine it comes up with
the error:

"Could not connect the printer. The printer name is invalid"

The smb.conf for both machines contains:

[global]
.....
printcap name = lpstat
.....

[printers]
printing = sysv
path = /home/samba_pearl/var/spool/public
public = yes
writable = no
printable = yes

Is there something broken, or am I doing something wrong? Is it because
it's the domain controller?
Michael
_________
Michael Keightley                 Email: mk@quadstone.co.uk
Systems Manager                   Tel:   +44 131 220 4491
Quadstone Ltd                     Fax:   +44 131 220 4492
16 Chester Street
Edinburgh EH3 7RA, Scotland

From johanh at fusion.kth.se Thu Apr 23 16:14:36 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:24:01 2003
Subject: Browsing broken in main CVS branch
In-Reply-To:
Message-ID:

Sorry to have bothered you. It was my mistake. Did not "make clean" before
"make" after the "cvs update". Now browsing works again, but netlogon does
still not work. I'll look more to see if I misconfigured anything.

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

On Thu, 23 Apr 1998, Johan Hedin wrote:

> I just updated my CVS tree of Samba (running as a PDC) today. Now browsing
> and logonscripts don't work. smbclient -L gives the right names of the
> shares, but NT 4 SP3 (English version) only shows |" for the shares.
> Accessing the shares by typing the names works fine. Any ideas?

From jallison at whistle.com Thu Apr 23 16:24:18 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:01 2003
Subject: Adding machine with smbpasswd
References: <3.0.3.32.19980423132823.00830b40@bioserve.biochem.latrobe.edu.au>
Message-ID: <353F6B32.52BFA1D7@whistle.com>

David Bannon wrote:

> Looking at the source, when the -m option is used, the next parameter (the
> machine name) is stored in a variable, user_name, has its $ appended but is
> then used in a getpwnam(user_name) which of course fails, returns NULL, we
> exit saying 'cannot find in passwd list'.
>

When adding machine accounts, you now need to add the
machine account name (including the '$') to the local
UNIX password database.
This is to ensure that we have a valid uid - RID mapping
for all machine accounts.

Sorry, it's not in the docs yet - I'm still working on
the 1.9.19prealpha code. Working out what the code does
from the code & the CVS commit messages is one of the
challenges of being on the HEAD branch I'm afraid :-).
Fixing the docs will come last, sorry.

> Have I got the syntax wrong ?? The man page doesn't know about it yet. I
> used :

smbpasswd -a -m machine

is the correct syntax.

Hope this helps,

Jeremy Allison.
Samba Team.

--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Thu Apr 23 17:03:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Can't connect to printer via PDC
References: <25379.199804231605@subnode.quadstone.co.uk>
Message-ID: <353F745D.77D1518C@eng.auburn.edu>

Michael Keightley wrote:
>
> Hi,
> I have two Solaris 2.6 machines running samba. One is the PDC running
> the main branch version which I copied using CVS last week. The other is
> using 1.9.18p3. When I try to setup a printer by selecting the printer
> via Network Neighborhood it works fine from the machine running 1.9.18p3.
> But when I select the printer from the PDC machine it comes up with
> the error:
> "Could not connect the printer. The printer name is invalid"
>

Have you looked at the question regarding printing in the on-line FAQ?
( http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html )

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From Jean-Francois.Micouleau at utc.fr Thu Apr 23 17:25:46 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:24:01 2003
Subject: Can't connect to printer via PDC
In-Reply-To: <25379.199804231605@subnode.quadstone.co.uk>
Message-ID:

On Fri, 24 Apr 1998, Michael Keightley wrote:

> Hi,
> I have two Solaris 2.6 machines running samba. One is the PDC running
> the main branch version which I copied using CVS last week. The other is
> using 1.9.18p3. When I try to setup a printer by selecting the printer
> via Network Neighborhood it works fine from the machine running 1.9.18p3.
> But when I select the printer from the PDC machine it comes up with
> the error:
> "Could not connect the printer. The printer name is invalid"

It's not possible right now with samba PDC. Look at the FAQ, a workaround
explains how to print.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr              :
: Universite de           : Tel : 03 44 23 47 78           :
: Technologie de          : Service Informatique           :
: Compiegne France        : Division IRNM                  :
-----------------------------------------------------------

From cartegw at Eng.Auburn.EDU Thu Apr 23 19:42:54 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Error 0 on smbpasswd command (1.9.19-prealpha)
References:
Message-ID: <353F99BE.21BE43EB@eng.auburn.edu>

Andrew Perrin - Demography wrote:
>
> Now, however, I am unable to use smbpasswd (the program) if there is
> already an smbpasswd (the file) in place; witness:
>
> #@boserup:/usr/LOCAL/samba/private>ls -la
> total 6
> drwxrwxrwx 2 root other 512 Apr 21 16:04 .
> drwxr-xr-- 7 root other 512 Apr 21 15:01 ..
> -rw------- 1 root other 0 Apr 21 16:04 smbpasswd
>

First thing is to change the permission on /usr/LOCAL/samba/private from
drwxrwxrwx to dr-x------ for security reasons.
> #@boserup:/usr/LOCAL/samba/bin>./smbpasswd -a aperrin
[snip]
> startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd
> /smbpasswd: Failed to open password file
> /usr/LOCAL/samba/private/smbpasswd.
> /smbpasswd: Error 0
[snip]
> BUT if I delete smbpasswd:
> #@boserup:/usr/LOCAL/samba/bin>./smbpasswd -a aperrin
[snip]
> /smbpasswd: Added user aperrin.
>
> This pattern holds for adding user or machine accounts; it also holds
> for changing the password in an existing entry.

I dunno about this part. The only thing that comes to mind is if the file
is locked. Can you write a C program and try to open smbpasswd for writing
and see what a stat() call gives?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From ink at inconnu.isu.edu Thu Apr 23 20:03:06 1998
From: ink at inconnu.isu.edu (Craig Kelley)
Date: Tue Dec 2 02:24:01 2003
Subject: SAMBA-NTDOM digest 140
In-Reply-To: <19980423192447Z12637383-445+12323@samba.anu.edu.au>
Message-ID:

> It is foreseeable in the future that it will be necessary to have a unix
> account for each machine.

Could we use the finger information in passwd (fifth field) for information
about the machine (its password perhaps?) so as to avoid

From aperrin at demog.Berkeley.EDU Thu Apr 23 20:15:14 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:01 2003
Subject: Status of our 1.9.19-prealpha Installation
Message-ID:

Many thanks to everyone who's responded to the issues I posted over the past
few days. We've made quite a bit of progress today; current status follows.
Environment:
Server: Solaris 2.6 (Sparc), NIS, Samba 1.9.19-prealpha, BOSERUP
Clients: NT 4.0, SP3

We can currently log into our domain ("SANDBOX") from an NT client
("KITAGAWA") and authenticate user and password. It appears that, at the
moment, the server's netbios and DNS names must be the same.

We cannot access shares on BOSERUP (the domain server); it seems to
authenticate domain logins and browse requests fine, but rejects share
requests with "invalid username/password for ". However, shares with
guest ok = yes seem to work fine, reverting to the guest privilege. This
includes [netlogon]; it works if (and only if) guest ok is set to yes.
Also, time service returns "access denied."

HOWEVER... if we start Samba-1.9.18p4 on another machine (BLAKE), put it in
the SANDBOX workgroup, and set BOSERUP's smb.conf to look there for home and
profile directories, we get full service: profiles, automatic home
directories, etc.

So, remaining issues we have run into:

1.) It appears that the netbios and DNS names must be the same for domain
    control;
2.) ../samba/bin/smbpasswd still is unable to manipulate the smbpasswd file
    except on the first try; all subsequent tries return Error 0. However,
    using it with the -r option (smbpasswd -r boserup ) allows changing it
    fine; just can't add.
3.) We are unable to access shares on the domain controller except as
    nobody.
4.) Minor issue: the Makefile seems to have created permissions too
    restrictive on ../samba/var/locks/browse.dat; had to open them up a bit
    to allow browsing.

Again, many thanks -- this is looking really good.
smb.conf from the domain controller side follows:

#@boserup:/usr/LOCAL/samba/lib>cat smb.conf
[global]
workgroup = SANDBOX
smbrun = /usr/LOCAL/samba/bin/smbrun
lock dir = /usr/LOCAL/samba/var/locks
debug level = 10
log file = /var/log/samba.%m.log
wins support = no
wins server = 128.32.163.196
os level = 100
domain master = yes
time server = true
unix realname = yes
preferred master = yes
load printers = no
hide dot files = no
revalidate = yes
default service = homes
encrypt passwords = yes
domain logons = yes
domain sid = S-1-5-21-123-456-789
security = user

; The following deal with roaming profiles. Currently configured to send
; them to utility\username as drive Z:.
logon drive = z:
logon home = \\blake\%U
logon path = \\blake\%U\.ntprofile
logon script = init.bat

[homes]
guest ok = no
read only = no
browseable = yes
wide links = yes
printable = no
create mask = 0775
Comment = Home Directory (%U)

[test]
guest ok = yes
read only = no
browseable = yes
wide links = yes
printable = no
path = /usr/LOCAL/samba-test
Comment = Sandbox Test Share

[netlogon]
path = /usr/LOCAL/netlogon
writeable = no
guest ok = yes

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From cartegw at Eng.Auburn.EDU Thu Apr 23 21:07:57 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:01 2003
Subject: Status of our 1.9.19-prealpha Installation
References:
Message-ID: <353FADAD.FB43F75E@eng.auburn.edu>

> #@boserup:/usr/LOCAL/samba/lib>cat smb.conf
> [global]

> ; The following deal with roaming profiles. Currently configured to
> ; them to utility\username as drive Z:.
> logon drive = z:

Not a good idea. The Netlogon share is normally mounted as Z: during startup.
This could cause you problems later.

> logon home = \\blake\%U
> logon path = \\blake\%U\.ntprofile

For reasons that have been stated before on this and the main samba list,
you don't want to put the profile anywhere in \\server\%U\... Make a
separate share instead, something like \\server\profile\%U. The [homes]
share is treated differently than all other shares.

These suggestions are **not** directly related to your problem I think.
Just observations.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From csibug at svi.com.ph Fri Apr 24 00:32:24 1998
From: csibug at svi.com.ph (csibug@svi.com.ph)
Date: Tue Dec 2 02:24:01 2003
Subject: No subject
Message-ID: <482565F0.0002E1A7.00@mail.svi.com.ph>

Subscribe

From csibug at metallicafan.com Sat Apr 25 09:10:42 1998
From: csibug at metallicafan.com (csibug@metallicafan.com)
Date: Tue Dec 2 02:24:01 2003
Subject: no subject
Message-ID: <19980424090826Z12597158-456+12959@samba.anu.edu.au>

Subscribe

________________________________
Get Your FREE Email From MyOwnEmail.com

From aperrin at demog.Berkeley.EDU Fri Apr 24 17:45:36 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:01 2003
Subject: SMBPasswd in NTDOM
Message-ID:

Can anyone enlighten me as to the role of the last field in the smbpasswd
file in ntdom (LCT-*)? Because of the problem we're having (previously
posted) with smbpasswd being unable to manipulate the smbpasswd file, I
tried simply bypassing it and adding entries without that final field; they
seem to work okay but I'd love some confirmation that I'm not doing
irreparable harm....

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From jallison at whistle.com Fri Apr 24 18:07:51 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:01 2003
Subject: SMBPasswd in NTDOM
References:
Message-ID: <3540D4F7.7566F4CF@whistle.com>

Andrew Perrin - Demography wrote:
>
> Can anyone enlighten me as to the role of the last field in the smbpasswd
> file in ntdom (LCT-*)? Because of the problem we're having (previously
> posted) with smbpasswd being unable to manipulate the smbpasswd file, I
> tried simply bypassing it and adding entries without that final field;
> they seem to work okay but I'd love some confirmation that I'm not doing
> irreparable harm....
>

LCT- is my invention - it stands for 'Last Change Time' and is a standard
UNIX timestamp (seconds since Jan 1 1970) encoded as 8 HEX bytes in ascii.

It's not used at present but will be used for timing out passwords and
knowing when to change the machine account password etc.

I'll document all this new stuff when I do the docs review & update for
the 1.9.19alpha1 release (no date yet - still coding frantically :-).

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cbray at comp.uark.edu Fri Apr 24 21:06:51 1998
From: cbray at comp.uark.edu (Chris Bray)
Date: Tue Dec 2 02:24:01 2003
Subject: domain admin syntax?
In-Reply-To: <353FADAD.FB43F75E@eng.auburn.edu>
Message-ID:

I've been wanting to use the usrmgr.exe app to change my name from to
something a tad more descriptive, and was wondering what the proper syntax
for that command is?
(I've been reading the list archives, faqs, etc and haven't stumbled across this bit of info). And while I'm asking, what's the syntax for "domain groups" and "domain guest"? This is the conf line I've used: domain admin users = cbray I login to a workstation in the domain as cbray, and when I try and change info on a user, I get this error: "The system call level is not correct." Everything else works great...roaming profiles, logins, encrypted password, etc... Great work guys! Thanks, - chris ============================================================================= Chris Bray | Alpha Geek @ MultiMedia Resource Center, cbray@comp.uark.edu | Computing Services, University of Arkansas ICQ# 6830763 | http://www.uark.edu/~cbray/ ============================================================================= Unix _is_ user friendly - it's just selective about who its friends are... ============================================================================= From lkcl at regent.push.net Fri Apr 24 21:14:28 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: dce/rpc long buffers Message-ID: this message cross-posted to: samba-ntdom samba-technical hooray. finally. got it: long buffers. turns out that the SMBreadX offset is _completely_ ignored, which vastly simplifies client and server code. it is now possible to put horrendous quantities of shares in smb.conf (i have tried with 128 shares, each of which has a comment of about 80 chars in length: this requires 4 separate SMBreadX calls). it should also be possible to use USRMGR.EXE to view accounts. HOWEVER: i have found that this is a bit iffy, but that is due to other reasons, not the data transfer. luke From lkcl at regent.push.net Fri Apr 24 21:19:34 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: domain admin syntax? 
In-Reply-To: Message-ID: On Sat, 25 Apr 1998, Chris Bray wrote: > I've been wanting to use the usrmgr.exe app to change my name from > to something a tad more descriptive, and was wondering > what the proper syntax for that command is? (I've been reading > the list archives, faqs, etc and haven't stumbled across this bit > of info). time to look at code or net monitor traces then, chris :-) ok, we support the NetrServerGetInfo call (lib/rpc/server/srv_srvsvc.c) but do not support NetrServerSetInfo call. this is mainly because it would require some means to write back to smb.conf, which is not supported in samba yet. ah, i must write a message about this. > And while I'm asking, what's the syntax for "domain groups" and > "domain guest"? > > This is the conf line I've used: > > domain admin users = cbray that's correct. > I login to a workstation in the domain as cbray, and when I try and > change info on a user, I get this error: > > "The system call level is not correct." we haven't implemented any "changing" code yet - it's all read-only. as per my post a couple of minutes ago, you should be able to view (read-only) the accounts of an unlimited number of users. > Everything else works great...roaming profiles, logins, encrypted password, etc... > Great work guys! cheers :-) From cbray at comp.uark.edu Fri Apr 24 22:13:59 1998 From: cbray at comp.uark.edu (Chris Bray) Date: Tue Dec 2 02:24:01 2003 Subject: domain admin syntax? In-Reply-To: Message-ID: > we haven't implemented any "changing" code yet - it's all read-only. as > per my post a couple of minutes ago, you should be able to view > (read-only) the accounts of an unlimited number of users. Is there any way to change it via UNIX (like in a config file or something like that), so I can have the user's name be something other than "Full Name"? 
Thanks, Chris ============================================================================= Chris Bray | Alpha Geek @ MultiMedia Resource Center, cbray@comp.uark.edu | Computing Services, University of Arkansas ICQ# 6830763 | http://www.uark.edu/~cbray/ ============================================================================= Unix _is_ user friendly - it's just selective about who its friends are... ============================================================================= From lkcl at regent.push.net Fri Apr 24 22:20:53 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: domain admin syntax? In-Reply-To: Message-ID: On Fri, 24 Apr 1998, Chris Bray wrote: > > we haven't implemented any "changing" code yet - it's all read-only. as > > per my post a couple of minutes ago, you should be able to view > > (read-only) the accounts of an unlimited number of users. > > Is there any way to change it via UNIX (like in a config file or something > like that), so I can have the user's name be something other than > "Full Name"? he he. not yet. From pcc at llnl.gov Fri Apr 24 21:30:05 1998 From: pcc at llnl.gov (Phil Cox) Date: Tue Dec 2 02:24:01 2003 Subject: NT authentication in a domain, need clarification Message-ID: <3.0.5.32.19980424143005.00974be0@poptop.llnl.gov> I have some confusion WRT authenticating in a domain. Here are the scenarios, and my understanding of how the authentication happens. Client : NT4 WS Server: NT4 PDC: NT4 Assume user has already authenticated to the domain on the client and is now attempting to access a share. BTW: Where is the access token stored on the domain logon? The workstation or the PDC (then replicated)? Both? 1. Client to PDC share: Client sends an SMB negotiation request to PDC. PDC responds. Client then sends an SMB session request to PDC. PDC issues challenge, client encrypts with stored OWF, and returns it to PDC. PDC verifies it. 
Issues & stores an access token and an associated UID. PDC returns UID to client. Client uses UID in all subsequent SMB packets to the PDC. 2. Client to Server share: Client sends an SMB negotiation request to server. Server responds. Client then sends an SMB session request to Server. Server sends authentication request to PDC. PDC issues challenge to server. Server forwards that challenge to client. Client encrypts with stored OWF, and returns it to server. Server forwards it to PDC. PDC verifies it, says "ok" to server. Server issues & stores an access token and an associated UID. Server returns UID to client. Client uses UID in all subsequent SMB packets to the Server. **I was told that this is not correct. Can someone please give me a pointer to the nitty gritty. Phil - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Computer Incident Advisory Capability (CIAC) Philip C. Cox (510)422-8193 (510)422-8564 ciac@llnl.gov pcc@llnl.gov ------------------------------------------------------------------- PGP fingerprint = 1A97 AB44 406A 77B7 3EA8 3B5B E3B5 BE73 Notable Quote = "Do today what you want to be tomorrow." From lkcl at regent.push.net Fri Apr 24 22:58:46 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: NT authentication in a domain, need clarification In-Reply-To: <3.0.5.32.19980424143005.00974be0@poptop.llnl.gov> Message-ID: On Sat, 25 Apr 1998, Phil Cox wrote: > I have some confusion WRT authenticating in a domain. Here are the > scenarios, and my understanding of how the authentication happens. > > Client : NT4 WS > Server: NT4 > PDC: NT4 > Assume user has already authenticated to the domain on the client and is > now attempting to access a share. > > BTW: Where is the access token stored on the domain logon? The workstation > or the PDC (then replicated)? Both? > > 1. Client to PDC share: > Client sends an SMB negotiation request to PDC. PDC responds. 
Client then > sends an SMB session request to PDC. PDC issues challenge, client encrypts > with stored OWF, and returns it to PDC. PDC verifies it. Issues & stores an > access token and an associated UID. PDC returns UID to client. Client uses > UID in all subsequent SMB packets to the PDC. correct. > 2. Client to Server share: > Client sends an SMB negotiation request to server. Server responds. Client > then sends an SMB session request to Server. Server sends authentication > request to PDC. PDC issues challenge to server. Server forwards that > challenge to client. Client encrypts with stored OWF, and returns it to > server. Server forwards it to PDC. PDC verifies it, says "ok" to server. > Server issues & stores an access token and an associated UID. Server > returns UID to client. Client uses UID in all subsequent SMB packets to the > Server. correct! > **I was told that this is not correct. tell them i suggested they stare at packets for a few days, as a penance. if they give you a hard time, tell them that they have to run the above scenario and send me a netmonitor trace of it, with a fully annotated explanation of what's going on. > Can someone please give me a pointer to the nitty gritty. the "verification" mechanism, of forwarding the OWF to the server, is called "pass-through" authentication. there are two forms of this 1) documented in CIFS - you specify pass-through in the SMBsessionsetupX or something. 2) send a "network" (type 0x3) version of an LsaSamLogon not an "interactive" version. the difference is that in the interactive login the password is both 16 byte LM and the NT hashes; in the network login, the "password" is the challenge (generated by the "Server: NT4" above) and the two 24 byte OWF responses (generated by the client in response to the challenge, and received by the server in the SMBsessionsetupX response). the PDC then responds to the LsaSamLogon with login details or "NT_STATUS_WRONG_PASSWORD". 
as you can see, this is not particularly secure if one of your routers is compromised: the packet can be hijacked and modified... luke From canfield at uindy.edu Sat Apr 25 05:16:24 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:24:01 2003 Subject: TO DO Back & Updated References: Message-ID: <354171A8.B336A486@uindy.edu> The To-Do list is back up at http://peng1.uindy.edu/samba/todo.html There have been a few updates, and I'd appreciate if anyone who is familiar with NT Server could check the list to see if it is a fairly complete list of what needs to be done in order for Samba to be an NT Server equivalent. Thanks, Dana Luke Kenneth Casson Leighton wrote: > this message cross-posted to: > > samba-ntdom > samba-technical > > hooray. finally. got it: long buffers. turns out that the SMBreadX > offset is _completely_ ignored, which vastly simplifies client and server > code. > > it is now possible to put horrendous quantities of shares in smb.conf (i > have tried with 128 shares, each of which has a comment of about 80 chars > in length: this requires 4 separate SMBreadX calls). > > it should also be possible to use USRMGR.EXE to view accounts. HOWEVER: i > have found that this is a bit iffy, but that is due to other reasons, not > the data transfer. > > luke From aperrin at demog.Berkeley.EDU Mon Apr 27 21:55:55 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:01 2003 Subject: admin users & groups Message-ID: I looked back at the archive and couldn't find an answer for the query about the right syntax for "domain groups =". Any ideas? Thx- Andy --------------------------------------------------------------------- Andrew J. 
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From pcc at ntsinc.com Tue Apr 28 05:23:10 1998 From: pcc at ntsinc.com (Phil Cox) Date: Tue Dec 2 02:24:01 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: <199802030847.IAA09676@mail.bogo.co.uk> Message-ID: <3.0.5.32.19980427222310.0098e400@ntsinc.com> A non-text attachment was scrubbed... Name: not available Type: text/enriched Size: 2761 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980427/07df18c3/attachment.bin From lkcl at regent.push.net Tue Apr 28 13:37:31 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon In-Reply-To: <3.0.5.32.19980427222310.0098e400@ntsinc.com> Message-ID: phil, the "pass-through" authentication described in the cifs documentation has absolutely nothing to do with dce/rpc "network" logins that achieve exactly the same end-result. if the conversations i had with paul ashton at around the time we worked out what the dce/rpc "network" logins tie in with the message below (03/02/98) then referring to the cifs documentation is misleading: paul is referring to the dce/rpc "network" logins not the cifs documentation. luke On Tue, 28 Apr 1998, Phil Cox wrote: > At 07:50 PM 2/3/98 +1100, Paul Ashton wrote: > > >At 01:18 03/02/98 , Paul Ashton wrote: > > >>From a quick look at a packet trace, the original client that wishes > > >>to access a share does an SMB negotiate and receives an 8 byte > challenge, > > >>it then does a session setup & X with a 24 byte challenge response. > The > > >>The SMB server then forwards the challenge and the response to the > PDC > > >>without encryption. 
The PDC confirms whether the response was valid > and > > >>if so, returns the password hash to the SMB server (rc4 encrypted) so > > >>that the SMB server could then forward the hash to other servers on > > >>behalf of the client. > > > > > >This means that anybody passively listening to the LAN can turn > > >any NTLM challenge response sequence into a password equivalent! > > >Just forward the challenge and response of a sniffed packet to an > > >NT DC and it will send you the password equivalent. > > > Just a clarification for myself. It seems to me that the challenge can't > be replayed, because it must be the challenge that was sent during the > "server to PDC" SMB negotiate portion of the pass-through authentication > (steps 4-6 below)? Since this challenge is originated from the PDC (step > 5), the server should not be able to just send it a > challenge/challenge-response pair for validation. Is this not correct? > Any clarification is appreciated. > > > >From the CIFS Logon and Pass Through spec: > > The steps involved in pass through authentication are: > > > 1 The CIFS client sends a negotiate SMB to the CIFS server > > 2 The CIFS server verifies the cached Domain Controller name (as > > described above) > > 3 If the cached name is invalid, the CIFS server does a Domain Controller > Discovery > > 4 The CIFS server sends a NEGOTIATE SMB to the Domain Controller > > 5 The NEGOTIATE response along with the challenge is saved by the CIFS > server > > 6 The CIFS server sends a NEGOTIATE response (to client) using the saved > challenge > > 7 The CIFS client computes the challenge response as detailed in the CIFS > specification, and then challenge response is sent as part of a > SessionSetupAndX SMB > > 8 The CIFS server extracts the challenge response from above SMB > > 9 The CIFS server sends it's own SessionSetupAndX SMB to the domain > > controller using the extracted challenge response > > 10 The Domain Controller sends a SessionSetupAndX response to the 
CIFS > server. This response will be successful if the CIFS client had > > provided the correct response. > > 11 The CIFS server tears down the session with the Domain Controller > > that was established using user credentials. This is accomplished by > means of a LogOffAndX SMB. > > 12 The CIFS server sends a SessionSetupAndX response to the CIFS client. > This response is based upon the response from the Domain Controller. > > > > > Phil Cox > From paul at argo.demon.co.uk Tue Apr 28 12:46:56 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:01 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: Your message of "Mon, 27 Apr 1998 22:23:10 PDT." <3.0.5.32.19980427222310.0098e400@ntsinc.com> Message-ID: <199804281346.OAA23360@argo.demon.co.uk> > Just a clarification for myself. It seems to me that the challenge can't > be replayed, because it must be the challenge that was sent during the > "server to PDC" SMB negotiate portion of the pass-through authentication > (steps 4-6 below)? Since this challenge is originated from the PDC (step > 5), the server should not be able to just send it a > challenge/challenge-response pair for validation. Is this not correct? > Any clarification is appreciated. Your conclusion would seem to be correct in the context of the information you quoted. My observation was based purely on viewing the NetLogonSamLogon type=Network RPC between a file server and a PDC. If this has to be related to a previously sent challenge from the PDC then you may be correct. It was discussed on ntbugtraq and Paul Leach did not say that it would not work. I've never tried it though. Luke? I don't see why the challenge would be in the RPC and not just the challenge response if that were the case. 
Paul From lkcl at regent.push.net Tue Apr 28 14:07:00 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:01 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: <199804281346.OAA23360@argo.demon.co.uk> Message-ID: On Wed, 29 Apr 1998, Paul Ashton wrote: > > > Just a clarification for myself. It seems to me that the challenge can't > > be replayed, because it must be the challenge that was sent during the > > "server to PDC" SMB negotiate portion of the pass-through authentication > > (steps 4-6 below)? Since this challenge is originated from the PDC (step > > 5), the server should not be able to just send it a > > challenge/challenge-response pair for validation. Is this not correct? > > Any clarification is appreciated. > > Your conclusion would seem to be correct in the context of the > information you quoted. My observation was based purely on > viewing the NetLogonSamLogon type=Network RPC between a file server > and a PDC. If this has to be related to a previously sent challenge > from the PDC then you may be correct. It was discussed on ntbugtraq > and Paul Leach did not say that it would not work. I've never tried > it though. Luke? nah, me neither. i tend not to get involved in protocol weakness analysis stuff unless i'm writing protocols myself. the things i am interested in are working out existing (undocumented and important) protocols, and implementing them, weaknesses or not. however, in your paragraph above, exactly what has to be related to a previously sent challenge? luke From paul at argo.demon.co.uk Tue Apr 28 13:21:36 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:02 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: Your message of "Tue, 28 Apr 1998 14:07:00 -0000." 
Message-ID: <199804281421.PAA23831@argo.demon.co.uk> Luke said: > however, in your paragraph above, exactly what has to be related to a > previously sent challenge? 4 The CIFS server sends a NEGOTIATE SMB to the Domain Controller 5 The NEGOTIATE response along with the challenge is saved by the CIFS server 6 The CIFS server sends a NEGOTIATE response (to client) using the saved challenge 7 The CIFS client computes the challenge response as detailed in the CIFS specification, and then challenge response is sent as part of a SessionSetupAndX SMB 8 The CIFS server extracts the challenge response from above SMB 9 The CIFS server sends it's own SessionSetupAndX SMB to the domain controller using the extracted challenge response I don't think this is the case in an NT domain. It would be easy to check to see if the CIFS server does do the final SS&X, but I think it does a NetLogonSamLogon with its *own* challenge instead. I'm sure Paul Leach will correct me if I'm wrong. Paul From cartegw at Eng.Auburn.EDU Tue Apr 28 15:53:28 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server Message-ID: <3545FB78.C1B892D0@eng.auburn.edu> I finally got around to testing this out and thought everyone would find the results fairly interesting ( as well as their implications ). Some basic testing between a Samba 1.9.18p4 and a Samba PDC indicates that **it is possible** to use a Samba PDC as a password server for other samba servers :) I tested this by setting security = server password server = xxx.xxx.xxx.xxx (ip address of server1) on a normal 1.9.18p4 server ( server2 ) which was providing files / printers ( no domain logins for 95 or NT though ). server1 is a Samba PDC running the cvs distribution of the main branch. 'net use X: \\server2\apps' went through without a hitch! 
Here is an excerpt from the smbd log ---------log.smb----------------------------------------- Connecting to xxx.xxx.xxx.xxx at port 139 connected to password server xxx.xxx.xxx.xxx got session password server OK using password server validation Selected protocol NT LM 0.12 04/28/1998 10:37:19 Transaction 2 of length 133 [......snip......] switch message SMBsesssetupX (pid 2092) Domain=[LENORE] NativeOS=[Windows NT 1381] NativeLanMan=[] sesssetupX:name=[cartegw] trying NetWkstaUserLogon with password server 131 NetWkstaUserLogon success password server 131 accepted the password ---------------------------------------------------------- Hmmm...so what does this exactly imply. Well there should be no need to distribute the smbpasswd to remote servers using rdist or anything else. Simply setup your Samba PDC in a tight security room, make it accessible only from certain machines and by certain users using ssh or something like that and then point all your samba servers towards it for validation. Someone should test my theory, but the initial tests look promising. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at regent.push.net Tue Apr 28 16:06:28 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:02 2003 Subject: Old Topic: Re: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: <199804281421.PAA23831@argo.demon.co.uk> Message-ID: > 9 The CIFS server sends it's own SessionSetupAndX SMB to the domain > controller using the extracted challenge response just noticed something. "9 the cifs server sends it is own SS&X" does not make sense. surely this should be "9 the cifs server sends its own SS&X". 
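The two validation paths argued over above, the CIFS pass-through steps 1-12 that Phil Cox quoted and the NetLogon SamLogon "network" logon that Luke and Paul describe, together with Paul Ashton's point that a passively sniffed challenge/response pair can be turned into a password equivalent at the DC, as an added runnable model. This is example code written for this page, not Samba's or Microsoft's implementation, and its primitives are stand-ins so it runs on the Python standard library alone: owf() uses SHA-256 where real NTLM uses MD4 of the UTF-16LE password, and respond() uses HMAC-SHA256 where the real response is the DES-based 24-byte LM/NT response. The DC returning the stored hash on a successful network logon models what Paul reports seeing in the RPC and is an assumption of the model, as are the user names and passwords. What the model does reproduce is who originates the challenge in each variant and what that means for replaying a sniffed pair.

```python
"""Model of CIFS pass-through vs. NetLogon network logon (added example).

Stand-in primitives: SHA-256 replaces the MD4 NT hash, HMAC-SHA256
replaces the DES-based 24-byte challenge response.  The message flow
and who originates the challenge follow the thread; the crypto does not.
"""
import hashlib
import hmac
import os


def owf(password: str) -> bytes:
    """One-way function of the password as stored in the DC's account
    database (stand-in for the MD4 NT hash).  To the protocol, knowing
    this value is as good as knowing the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]


def respond(stored_owf: bytes, challenge: bytes) -> bytes:
    """Challenge response (stand-in for the DES-based 24-byte response).
    Computed from the OWF alone, never from the clear-text password."""
    return hmac.new(stored_owf, challenge, hashlib.sha256).digest()[:24]


class DomainController:
    def __init__(self, accounts: dict):
        self.accounts = {u: owf(p) for u, p in accounts.items()}  # constructed
        self.sessions = {}  # session id -> challenge this DC issued

    def negotiate(self):
        """CIFS pass-through steps 4-5: the DC originates the challenge."""
        sid, chal = os.urandom(4).hex(), os.urandom(8)
        self.sessions[sid] = chal
        return sid, chal

    def session_setup(self, sid: str, user: str, response: bytes) -> bool:
        """Step 10: the response only counts against this session's own
        challenge.  The entry is consumed, as the LogOffAndX of step 11 does."""
        chal = self.sessions.pop(sid, None)
        h = self.accounts.get(user)
        if chal is None or h is None:
            return False
        return hmac.compare_digest(respond(h, chal), response)

    def net_sam_logon(self, user: str, challenge: bytes, response: bytes):
        """NetLogon SamLogon, logon type 'network': the caller supplies the
        challenge, so the DC can only recompute and compare.  On success it
        returns the stored hash (modelling what Paul Ashton reports the DC
        hands back to the file server), i.e. a password equivalent."""
        h = self.accounts.get(user)
        if h is None or not hmac.compare_digest(respond(h, challenge), response):
            return None
        return h


class Client:
    def __init__(self, user: str, password: str):
        self.user, self._owf = user, owf(password)

    def session_setup_andx(self, challenge: bytes):
        """Step 7: answer whatever challenge the server relays."""
        return self.user, respond(self._owf, challenge)


def cifs_pass_through(dc, client, wire: list) -> bool:
    """Steps 1-12 of the CIFS logon spec as quoted in the thread."""
    sid, chal = dc.negotiate()                    # 4-5: DC's challenge, saved
    user, resp = client.session_setup_andx(chal)  # 6-7: relayed to the client
    wire.append((chal, resp, user))               # what a LAN sniffer records
    return dc.session_setup(sid, user, resp)      # 9-12: forwarded, verdict relayed


def netlogon_network(dc, client, wire: list) -> bool:
    """Server picks its own challenge and asks the DC with a network logon."""
    chal = os.urandom(8)
    user, resp = client.session_setup_andx(chal)
    wire.append((chal, resp, user))
    return dc.net_sam_logon(user, chal, resp) is not None


def replay_sniffed(dc, sniffed):
    """Paul Ashton's attack: feed a sniffed (challenge, response, user) triple
    to the DC.  Returns (hash recovered via network logon or None,
    accepted by the session-bound pass-through check)."""
    chal, resp, user = sniffed
    recovered = dc.net_sam_logon(user, chal, resp)  # DC never issued chal, validates anyway
    sid, _fresh = dc.negotiate()
    accepted = dc.session_setup(sid, user, resp)    # stale response vs. fresh challenge
    return recovered, accepted


if __name__ == "__main__":
    dc = DomainController({"testuser": "correct horse"})  # constructed account
    wire = []
    print("pass-through ok:", cifs_pass_through(dc, Client("testuser", "correct horse"), wire))
    print("network logon ok:", netlogon_network(dc, Client("testuser", "correct horse"), wire))
    h, accepted = replay_sniffed(dc, wire[0])
    print("replay: pass-through accepted =", accepted, "/ hash via network logon =", h.hex())
    print("equivalent answers a new challenge:", respond(h, b"\x00" * 8) ==
          Client("testuser", "correct horse").session_setup_andx(b"\x00" * 8)[1])
```

Run it as a script: both legitimate logons succeed, then the pair captured on the wire is rejected by the session-bound pass-through check (the DC's fresh challenge no longer matches) but accepted by the network logon, which hands back the hash, and that hash answers any later challenge without the password ever being known.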
From lkcl at regent.push.net Tue Apr 28 16:16:36 1998 From: lkcl at regent.push.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server In-Reply-To: <3545FB78.C1B892D0@eng.auburn.edu> Message-ID: On Wed, 29 Apr 1998, Gerald Carter wrote: > I finally got around to testing this out and thought everyone would find > the results fairly interesting ( as well as their implications ). > > Some basic testing between a Samba 1.9.18p4 and and Samba PDC indicates > that **it is possible** to use a Samba PDC as a password server for > other samba servers :) > > I tested this by setting > > security = server > password server = xxx.xxx.xxx.xxx (ip address of server1) ah. you have to watch out for this "password server" specifies the NetBIOS name of the server to connect to. the NetBIOS session setup only works [if you specify the ip address] because samba unconditionally accepts NetBIOS connections with any called name: it's the only NetBIOS server allowed to run on an ip address. if you specify password server = ip.address.of.ntsrv then this will fail unless the netbios name of the nt server is its own ip address. > Hmmm...so what does this exactly imply. Well there should be no need to > distribute the smbpasswd to remote servers using rdist or anything > else. this is _really_ good to know. also, gerald, jeremy is working on "security = domain". this will do an LsaSamLogon with type "network" login to the password server, instead of an SMBnegprot/SMBsessetupX in pass-through mode. in other words, samba servers will be able to be members of a samba domain. luke From jallison at whistle.com Tue Apr 28 16:36:59 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: <3545FB78.C1B892D0@eng.auburn.edu> Message-ID: <354605AB.3F54BC7E@whistle.com> Gerald Carter wrote: > > > Hmmm...so what does this exactly imply. 
Well there should be no need to > distribute the smbpasswd to remote servers using rdist or anything > else. Simply setup your Samba PDC in a tight security room, make it > accessible only from certain machines and by certain users using ssh or > something like that and then point all you samba server towards it for > validation. > Yes, this should definitely work. The other benefit is that if that Samba PDC is also the NIS master and the other Samba servers are NIS clients then you have one machine that is the single account master for all users (look, look, the Holy Grail, in Camelot ! Shhh. it's only a model :-). Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From cartegw at Eng.Auburn.EDU Tue Apr 28 16:52:28 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: Message-ID: <3546094C.26B33F9E@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > > I tested this by setting > > > > security = server > > password server = xxx.xxx.xxx.xxx (ip address of server1) > > ah. you have to watch out for this "password server" specifies the > NetBIOS name of the server to connect to. the NetBIOS session setup > only works [if you specify the ip address] because samba > unconditionally accepts NetBIOS connections with any called name: it's > the only NetBIOS server allowed to run on an ip address. Yup. I was working off of vague memories of the docs. You are correct. I just set the "password server = NetBIOS_name_of_Samba_pdc" and things resolved correctly. The validation still worked. > if you specify password server = ip.address.of.ntsrv then this will > fail unless the netbios name of the nt server is its own ip address. But because Samba will accept an IP address in the sessions setup it does work? 
Is that what you were saying previously? If the password server was a NT box, then it would reject the sessions setup because it was expecting a NetBIOS name for the request. Correct? > this is _really_ good to know. also, gerald, jeremy is working on > "security = domain". this will do an LsaSamLogon with type "network" > login to the password server, instead of an SMBnegprot/SMBsessetupX in > pass-through mode. > > in other words, samba servers will be able to be members of a samba > domain. Cool! :) j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Tue Apr 28 16:55:28 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: <3545FB78.C1B892D0@eng.auburn.edu> <354605AB.3F54BC7E@whistle.com> Message-ID: <35460A00.1F7A499C@eng.auburn.edu> Jeremy Allison wrote: > > Yes, this should definitely work. The other benefit is that > if that Samba PDC is also the NIS master and the other Samba > servers are NIS clients then you have one machine that is the > single account master for all users (look, look, the Holy > Grail, in Camelot ! Shhh. it's only a model :-). > > Jeremy. Holy single logon, Batman! You're right! I'm assuming that you are talking about being able to update the NIS maps ( unix accounts ) when you update the smbpasswd entries. Is this correct? j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From jallison at whistle.com Tue Apr 28 17:04:39 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: <3545FB78.C1B892D0@eng.auburn.edu> <354605AB.3F54BC7E@whistle.com> <35460A00.1F7A499C@eng.auburn.edu> Message-ID: <35460C27.41C67EA6@whistle.com> Gerald Carter wrote: > > Holy single logon, Batman! You're right! I'm assuming that you are > talking about being able to update the NIS maps ( unix accounts ) when > you update the smbpasswd entries. Is this correct? > Indeed. You would set up the smbd to sync unix passwords and call a local program that sets a user's password as root, then does a make in the yp domain directory to push the changed password out to the NIS slaves. You still end up with two password files, but users in both have the same password. Cheers, Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From paul at argo.demon.co.uk Tue Apr 28 16:32:17 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server In-Reply-To: Your message of "Wed, 29 Apr 1998 03:20:40 +1000." <35460C27.41C67EA6@whistle.com> Message-ID: <199804281732.SAA26625@argo.demon.co.uk> jallison@whistle.com said: > Indeed. You would set up the smbd to sync unix passwords > and call a local program that sets a user's password as > root, then does a make in the yp domain directory to push > the changed password out to the NIS slaves. > > You still end up with two password files, but users in > both have the same password. Just one small problem. I never progressed the password change protocol from NT client to DC. I figured out how to disable the RC4 (?) 
encryption of the RPC by sending a certain type of NTLMSSP response, but not what the RC4 key was. Have you gotten anywhere with that Jeremy? If the RPC isn't encrypted then I verified that the password change protocol is as documented, incidentally exposing a little hole in that the LM hash is used to encrypt the new password even if LM-FIX has been applied to disable the use of it. Paul From jallison at whistle.com Tue Apr 28 17:42:34 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: <199804281732.SAA26625@argo.demon.co.uk> Message-ID: <3546150A.167EB0E7@whistle.com> Paul Ashton wrote: > > Just one small problem. I never progressed the password > change protocol from NT client to DC. I figured out how > to disable the RC4 (?) encryption of the RPC by sending > a certain type of NTLMSSP response, but not what the RC4 > key was. Have you gotten anywhere with that Jeremy? > > If the RPC isn't encrypted then I verified that the > password change protocol is as documented, incidentally > exposing a little hole in that the LM hash is used to > encrypt the new password even if LM-FIX has been applied > to disable the use of it. > Yes, I have that fixed and checked into the main branch (domain client password changing). It's not an arc4 encrypt, but a des encrypt with the 8 byte session key used as two 7 byte des keys (the second key is zero filled) to encrypt the md4 hash of the new machine password. Look at the code in api_net_srv_pwset() in lib/rpc/server/srv_netlog.c. The relevant call is cred_hash3(). NT machines are happily changing their own passwords to a Samba PDC :-). Cheers, Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. 
-------------------------------------------------------- From Jean-Francois.Micouleau at utc.fr Tue Apr 28 18:03:21 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server In-Reply-To: <35460C27.41C67EA6@whistle.com> Message-ID: On Wed, 29 Apr 1998, Jeremy Allison wrote: > Indeed. You would set up the smbd to sync unix passwords > and call a local program that set's a users password as > root, then does a make in the yp domain directory to push > the changed password out to the NIS slaves. > > You still end up with two password files, but users in > both have the same password. > And how do you change the samba encrypted password from a NIS client workstation ? yppasswd send the password already encrypted to the yppasswdd daemon. Jean Francois ----------------------------------------------------------- : Jean Francois Micouleau : Email: jfm@utc.fr : : Universite de : Tel : 03 44 23 47 78 : : Technologie de : Service Informatique : : Compiegne France : Division IRNM : ----------------------------------------------------------- From jallison at whistle.com Tue Apr 28 18:10:04 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:02 2003 Subject: Samba PDC as a password server References: Message-ID: <35461B7C.15FB7483@whistle.com> Jean-Francois Micouleau wrote: > > And how do you change the samba encrypted password from a NIS client > workstation ? > You can't (at least using the method used by smbd). You have to change them on the NIS server, as root. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. 
--------------------------------------------------------

From lkcl at regent.push.net Tue Apr 28 18:52:26 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <3546094C.26B33F9E@eng.auburn.edu>
Message-ID:

On Wed, 29 Apr 1998, Gerald Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > > I tested this by setting
> > >
> > > security = server
> > > password server = xxx.xxx.xxx.xxx (ip address of server1)
> >
> > ah. you have to watch out for this: "password server" specifies the
> > NetBIOS name of the server to connect to. the NetBIOS session setup
> > only works [if you specify the ip address] because samba
> > unconditionally accepts NetBIOS connections with any called name: it's
> > the only NetBIOS server allowed to run on an ip address.
>
> Yup. I was working off of vague memories of the docs. You are
> correct. I just set the "password server = NetBIOS_name_of_Samba_pdc"
> and things resolved correctly. The validation still worked.
>
> > if you specify password server = ip.address.of.ntsrv then this will
> > fail unless the netbios name of the nt server is its own ip address.
>
> But because Samba will accept an IP address in the sessions setup it
> does work?

correct.

> Is that what you were saying previously?

yep.

> If the password
> server was a NT box, then it would reject the sessions setup because it
> was expecting a NetBIOS name for the request. Correct?

yep.

> > in other words, samba servers will be able to be members of a samba
> > domain.
>
> Cool! :)

yeah!

From lkcl at regent.push.net Tue Apr 28 18:54:35 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <199804281732.SAA26625@argo.demon.co.uk>
Message-ID:

On Wed, 29 Apr 1998, Paul Ashton wrote:

> jallison@whistle.com said:
> > Indeed. You would set up the smbd to sync unix passwords
> > and call a local program that sets a user's password as
> > root, then does a make in the yp domain directory to push
> > the changed password out to the NIS slaves.
> >
> > You still end up with two password files, but users in
> > both have the same password.
>
> Just one small problem. I never progressed the password
> change protocol from NT client to DC. I figured out how
> to disable the RC4 (?) encryption of the RPC by sending
> a certain type of NTLMSSP response, but not what the RC4
> key was. Have you gotten anywhere with that Jeremy?
>

jeremy took a look at this: the two 516 byte thingies tell him all he
needs to know: the nt password change is identical to the one used on
win95.

so we can do it, we can, we can!

From pcc at ntsinc.com Tue Apr 28 19:01:02 1998
From: pcc at ntsinc.com (Phil Cox)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
Message-ID: <3.0.5.32.19980428120102.009add20@ntsinc.com>

The more I look into this domain authentication, the more confused I
become. While reading MS KB Article Q78209, I read:

  The Netlogon service is executed to replicate the user accounts system
  (UAS) database between a primary domain controller (PDC), a backup domain
  controller (BDC), and member servers, and to validate logons to the
  logical domain the servers are in.

I am assuming that the user accounts system is referring to the SAM and
info in the NetLogon share. I am reading this to be the "domain
synchronization of the SAM & other associated domain info" goes to the
BDC's (which makes sense) BUT ALSO the member servers?????? Where am I
going wrong here? Under what (if any) circumstances do member servers
take part in the synchronization of a domain?

Lost in a haze of gray,

Phil

From lkcl at regent.push.net Tue Apr 28 18:55:10 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <3546150A.167EB0E7@whistle.com>
Message-ID:

> NT machines are happily changing their own passwords to a Samba PDC :-).

hee hee hee

From paul at argo.demon.co.uk Tue Apr 28 18:46:06 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
In-Reply-To: Your message of "Wed, 29 Apr 1998 05:06:18 +1000." <3.0.5.32.19980428120102.009add20@ntsinc.com>
Message-ID: <199804281946.UAA28173@argo.demon.co.uk>

pcc@ntsinc.com said:
> The more I look into this domain authentication, the more confused I
> become.

You're not the only one. The only way you get to understand this is to
disassemble it.

> While reading MS KB Article Q78209, I read:
>
> The Netlogon service is executed to replicate the user accounts system
> (UAS) database between a primary domain controller (PDC), a backup domain
> controller (BDC), and member servers, and to validate logons to the
> logical domain the servers are in.

Gobbledygook.

> I am assuming that the user accounts system is referring to the SAM and
> info in the NetLogon share. I am reading this to be the "domain
> synchronization of the SAM & other associated domain info" goes to the BDC's
> (which makes sense) BUT ALSO the member servers?????? Where am I going
> wrong here? Under what (if any) circumstances do member servers take part
> in the synchronization of a domain?

I think UAS==SAM here. I think there is a typo after BDC, I think it
should be "and for member servers, to validate logons to ...."

Take a look at the resource kit utility NLTEST. If you really want to
see what's going on with netlogon, you have to copy a checked build
version of netlogon.dll and set the DBFlags registry key. See the
archives.
Paul

From jallison at whistle.com Tue Apr 28 19:55:01 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
References: <3.0.5.32.19980428120102.009add20@ntsinc.com>
Message-ID: <35463415.ABD322C@whistle.com>

Phil Cox wrote:
>
> The more I look into this domain authentication, the more confused I
> become. While reading MS KB Article Q78209, I read:
>
> The Netlogon service is executed to replicate the user accounts system
> (UAS) database between a primary domain controller (PDC), a backup domain
> controller (BDC), and member servers, and to validate logons to the
> logical domain the servers are in.
>
> I am assuming that the user accounts system is referring to the SAM and
> info in the NetLogon share. I am reading this to be the "domain
> synchronization of the SAM & other associated domain info" goes to the BDC's
> (which makes sense) BUT ALSO the member servers?????? Where am I going
> wrong here? Under what (if any) circumstances do member servers take part
> in the synchronization of a domain?
>

Never. Member servers authenticate against PDCs/BDCs but do not get the
account details. I know this 'cos I just got the code working (in a
testbed harness) to do domain authentication from a UNIX client to a
Samba PDC. Now to test against an NT PDC and then check in the
'security=domain' code :-).

Jeremy.

-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From todd at edge.cis.mcmaster.ca Tue Apr 28 20:12:46 1998
From: todd at edge.cis.mcmaster.ca (Todd Pfaff)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To:
Message-ID:

On Wed, 29 Apr 1998, Jean-Francois Micouleau wrote:

> On Wed, 29 Apr 1998, Jeremy Allison wrote:
>
> > Indeed. You would set up the smbd to sync unix passwords
> > and call a local program that sets a user's password as
> > root, then does a make in the yp domain directory to push
> > the changed password out to the NIS slaves.
> >
> > You still end up with two password files, but users in
> > both have the same password.
> >
>
> And how do you change the samba encrypted password from a NIS client
> workstation ?
>
> yppasswd sends the password already encrypted to the yppasswdd daemon.

you can use smbpasswd, rather than passwd or yppasswd, to set both the
samba password and the nis password on a remote samba password server.

  smbpasswd -r nis-master-server-host

i'm using this method already but i'm using nisgina on my nt
workstations, not a samba pdc (not yet, but eventually i will).

i use the following settings on my samba password server which is also
my nis master server:

  security = user
  unix password sync = yes
  passwd program = /bin/passwd -r files %u; cd /var/yp; make passwd
  passwd chat = *New\spassword:* "%n\n" *new\spassword:* "%n\n" *updated\spasswd* . *pushed\spasswd*

this works under solaris 2.5.

all other samba servers use this nis master server as the samba
password server.

what i suggested in a previous posting is that smbpasswd use the
smb.conf password server setting so that the -r option was not
necessary.

according to what i've been reading here today, this should all work
just as well when the samba server is a pdc and:

  samba pdc = smb password server = nis master server

hurray!

-- 
Todd Pfaff                          \  Email: pfaff@mcmaster.ca
Computing and Information Services  \  Voice: (905) 525-9140 x22920
ABB 132                             \    FAX: (905) 528-3773
McMaster University                 \
Hamilton, Ontario, Canada  L8S 4M1  \

From canfield at uindy.edu Tue Apr 28 21:24:28 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To:
Message-ID: <000101bd72ec$06a95190$1a1c08c7@canfield.uindy.edu>

All this talk about passwords leads me to ask the question... Are there
any plans for an "official" way to get Unix users into the smbpasswd
file? Without resorting to patched GINA (which is impractical if you
need to use the Netware GINA anyway), the only way I can think of is to
tell users that the first time they log into an NT machine, they need to
log in as a guest (with restricted permissions), then run telnet to the
Unix machine, then change their password. Does anyone know of a better
way? I realize this would be a (bigger) problem even with a "real" NT
server.

Another thing I couldn't quite understand from the smb.conf file is the
password chat stuff. Am I correct in understanding that this can be
used to tell Samba to change the user's unix password when it receives a
request to change the smb password? If so, is there a place to specify
which passwd command to use?

Thanks all!

Dana

From lanejohn at cps.msu.edu Tue Apr 28 21:38:06 1998
From: lanejohn at cps.msu.edu (John R Lane)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <000101bd72ec$06a95190$1a1c08c7@canfield.uindy.edu>
References: <000101bd72ec$06a95190$1a1c08c7@canfield.uindy.edu>
Message-ID: <199804282138.RAA24186@canterbury.cps.msu.edu>

Dana> All this talk about passwords leads me to ask the
Dana> question... Are there any plans for an "official" way to get
Dana> Unix users into the smbpasswd file? Without resorting to
Dana> patched GINA (which is impractical if you need to use the
Dana> Netware GINA anyway), the only way I can think of is to tell
Dana> users that the first time they log into an NT machine, they
Dana> need to log in as a guest (with restricted permissions),
Dana> then run telnet to the Unix machine, then change their
Dana> password. Does anyone know of a better way? I realize this

It would seem that one could use PAM (for those running Solaris or RH
Linux, at least) on the unix side and have it relay a user's (correct)
password to the samba server. Not pretty, but ... has anyone done this?
Of course, this would mean they would have to log into a unix box first.

jrl. (Sorry if this is off-topic.)

System Manager
Department of Computer Science
Michigan State University

From HUY_DO at hp-santaclara-om3.om.hp.com Tue Apr 28 22:44:11 1998
From: HUY_DO at hp-santaclara-om3.om.hp.com (HUY_DO@hp-santaclara-om3.om.hp.com)
Date: Tue Dec 2 02:24:02 2003
Subject: Unsatisfy with the mailing list
Message-ID:

Hi,

Regardless of how great samba is, the mailing list is SUCK *~?#!!

I tried, tried and tried (like a dozen times) to unsubscribe from this
mailing list and still receiving messages.

I saw one person even beg for it, I think the administrator needs to
look into this problem.

Huy Do
Software Engineer
Hewlett Packard Co.
R&D Department - NetServer Division

From lkcl at regent.push.net Tue Apr 28 23:39:32 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
In-Reply-To: <199804281946.UAA28173@argo.demon.co.uk>
Message-ID:

On Wed, 29 Apr 1998, Paul Ashton wrote:

>
> pcc@ntsinc.com said:
> > The more I look into this domain authentication, the more confused I
> > become.
>
> You're not the only one. The only way you get to understand this is
> to disassemble it.

oo, don't say that: disassembly is only legal if it's for
interoperability reasons :-)

> > While reading MS KB Article Q78209, I read:
> >
> > The Netlogon service is executed to replicate the user accounts system
> > (UAS) database between a primary domain controller (PDC), a backup domain
> > controller (BDC), and member servers, and to validate logons to the
> > logical domain the servers are in.
>
> Gobbledygook.

the first part is factually incorrect. \PIPE\NETLOGON is for logins;
\PIPE\samr is for SAM replication. ah, they are referring to
\PIPE\NETLOGON _not_ the [netlogon] share that you load policies and
batch files from.

that's why it's confusing.

> > I am assuming that the user accounts system is referring to the SAM and
> > info in the NetLogon share. I am reading this to be the "domain
> > synchronization of the SAM & other associated domain info" goes to the BDC's
> > (which makes sense) BUT ALSO the member servers?????? Where am I going
> > wrong here? Under what (if any) circumstances do member servers take part
> > in the synchronization of a domain?
>
> I think UAS==SAM here.

that's what i assume, which means the above statement is wrong:
\PIPE\samr is used for sam replication.

> Take a look at the resource kit utility NLTEST.

this gives you information, and it's really for test / understanding
purposes. it doesn't actually do anything useful / critical. for
example, NLTEST sends an LsaAuth command _not_ an LsaAuth2 when doing a
"LsaSamLogon" test.

From lkcl at regent.push.net Tue Apr 28 23:42:11 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To:
Message-ID:

> according to what i've been reading here today, this should all work just
> as well when the samba server is a pdc and:
>
> samba pdc = smb password server = nis master server
>
> hurray!
we should really sell this *hard* - i look forward to reviewing the
press release for 1.9.19 :-)

From lkcl at regent.push.net Tue Apr 28 23:43:42 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <199804282138.RAA24186@canterbury.cps.msu.edu>
Message-ID:

> jrl. (Sorry if this is off-topic.)

it's not off-topic at all

From lkcl at regent.push.net Tue Apr 28 23:44:49 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
In-Reply-To: <199804282138.RAA24186@canterbury.cps.msu.edu>
Message-ID:

[cross-posting to samba-ntdom and pam-list]

On Wed, 29 Apr 1998, John R Lane wrote:

> Dana> All this talk about passwords leads me to ask the
> Dana> question... Are there any plans for an "official" way to get
> Dana> Unix users into the smbpasswd file? Without resorting to
> Dana> patched GINA (which is impractical if you need to use the
> Dana> Netware GINA anyway), the only way I can think of is to tell
> Dana> users that the first time they log into an NT machine, they
> Dana> need to log in as a guest (with restricted permissions),
> Dana> then run telnet to the Unix machine, then change their
> Dana> password. Does anyone know of a better way? I realize this
>
> It would seem that one could use PAM (for those running Solaris or RH
> Linux, at least) on the unix side and have it relay a user's (correct)
> password to the samba server.

oo. that's an excellent idea.

> Not pretty, but ... has anyone done
> this? Of course, this would mean they would have to log into a unix
> box first.

not necessarily...

From lkcl at regent.push.net Tue Apr 28 23:47:06 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Unsatisfy with the mailing list
In-Reply-To:
Message-ID:

hi huy,

sorry: are you unsubscribing from exactly the same place you subscribed
from? from what i see of your email address, you _may_ be logging in
from multiple machines (hp-santaclara-om3; hp-santaclara-om2 etc?)

send a message to samba-bugs@samba.anu.edu.au with a starting subject
of "UNSUBSCRIBE: please!!!" and one of the administrators (i can't)
will pick this up and deal with it, ok?

sorry for the inconvenience.

luke

On Wed, 29 Apr 1998 HUY_DO@hp-santaclara-om3.om.hp.com wrote:

> Hi,
>
> Regardless of how great samba is, the mailing list is SUCK *~?#!!
>
> I tried, tried and tried (like a dozen times) to unsubscribe from this
> mailing list and still receiving messages.
>
> I saw one person even beg for it, I think the administrator needs to
> look into this problem.
>
> Huy Do
> Software Engineer
> Hewlett Packard Co.
> R&D Department - NetServer Division
>
>

From paul at argo.demon.co.uk Tue Apr 28 22:55:15 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
In-Reply-To: Your message of "Tue, 28 Apr 1998 23:39:32 -0000."
Message-ID: <199804282355.AAA29894@argo.demon.co.uk>

lkcl@regent.push.net said:
> > > The Netlogon service is executed to replicate the user accounts system
> > > (UAS) database between a primary domain controller (PDC), a backup domain
> > > controller (BDC), and member servers, and to validate logons to the
> > > logical domain the servers are in.
> the first part is factually incorrect. \PIPE\NETLOGON is for logins;
> \PIPE\samr is for SAM replication. ah, they are referring to
> \PIPE\NETLOGON _not_ the [netlogon] share that you load policies and batch
> files from.
>
> that's why it's confusing.

No, they are referring to the Netlogon *service*, i.e. "net start
netlogon".

Paul

From tridge at samba.anu.edu.au Wed Apr 29 00:30:05 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:02 2003
Subject: Unsatisfy with the mailing list
In-Reply-To: (HUY_DO@hp-santaclara-om3.om.hp.com)
References:
Message-ID: <19980429003015Z12583765-458+16487@samba.anu.edu.au>

> Regardless of how great samba is, the mailing list is SUCK *~?#!!
>
> I tried, tried and tried (like a dozen times) to unsubscribe from this
> mailing list and still receiving messages.

Was it really that hard to follow the instructions given in the URL
shown in the header of every message sent to this list?

> I saw one person even beg for it, I think the administrator needs to
> look into this problem.

If people can't be bothered to read the initial sign-on message, and
can't be bothered to read the X-URL header and can't be bothered to try
http://samba.anu.edu.au to see the instructions there then how am I
supposed to help them??? Do I send personal faxes to each person in case
they might want to unsubscribe?? Certainly you don't expect me to
monitor the mail logs for misspelled or misdirected requests? Currently
the mail logs on samba are 2GB after a month. Maybe I should forward
them to you.

Andrew

From farrar at parc.xerox.com Wed Apr 29 00:03:49 1998
From: farrar at parc.xerox.com (Keith Farrar)
Date: Tue Dec 2 02:24:02 2003
Subject: What is the User Account System (UAS)?
Message-ID: <98Apr28.170353pdt."57094"@envy.parc.xerox.com>

UAS == LanManager term for "user accounts database".
SAM == Win NT term for "user accounts database".

The knowledge base articles on older NT (3.1) security and the LanMan to
NT migration docs sometimes mix UAS and SAM together. Technet claims
"The SAM is a superset of UAS functionality."

-kaf

From william at hae.com Wed Apr 29 03:45:50 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:02 2003
Subject: Slogans
Message-ID: <000001bd7321$4dd8a2c0$5b80b3cc@agamemnon.wyse.com>

In light of your recent password changing victory, I thought up a few
slogans for the PDC when it's released:

SAMBA...

Only your sysadmin knows for sure.
Not your Big Brother's PDC.
Pretty Damn Cool!

ALSO:

With the recent password breakthrough what's left?

By my count:

Spools
usermgr.exe (more than read-only)
machine account creation from workstation (if planned)

Anything I'm missing?

William

From lkcl at regent.push.net Wed Apr 29 05:37:59 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: Slogans
In-Reply-To: <000001bd7321$4dd8a2c0$5b80b3cc@agamemnon.wyse.com>
Message-ID:

On Wed, 29 Apr 1998, William Stuart wrote:

> In light of your recent password changing victory, I thought up a few
> slogans for the PDC when it's released:
>
> SAMBA...
>
> Only your sysadmin knows for sure.
> Not your Big Brother's PDC.
> Pretty Damn Cool!
>
> ALSO:
>
> With the recent password breakthrough what's left?
>
> By my count:
>
> Spools

jean-f's onto that.

> usermgr.exe (more than read-only)
> machine account creation from workstation (if planned)

these two are tied together: once you can add/modify user accounts,
machine accounts are also user accounts with a $ on the end, so there's
no difference

>
> Anything I'm missing?

for full stand-alone PDC functionality that makes sliced bread a
bacteriologist's dream when it's 4 weeks old: nothing i can think of...
From D.Bannon at latrobe.edu.au Wed Apr 29 05:52:23 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
In-Reply-To: <000001bd7321$4dd8a2c0$5b80b3cc@agamemnon.wyse.com>
Message-ID: <3.0.3.32.19980429155223.0082f900@bioserve.biochem.latrobe.edu.au>

Am I right in saying that usermgr.exe is working, at least readonly ?
(mine is not !)

I can do a 'net users /domain' and see everyone but User Manager for
Domains tells me that

  'Unable to browse the selected domain because : "The tag is invalid" '

Is there a trick to getting this going ? And if it's going, will the
readonly facilities allow me to authorise (samba) domain users to use
the RAS services on the NT server ?

David.

------------------------------------------------------------
David Bannon                        D.Bannon@latrobe.edu.au
School of Biochemistry              Phone 61 03 9479 2197
La Trobe University, Plenty Rd,     Fax   61 03 9479 2467
Bundoora, Vic, Australia, 3083      http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From lkcl at regent.push.net Wed Apr 29 06:02:41 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
In-Reply-To: <3.0.3.32.19980429155223.0082f900@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Wed, 29 Apr 1998, David Bannon wrote:

>
> Am I right in saying that usermgr.exe is working, at least readonly ?

sort-of :-)

> (mine is not !)
>
> I can do a 'net users /domain' and see everyone but User Manager for
> Domains tells me that
>
> 'Unable to browse the selected domain because : "The tag is invalid" '
>
> Is there a trick to getting this going ? And if it's going, will the
> readonly facilities allow me to authorise (samba) domain users to use the
> RAS services on the NT server ?

remote access server. no idea. what does RAS do? can you (or anyone
else) send me a packet trace of what happens with RAS server / client
interaction?

whether we display information in USRMGR.EXE or not will have
absolutely nothing to do with the functionality that will be provided.

lukes

From D.Bannon at latrobe.edu.au Wed Apr 29 07:30:30 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
In-Reply-To:
References: <3.0.3.32.19980429155223.0082f900@bioserve.biochem.latrobe.edu.au>
Message-ID: <3.0.3.32.19980429173030.0082fa40@bioserve.biochem.latrobe.edu.au>

At 06:02 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:
>On Wed, 29 Apr 1998, David Bannon wrote:
>
>>
>> Am I right in saying that usermgr.exe is working, at least readonly ?
>
>remote access server. no idea. what does RAS do? ...

Dial in access over a modem.

No, sorry, did not make myself clear. I need to use usrmgr.exe to tell
the nt server to allow these users access to ras. In my case, usrmgr
fails to list the users, so preventing them from being added to the
Modem_Users group.

I suspect from the messages I have seen, if I get the users added to the
Modem group, then they will authenticate OK.

David

------------------------------------------------------------
David Bannon                        D.Bannon@latrobe.edu.au
School of Biochemistry              Phone 61 03 9479 2197
La Trobe University, Plenty Rd,     Fax   61 03 9479 2467
Bundoora, Vic, Australia, 3083      http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From lkcl at regent.push.net Wed Apr 29 07:39:41 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
In-Reply-To: <3.0.3.32.19980429173030.0082fa40@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Wed, 29 Apr 1998, David Bannon wrote:

> At 06:02 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:
> >On Wed, 29 Apr 1998, David Bannon wrote:
> >
> >>
> >> Am I right in saying that usermgr.exe is working, at least readonly ?
> >
> >remote access server. no idea. what does RAS do? ...
> Dial in access over a modem.
>
>
>
> No, sorry, did not make myself clear. I need to use usrmgr.exe to tell the
> nt server to allow these users access to ras. In my case, usrmgr fails to
> list the users, so preventing them from being added to the Modem_Users group.
>
> I suspect from the messages I have seen, if I get the users added to the
> Modem group, then they will authenticate OK.

right, then i need to know what the RID of the "modem group" is, from a
packet trace or some other lookup. then you can add "domain groups = the
RID" in the smb.conf file (whatever) and you've done exactly the same
thing.

luke

From johanh at fusion.kth.se Wed Apr 29 09:05:41 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:24:02 2003
Subject: Need help with logon scripts
Message-ID:

Hi

We are using Samba PDC on Solaris 2.6 here, and it works fine. However I
can't get logon scripts to work. It did work before, but after a recent
sync to the Samba main CVS tree, it stopped working. I have updated the
code this morning.

Any ideas what I'm doing wrong?

TIA

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                        | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager   | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

From smb.conf:

  domain logons = yes
  logon drive = h:
  logon script = STARTUP.BAT
  unix realname = yes
  ...

  ; Logon scripts
  [netlogon]
    comment = logon scripts
    browseable = yes
    path = /usr/local/samba-nt/lib/netlogon
    public = no
    read only = yes

Contents of /usr/local/samba-nt/lib/netlogon (NFS readonly):

  -rw-r--r--   1 root     other        118 Apr  7 12:24 STARTUP.BAT
  lrwxrwxrwx   1 root     other         11 Mar 31 15:38 STARTUP.CMD -> STARTUP.BAT
  -rw-r--r--   1 root     other        114 Apr  7 12:24 startup.unix
  -rw-r--r--   1 root     other         28 Mar 31 15:37 startup.unix~

STARTUP.BAT generated by unix2dos < startup.unix > STARTUP.BAT

From lkcl at regent.push.net Wed Apr 29 10:23:32 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
In-Reply-To: <3.0.3.32.19980429173030.0082fa40@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Wed, 29 Apr 1998, David Bannon wrote:

> At 06:02 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:
> >On Wed, 29 Apr 1998, David Bannon wrote:
> >
> >>
> >> Am I right in saying that usermgr.exe is working, at least readonly ?
> >
> >remote access server. no idea. what does RAS do? ...
> Dial in access over a modem.
>
>
>
> No, sorry, did not make myself clear. I need to use usrmgr.exe to tell the
> nt server to allow these users access to ras.

then that implies that you are using an nt server to add nt workstation
users to an nt domain, does it not? which means that samba is not
involved in any way.

if you are using usrmgr.exe on an nt domain to add samba domain users,
then this is not possible as this requires a trust relationship to be
established between the nt domain and the samba domain, which has not
been investigated.
luke From is04797 at salleURL.edu Wed Apr 29 11:33:30 1998 From: is04797 at salleURL.edu (Viktu Pons Colomer) Date: Tue Dec 2 02:24:02 2003 Subject: Problem with filenames Message-ID: Hi. I'm absolutelly new in Samba, and I've a big problem, but don't know if it is a configuration problem. I have a Samba PDC installed on a server which acts as anonymous ftp. In the public directory of the ftp i have diferent programs for installations, such as office, win95, and shareware programs. My problem is when i try to install some of this programs. For example, I have VisualC++ V5 in a directory called /home/ftp/pub/Win95/programing/VisualC and is configured in smb.conf as [Masters] path = /home/ftp/pub If i install VisualC it works, but having Office97 in /home/ftp/pub/Win95/suites/Office97 when i try to run install.exe Nt Server 4.0 says it can't find install.exe in \\SERVER\Masters\Win95\Suites\Office97\install.exe It works in Win95, but not in NT 4.0 Spanish version. And these are not the only examples, some programs installs and others not. I have tried to copy the office's install.exe in /home/ftp/pub and then it works. Any ideas? THANKS!!! ----------------------------------------------------------------------------- Viktu Pons Colomer Col.laborador del Centre de Serveis Inform?tics CSI Department of Computer Science Escola d'Enginyeria la Salle Telf: 07 972026 Universitat Ramon Llull E-mail: is04797@els.url.es Passeig Bonanova,8 viktu@grn.es 08022-Barcelona ----------------------------------------------------------------------------- From Jean-Marie.Chretien at ibt.univ-angers.fr Wed Apr 29 11:41:07 1998 From: Jean-Marie.Chretien at ibt.univ-angers.fr (Jean-Marie.Chretien@ibt.univ-angers.fr) Date: Tue Dec 2 02:24:02 2003 Subject: Problem with filenames Message-ID: > Hi. I'm absolutelly new in Samba, and I've a big problem, but don't know > if it is a configuration problem. > > I have a Samba PDC installed on a server which acts as anonymous ftp. 
> In
> the public directory of the ftp I have different programs for
> installation, such as Office, Win95, and shareware programs.
> My problem is when I try to install some of these programs. For example, I
> have VisualC++ V5 in a directory called
> /home/ftp/pub/Win95/programing/VisualC
> and it is configured in smb.conf as
> [Masters]
> path = /home/ftp/pub
>
> If I install VisualC it works, but having Office97 in
> /home/ftp/pub/Win95/suites/Office97
> when I try to run install.exe, NT Server 4.0 says it can't find install.exe
> in \\SERVER\Masters\Win95\Suites\Office97\install.exe
>

I already noticed such a problem. It's a problem with capital letters in 8.3 directory names such as Win95 and Suites.

Several options in smb.conf can be used to tune the way Samba works with case. These options are

"case sensitive"
"default case"
"preserve case"
"short preserve case"

With "preserve case = yes" and "short preserve case = no", the case is preserved for long filenames while 8.3 filenames are lowered. With these options, an 8.3 unix file with capitals can be accessed from an NT workstation, and new 8.3 files are lowered. But if a program uses a path with an 8.3 directory with a capital, it doesn't work. I don't know why; it's probably a bug.

With "preserve case = no" and "short preserve case = no", the case is not preserved at all. With these options, you can open a unix file with capitals, but all new files are lowered.

Jean-Marie Chretien
_____________________________________________________________________________
UNIVERSITE D'ANGERS
Institut de Biologie Theorique
10, Rue A. Bocquel
49100 ANGERS - FRANCE
e-mail: chretien@ibt.univ-angers.fr
fax: (33) 241.72.34.46
phone: (33) 241.72.34.34
WWW: http://www.ibt.univ-angers.fr/~chretien
_____________________________________________________________________________

From cartegw at Eng.Auburn.EDU Wed Apr 29 13:05:21 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
References:
Message-ID: <35472591.C2289A35@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> then that implies that you are using an nt server to add nt
> workstation users to an nt domain, does it not? which means that
> samba is not involved in any way.
>
> if you are using usrmgr.exe on an nt domain to add samba domain users,
> then this is not possible as this requires a trust relationship to be
> established between the nt domain and the samba domain, which has not
> been investigated.
>

Luke,

I think what David is saying is that he has an NT server which is providing RAS service for users. Once someone dials into the RAS server, it contacts the PDC to authenticate and the user must be a member of the "Modem Group" to be validated.

Don't think what we are discussing has anything to do with trust relationships. Also this would imply that the NT group mapping was in place so that you could use User Mgr to add users to a group.

BTW... I haven't had a chance to dig into this but how does NT handle membership in multiple groups? For example, in unix you have a primary group and then secondary groups. Since the smbpasswd has no GID in the user's entry, how will this work?

Also, after looking at the name_to_rid() function you mentioned previously, I am assuming that the user credentials you pass back only contain one group RID (gid + 1000). Does an NT server pass back the information in the same way or is there a structure containing all the groups of which the user is a member?
I have been meaning to look through the header files for the structures and stuff but....

BTW again.... I got a bounced message from your new e-mail address yesterday. Figured this was the best way to let you know.

David, I don't believe that the granularity / control of NT groups which you need is implemented.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter          Engineering Network Services
Auburn University                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From mjone4 at amfam.com Wed Apr 29 13:12:53 1998
From: mjone4 at amfam.com (Michael Jones)
Date: Tue Dec 2 02:24:02 2003
Subject: Problem with filenames
In-Reply-To:
Message-ID: <000001bd7370$8555dc50$687b400a@mxj004pc.amfam.com>

Heheh, this is actually a problem with Office97! It happens on Novell AND Microsoft servers. You need to map a drive to the top-level directory of the Office97 flat in order to install over the network. Go figure. I had this same problem a few months ago with a Novell 3.12 file server.

And one word of advice.. Do a custom install and make sure to deselect the Office Assistant ;)

-----Original Message-----
From: samba-ntdom@samba.anu.edu.au [mailto:samba-ntdom@samba.anu.edu.au] On Behalf Of Viktu Pons Colomer
Sent: Wednesday, April 29, 1998 5:41 AM
To: Multiple recipients of list
Subject: Problem with filenames

Hi. I'm absolutely new to Samba, and I have a big problem, but don't know if it is a configuration problem.

I have a Samba PDC installed on a server which acts as anonymous ftp. In the public directory of the ftp I have different programs for installation, such as Office, Win95, and shareware programs. My problem is when I try to install some of these programs.
For example, I have VisualC++ V5 in a directory called

/home/ftp/pub/Win95/programing/VisualC

and it is configured in smb.conf as

[Masters]
path = /home/ftp/pub

If I install VisualC it works, but having Office97 in

/home/ftp/pub/Win95/suites/Office97

when I try to run install.exe, NT Server 4.0 says it can't find install.exe in

\\SERVER\Masters\Win95\Suites\Office97\install.exe

It works in Win95, but not in NT 4.0 Spanish version. And these are not the only examples; some programs install and others do not. I have tried to copy Office's install.exe into /home/ftp/pub and then it works.

Any ideas?

THANKS!!!

-----------------------------------------------------------------------------
Viktu Pons Colomer
Collaborator, Centre de Serveis Informàtics (CSI)
Department of Computer Science
Escola d'Enginyeria la Salle          Telf: 07 972026
Universitat Ramon Llull               E-mail: is04797@els.url.es
Passeig Bonanova, 8                   viktu@grn.es
08022-Barcelona
-----------------------------------------------------------------------------

From canfield at uindy.edu Wed Apr 29 16:57:05 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:02 2003
Subject: User Manager for Domains
References:
Message-ID: <35475BE1.435276A4@uindy.edu>

For clarification, if you set domain groups = xxx, then all users who are authenticated are placed in that NT group, right? If so, should someone post a list of some of the more popular group RIDs (at least users) for those of us who don't know how to glean them from packet traces?

Thanks!

Luke Kenneth Casson Leighton wrote:

> right, then i need to know what the RID of the "modem group" is, from a
> packet trace or some other lookup. then you can add "domain groups = the
> RID" in the smb.conf file (whatever) and you've done exactly the same
> thing.
>
> luke

From canfield at uindy.edu Wed Apr 29 17:18:09 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:02 2003
Subject: Samba PDC as a password server
References:
Message-ID: <354760D1.EDE5376D@uindy.edu>

Luke Kenneth Casson Leighton wrote:

> [cross-posting to samba-ntdom and pam-list]
>
> On Wed, 29 Apr 1998, John R Lane wrote:
> > It would seem that one could use PAM (for those running Solaris or RH
> > Linux, at least) on the unix side and have it relay a user's (correct)
> > password to the samba server.
>
> oo. that's an excellent idea.

For a few more days, I've got a spare machine that I could try this out with. My PAM skills are horrendous (see below), but if anyone wants to give me an idea of how to go about this, I can try it out and see if it works.

OFF TOPIC ALERT:

This brings up another question/problem. I assume this setup would use PAM_NTDOM somehow, right? Has anyone tried it with a really large passwd file? I'm extremely cautious of PAM right now. When I first installed Linux on our systems, I didn't notice that PAM authentication with pam_pwdb took well over a second to validate a user (our password file is over 2000 users). This may not seem like long, but we service about 50-80 POP3 connections per minute. As you can guess, the system bogged down to a halt within about 15 minutes. Switching to pam_unix_* more or less fixed the problem, but it's still not as fast as a POP server compiled without PAM support. (I'm certainly open to the possibility that this might be a configuration error, but RedHat had no suggestions, either.) My concern is that if PAM_NTDOM isn't lightning-fast, it may not be feasible for large installations to use it for Samba authentication across multiple machines, which is kind of the point, right?

(BTW, this is the only time I've encountered any "scalability problems with Linux", which seems to be the popular vague criticism of it right now.)

> > Not pretty, but ... has anyone done
> > this?
> > Of course, this would mean they would have to log into a unix
> > box first.
>
> not necessarily...

I just love these vague two-word optimisms from Luke. They really keep the wheels turning on this list. "Well, Luke said it wasn't impossible, so there must be a way..." ;-)

Dana

From jallison at whistle.com Wed Apr 29 23:34:54 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:02 2003
Subject: New security=domain code.
Message-ID: <3547B91E.13728473@whistle.com>

Ok all,

I have just checked in a bunch of code to the head branch that allows Samba to act as a member of an NT domain. It's fiddly to set up and not at all documented as yet...

The (very) brief notes :

Do a build with the current head branch (note that the Makefile has changed, you will have to use the new one), kill all running smbd/nmbds and then set the following in your smb.conf :

security=domain
password server=
workgroup=

Next, log onto the NT PDC as Administrator, and add the Samba machine to the domain using user manager for domains. The NetBIOS name you add *must* be the same name that smbd gets for itself in the global_myname variable (ie. the same name you would set by the parameter "netbios name=", or the first component of the DNS name).

Then, as root do :

smbpasswd -j

(making sure you're using the smbpasswd you just built :-). This should change the machine account password for the new machine in the domain (in a horribly insecure way, but it's the NT domain security implementation, what can you do :-).

What this does is it stores the machine account password in the file:

DOMAIN.NETBIOS_MACHINE_NAME.mac

in the same directory as the smbpasswd file would be (it creates the file on success).

If this step fails, or you wish to see debug output, type

smbpasswd -D 100 -j

instead of the command above.
Note that when doing security=domain, as opposed to setting Samba up as a PDC, you do *not* need to have a machine account in the smbpasswd file; indeed you don't need to have an smbpasswd file at all if you don't want any local users.

Now re-start smbd/nmbd.

Go to another NT box (not the PDC, although it could be) and type:

net use * \\<samba server>\<share> /user:<NT domain>\<username> *

Where :

<samba server> = NetBIOS name of Samba server.
<share> = share you wish to connect to on Samba server.
<NT domain> = Name of the NT Domain you just added the Samba server to.
<username> = Username in the NT Domain that you wish to connect as.

You will be prompted for the password - enter the password for the given user in the given NT domain. If all goes well you will get a drive mapped. If it fails, there should be a message in the log.smb file showing why the authentication to the NT PDC didn't work, or crank up the smbd debug log level to get more details.

Note that the user must still exist in the unix account database (usually /etc/passwd) as Samba uses this to map the correct uid to the user. Note though, that all password authentication is being done down the secure channel to the NT PDC. (You can see the details if you start smbd with a high debug level :-).

If you're feeling *really* adventurous, then set the password server= parameter to point to your Samba PDC, and add the Samba server into the Samba PDC domain in the same way as normal (note that the Samba PDC smbd must be running the same cvs code level - ie. the current head branch - for this to work). The domain client Samba server will work to a Samba PDC in exactly the same way, documented above (look ma, no NT :-).

If you do have a smbpasswd file containing user accounts on the Samba server set up with security=domain, you can select authentication to these passwords by replacing the NTDOMAIN name with the Samba server NetBIOS name in the example above, eg.

net use * \\<samba server>\<share> /user:<samba server>\<username> *

This is exactly the same as the local SAM account database on an NT workstation or server that isn't a PDC/BDC.
Now I'm going on vacation for 4 days - so have fun with the new code and I'll try and pick up the pieces on Monday when I return :-).

Cheers,

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Thu Apr 30 00:50:38 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:02 2003
Subject: Slight correction.....
Message-ID: <3547CADE.2C67412E@whistle.com>

To the document describing how to set up security=domain. I wrote :

"Next, log onto the NT PDC as Administrator, and add the Samba machine to the domain using user manager for domains."

of course that *should* be :

"Next, log onto the NT PDC as Administrator, and add the Samba machine to the domain using *Server* manager for domains."

Doh (in my best Homer Simpson voice :-), sorry.

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From johanh at fusion.kth.se Thu Apr 30 08:45:46 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:24:02 2003
Subject: Need help with logon scripts
In-Reply-To:
Message-ID:

Hi again

Updating the CVS tree this morning did make logon scripts work again.

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                       | johanh@fusion.kth.se            |
| Ph.D. Student and System Manager  | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

From lkcl at regent.push.net Thu Apr 30 12:26:14 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To: <35472591.C2289A35@eng.auburn.edu>
Message-ID:

On Wed, 29 Apr 1998, Gerald Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > then that implies that you are using an nt server to add nt
> > workstation users to an nt domain, does it not? which means that
> > samba is not involved in any way.
> >
> > if you are using usrmgr.exe on an nt domain to add samba domain users,
> > then this is not possible as this requires a trust relationship to be
> > established between the nt domain and the samba domain, which has not
> > been investigated.
> >
>
> Luke,
>
> I think what David is saying is that he has an NT server which is
> providing RAS service for users. Once someone dials into the RAS
> server, it contacts the PDC to authenticate and the user must be a
> member of the "Modem Group" to be validated.

oookkkk... then all that is required is to know the RID of the "Modem Group" and add it to the "domain groups = " parameter in smb.conf...

> Don't think what we are discussing has anything to do with trust
> relationships. Also this would imply that the NT group mapping was in
> place so that you could use User Mgr to add users to a group.
that is not necessary: the domain groups parameter does exactly the functional equivalent of that [adding users to a group]

i hope :-)

From lkcl at regent.push.net Thu Apr 30 12:52:28 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To: <35475BE1.435276A4@uindy.edu>
Message-ID:

On Wed, 29 Apr 1998, Dana Canfield wrote:

> For clarification, if you set domain groups = xxx, then all users who are
> authenticated are placed in that NT group, right?

i should hope so :-)

> If so, should someone post a list of some of the more popular group RIDs (at least
> users) for those of us who don't know how to glean them from packet traces?

yes, that would be most helpful. i already have the list from winnt.h, but i was not aware that there are more: things like "modem users".

> Thanks!
>
>
> Luke Kenneth Casson Leighton wrote:
>
> > right, then i need to know what the RID of the "modem group" is, from a
> > packet trace or some other lookup. then you can add "domain groups = the
> > RID" in the smb.conf file (whatever) and you've done exactly the same
> > thing.
> >
> > luke
>
>

From lkcl at regent.push.net Thu Apr 30 13:01:55 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
In-Reply-To: <354760D1.EDE5376D@uindy.edu>
Message-ID:

> This brings up another question/problem. I assume this setup would use
> PAM_NTDOM somehow, right?

uh... dunno.

> Has anyone tried it with a really large passwd file? I'm extremely cautious
> of PAM right now.

i'm cc'ing your message to the pam list, because this issue has just been raised there: your experiences, dana, will be useful feedback, and i am sure that someone on the pam list will let you (us) know if any performance improvements in pam_pwdb (or other) have been made.
> When I first
> installed Linux on our systems, I didn't notice that PAM authentication with
> pam_pwdb took well over a second
> to validate a user (our password file is over 2000 users). This may not seem
> like long, but we service about 50-80
> POP3 connections per minute. As you can guess, the system bogged down to a
> halt within about 15 minutes.
> Switching to pam_unix_* more or less fixed the problem, but it's still not
> as fast as a POP server compiled without
> PAM support. (I'm certainly open to the possibility that this might be a
> configuration error, but RedHat had no
> suggestions, either.) My concern is that if PAM_NTDOM isn't lightning-fast,

do you consider 12-15 packet exchanges totalling about 10k of network traffic just to verify one user to be "lightning fast", regardless of the system it is implemented on (samba or NT)?

because this is what happens. the LsaSamLogon response alone can be anything between 500 and 800 bytes, and the rest of the traffic is just to establish "common ground" etc.

From lkcl at regent.push.net Thu Apr 30 13:03:58 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
In-Reply-To: <354760D1.EDE5376D@uindy.edu>
Message-ID:

> > > Not pretty, but ... has anyone done
> > > this? Of course, this would mean they would have to log into a unix
> > > box first.
> >
> > not necessarily...
>
> I just love these vague two-word optimisms from Luke.

ta dana. he he. i'm sorry: i've been on a few late nights, recently.

i was referring to some (currently vague) plans going round my head to turn linux into nt, going so far as providing full nt login capabilities, using pams as a jumping point. but more is needed than just pams: pams only do usernames, nothing else.

> They really keep the
> wheels turning on this list.
> "Well, Luke said it wasn't impossible, so there must be a way..."
> ;-)
>
> Dana
>

From lkcl at regent.push.net Thu Apr 30 13:04:43 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Slowness w/ large passwd file (fwd)
Message-ID:

dana, here is a relevant message from the pam-list.

---------- Forwarded message ----------
Date: Wed, 29 Apr 1998 20:46:54 +0200
From: Kristof Van Damme
Reply-To: pam-list@redhat.com
To: pam-list@redhat.com
Subject: Re: Slowness w/ large passwd file
Resent-Date: 29 Apr 1998 17:50:14 -0000
Resent-From: pam-list@redhat.com
Resent-cc: recipient.list.not.shown:;

Michael K. Johnson wrote:
>
> "Kristof Van Damme" writes:
> >Just confirming the phenomenon here. About 8 months ago we needed a
> >major CPU upgrade to overcome the problem on a machine with 9000
> >accounts.
> >We are now reaching 18.000 accounts and are faced with the same
> >problem.
>
> Are you using passwd files or NIS?

passwd

> Have you tried using the pam_unix modules? They are reportedly faster
> than pwdb at this time (pwdb has more features).

Eeh... on a stock RHL 5.0 I get:

[dlerror: /lib/security/pam_unix_auth.so: undefined symbol: crypt]

trying those modules. Think I'm gonna compile a pamless POP daemon. See what difference that makes.

Aeneas
--
=====================================================================
Kristof Van Damme          No Limits NV
kvd@nli.be                 DesguinLei 6
                           3000 Antwerpen
=====================================================================

From lkcl at regent.push.net Thu Apr 30 13:16:41 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: CVS update: samba/source/lib/rpc/server (fwd)
Message-ID:

fyi

the way that this will be used is to have:

encrypted passwords = no
update encrypted = yes

for a few days, have everyone log in with their clear-text password, and a private/smbpasswd file will automatically be generated. then switch to

encrypted passwords = yes
update encrypted = no

and voila.
if you were feeling _really_ adventurous you could have:

include = smb.conf.%M

and have one file smb.conf.MACHINE_CT (clear-text for short) with

encrypted passwords = no
update encrypted = yes

and another file smb.conf.MACHINE with the other stuff in...

luke

---------- Forwarded message ----------
Date: Thu, 30 Apr 1998 11:44:18 +1000
From: Jeremy Allison
To: Multiple recipients of list
Subject: CVS update: samba/source/lib/rpc/server

Date: Thursday April 30, 1998 @ 11:39
Author: jra

Update of /data/cvs/samba/source/lib/rpc/server
In directory samba:/tmp/cvs-serv91/lib/rpc/server

Modified Files:
	srv_netlog.c

Log Message:

Added patch from Bruce Tenison to allow encrypted passwords to be stored over time, allowing a smbpasswd file migration. Adds new parameter "update encrypted". Will also add to 1.9.18 branch. Docs update to follow.

Jeremy.

From eppinette at nlu.edu Thu Apr 30 13:41:19 1998
From: eppinette at nlu.edu (Chance W. Eppinette)
Date: Tue Dec 2 02:24:03 2003
Subject: Initial info on Samba?
Message-ID: <35487F7F.4C681F32@nlu.edu>

Hello,

We are getting ready to set up some small 6-12 station labs in some of our dorms. We will be using the thin-client scenario where the clients will be served from a CITRIX NT box for most applications. We have a fairly large SUN box where all student accounts are located for email, web purposes, etc. We would like to be able to make the thin-client logon authentication back to the NT box be in sync with the user account on the SUN box. Also, we would like for any specific profiles, such as Netscape settings, application settings, etc, to be resident with the SUN account. Also any files created in the WINTEL environment would be saved back to shares on the SUN box.

I kind of gather that SAMBA can do this, but I would really appreciate any backup of this. Also if anyone out there is doing this or something similar, could you fill us in on any hurdles we need to be looking for?
Thanks for any info,
Chance Eppinette
--
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
|                                                                |
| Chance W. Eppinette          Northeast Louisiana University    |
| Network Manager              Computing Center                  |
|                              Monroe, LA 71209                  |
| email: eppinette@nlu.edu                                       |
| phone: (318) 342-5021        fax: (318) 342-5018               |
| office: Admin 1-155A         "G R A Y   V I P E R"             |
|                                                                |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

From lkcl at regent.push.net Thu Apr 30 13:48:15 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Initial info on Samba?
In-Reply-To: <35487F7F.4C681F32@nlu.edu>
Message-ID:

hi chance,

yes samba (backed up with some shell scripts) can do this, have a look at the archives on http://samba.anu.edu.au/listproc and also ask the same question on samba@samba.anu.edu.au: there are several thousand people on that list, whereas there are only about 400 on samba-ntdom.

good luck!

luke

On Thu, 30 Apr 1998, Chance W. Eppinette wrote:

> Hello,
>
> We are getting ready to set up some small 6-12 station labs in some
> of our dorms. We will be using the thin-client scenario where the
> clients will be served from a CITRIX NT box for most applications.
> We have a fairly large SUN box where all student accounts are located
> for email, web purposes, etc.
> We would like to be able to make the thin-client logon authentication
> back to the NT box be in sync with the user account on the SUN box.
> Also, we would like for any specific profiles, such as Netscape
> settings, application settings, etc, to be resident with the
> SUN account. Also any files created in the WINTEL environment would be
> saved back to shares on the SUN box.
>
> I kind of gather that SAMBA can do this, but I would really appreciate
> any backup of this. Also if anyone out there is doing this or something
> similar, could you fill us in on any hurdles we need to be looking for?
>
> Thanks for any info,
> Chance Eppinette
> --

From canfield at uindy.edu Thu Apr 30 13:56:37 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
References:
Message-ID: <35488315.382F8F8F@uindy.edu>

Luke Kenneth Casson Leighton wrote:

> > Has anyone tried it with a really large passwd file? I'm extremely cautious
> > of PAM right now.
>
> i'm cc'ing your message to the pam list, because this issue has just been
> raised there: your experiences, dana, will be useful feedback, and i am
> sure that someone on the pam list will let you (us) know if any
> performance improvements in pam_pwdb (or other) have been made.

As I mentioned before, I've got a large environment and a machine in which I can do *some* experimentation, so if it helps anyone, I'm willing to test some things.

> > PAM support. (I'm certainly open to the possibility that this might be a
> > configuration error, but RedHat had no
> > suggestions, either.) My concern is that if PAM_NTDOM isn't lightning-fast,
>
> do you consider 12-15 packet exchanges totalling about 10k of network
> traffic just to verify one user to be "lightning fast", regardless of the
> system it is implemented on (samba or NT)?
>
> because this is what happens. the LsaSamLogon response alone can be
> anything between 500 and 800 bytes, and the rest of the traffic is just to
> establish "common ground" etc.

Let me clarify my concern: It sounds as though (despite the security risks), most of us are looking for a method to allow our users to have a single logon.
Assuming we want to use NT on the desktops, that means we need to use NT-style encryption since NT encrypts before sending. Now, if we want to try to eliminate duplicate password files we need to find some way to make Unix authenticate to the NT passwords. We can do that with PAM_NTDOM, but this means that ALL authentication has to go through this module. Considering the overhead mentioned above, it sounds as though this might not be such a great idea if you are serving a lot of users through a lot of services.

Initially, it may not sound as though two password files are such a bad thing. But my biggest concern is that none of the schemes I've seen so far have a contingency in case one password change is successful, but the other one fails. We would need to go back and un-change the first one, making for a rather complex scheme.

The only "tidy" solution I can think of that might keep overhead low is to create some kind of "pam_smbdb". This would work just like pam_pwdb, but would work with NT-style encryption, meaning you could yank out /etc/passwd and replace it with the contents of smbpasswd. Does anyone know if there is a way to format the smbpasswd file that wouldn't break the system calls such as getpwnam(), getpwuid(), etc.? What happens if we tack this on to the end of a "standard" passwd file line (with a standard password replaced by an NT-style password)?

Am I way off base on this?

Dana

From cartegw at Eng.Auburn.EDU Thu Apr 30 14:09:07 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: Initial info on Samba?
References: <35487F7F.4C681F32@nlu.edu>
Message-ID: <35488603.2EDBA642@eng.auburn.edu>

Chance,

You should probably forward your questions to the main samba mailing list. This one really is for dealing with the development of Samba as a PDC for NT domains.

jerry

Chance W. Eppinette wrote:
>
> Hello,
>
> We are getting ready to set up some small 6-12 station labs in some
> of our dorms.
> We will be using the thin-client scenario where the
> clients will be served from a CITRIX NT box for most applications.
> We have a fairly large SUN box where all student accounts are located
> for email, web purposes, etc.
> We would like to be able to make the thin-client logon authentication
> back to the NT box be in sync with the user account on the SUN box.
> Also, we would like for any specific profiles, such as Netscape
> settings, application settings, etc, to be resident with the
> SUN account. Also any files created in the WINTEL environment would be
> saved back to shares on the SUN box.
>
> I kind of gather that SAMBA can do this, but I would really appreciate
> any backup of this. Also if anyone out there is doing this or something
> similar, could you fill us in on any hurdles we need to be looking for?
>
> Thanks for any info,
> Chance Eppinette
> --

--
________________________________________________________________________
Gerald ( Jerry ) Carter          Engineering Network Services
Auburn University                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From daniel at med.up.pt Thu Apr 30 14:08:15 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:03 2003
Subject: Initial info on Samba?
In-Reply-To: <35487F7F.4C681F32@nlu.edu>
Message-ID:

On Thu, 30 Apr 1998, Chance W. Eppinette wrote:

> I kind of gather that SAMBA can do this, but I would really appreciate
> any backup of this.
> Also if anyone out there is doing this or something
> similar, could you fill us in on any hurdles we need to be looking for?

Yes. All that and more can be done with Samba.

Regarding Netscape's personalized settings, all you have to do is configure it to pick up its profile (Netscape Communicator 4) from each user's home mapping drive (mine is the H:\Netscape directory). That way Netscape can be fooled into using only one profile which is different for every user, since every home drive is connected upon logon.

You have much more work waiting for some tidbits, but it's all a matter of pulling back your sleeves and digging in the mud.

Check the archives of this list for some more general info:

http://samba.anu.edu.au/listproc/samba-ntdom

Hope to help,

Daniel Fonseca
Sysadmin for Med School - UP
http://www.med.up.pt

From eppinette at nlu.edu Thu Apr 30 14:29:53 1998
From: eppinette at nlu.edu (Chance W. Eppinette)
Date: Tue Dec 2 02:24:03 2003
Subject: SUMMARY: Initial info on Samba?
Message-ID: <35488AE1.9CF9B3C1@nlu.edu>

I figured I would go ahead and quickly summarize about my question. Several people have already responded to me that what I ask is possible but I should direct my questions to samba@samba. I already feel more comfortable about our tasks.

> Hello,
>
> We are getting ready to set up some small 6-12 station labs in some
> of our dorms. We will be using the thin-client scenario where the
> clients will be served from a CITRIX NT box for most applications.
> We have a fairly large SUN box where all student accounts are located
> for email, web purposes, etc.
> We would like to be able to make the thin-client logon authentication
> back to the NT box be in sync with the user account on the SUN box.
> Also, we would like for any specific profiles, such as Netscape
> settings, application settings, etc, to be resident with the
> SUN account. Also any files created in the WINTEL environment would be
> saved back to shares on the SUN box.
>
> I kind of gather that SAMBA can do this, but I would really appreciate
> any backup of this. Also if anyone out there is doing this or something
> similar, could you fill us in on any hurdles we need to be looking for?
>
> Thank you.

From lkcl at regent.push.net Thu Apr 30 16:35:54 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: PAM and NT'ed Linux ..
In-Reply-To: <199804301458.HAA21845@blighty.transmeta.com>

On Thu, 30 Apr 1998, Andrew Morgan wrote:

> Luke Kenneth Casson Leighton writes:
> > On Thu, 30 Apr 1998, Dave Airlie wrote:
> > > I have seen your posting about there being a problem with Linux becoming
> > > NT'ed, due to the incompleteness of PAM,
> > >
> > > I am just wondering how much work it would be to allow
> > >
> > > DOMAIN\USERNAME as a username for most programs and then have the PAM
> > > module get this string and work it out from there ....
> >
> > funnily enough i've been thinking EXACTLY the same thing for a few days!!!
> >
> > > I might play around with this idea with pam_smb later on today to see ...
> > >
> > > Does anyone on the pam_list have any reason why a username of that type
> > > might cause problems ?
> >
> > it might have to be turned into a real user, but that can be done by
> > modifying the PAM_USER_DATA (or whatever) data field. does anyone on the
> > pam_list have any problem / issue with _that_, and in particular, will it
> > cause problems for applications?
>
> I probably would have some comments and suggestions, I just do not
> understand what you are talking about!
> Please could you elaborate?
>
> Are you trying to make a module that will plug into login, for
> example? If so, what would I as an applicant user see in the way of
> prompts and what would login need to support in order to work?

based on pam_unix, it would be identical to the login / logout system, but
would potentially _change_ the username that the user actually logged in as.

e.g from \\DOMAIN\lkcl to lkcl_dom (or just to guest or nobody)
e.g from Administrator to root

such that you do

Linux 2.0.30

regent login: Administrator
Password: .....

Last Login: some_time_ago
bash% whoami
root
bash%

From ink at inconnu.isu.edu Thu Apr 30 16:53:27 1998
From: ink at inconnu.isu.edu (Craig Kelley)
Date: Tue Dec 2 02:24:03 2003
Subject: SAMBA-NTDOM digest 149
In-Reply-To: <19980430094628Z12632785-460+18177@samba.anu.edu.au>

On Thu, 30 Apr 1998 Jeremy Allison wrote:

> net use * \\\ /user:\ *

After issuing this command, NT comes back with:

-------
D:\>net use * \\inconnu\cdrom /user:rxnet\ink *
Type the password for \\inconnu\cdrom:
System error 86 has occurred.

The specified network password is not correct.
-------

The samba log complains that it couldn't logon to the PDC as the guest user:

-------
cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD
domain_client_validate: unable to validate password for user guest in domain
to Domain controller DURBY. Error was NT_STATUS_WRONG_PASSWORD.
--------

Am I missing something about setting up a guest account on our PDC?

From canfield at uindy.edu Thu Apr 30 17:01:42 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:03 2003
Subject: CVS update: samba/source/lib/rpc/server (fwd)
Message-ID: <3548AE76.45C3BC7E@uindy.edu>

This is a great feature. It at least eliminates the lurking dilemma of
getting the majority of users into the system.
But, I do have two quick questions (sorry, I'm one of those that will jump,
but wants to carry 6 parachutes...):

1) Using this feature just requires changing a registry setting in NT4 SP3
   to use clear-text, right?

2) If so, are there any known problems running cleartext on SP3 besides the
   "decreased security"?

Thanks all, it's getting exponentially better every day!

Luke Kenneth Casson Leighton wrote:

> fyi the way that this will be used is to have:
>
> encrypted passwords = no
> update encrypted = yes
>
> for a few days, have everyone log in with their clear-text password, and
> a private/smbpasswd file will automatically be generated.
>
> then switch to
>
> encrypted passwords = yes
> update encrypted = no
>
> and voila.
>
> if you were feeling _really_ adventurous you could have:
>
> include = smb.conf.%M
>
> and have one file smb.conf.MACHINE_CT (clear-text for short)
> with
>
> encrypted passwords = no
> update encrypted = yes
>
> and another file smb.conf.MACHINE
>
> with the other stuff in...
>
> luke
>
> ---------- Forwarded message ----------
> Date: Thu, 30 Apr 1998 11:44:18 +1000
> From: Jeremy Allison
> To: Multiple recipients of list
> Subject: CVS update: samba/source/lib/rpc/server
>
> Date: Thursday April 30, 1998 @ 11:39
> Author: jra
>
> Update of /data/cvs/samba/source/lib/rpc/server
> In directory samba:/tmp/cvs-serv91/lib/rpc/server
>
> Modified Files:
> srv_netlog.c
> Log Message:
> Added patch from Bruce Tenison to allow encrypted
> passwords to be stored over time, allowing a smbpasswd file migration.
> Adds new parameter "update encrypted".
> Will also add to 1.9.18 branch.
> Docs update to follow.
> Jeremy.

From btenison at rstc.cc.al.us Thu Apr 30 17:08:45 1998
From: btenison at rstc.cc.al.us (R Bruce Tenison)
Date: Tue Dec 2 02:24:03 2003
Subject: FW: CVS update: samba/source/lib/rpc/server

One slight modification to this.
Make sure that the smbpasswd file exists, and has entries for those people
who have entries in the /etc/passwd file. (Make the smbpasswd file with the
mksmbpasswd.sh script to start.) If an entry doesn't exist in the smbpasswd
file and exists in the passwd file, the server will not create the smbpasswd
file entry.

Bruce

-----Original Message-----
From: samba@samba.anu.edu.au [mailto:samba@samba.anu.edu.au] On Behalf Of
Luke Kenneth Casson Leighton
Sent: Thursday, April 30, 1998 8:24 AM
To: Multiple recipients of list
Subject: CVS update: samba/source/lib/rpc/server (fwd)

fyi the way that this will be used is to have:

encrypted passwords = no
update encrypted = yes

for a few days, have everyone log in with their clear-text password, and
a private/smbpasswd file will automatically be generated.

then switch to

encrypted passwords = yes
update encrypted = no

and voila.

if you were feeling _really_ adventurous you could have:

include = smb.conf.%M

and have one file smb.conf.MACHINE_CT (clear-text for short)
with

encrypted passwords = no
update encrypted = yes

and another file smb.conf.MACHINE

with the other stuff in...

luke

---------- Forwarded message ----------
Date: Thu, 30 Apr 1998 11:44:18 +1000
From: Jeremy Allison
To: Multiple recipients of list
Subject: CVS update: samba/source/lib/rpc/server

Date: Thursday April 30, 1998 @ 11:39
Author: jra

Update of /data/cvs/samba/source/lib/rpc/server
In directory samba:/tmp/cvs-serv91/lib/rpc/server

Modified Files:
srv_netlog.c
Log Message:
Added patch from Bruce Tenison to allow encrypted
passwords to be stored over time, allowing a smbpasswd file migration.
Adds new parameter "update encrypted".
Will also add to 1.9.18 branch.
Docs update to follow.
Jeremy.

From morgan at transmeta.com Thu Apr 30 18:23:32 1998
From: morgan at transmeta.com (Andrew Morgan)
Date: Tue Dec 2 02:24:03 2003
Subject: PAM and NT'ed Linux ..
References: <199804301458.HAA21845@blighty.transmeta.com>
Message-ID: <199804301823.LAA09568@blighty.transmeta.com>

Luke Kenneth Casson Leighton writes:

> based on pam_unix, it would be identical to the login / logout system, but
> would potentially _change_ the username that the user actually logged in
> as.
>
> e.g from \\DOMAIN\lkcl to lkcl_dom (or just to guest or nobody)
> e.g from Administrator to root
>
> such that you do
>
> Linux 2.0.30
>
> regent login: Administrator
> Password: .....
>
> Last Login: some_time_ago
> bash% whoami
> root
> bash%

This is not hard. In fact, I think it is one of the things pam is designed
to make easy.

The pam notion of who is being authenticated is contained in the PAM_USER
item. How this item is filled is something a module has a lot of control
over. The default is for the application to supply this value when you call
pam_start, or for a module to make use of the PAM_PROMPT item and call
pam_get_user().

Alternatively, if your module wants to explicitly prompt for:

login: me
domain [default=here]: there
password: XXXX

and then translate the me/there combination into a local (UNIX) username
with the appropriate credentials, it can. All it does is
pam_set_item(..PAM_USER...) with the appropriate UNIX username. It can then
verify that XXX is the right password for the user and return success or
failure as appropriate.

With "correctly" PAMified applications, this will likely "just work". You
may have problems with things like ftpd and popd whose protocols are so
restrictive that they don't support arbitrary user prompting...
Cheers

Andrew

From D.Bannon at latrobe.edu.au Thu Apr 30 23:40:26 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
References: <3.0.3.32.19980429173030.0082fa40@bioserve.biochem.latrobe.edu.au>
Message-ID: <3.0.3.32.19980501094026.00832100@bioserve.biochem.latrobe.edu.au>

At 07:39 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:

>> Dial in access over a modem.
>
> right, then i need to know what the RID of the "modem group" is, from a
> packet trace or some other lookup.

Cool. I have checked the nt server, it has no intention of telling me what
the MODEM_USERS RID is. (if I needed to know that, I would have been born
with the information coded into my genes...., thanks Bill)

Can you refer me to some instructions on how to do a packet trace ? Please !

David.

------------------------------------------------------------
David Bannon                           D.Bannon@latrobe.edu.au
School of Biochemistry                 Phone 61 03 9479 2197
La Trobe University, Plenty Rd,        Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083         http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From glauche at plum.de Sat Apr 11 10:38:37 1998
From: glauche at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:05 2003
Subject: Attempt to locate null printername! Internal error?
Message-ID: <00b101bd6535$fce3c6e0$cf3b8286@prangh>

Hi,

I got a couple of these messages in samba-log.smb, and samba refusing domain
logons. A restart of samba solved the problem, but what is it ?

Using CVS head samba from around 24.3.

regards,

Michael
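Bruce's caveat in the "update encrypted" thread above, that smbd only fills in hashes for accounts that already have an smbpasswd entry, invites a check before the clear-text window is opened. The following is an added example, not code from the thread or from Samba: it lists passwd users still missing from smbpasswd, run here over constructed sample files; the uid cutoff of 500 for "real" users is an assumption.

```sh
#!/bin/sh
# Added example for the "update encrypted" migration described in the thread;
# this is not code from the Samba project. With "encrypted passwords = no" and
# "update encrypted = yes", smbd only fills in hashes for accounts that already
# have an smbpasswd entry, so this lists passwd users who still lack one
# (typically accounts created after mksmbpasswd.sh was run).

# missing_smb_entries PASSWD_FILE SMBPASSWD_FILE [MIN_UID]
# Prints the login names in PASSWD_FILE with uid >= MIN_UID (default 500, an
# assumed site convention for real users) that have no entry in SMBPASSWD_FILE.
missing_smb_entries() {
    passwd_file=$1
    smb_file=$2
    min_uid=${3:-500}
    awk -F: -v min="$min_uid" '
        /^#/ { next }                                  # comment lines in either file
        FILENAME == ARGV[1] { have[$1] = 1; next }     # smbpasswd: remember user names
        $3 + 0 >= min && !($1 in have) { print $1 }    # passwd: report unmatched users
    ' "$smb_file" "$passwd_file"
}

# Constructed sample data standing in for /etc/passwd and private/smbpasswd.
# The two hash fields are the 32 X placeholders mksmbpasswd.sh writes for an
# account whose password has not been captured yet.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
SAMPLE_SMB=$SAMPLE_DIR/smbpasswd
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:500:100:Alice:/home/alice:/bin/sh
bob:x:501:100:Bob:/home/bob:/bin/sh
carol:x:502:100:Carol:/home/carol:/bin/sh
EOF
cat > "$SAMPLE_SMB" <<'EOF'
# SMB password file.
alice:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Alice:/home/alice:/bin/sh
EOF

# bob and carol are reported: smbd will never migrate them until an entry exists.
missing_smb_entries "$SAMPLE_PASSWD" "$SAMPLE_SMB"
```

Run it against the live /etc/passwd and private/smbpasswd after mksmbpasswd.sh and before switching to "encrypted passwords = yes"; any name it prints needs an entry added by hand or the migration will silently skip that user.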