From oldano at inrete.it Sun Feb 1 17:22:47 1998 From: oldano at inrete.it (Luca Oldano) Date: Tue Dec 2 02:23:46 2003 Subject: No subject Message-ID: <001c01bd2f36$1a295de0$1e095797@local.inrete.it> subscribe ___________________________ Luca Oldano oldano@inrete.it INRETE s.a.s. From lkcl at switchboard.net Sun Feb 1 20:46:28 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: SamLogon validation of one workstation to another via a PDC. Message-ID: a piece of the puzzle of NT Domains is attached, which needs solving. this packet is activated when a user of one NT workstation accesses a second NT workstation, the second NT workstation being a member of a domain. it is therefore a critically important part of the NT 3.5 / 4.0 Domain protocol, as it allows a user on one workstation to access files on another workstation, securely. the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses (LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and SMBsessionsetupX between the first and second NT workstations are sent to the PDC, in the DCE/RPC packet shown below. presumably the challenge / responses are two-way obfuscated. the PDC decrypts the challenge and responses (presumably) and then does a standard SMB password validate, as if it had issued the SMBnegprot response, and received the SMBsessionsetupX query itself. does anyone know what obfuscation / encryption is used to encode the challenge and responses in the packet below? 
luke (samba team) Luke Kenneth Casson Leighton Samba and Network Development Network Monitor trace Sun 02/01/98 17:54:51 \\regent\root\info\sam_challenge.txt ************************************************************************************************************************************************************ Frame Time Src MAC Addr Dst MAC Addr Protocol Description Src Other Addr Dst Other Addr Type Other Addr 32 8.914 KNIGHT REGENT R_LOGON RPC Client call logon:NetrLogonSamLogon(..) KNIGHT REGENT IP + FRAME: Base frame properties + ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol + IP: ID = 0x9205; Proto = TCP; Len: 458 + TCP: .AP..., len: 418, seq: 1442186-1442603, ack:2491898253, win: 8313, src: 1032 dst: 139 (NBT Session) + NBT: SS: Session Message, Len: 414 + SMB: C transact TransactNmPipe, FID = 0x801 + MSRPC: c/o RPC Request: call 0x6 opnum 0x2 context 0x0 hint 0x13A R_LOGON: RPC Client call logon:NetrLogonSamLogon(..) R_LOGON: LOGONSRV_HANDLE LogonServer = \\REGENT R_LOGON: wchar_t ComputerName = KNIGHT R_LOGON: PNETLOGON_AUTHENTICATOR Authenticator {..} R_LOGON: NETLOGON_CREDENTIAL Credential {..} R_LOGON: CHAR data [..] = 89 97 14 C1 23 C6 7B BB R_LOGON: DWORD timestamp = 886355494 (0x34D4B626) R_LOGON: PNETLOGON_AUTHENTICATOR ReturnAuthenticator {..} R_LOGON: NETLOGON_CREDENTIAL Credential {..} R_LOGON: CHAR data [..] 
= B9 6E F6 77 00 00 14 00 R_LOGON: DWORD timestamp = 0 (0x0) R_LOGON: NETLOGON_LOGON_INFO_CLASS LogonLevel = 2 (0x2) R_LOGON: PNETLOGON_LEVEL LogonInformation {..} R_LOGON: Switch Value = 2 (0x2) R_LOGON: PNETLOGON_NETWORK_INFO LogonNetwork {..} R_LOGON: NETLOGON_LOGON_IDENTITY_INFO Identity {..} R_LOGON: UNICODE_STRING LogonDomainName {..} R_LOGON: USHORT Length = 10 (0xA) R_LOGON: USHORT MaximumLength = 10 (0xA) R_LOGON: USHORT * Buffer = 1388208 (0x152EB0) R_LOGON: ULONG ParameterControl = 2 (0x2) R_LOGON: OLD_LARGE_INTEGER LogonId {..} R_LOGON: ULONG LowPart = 35800 (0x8BD8) R_LOGON: LONG HighPart = 0 (0x0) R_LOGON: UNICODE_STRING UserName {..} R_LOGON: USHORT Length = 8 (0x8) R_LOGON: USHORT MaximumLength = 8 (0x8) R_LOGON: USHORT * Buffer = 1388218 (0x152EBA) R_LOGON: UNICODE_STRING Workstation {..} R_LOGON: USHORT Length = 16 (0x10) R_LOGON: USHORT MaximumLength = 16 (0x10) R_LOGON: USHORT * Buffer = 1388226 (0x152EC2) R_LOGON: LM_CHALLENGE LmChallenge {..} R_LOGON: CHAR data [..] = FB DA 8B 7F 9B 0B C1 9E R_LOGON: STRING NtChallengeResponse {..} R_LOGON: USHORT Length = 24 (0x18) R_LOGON: USHORT MaximumLength = 24 (0x18) R_LOGON: PCHAR Buffer = 1388242 (0x152ED2) R_LOGON: STRING LmChallengeResponse {..} R_LOGON: USHORT Length = 24 (0x18) R_LOGON: USHORT MaximumLength = 24 (0x18) R_LOGON: PCHAR Buffer = 1388266 (0x152EEA) R_LOGON: USHORT * Buffer [..] = 0054 0045 0053 0054 0033 R_LOGON: USHORT * Buffer [..] = 006C 006B 0063 006C R_LOGON: USHORT * Buffer [..] = 005C 005C 0052 0045 0047 0045 004E 0054 R_LOGON: PCHAR Buffer [..] = 42 4C FF D2 71 BB 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB B5 28 R_LOGON: PCHAR Buffer [..] = 5D F4 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF B0 29 F5 D4 92 2E R_LOGON: NETLOGON_VALIDATION_INFO_CLASS ValidationLevel = 3 (0x3) 00000: 00 C0 5C 03 12 1E 00 80 C8 81 8F 9D 08 00 45 00 ..\...........E. 00010: 01 CA 92 05 40 00 80 06 B1 B7 C2 9F 18 18 C2 9F ....@........... 
00020: 18 1A 04 08 00 8B 00 16 01 8A 94 87 59 8D 50 18 ............Y.P. 00030: 20 79 B5 F8 00 00 00 00 01 9E FF 53 4D 42 25 00 y.........SMB%. 00040: 00 00 00 18 03 00 00 00 00 00 00 00 00 00 00 00 ................ 00090: B8 CE .. 000A0: 14 00 09 00 00 00 00 00 00 00 09 00 00 00 5C 00 ..............\. 000B0: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 00 00 \.R.E.G.E.N.T... 000C0: C9 11 B4 3C 95 75 07 00 00 00 00 00 00 00 07 00 ...<.u.......... 000D0: 00 00 4B 00 4E 00 49 00 47 00 48 00 54 00 00 00 ..K.N.I.G.H.T... 000E0: 00 00 F8 F9 49 01 89 97 14 C1 23 C6 7B BB 26 B6 ....I.....#.{.&. 000F0: D4 34 04 FA 49 01 B9 6E F6 77 00 00 14 00 00 00 .4..I..n.w...... 00100: 00 00 02 00 02 00 28 FD 49 01 0A 00 0A 00 B0 2E ......(.I....... 00110: 15 00 02 00 00 00 D8 8B 00 00 00 00 00 00 08 00 ................ 00120: 08 00 BA 2E 15 00 10 00 10 00 C2 2E 15 00 FB DA ................ 00130: 8B 7F 9B 0B C1 9E 18 00 18 00 D2 2E 15 00 18 00 ............... 00140: 18 00 EA 2E 15 00 05 00 00 00 00 00 00 00 05 00 ................ 00150: 00 00 54 00 45 00 53 00 54 00 33 00 45 00 04 00 ..T.E.S.T.3.E... 00160: 00 00 00 00 00 00 04 00 00 00 6C 00 6B 00 63 00 ..........l.k.c. 00170: 6C 00 08 00 00 00 00 00 00 00 08 00 00 00 5C 00 l.............\. 00180: 5C 00 52 00 45 00 47 00 45 00 4E 00 54 00 18 00 \.R.E.G.E.N.T... 00190: 00 00 00 00 00 00 18 00 00 00 42 4C FF D2 71 BB ..........BL..q. 001A0: 8F 24 4B 9F 86 8B A7 A3 DA D3 96 14 88 45 7E BB .$K..........E~. 001B0: B5 28 18 00 00 00 00 00 00 00 18 00 00 00 5D F4 .(............]. 001C0: 44 C6 A2 CC DE 7E 22 5F C2 F6 B4 C6 3B 2D C1 CF D....~"_....;-.. 001D0: B0 29 F5 D4 92 2E 03 00 .)...... From lkcl at switchboard.net Mon Feb 2 18:13:41 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: provide group/user list In-Reply-To: References: Message-ID: hi ari, this is something that will need to be addressed. 
if you have access to an NT server, it would be very helpful if you could generate an example packet trace. BRANCH_NTDOM at present has sufficient code in it to fool the win95 client to allow "user level" security on shares, but insufficient to allow you to view users / groups on a share. luke (samba team) On Mon, 2 Feb 1998, Ari wrote: > Can samba-1.9.17p2 provide a group and user list? I found it not > mentioned in any doc or faq. > What I want is the share mode of my win95-boxes in user-level security and > that requires this user list. > When trying to get the list from the samba server, win95 can't find one. > Can I do this with 1.9.17p2, or will it work with 1.9.18 or BRANCH-NTDOM? > > I case the log (level 3) is of use: > ---- > 01/31/98 02:56:33 Transaction 515 of length 99 > switch message SMBtrans (pid 13011) > trans <\PIPE\LANMAN> data=0 params=19 setup=0 > Got API command 13 of form > (tdscnt=0,tpscnt=19,mdrcnt=66,mprcnt=6) > Doing RNetServerGetInfo > 01/31/98 02:56:33 Transaction 516 of length 82 > switch message SMBtrans (pid 13011) > trans <\PIPE\SAMR> data=0 params=0 setup=2 > named pipe command on 0x53 setup1=0 > 01/31/98 02:56:33 error packet at line 3118 cmd=37 (SMBtrans) eclass=2 > ecode=65535 > ---- > > Thanks > Ari > > -- > Who am I? And, if so, how many? > > Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From paul at argo.demon.co.uk Tue Feb 3 00:08:29 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: SamLogon validation of one workstation to another via a PDC. In-Reply-To: Message-ID: <199802030010.AAA23033@mail.bogo.co.uk> At 20:10 01/02/98 , Luke Kenneth Casson Leighton wrote: >the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses >(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and >SMBsessionsetupX between the first and second NT workstations are sent to >the PDC, in the DCE/RPC packet shown below. 
presumably the challenge / >responses are two-way obfuscated. No they aren't. >the PDC decrypts the challenge and responses (presumably) and then does a >standard SMB password validate, as if it had issued the SMBnegprot >response, and received the SMBsessionsetupX query itself. > >does anyone know what obfuscation / encryption is used to encode the >challenge and responses in the packet below? None. From a quick look at a packet trace, the original client that wishes to access a share does an SMB negotiate and receives an 8 byte challenge, it then does a session setup & X with a 24 byte challenge response. The The SMB server then forwards the challenge and the response to the PDC without encryption. The PDC confirms whether the response was valid and if so, returns the password hash to the SMB server (rc4 encrypted) so that the SMB server could then forward the hash to other servers on behalf of the client. Codeable Luke? Paul From paul at argo.demon.co.uk Tue Feb 3 08:45:16 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:46 2003 Subject: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: <199802030010.AAA23033@mail.bogo.co.uk> Message-ID: <199802030847.IAA09676@mail.bogo.co.uk> At 01:18 03/02/98 , Paul Ashton wrote: >From a quick look at a packet trace, the original client that wishes >to access a share does an SMB negotiate and receives an 8 byte challenge, >it then does a session setup & X with a 24 byte challenge response. The >The SMB server then forwards the challenge and the response to the PDC >without encryption. The PDC confirms whether the response was valid and >if so, returns the password hash to the SMB server (rc4 encrypted) so >that the SMB server could then forward the hash to other servers on >behalf of the client. This means that anybody passively listening to the LAN can turn any NTLM challenge response sequence into a password equivalent! 
Just forward the challenge and response of a sniffed packet to an NT DC and it will send you the password equivalent. The only thing you need is access to a workstation trust account name and password. You will have this if you have administrative access to your own machine or if you listen to a workstation joining a domain for the first time. I think Luke's smbclient mods can be coded to exploit this. Luke? Paul From andre at lme.usp.br Tue Feb 3 16:46:01 1998 From: andre at lme.usp.br (Andre Gerhard) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: Connecting to a printer - name invalid ? Message-ID: <3.0.1.32.19980203134601.00927e20@ws10.lme.usp.br> Hello everybody, I am trying to connect to a printer that exists in my Linux PDC Samba server, from an NT 4.0 workstation machine. When I select the printer and click OK (after doing Add Printer, selecting Network Printer Server and clicking on the name of the printer) the following message appears: "Could not connect to the printer. The printer name is invalid" I have the latest NTDOM samba version, including the updates that synchronizes it with the Samba 1.9.18p2 release. Any help will be appreciated, Andre Gerhard Systems/Network Administrator Universidade de Sao Paulo - Sao Paulo - Brazil From lkcl at switchboard.net Tue Feb 3 16:37:53 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: NT Security Alert: (was Re: NTDOM: SamLogon validation...) In-Reply-To: <199802030847.IAA09676@mail.bogo.co.uk> Message-ID: On Tue, 3 Feb 1998, Paul Ashton wrote: > At 01:18 03/02/98 , Paul Ashton wrote: > >From a quick look at a packet trace, the original client that wishes > >to access a share does an SMB negotiate and receives an 8 byte challenge, > >it then does a session setup & X with a 24 byte challenge response. The > >The SMB server then forwards the challenge and the response to the PDC > >without encryption. 
The PDC confirms whether the response was valid and > >if so, returns the password hash to the SMB server (rc4 encrypted) so > >that the SMB server could then forward the hash to other servers on > >behalf of the client. > > This means that anybody passively listening to the LAN can turn > any NTLM challenge response sequence into a password equivalent! > Just forward the challenge and response of a sniffed packet to an > NT DC and it will send you the password equivalent. > > The only thing you need is access to a workstation trust account > name and password. You will have this if you have administrative > access to your own machine or if you listen to a workstation > joining a domain for the first time. > I think Luke's smbclient mods can be coded to exploit this. Luke? yes, it could. oh dear. i'll implement "Network" Logons, first. then the code will be there. two days, ok? luke From lkcl at switchboard.net Tue Feb 3 16:13:25 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: SamLogon validation of one workstation to another via a PDC. In-Reply-To: <199802030010.AAA23033@mail.bogo.co.uk> Message-ID: On Tue, 3 Feb 1998, Paul Ashton wrote: > At 20:10 01/02/98 , Luke Kenneth Casson Leighton wrote: > >the 8 byte challenge (LmChallenge) and 24 byte lm and nt responses > >(LmChallengeResponse and NtChallengeResponse) of the SMBnegprot and > >SMBsessionsetupX between the first and second NT workstations are sent to > >the PDC, in the DCE/RPC packet shown below. presumably the challenge / > >responses are two-way obfuscated. > > No they aren't. whoops. > >the PDC decrypts the challenge and responses (presumably) and then does a > >standard SMB password validate, as if it had issued the SMBnegprot > >response, and received the SMBsessionsetupX query itself. > > > >does anyone know what obfuscation / encryption is used to encode the > >challenge and responses in the packet below? > > None. 
From a quick look at a packet trace, the original client that wishes > to access a share does an SMB negotiate and receives an 8 byte challenge, > it then does a session setup & X with a 24 byte challenge response. The > The SMB server then forwards the challenge and the response to the PDC > without encryption. The PDC confirms whether the response was valid and > if so, returns the password hash to the SMB server (rc4 encrypted) so > that the SMB server could then forward the hash to other servers on > behalf of the client. > > Codeable Luke? easy. i'm half way there, taking things slowly. i'll probably have a check-in in a couple of days. luke From lkcl at switchboard.net Tue Feb 3 18:00:17 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: Connecting to a printer - name invalid ? Message-ID: hi andre, you may be falling foul of the lack of dce/rpc support for printers in BRANCH_NTDOM at the moment. i need to implement that pipe. luke > >Hello everybody, > > >I am trying to connect to a printer that exists in my Linux PDC Samba >server, from an NT 4.0 workstation machine. > >When I select the printer and click OK (after doing Add Printer, >selecting Network Printer Server and clicking on the name of the printer) the >following message appears: > >"Could not connect to the printer. The printer name is invalid" > >I have the latest NTDOM samba version, including the updates that synchronizes >it with the Samba 1.9.18p2 release. > > >Any help will be appreciated, > > >Andre Gerhard >Systems/Network Administrator >Universidade de Sao Paulo - Sao Paulo - Brazil > From baugh at east.isx.com Tue Feb 3 18:46:10 1998 From: baugh at east.isx.com (Earl Baugh) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... Message-ID: <199802031846.NAA08636@east.isx.com> So far, it looks like this work is only available as a PAM. 
Is there any plans on making it available on any of the other Samba supported platforms (notably on Solaris??) I'd be willing to "test" it in that environment... Earl From cartegw at Eng.Auburn.EDU Tue Feb 3 18:59:05 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... In-Reply-To: <199802031846.NAA08636@east.isx.com> Message-ID: On Wed, 4 Feb 1998, Earl Baugh wrote: > > So far, it looks like this work is only available > as a PAM. Is there any plans on making it available > on any of the other Samba supported platforms (notably > on Solaris??) I'd be willing to "test" it in that > environment... > I have it running on Solaris 2.5.1 with no major difficulties. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From RReybok at EXAMNYC.lehman.com Tue Feb 3 19:07:29 1998 From: RReybok at EXAMNYC.lehman.com (Reybok, Richard K) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... Message-ID: well, solaris 2.6 supports PAM now, so I'm sure it could be ported. as for other OS's, without PAM, you would wind up having to replace every binary that needs to access user information because there is no underlying API. As an example, i wrote a quick replacement for /bin/login on my solaris 2.5 box to log me in using my domain account. quick & dirty, but it worked. -rich > -----Original Message----- > From: baugh@east.isx.com [SMTP:baugh@east.isx.com] > Sent: Tuesday, February 03, 1998 1:48 PM > To: Multiple recipients of list > Subject: Just wondering... > > > So far, it looks like this work is only available > as a PAM. Is there any plans on making it available > on any of the other Samba supported platforms (notably > on Solaris??) 
I'd be willing to "test" it in that > environment... > > Earl From baugh at east.isx.com Tue Feb 3 19:12:28 1998 From: baugh at east.isx.com (Earl Baugh) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... Message-ID: <199802031912.OAA08836@east.isx.com> Actually, I have a Solaris 2.6 machine (which is my personal SS10) or access to at least one Solaris 2.5.1 machine (here at work) where I could "play" with this. I guess it just wasn't clear to me where I would get the code (the only reference I saw in the listproc archive was the PAM one...) So, where on the samba site to I get it? Apparently folks have it up and running under Solaris 2.5 too.. Earl >From RReybok@EXAMNYC.lehman.com Tue Feb 3 14:08:15 1998 >From: "Reybok, Richard K" >To: "'baugh@east.isx.com'" , > Multiple recipients of list >Subject: RE: Just wondering... >Date: Tue, 3 Feb 1998 14:07:29 -0500 >X-Priority: 3 >MIME-Version: 1.0 > >well, solaris 2.6 supports PAM now, so I'm sure it could be ported. >as for other OS's, without PAM, you would wind up having to replace >every binary that needs to access user information because there is no >underlying API. As an example, i wrote a quick replacement for >/bin/login on my solaris 2.5 box to log me in using my domain account. >quick & dirty, but it worked. > >-rich > >> -----Original Message----- >> From: baugh@east.isx.com [SMTP:baugh@east.isx.com] >> Sent: Tuesday, February 03, 1998 1:48 PM >> To: Multiple recipients of list >> Subject: Just wondering... >> >> >> So far, it looks like this work is only available >> as a PAM. Is there any plans on making it available >> on any of the other Samba supported platforms (notably >> on Solaris??) I'd be willing to "test" it in that >> environment... >> >> Earl > From paul at argo.demon.co.uk Tue Feb 3 18:50:48 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... 
In-Reply-To: <199802031846.NAA08636@east.isx.com> Message-ID: <886531866.103093.0@argo.demon.co.uk> At 18:47 03/02/98 , Earl Baugh wrote: >So far, it looks like this work is only available >as a PAM. Is there any plans on making it available >on any of the other Samba supported platforms (notably >on Solaris??) I'd be willing to "test" it in that >environment... The PAMs are related but seperate. I run (and wrote) a Samba PDC on Solaris. The domain control support should work on any Samba platform, barring bugs. Paul From paul at argo.demon.co.uk Tue Feb 3 19:35:47 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... In-Reply-To: <199802031912.OAA08836@east.isx.com> Message-ID: <886534643.2014679.0@argo.demon.co.uk> At 19:13 03/02/98 , Earl Baugh wrote: >So, where on the samba site to I get it? > >Apparently folks have it up and running under Solaris 2.5 too.. See http://mailhost.cb1.com/~lkcl/ntdom/ntdom-unix.txt and the rest of Luke's home page for current and background information. As mentioned in the ntdom-unix.txt you need to retrieve the relevant CVS branch. Basically, look at http://samba.anu.edu.au/cvs.html (typo in Luke's page) and then issue cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login once, then cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba After the first time, you only get incremental diffs. Paul From paul at argo.demon.co.uk Tue Feb 3 21:14:12 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: Connecting to a printer - name invalid ? In-Reply-To: <3.0.1.32.19980203134601.00927e20@ws10.lme.usp.br> Message-ID: <886540470.205741.0@argo.demon.co.uk> At 15:47 03/02/98 , Andre Gerhard wrote: >When I select the printer and click OK (after doing Add Printer, >selecting Network Printer Server and clicking on the name of the printer) the >following message appears: > >"Could not connect to the printer. 
The printer name is invalid" Andre, do you have 18p2 compiled that doesn't contain NTDOMAIN support? I'm sure the attempt to connect to the spoolss named pipe falls back to SMBs if it can't be opened. To confirm this, you need to know whether the exact same config file works without ntdom support compiled in. Paul From cartegw at Eng.Auburn.EDU Wed Feb 4 17:12:13 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:46 2003 Subject: No PDC found Message-ID: <34D8A16D.F0395C3F@eng.auburn.edu> [...friendly greeting prior to question....] Hey folks! [...now that that's out of the way...just kidding....] I have the latest BRANCH_NTDOM ( updated to 1.9.18p2 ) compiled installed and running fine with no problem except.... When I run at the default debug level ( 1 i think ) the NT Wks complains about the PDC fot the Domain not being available. However, the user profile and validation still works fine?! ( i defined USE_ARCFOUR in the compile ) If I run at a debug level of about 5 the NT Wks goes through fine ( logins scripts and all ). Could anyone elaborate on this? I am assumig their is a race condition somewhere but have not been able to find it yet ( because I can't crank up the debug levels to look at what it broken ) j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Wed Feb 4 17:21:55 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:46 2003 Subject: No PDC found References: <34D8A16D.F0395C3F@eng.auburn.edu> Message-ID: <34D8A3B3.DBA956C9@eng.auburn.edu> Gerald W. Carter wrote: > > I have the latest BRANCH_NTDOM ( updated to 1.9.18p2 ) compiled > installed and running fine with no problem except.... 
> > When I run at the default debug level ( 1 i think ) the NT Wks complains > about the PDC fot the Domain not being available. However, the user > profile and validation still works fine?! ( i defined USE_ARCFOUR in the > compile ) > > If I run at a debug level of about 5 the NT Wks goes through fine ( > logins scripts and all ). Sorry. Forgot to say OS : Solaris 2.5.1 Arch : SparcUltra j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Wed Feb 4 18:12:04 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: No PDC found In-Reply-To: <34D8A16D.F0395C3F@eng.auburn.edu> Message-ID: gerald, hm. you wanna try compiling with -g -g instead of -O? or at least, without -O? check your compilation directory and /tmp: see that there aren't any temporary files left behind by gcc as evidence of it core-dumping. luke On Thu, 5 Feb 1998, Gerald W. Carter wrote: > [...friendly greeting prior to question....] > > Hey folks! > > [...now that that's out of the way...just kidding....] > > I have the latest BRANCH_NTDOM ( updated to 1.9.18p2 ) compiled > installed and running fine with no problem except.... > > When I run at the default debug level ( 1 i think ) the NT Wks complains > about the PDC fot the Domain not being available. However, the user > profile and validation still works fine?! ( i defined USE_ARCFOUR in the > compile ) is there an smbd core dump anywhere at all? how about doing an attach to the process, using gdb, and seeing if there's anything odd going on? running tcpdump / netmonitor to see what's being sent on the wire and what isn't? > If I run at a debug level of about 5 the NT Wks goes through fine ( > logins scripts and all ). 
> > Could anyone elaborate on this? I am assumig their is a race condition > somewhere but have not been able to find it yet ( because I can't crank > up the debug levels to look at what it broken ) > > > > j- > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) > Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From lkcl at switchboard.net Wed Feb 4 18:20:54 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... In-Reply-To: <199802031846.NAA08636@east.isx.com> Message-ID: references: http://mailhost.cb1.com/~lkcl/pam_ntdom http://www.kernel.org/pub/linux/libs/pam/index.html PAMs compile for slackware, redhat and solaris. insert pam_ntdom into the appropriate module directory. follow instructions on kernel.org's site. you will be able to authenticate against a PDC (samba or NT) using this module. as with pam_smb, the account must exist in the unix domain, and must have the same user name. to answer your question as i understand it (i am confused by the context of "this work"). pam_ntdom and BRANCH_NTDOM are being developed in parallel. BRANCH_NTDOM definitely works, allowing NT workstations to log in to a UNIX server. pam_ntdom will allow a UNIX user to log in to a PDC (whether NT or Samba). luke On Wed, 4 Feb 1998, Earl Baugh wrote: > > So far, it looks like this work is only available > as a PAM. Is there any plans on making it available > on any of the other Samba supported platforms (notably > on Solaris??) I'd be willing to "test" it in that > environment... 
> > Earl > Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From lkcl at switchboard.net Wed Feb 4 18:24:45 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: Just wondering... In-Reply-To: <886534643.2014679.0@argo.demon.co.uk> Message-ID: On Wed, 4 Feb 1998, Paul Ashton wrote: > At 19:13 03/02/98 , Earl Baugh wrote: > >So, where on the samba site to I get it? > > > >Apparently folks have it up and running under Solaris 2.5 too.. > > See http://mailhost.cb1.com/~lkcl/ntdom/ntdom-unix.txt and the > rest of Luke's home page for current and background information. > As mentioned in the ntdom-unix.txt you need to retrieve the > relevant CVS branch. > > Basically, look at http://samba.anu.edu.au/cvs.html (typo in > Luke's page) and then issue > cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login > once, then > cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba > After the first time, you only get incremental diffs. occasionally, this messes up. it is recommended that if you get compilation errors, to delete the source and re-check out (or in a new directory). also, for those people interested in keeping up-to-date with the check-ins, subscribe to samba-cvs (an odd list: 2 to 30 messages a day, averaging around 3). see http://samba.anu.edu.au/listproc. hopefully i've spelt things right, this time... luke-the-fool Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From lkcl at switchboard.net Wed Feb 4 18:26:22 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:46 2003 Subject: NTDOM: Connecting to a printer - name invalid ? In-Reply-To: <886540470.205741.0@argo.demon.co.uk> Message-ID: here are some notes i made earlier today about the \PIPE\spoolss service. it looks like a major task (two weeks' work): dce/rpc printer support. looks comprehensive and excessive. 
notes on packet trace: it starts off with a \spoolss pipe on 12345678-1234-abcd-ef00-0123456789ab. the bind response is to 045d888a-eb1c-c911-9fe808002b104860, version 0x02. rpcs then follow: - unidentified (as yet) opcode 0x45 with server, username, machine. etc. response contains a 20 byte HND. presumably this call is an open. - RpcGetPrinterData (0x26) UiSingleJobStatusString. hm. type, data, needed. what's this all about? - RpcRemoteFindFirstPrinterChangeNotificationEx (0x41) more printer spooling pipe opening. again. - RpcSetAllocFailCount (0x43) - contains printer handle + fail count response alloc count, free count, failcounthit. - RpcReplyOpenPrinter (0x3a) - contains machine, key for remote printer (alloccount from above) response undecoded. - RpcFindClosePrinterChangeNotification (0x38). contains printer handle. presumably the findfirstprtchg response contained the handle. - RpcReplyClosePrinter (0x3c) - contains handle. response: ok. BUT there is a file close from the client at the same time. response might be delayed until the server responds to the SMBclose. oops. - RpcClosePrinter (0x1d) - close printer handle. response: ok. close \spoolss. and this is with no printers! From cartegw at Eng.Auburn.EDU Wed Feb 4 20:01:07 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:46 2003 Subject: No PDC found References: Message-ID: <34D8C903.73FF337D@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > hm. you wanna try compiling with -g -g instead of -O? or at least, > without -O? check your compilation directory and /tmp: see that there > aren't any temporary files left behind by gcc as evidence of it > core-dumping. compiled using gcc 2.7.2 with -g flag ( was not using -O previously ). Works fine but the memory size if fairly large ;) > is there an smbd core dump anywhere at all? how about doing an attach > to the process, using gdb, and seeing if there's anything odd going on? 
> running tcpdump / netmonitor to see what's being sent on the wire and
> what isn't?

No core dumps. Haven't had a chance to look at packet dumps yet.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Wed Feb 4 20:52:43 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:46 2003
Subject: NTDOM: pass-through authentication in NT Domains.
Message-ID:

a few days ago, i posted a NETLOGON message - a SAM Logon packet which uses
"pass through" technology, but for NT / NT interaction, not non-NT / NT
interaction. i asked if anyone knew anything about this, and whether the
data was encrypted.

well, after examining some surrounding traffic (SMBnegprot and
SMBsessionsetupX) it turns out that the SMBnegprot response (with the 8
byte challenge) and the SMBsessionsetupX request (with the LM and NT 24
byte responses) are not encrypted. so, coding this up was pretty trivial.

as a result, a Samba PDC can now verify a user from one NT workstation (or
in fact _any_ smb client that uses NT / LM encrypted passwords) that
attempts to access a second workstation's shares, where the second
workstation is a member of the Samba PDC's domain.

client-side code is to follow. again, this will be pretty trivial.

as of yet, however, we can only speculate as to why the response packet
"User Session Key" is filled in with a 16 byte value, and why the
"Expansion Room" is filled in with an 8 byte value. these values are the
same size as the 16 byte long-term password and the 8 byte credential
chain's session key. maybe there's either some recursion possible, or you
need these for a "Network" SAM Logoff. or password changing. all
speculation.
luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From michel at nijenrode.nl Wed Feb 4 21:14:17 1998
From: michel at nijenrode.nl (Michel)
Date: Tue Dec 2 02:23:46 2003
Subject: Also no PDC found
Message-ID: <199802042114.WAA19335@bordeaux.nijenrode.nl>

I seem to have somewhat of the same problem with NT machine finding the
domain controller; in default debug level, nmbd's log reports processing
a logon package with code 7 (querypdc) twice every once in a while
(starting of course when I want to change the machine to the samba
domain). Higher debug levels do not reveal a lot, and I definitely don't
get any SAM-notices. Tcpdump shows that netbios services are bound to
port 137/138 though (maybe the higher debug doesn't show more as it seems
to stall as soon as the logfile hits 56k).

Not getting any SAM messages, I tried to fiddle with the netbios name
resolving, but that seems to work fine anyways.

The docs mention having to add a line to smbpasswd for every machine,
then a line that it's no longer needed =). Do I or don't I ?
(what this line exactly looks like is a bit obscure in the docs).

Any suggestions, or any notices from the debug's that I need to pay
explicit attention to ?

Michel.
--
Michel van der Laan - michel@nijenrode.nl
http://www.nijenrode.nl/~michel

From paul at argo.demon.co.uk Wed Feb 4 21:33:40 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:46 2003
Subject: Also no PDC found
In-Reply-To: <199802042114.WAA19335@bordeaux.nijenrode.nl>
Message-ID: <199802042134.VAA29130@ns.uk.ibm.net>

At 21:15 04/02/98 , Michel wrote:
>The docs mention having to add a line to smbpasswd for every machine,
>then a line that it's no longer needed =). Do I or don't I ?
>(what this line exactly looks like is a bit obscure in the docs).

You do need it. I think Luke took out the line saying you didn't
need to do it.

HOSTNAME$:uid:LMHASH:NTHASH:80

with the password set to "hostname" in lower case.
If you use the old format with the home directory etc., you'll end up
with the account type being set to 0 due to atoi() or strtol() changing
alpha input to 0.

As a general debugging aid, if you also have access to MSDN or SMS,
microsoft's netmon network sniffer decodes a lot of proprietary protocols
that other sniffers don't, including a lot of MS RPCs including the
domain control ones. It will often quickly indicate why something's
failing. You'll also be horrified to see how wasteful of your network
bandwidth it is...

Paul

From Jean-Francois.Micouleau at utc.fr Wed Feb 4 21:44:22 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:46 2003
Subject: Also no PDC found
In-Reply-To: <199802042114.WAA19335@bordeaux.nijenrode.nl>
Message-ID:

On Thu, 5 Feb 1998, Michel wrote:

> The docs mention having to add a line to smbpasswd for every machine,
> then a line that it's no longer needed =). Do I or don't I ?
> (what this line exactly looks like is a bit obscure in the docs).

the line must exist. It looks like:

joker$:301:8D6C948F63B4E826AAD3B435B51404EE:
86B3A8B1D8DE8B3C2406A673B37EC063:machine joker:/home/joker:/bin/tcsh

it has to be on a single line, i split it for readability.

to create it, the easy way is:

1) add a line in /etc/passwd
   the corresponding line to the above is:
   joker$::301:300:machine joker:/home/joker:/bin/tcsh

2) run smbpasswd as
   smbpasswd -add joker$ joker

you can remove the line from /etc/passwd.

hope it helps.

>
> Any suggestions, or any notices from the debug's that I need to pay
> explicit attention to ?
>
> Michel.
>
-----------------------------------------------------------
: Jean Francois Micouleau  : Email: jfm@utc.fr             :
: Universite de            : Tel : 03 44 23 47 78         :
: Technologie de           : Service Informatique         :
: Compiegne France         : Division IRNM                :
-----------------------------------------------------------

From paul at argo.demon.co.uk Thu Feb 5 12:34:08 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:46 2003
Subject: NTDOM: pass-through authentication in NT Domains.
In-Reply-To:
Message-ID: <199802051234.MAA37694@ns.uk.ibm.net>

At 20:10 04/02/98 , Luke Kenneth Casson Leighton wrote:
>as of yet, however, we can only speculate as to why the response packet
>"User Session Key" is filled in with a 16 byte value, and why the
>"Expansion Room" is filled in with an 8 byte value.

The UserSessionKey contains MD4(nthash) post SP3 and maybe LM-FIX, and
first8bytes(lmhash)|8 zeroes, previously. ExpansionRoom contains
first8bytes(lmhash) always. Both are encrypted with the current RC4
session key.

Paul

From lkcl at switchboard.net Thu Feb 5 18:45:34 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
In-Reply-To: <199802042134.VAA29130@ns.uk.ibm.net>
Message-ID:

On Thu, 5 Feb 1998, Paul Ashton wrote:

> At 21:15 04/02/98 , Michel wrote:
> >The docs mention having to add a line to smbpasswd for every machine,
> >then a line that it's no longer needed =). Do I or don't I ?
> >(what this line exactly looks like is a bit obscure in the docs).
>
> You do need it. I think Luke took out the line saying you didn't
> need to do it.
>
> HOSTNAME$:uid:LMHASH:NTHASH:80
> with the password set to "hostname" in lower case.

i think the 80 on the end needs to be :0080: - the code expects 4 bytes
_and_ the terminating colon. 0x0080 is ACB_WKSTRUST account (see
source/lib/rpc/includes/ use grep).
> If you use the old format with the home directory etc., you'll end
> up with the account type being set to 0 due to atoi() or strtol()
> changing alpha input to 0.
>
> As a general debugging aid, if you also have access to MSDN or SMS,
> microsoft's netmon network sniffer decodes a lot of proprietary
> protocols that other sniffers don't, including a lot of MS
> RPCs including the domain control ones. It will often quickly
> indicate why something's failing. You'll also be horrified to
> see how wasteful of your network bandwidth it is...

yep, and yep!

From lkcl at switchboard.net Thu Feb 5 18:47:36 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
In-Reply-To:
Message-ID:

On Thu, 5 Feb 1998, Jean-Francois Micouleau wrote:

> On Thu, 5 Feb 1998, Michel wrote:
>
> > The docs mention having to add a line to smbpasswd for every machine,
> > then a line that it's no longer needed =). Do I or don't I ?
> > (what this line exactly looks like is a bit obscure in the docs).
>
> the line must exist. It looks like:
>
> joker$:301:8D6C948F63B4E826AAD3B435B51404EE:
> 86B3A8B1D8DE8B3C2406A673B37EC063:machine joker:/home/joker:/bin/tcsh
>
> it has to be on a single line, i split it for readability.
>
> to create it, the easy way is:
>
> 1) add a line in /etc/passwd
>    the corresponding line to the above is:
>    joker$::301:300:machine joker:/home/joker:/bin/tcsh
>
> 2) run smbpasswd as
>    smbpasswd -add joker$ joker

ah. actually, adding a unix user joker$ is a _good_ idea. you might want
to make sure that you don't have a login shell, but you might want to have
a home directory. i may end up putting some info in a ~.smbpasswd file...

luke

From cartegw at Eng.Auburn.EDU Fri Feb 6 16:27:06 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
References:
Message-ID: <34DB39DA.E8AC4B5@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> >
> > HOSTNAME$:uid:LMHASH:NTHASH:80
> > with the password set to "hostname" in lower case.
>
> i think the 80 on the end needs to be :0080: - the code expects 4 bytes
> _and_ the terminating colon. 0x0080 is ACB_WKSTRUST account (see
> source/lib/rpc/includes/ use grep).

Good news is that after changing the machine account entries in smbpasswd
to match the new format, the problems I previously reported go away.

[snip]
When I run at the default debug level ( 1 i think ) the NT Wks complains
about the PDC for the Domain not being available. However, the user
profile and validation still works fine?! ( i defined USE_ARCFOUR in the
compile )

If I run at a debug level of about 5 the NT Wks goes through fine ( login
scripts and all ).
[end]

I didn't see any references to this new format in the docs. Did I miss it
somewhere?

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Fri Feb 6 17:58:44 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: printing
Message-ID:

hi,

i just wanted to let you know that, having seen some nt workstation /
server printer interaction, i am now picking my jaw off the floor and
revising my estimates, even of getting a simple print job to an nt
machine.

there are lots of apis: approximately 60. a quickview on spoolss.dll
shows exactly how many, and what they are. fortunately, all of them are
documented with NetMonitor. it is therefore an unchallenging, unexciting
and necessary task to put functionality behind all of these.
unexciting as compared to nt domain authentication, that is, but no less
necessary.

i haven't found a way to force an NT machine to back down to using the
SMBtrans2 calls, once you make it think you're talking to another NT
machine. that's not to say that there isn't a way. maybe if you get a
certain sub-set (printer enumeration for example) then once you go beyond
that, it can thunk down to actually doing the print-jobs using SMBtrans2
calls.

the reasoning behind this being that there are key APIs which are
implemented as a group of RPCs. if you start implementing one of those as
an MSRPC call, you _must_ implement the rest. if you do not, then you
_must_ implement them all as SMBtrans2 calls...

we'll see.

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Fri Feb 6 18:04:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: lots of subscribers
Message-ID:

you will be pleased to know that _already_ we have 270 non-concealed
subscribers to the samba domain list.

don't all say "hi" at once :-)

luke

From lkcl at switchboard.net Fri Feb 6 18:42:32 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: Win NT workstation and Samba PDC
In-Reply-To:
Message-ID:

santosh,

i took the liberty of cc'ing the reply to the samba ntdomain list, as
these are the kinds of questions that are going to be asked repeatedly.

On Thu, 5 Feb 1998, Santosh Krishnan x2815 wrote:

> Hi,
>
> Thanks a lot. I got my PDC to work. It looks like I wasn't doing
> anything wrong. Is a DNS required for samba to work? The first time, I
> tried the ntdom thing on a disconnected network, with no name server.
> That's when I asked you the dozen questions. I finally gave up and went
> to my production machine and tried it out. It works great. Can you
> confirm my assumption?
ok, for you to answer this question yourself, try running 1.9.18p2 on the
"disconnected network" server. i expect it to fail. try asking on the
samba digest (not the samba-ntdom one) for help resolving this.

> On another note, now that I have users logging into my server via NT
> workstation, is there a smbgroups file or something that allows me to
> specify NT groups, or do I have to use the UNIX groups?

both, although it's pretty basic at the moment. "domain groups" and
"domain admin users" and "domain guest users" are the current parameters.

> Reason I ask is
> that I read that Server Manager for Domains can be used to view the users
> on the Samba server. However, here's what it tells me:
>
> The tag is invalid ... do you want to select another domain to administer?

ah, this is because i've messed things up :-) i have to deal with "large"
responses. if you had very few accounts (about four) then it would work.

> At this point, I have logged in as myself, who has no admin rights.

there is no protection at the moment. anyone can run this and obtain user
and server profile information.

luke

From lkcl at switchboard.net Fri Feb 6 19:19:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: NTDOM: progress/bugs OFFTOPIC: news.
Message-ID:

hi,

news: i'm off for a week. i may be back mid-week, maybe later (11th feb
or so). i'm now off numerous lists, including the samba one, but not the
samba-ntdom or cifs ones.

ntdomains:

1) printing looks like it's going to be a pain (see archives for previous
post, from today). in the meantime, you can't print from a samba NTDOM
server, so would have to put printers on a 1.9.18p2 server instead. or
run two samba servers off the same physical machine, but off separate ip
addresses.

2) there's a bug in the dce/rpc code (actually, it's unfinished and i
don't have time to fix it right now) which means that responses greater
than about... 1 to 3k are garbage.
this will particularly hit large NetShareEnum responses and "User
Manager" and "Server Manager" for domains, with more than about... 4 to 8
users.

3) some people on this list may be waiting to see if there is better
documentation available. could those people who have successfully managed
to get up-and-running please help those who haven't?

4) paul (blackman) would you be so good as to see if putting a message at
the bottom of each posting saying "archives are at
http://samba.anu.edu.au/listproc" is easily possible, like the cifs list
does?

other people, please, if you are reading this, please check the archives
before posting on a particular issue: your question may have been
answered already.

have fun!

luke

From andre at lme.usp.br Fri Feb 6 20:21:04 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:47 2003
Subject: Printing from a NT Workstation - a hack
In-Reply-To:
Message-ID: <3.0.1.32.19980206172104.00919ad0@ws10.lme.usp.br>

Hello,

To print from a NT Workstation connected to a PDC Samba Server, you can
do the following:

Log locally in the NT Workstation as administrator and install the
printer locally (not as a server printer) as lpt1. Then, log in the Samba
domain and execute the command:

net use lpt1: \\SERVER\lp0

Where:
SERVER: name of the PDC Samba Server
lp0: name of the printer in the Samba Server (from [printers])

Doing this you will be able to print from programs like MSOffice, Wordpad
etc.

Andre Gerhard
Systems/Network Administrator
Universidade de Sao Paulo - SP - Brazil

From jgarber at eng.utoledo.edu Fri Feb 6 19:54:26 1998
From: jgarber at eng.utoledo.edu (jeremy garber)
Date: Tue Dec 2 02:23:47 2003
Subject: NTDOM: Bug report clarification
Message-ID: <199802061954.OAA21070@bacchus.eng.utoledo.edu.eng.utoledo.edu>

I downloaded the latest (I think) BRANCH_NTDOM code on Wednesday
(02/04/1998). I had to make several changes to the Makefile to get it to
complete. Solaris 2.5.1.
Should I report those fixes on this list or submit them to samba-bugs?

Jeremy Garber
Computer Engineer (whatever the heck that is)
Engineering College Computing
The University of Toledo
jgarber@eng.utoledo.edu

From cartegw at Eng.Auburn.EDU Fri Feb 6 20:08:28 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: NTDOM: Bug report clarification
References: <199802061954.OAA21070@bacchus.eng.utoledo.edu.eng.utoledo.edu>
Message-ID: <34DB6DBC.F8CAC6A5@eng.auburn.edu>

jeremy garber wrote:
>
> I downloaded the latest (I think) BRANCH_NTDOM code on Wednesday
> (02/04/1998). I had to make several changes to the Makefile to get it to
> complete. Solaris 2.5.1.
>
> Should I report those fixes on this list or submit them to samba-bugs?
>

Are you referring to the addition of smbgetpass.o to smbd and nmbd
linking? That was the only one I had to change for a clean compile (
under Solaris 2.5.1 of course ).

In answer to your question, I believe that they should be reported to
samba-bugs with the Subject beginning with NTDOM:

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From bvinarsk at qntm.com Fri Feb 6 20:29:28 1998
From: bvinarsk at qntm.com (Boris Vinarsky)
Date: Tue Dec 2 02:23:47 2003
Subject: Samba and HP Advanced Server/9000
Message-ID: <199802062029.MAA23076@blin.asic>

Hello everybody,

Does anybody have any experience with HP Advanced Server/9000
(http://www.hp.com/gsy/advanced.html) ?

HP claims that:

Advanced Server/9000 is an HP-UX-based network operating system fully
compatible with Microsoft networking technology. It interoperates
seamlessly with systems running Microsoft Windows NT Server and
Workstation.
Advanced Server/9000 can be deployed as the primary domain controller in
a network comprising other Advanced Servers or Windows NT Servers. It
also can act as a backup domain controller for other Advanced Servers or
Windows NT Server computers.

Thank you,
Boris Vinarsky
-------------------------------------------
Boris Vinarsky, SysAdmin, ASIC, Quantum
408-324-7253, boris@asic.qntm.com
-------------------------------------------

From jgarber at eng.utoledo.edu Fri Feb 6 20:23:14 1998
From: jgarber at eng.utoledo.edu (jeremy garber)
Date: Tue Dec 2 02:23:47 2003
Subject: NTDOM: Bug report clarification
Message-ID: <199802062023.PAA21075@bacchus.eng.utoledo.edu.eng.utoledo.edu>

> jeremy garber wrote:
> >
> > I downloaded the latest (I think) BRANCH_NTDOM code on Wednesday
> > (02/04/1998). I had to make several changes to the Makefile to get it to
> > complete. Solaris 2.5.1.
> >
> > Should I report those fixes on this list or submit them to samba-bugs?
> >
>
> Are you referring to the addition of smbgetpass.o to smbd and nmbd
> linking? That was the only one I had to change for a clean compile (
> under Solaris 2.5.1 of course ).
>
> In answer to your question, I believe that they should be reported to
> samba-bugs with the Subject beginning with NTDOM:
>
>
> j-
>
> --
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services                    Auburn University
> jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

Yes, I added smbgetpass.o to the definition of UTILOBJ. Probably not the
best place to put it, but it worked. Yes, I haven't had a great deal of
exposure to makefiles. Also had to add the definition of ARCFOUR_OBJ.
Shouldn't there at least be a comment and stub for us to fill in? I'm
not complaining... just trying to help out.

Luke did respond privately that samba-bugs is appropriate.
Jeremy

From nanik95 at indosat.net.id Sat Feb 7 09:33:08 1998
From: nanik95 at indosat.net.id (Nanik)
Date: Tue Dec 2 02:23:47 2003
Subject: SMB Info
Message-ID: <02ae53100100728MAIL2@indosat.net.id>

Dear friends,

Where could I find information about the SMB (Server Message Block)
Protocol ?

Thanks a lot

Regards
Nanik

From nanik95 at indosat.net.id Sat Feb 7 09:42:17 1998
From: nanik95 at indosat.net.id (Nanik)
Date: Tue Dec 2 02:23:47 2003
Subject: Sorry...newbie question.
Message-ID: <02a033500100728MAIL2@indosat.net.id>

Dear friends,

Please forgive me for my ignorant question, can anybody tell me what is
SAMBA ??

Thanks a lot

Regards
Nanik

From cartegw at Eng.Auburn.EDU Sat Feb 7 15:09:39 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: SMB Info
In-Reply-To: <02ae53100100728MAIL2@indosat.net.id>
Message-ID:

On Sat, 7 Feb 1998, Nanik wrote:

> Dear friends,
>
> Where could I find information about the SMB (Server Message Block)
> Protocol ?
>

RFC 1001 and 1002 and the files in /docs/ of the samba distribution are
very good.

Samba is software that allows a Unix box to serve files / printers to SMB
clients ( ie. microsoft ). Also can be set up as a domain controller for
Windows 95 / NT clients.

Perhaps you would find more general information on Samba in the
samba@samba.anu.edu.au list. See http://samba.anu.edu.au/listproc for
more info on the list server.

j
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From paul at argo.demon.co.uk Mon Feb 9 13:23:18 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:47 2003
Subject: Todo list
Message-ID: <199802091325.NAA24143@mail.bogo.co.uk>

I thought I'd try and enumerate some of the things that need doing and
hopefully get some volunteers to look into them, or at least provide
comments and pointers on them.

1. A FAQ - There's Luke's home page and some other docs in samba/docs to
   be used as a start, but it would be nice if it was all pulled together
   to start a regularly posted FAQ to this list.

2. PDC-BDC replication. We know that all the sensitive parts of the
   protocol are encrypted with a known RC4 key, but there are quite a few
   RPCs that need investigating and implementing for PDC-BDC replication
   (which may also apply to general replication). These include
   NetDatabaseSync2() and NetDatabaseDeltas(), plus some named pipe
   netbios "announce change to uas or sam" stuff.

3. Password changing. There seems to be dozens of ways to do this and the
   various mechanisms are documented in some of the cifs documents,
   microsoft ppp chap extensions, and other places. NetServerPasswordSet()
   should be an easy one that we haven't got around to yet. The nice one
   to have would be the CTRL-ALT-DEL password change one as that provides
   a plaintext password to the server in order that it can be quality
   checked. Decoding that one means that we can synchronise password
   databases with /etc/passwd providing the password is changed on the NT
   machine.

4. Web front ends to configuration management data. Until the whole
   protocol is implemented, it would be easier having a front end to new
   workstation creation, password changing, etc., so that RPCs for user
   manager for domains and others don't all have to be implemented (plus
   you get to be able to admin from Unix/Mac/win3.1).

5. Printing. As Luke pointed out, the whole of the spoolss named pipe
   subsystem needs to be implemented. This is quite a job.
   It would be nice to do so that printer drivers can be downloaded to
   workstations as in 95's PRINTER$ system (I'm assuming NT does this
   with RPCs).

6. Other subsystems. MS netmon lists R_DRSUAPI, R_INTERNET, R_LOGON,
   R_LSARPC, R_REMOTEAUTO, R_RXDS, R_SRVSVC, R_WINSIF, R_WINSPOOL as
   MSRPC services. It would be useful documenting to what extent each is
   known about, what exports (dumpbin/exports, quickview) are in the
   associated DLLs, etc. www.ntinternals.com winobj and nthandleex give
   you interesting info on which process is handling which named pipe,
   i.e. winlogon has the winreg named pipe open.

7. Tools. A description of the various tools that can be used to examine
   NT and network traffic and lists of resources with information. e.g.
   netmon, sourcer, softice, www.ntinternals.com, msdn, nt resource kit.
   For people more comfortable debugging Unix, did you know that the AT&T
   port of the NT domain control system is called Advanced Server for
   Unix, and the SCO version of this (AFPS) can be obtained for $20 as
   part of their educational and personal releases of Unixware?

8. Migration utilities. "How to migrate from your legacy NT server to
   Samba" :-). A step by step process on extracting the domain SID, user
   information with pwdump or pwdump2 (Todd Sabin's program that extracts
   password hashes even after SYSKEY has been installed by injecting a
   DLL into lsass.exe) and how to structure this into smb.conf.

Anything else people would like to see? Any comments? Any volunteers?

Cheers,
Paul

From cartegw at Eng.Auburn.EDU Mon Feb 9 13:58:11 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: Todo list
References: <199802091325.NAA24143@mail.bogo.co.uk>
Message-ID: <34DF0B73.108CF7A5@eng.auburn.edu>

Paul Ashton wrote:
>
> 1. A FAQ - There's Luke's home page and some other docs in
>    samba/docs to be used as a start, but it would be nice
>    if it was all pulled together to start a regularly
>    posted FAQ to this list.
>
> 3. Password changing. There seems to be dozens of ways to
>    do this and the various mechanisms are documented in
>    some of the cifs documents, microsoft ppp chap extensions,
>    and other places. NetServerPasswordSet() should be an
>    easy one that we haven't got around to yet. The nice
>    one to have would be the CTRL-ALT-DEL password change
>    one as that provides a plaintext password to the server
>    in order that it can be quality checked. Decoding that
>    one means that we can synchronise password databases
>    with /etc/passwd providing the password is changed on
>    the NT machine.
>

I start looking at these hopefully this afternoon. Anybody want to help?

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From michel at nijenrode.nl Mon Feb 9 14:23:28 1998
From: michel at nijenrode.nl (Michel)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
In-Reply-To: Your message of "Thu, 05 Feb 1998 08:35:29 +1100." <199802042134.VAA29130@ns.uk.ibm.net>
Message-ID: <199802091423.PAA18686@bordeaux.nijenrode.nl>

>
> You do need it. I think Luke took out the line saying you didn't
> need to do it.
>
> HOSTNAME$:uid:LMHASH:NTHASH:80
> with the password set to "hostname" in lower case.
[snip]

Well I did that, and modified it to :0080: as well... Still no luck
(unable to locate the domain controller for this domain).

Then, rather than using the system's tcpdump, I used tcpdump-smb.
Then something frightening happened:

The NT Wks queries for the PDC of the domain (or at least I think so),
and then samba replies with:

15:04:27.265907 elzas.nijenrode.nl.netbios-ns > quebec.nijenrode.nl.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
TrnID=0x83A8
OpCode=0
NmFlags=0x58
Rcode=3
QueryCount=0
AnswerCount=1
AuthorityCount=0
AddressRecCount=0
ResourceRecords:
Name=BLUBBER NameType=0x00 (Workstation)
ResType=0x0
ResClass=0x1100
TTL=12592
ResourceLength=13872
               ^^^^^
Eeeeeks!

I shall not include the resource data but it involves all kind of stuff
that has nothing to do with either elzas (the samba server) or quebec
(the NT wks), including what looks like an ENTIRE arp table. And I can't
believe 13k is a usual size for a query response ?

Then tcpdump-smb cores (and I even got the binary dist).

Does this help anyone in guessing what could be the problem ?

Michel.

From cartegw at Eng.Auburn.EDU Mon Feb 9 14:42:18 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
References: <199802091423.PAA18686@bordeaux.nijenrode.nl>
Message-ID: <34DF15CA.4DBF8A9@eng.auburn.edu>

Michel wrote:
>
> Well I did that, and modified it to :0080: as well... Still no luck
> (unable to locate the domain controller for this domain).
> Then, rather than using the system's tcpdump, I used tcpdump-smb.
> Then something frightening happened:
>
> The NT Wks queries for the PDC of the domain (or at least I think so),
> and then samba replies with:
> [...snip...]
>
> I shall not include the resource data but it involves all kind of stuff
> that has nothing to do with either elzas (the samba server) or quebec
> (the NT wks), including what looks like an ENTIRE arp table. And I can't
> believe 13k is a usual size for a query response ?
>
> Then tcpdump-smb cores (and I even got the binary dist).

Can I ask a few questions?

- What is the OS of the server?
- What compile flags are you using ( ie. -USE_ARCFOUR or any other ones
  added other than the standard ones defined in the OS section of the
  Makefile )?
- Can you send me a copy of your smb.conf file?
- When is the last time you updated your source code ( ie. ran cvs
  update -d -P )?

Need a little more information prior to wagering a guess.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From michel at nijenrode.nl Mon Feb 9 15:00:07 1998
From: michel at nijenrode.nl (Michel)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
In-Reply-To: Your message of "Mon, 09 Feb 1998 08:42:18 CST." <34DF15CA.4DBF8A9@eng.auburn.edu>
Message-ID: <199802091500.QAA20400@bordeaux.nijenrode.nl>

[regarding no PDC found by NT wks]

>
> - What is the OS of the server?

Linux redhat 4.2, 2.1.49 kernel (with PAM)

> - What compile flags are you using ( ie. -USE_ARCFOUR or any other ones
>   added other than the standard ones defined in the OS section of
>   the Makefile )?

Only the standard ones together with:

FLAGS1 = -O2 -DNTDOMAIN
FLAGSM = -DLINUX -DFAST_SHARE_MODES
LIBSM =

> - Can you send me a copy of your smb.conf file?

Sure, included below.

> - When is the last time you updated your source code ( ie. ran cvs
>   update -d -P )?

I grabbed the 18p2 dist from the ftp server recently, and built that
(after uninstalling the RPM for samba that already came with 4.2, and
verified that it was actually gone).

>
>
> Need a little more information prior to wagering a guess.

I understand. Hope this provides more (together with the emails that have
already been sent).

Michel.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/octet-stream Size: 935 bytes Desc: smb.conf Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980209/e1b1ee8e/attachment.obj From cartegw at Eng.Auburn.EDU Mon Feb 9 15:05:51 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:47 2003 Subject: Also no PDC found References: <199802091500.QAA20400@bordeaux.nijenrode.nl> Message-ID: <34DF1B4F.C9213654@eng.auburn.edu> Michel wrote: > > > > - When is the last time you updated your source code ( ie. ran cvs > > update -d -P )? > > I grabbed the 18p2 dist from the ftp server recently, and built that > (after uninstalling the RPM for samba that already came with 4.2, and > verified that it was actually gone). That would be your problem. You will need to get the CVS distribution of the BRANCH_NTDOM code. See http://samba.anu.edu.au/cvs.html for info regarding updating your code via CVS. The NTDOM code split off around 1.9.18alpha11 and is being developed along a separate path. Hope this helps. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From michel at nijenrode.nl Mon Feb 9 15:13:16 1998 From: michel at nijenrode.nl (Michel) Date: Tue Dec 2 02:23:47 2003 Subject: Also no PDC found In-Reply-To: Your message of "Mon, 09 Feb 1998 09:05:51 CST." <34DF1B4F.C9213654@eng.auburn.edu> Message-ID: <199802091513.QAA21062@bordeaux.nijenrode.nl> Silly me. My apologies for causing the unnecessary noise on the list. -- Michel van der Laan - michel@nijenrode.nl http://www.nijenrode.nl/~michel In your mail from 9-2-1998 you write: > Michel wrote: > > > > > > > - When is the last time you updated your source code ( ie. ran cvs > > > update -d -P )? 
> > > > I grabbed the 18p2 dist from the ftp server recently, and built that > > (after uninstalling the RPM for samba that already came with 4.2, and > > verified that it was actually gone). > > That would be your problem. You will need to get the CVS distribution > of the BRANCH_NTDOM code. See > > http://samba.anu.edu.au/cvs.html > > for info regarding updating your code via CVS. > > The NTDOM code split off around 1.9.18alpha11 and is being developed > along > a separate path. > > > Hope this helps. > > > > j- > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) From Jean-Francois.Micouleau at utc.fr Mon Feb 9 15:15:47 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:23:47 2003 Subject: Todo list In-Reply-To: <199802091325.NAA24143@mail.bogo.co.uk> Message-ID: On Tue, 10 Feb 1998, Paul Ashton wrote: > I thought I'd try and enumerate some of the things that need > doing and hopefully get some volunteers to look into them, > or at least provide comments and pointers on them. > [snip] > > 3. Password changing. There seems to be dozens of ways to > do this and the various mechanisms are documented in > some of the cifs documents, microsoft ppp chap extensions, > and other places. NetServerPasswordSet() should be an > easy one that we haven't got around to yet. The nice > one to have would be the CTRL-ALT-DEL password change > one as that provides a plaintext password to the server > in order that it can be quality checked. Decoding that Did you get a trace of this one already ? From what I understood on others lists the password is sent in form of encrypted challenge/response. Or I didn't understand at all which is also possible ! 
> one means that we can synchronise password databases
> with /etc/passwd providing the password is changed on
> the NT machine.
>
> 4. Web front ends to configuration management data. Until
> the whole protocol is implemented, it would be easier
> having a front end to new workstation creation,
> password changing, etc., so that RPCs for user manager
> for domains and others don't all have to be implemented
> (plus you get to be able to admin from Unix/Mac/win3.1).

Something has already been started by Andrew to manage smb.conf. I think it can be extended to handle the rest.

> 5. Printing. As Luke pointed out, the whole of the spoolss
> named pipe subsystem needs to be implemented. This is
> quite a job. It would be nice to do so that printer
> drivers can be downloaded to workstations as in 95's
> PRINTER$ system (I'm assuming NT does this with RPCs).

Yes you're right Paul. I took a lot of \\spoolss traces this week-end and the drivers are copied and set up this way. I'm not sure ALL the calls have to be implemented at once. But as Luke stated already there are a lot of calls and they are not all well documented in netmon.

> 6. Other subsystems. MS netmon lists R_DRSUAPI, R_INTERNET,
> R_LOGON, R_LSARPC, R_REMOTEAUTO, R_RXDS, R_SRVSVC,
> R_WINSIF, R_WINSPOOL as MSRPC services. It would be
> useful documenting to what extent each is known about,
> what exports (dumpbin/exports, quickview) are in the
> associated DLLs, etc.
> www.ntinternals.com winobj and nthandleex give you
> interesting info on which process is handling which
> named pipe, i.e. winlogon has the winreg named pipe
> open.

Yes, this is needed too because in the case of printing especially there are some calls to R_WINSPOOL to check the printers.

> 7. Tools. A description of the various tools that can be
> used to examine NT and network traffic and lists of
> resources with information. e.g. netmon, sourcer,
> softice, www.ntinternals.com, msdn, nt resource kit.

Yes yes, with links to the ones freely available !

> Anything else people would like to see?

YES : the support of NT ACL, Wins replication and LDAP support for NT5 (I'm already looking at it)

> Any comments?

I think some calls not implemented are badly missing like all the SMB NT commands (NT Create&X, NT transact, ...)

> Any volunteers?

me, That's one more :)

Jean Francois.
-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr           :
: Universite de           : Tel : 03 44 23 47 78        :
: Technologie de          : Service Informatique        :
: Compiegne France        : Division IRNM               :
-----------------------------------------------------------

From jar at ntu-kpi.kiev.ua Mon Feb 9 15:39:55 1998
From: jar at ntu-kpi.kiev.ua (Yaroslav L. Halchinsky)
Date: Tue Dec 2 02:23:47 2003
Subject: arcfour.c
Message-ID: <199802091539.RAA03355@ntu-kpi.kiev.ua>

Dear All!
Can anyone help me finding file `arcfour.c`?
Thank you!

Yaroslav Halchinsky

From haynesaj at bp.com Mon Feb 9 16:15:38 1998
From: haynesaj at bp.com (Haynes, Andrew J (DPR))
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
Message-ID:

I am new to SAMBA and this mail list, my background being entirely in NT. Forgive me if this is nothing to do with your problem, but from this last e-mail it looks like a NetBIOS name resolution issue.

In a purely NT network, this error is indicative of a name resolution problem; if it was a password/account issue the NT server normally returns an error code of c0000022 which is "STATUS_ACCESS_DENIED". If the Workstation or server trust accounts are wrong (COMPUTERNAME$), then the secure channel setup would fail with that error code.

Does the SAMBA server implement the required NetBIOS names for PDC and PDC/BDC location? These would be the DOMAIN[1B] (unique) name and the DOMAIN[1C] (group) name.
For ordinary secure channel setup, the workstation would query for DOMAIN[1C], either broadcast or via MS WINS and try every server on the list until it gets a response. If the workstation needed to find the PDC, then it queries for the DOMAIN[1B] name, the workstation normally only tries to find the PDC whenever a password needs to be updated, or the accounts database needs to be managed. I think the workstation sends a NetGetDCname command to the PDC (via DOMAIN[1B] NetBIOS) and the PDC then returns its server name. The workstation then queries for the PDC[20] (server service) name and then a connection to IPC$ is made. Typically when DNS is used for name resolution, rather than normal MS methods, the workstation sends a NetBIOS Adapter Status Message to the target system to obtain a copy of its local NetBIOS name table. The workstation would then check that table to see whether the [1B] or [1C] names have been registered by that system. Any comments ?, am I way off target here?. Cheers Andrew > -----Original Message----- > From: Michel [SMTP:michel@nijenrode.nl] > Sent: 09 February 1998 14:26 > To: Multiple recipients of list > Subject: Re: Also no PDC found > > > > > You do need it. I think Luke took out the line saying you didn't > > need to do it. > > > > HOSTNAME$:uid:LMHASH:NTHASH:80 > > with the password set to "hostname" in lower case. > > [snip] > > Well I did that, and modified it too :0080: as well... Still no luck > (unable to locate the domain controller for this domain). > Then, rather than using the system's tcpdump, I used tcpdump-smb. 
> Then something frightning happened: > > The NT Wks queries for the PDC of the domain (or at least I think so), > and then samba replies with: > > 15:04:27.265907 elzas.nijenrode.nl.netbios-ns > > quebec.nijenrode.nl.netbios-ns: > >>> NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST > TrnID=0x83A8 > OpCode=0 > NmFlags=0x58 > Rcode=3 > QueryCount=0 > AnswerCount=1 > AuthorityCount=0 > AddressRecCount=0 > > ResourceRecords: > Name=BLUBBER NameType=0x00 (Workstation) > ResType=0x0 > ResClass=0x1100 > TTL=12592 > ResourceLength=13872 > > ^^^^^ Eeeeeks! > > I shall not include the resource data but it involves all kind of stuff > that has nothing to do with either elzas (the samba server) or quebec (the > NT > wks), including what looks like an ENTIRE arp table. And I can't believe > 13k is a usual size for a query response ? > > Then tcpdump-sbm cores (and I even got the binary dist). > > Does this help anyone in guessing what could be the problem ? > > Michel. > From paul at argo.demon.co.uk Mon Feb 9 16:34:45 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:47 2003 Subject: Todo list In-Reply-To: References: <199802091325.NAA24143@mail.bogo.co.uk> Message-ID: <199802091637.QAA05067@mail.bogo.co.uk> At 15:15 09/02/98 , Jean-Francois Micouleau wrote: >On Tue, 10 Feb 1998, Paul Ashton wrote: >> 3. Password changing. There seems to be dozens of ways to >> do this and the various mechanisms are documented in >> some of the cifs documents, microsoft ppp chap extensions, >> and other places. NetServerPasswordSet() should be an >> easy one that we haven't got around to yet. The nice >> one to have would be the CTRL-ALT-DEL password change >> one as that provides a plaintext password to the server >> in order that it can be quality checked. Decoding that >Did you get a trace of this one already ? From what I understood on >others lists the password is sent in form of encrypted challenge/response. 
>Or I didn't understand at all which is also possible !

NTLM challenge response isn't really to do with password changing, just authentication.

I've got dozens of traces of NetServerPasswordSet. I'm sure it's just an encryption of the new OWF with the old one as a key. If you look in the MS CHAP extensions document it lists loads of ways of doing various forms of this. I originally thought it was just RC4(sk,newowf) but it wasn't. Just a bit of trial and error needed (or disassembly (or nice Mr. Leach tells us...)). At the moment we just reject the password change and leave it as "hostname" which also makes life easier.

The user password change seems to use an undocumented (i.e. undocumented as far as MS netmon is concerned) \samr pipe RPC call. And the whole of the RPC may be encrypted. Anyone familiar with DCE RPC might be able to help here (or anyone willing to download and print the specs).

The key to all this stuff is to use a checked build version of netlogon.dll. You can either get this off a checked build (i.e. debug version with additional assertions and symbols) NT CD, in MSDN, or you can download a checked build service pack from Microsoft (big!). Once you've done that,

net stop netlogon
copy netlogon.dll \winnt\system32 (maybe backup the old one)
regedt32 set HKLM\CCS\services\netlogon\parameters\DBFLAG REG_SZ 0x1fffffff
net start netlogon

This will create a directory \winnt\debug and a file netlogon.log. That file will contain all the interesting netlogon activities, session keys, and plaintext/ciphertext pairs. If you do it both on your workstation and an NT PDC you will see both sides of the protocol. If Samba is your PDC you will often see why something isn't working such as invalid computed credentials.
Paul

From paul at argo.demon.co.uk Mon Feb 9 16:43:58 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:47 2003
Subject: Also no PDC found
In-Reply-To:
Message-ID: <199802091644.QAA05495@mail.bogo.co.uk>

At 16:18 09/02/98 , Haynes, Andrew J (DPR) wrote:
>Does the SAMBA server implement the required NetBIOS names for PDC and
>PDC/BDC location?. These would be the DOMAIN[1B] (unique) name and the
>DOMAIN[1C] (group) name. For ordinary secure channel setup, the workstation
>would query for DOMAIN[1C], either broadcast or via MS WINS and try every
>server on the list until it gets a response.

Yes it does. They are all valid points, but often with Samba you will see a symptom that obscures the real cause of the problem (at least until the NTDOMAIN code has gone through several more iterations).

Paul

From valdand at soften.ktu.lt Mon Feb 9 17:15:03 1998
From: valdand at soften.ktu.lt (Valdas Andrulis)
Date: Tue Dec 2 02:23:47 2003
Subject: arcfour.c
In-Reply-To: <199802091539.RAA03355@ntu-kpi.kiev.ua>
Message-ID:

On Tue, 10 Feb 1998, Yaroslav L. Halchinsky wrote:

> Dear All!
> Can anyone help me finding file `arcfour.c`?
> Thank you!
>
> Yaroslav Halchinsky
>

<<<<
<<<<<>>>>>
<<<<

/*

  ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
  This cipher is widely believed and has been tested to be equivalent
  with the RC4 cipher from RSA Data Security, Inc.  (RC4 is a trademark
  of RSA Data Security)

*/

/*
 * $Id: arcfour.h,v 1.1.1.1 1996/02/18 21:38:11 ylo Exp $
 * $Log: arcfour.h,v $
 * Revision 1.1.1.1  1996/02/18 21:38:11  ylo
 *      Imported ssh-1.2.13.
 *
 * Revision 1.2  1995/07/13  01:30:25  ylo
 *      Added cvs log.
 *
 * $Endlog$
 */

#ifndef ARCFOUR_H
#define ARCFOUR_H

typedef struct
{
  unsigned int x;
  unsigned int y;
  unsigned char state[256];
} ArcfourContext;

/* Initializes the context and sets the key. */
void arcfour_init(ArcfourContext *ctx, const unsigned char *key,
                  unsigned int keylen);

/* Returns the next pseudo-random byte from the arcfour (pseudo-random
   generator) stream. */
unsigned int arcfour_byte(ArcfourContext *ctx);

/* Encrypts data. */
void arcfour_encrypt(ArcfourContext *ctx, unsigned char *dest,
                     const unsigned char *src, unsigned int len);

/* Decrypts data. */
void arcfour_decrypt(ArcfourContext *ctx, unsigned char *dest,
                     const unsigned char *src, unsigned int len);

#endif /* ARCFOUR_H */

<<<<
<<<<<>>>>>
<<<<

/*

  ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95).
  This cipher is widely believed and has been tested to be equivalent
  with the RC4 cipher from RSA Data Security, Inc.  (RC4 is a trademark
  of RSA Data Security)

*/

/*
 * $Id: arcfour.c,v 1.1.1.1 1996/02/18 21:38:11 ylo Exp $
 * $Log: arcfour.c,v $
 * Revision 1.1.1.1  1996/02/18 21:38:11  ylo
 *      Imported ssh-1.2.13.
 *
 * Revision 1.2  1995/07/13  01:29:59  ylo
 *      Added cvs log.
 *
 * $Endlog$
 */

#include <assert.h>
#include "arcfour.h"

/* arcfour added for SAMBA-NTDOMAIN: one-shot helper that keys a fresh
   context with a 16-byte key and transforms a single 16-byte block
   (encrypt and decrypt are the same operation for this cipher). */
void arcfour(unsigned char data[16], unsigned char data_out[16], unsigned char data_in[16])
{
  ArcfourContext ctx1;

  arcfour_init(&ctx1, data, 16);
  arcfour_encrypt(&ctx1, data_out, data_in, 16);
}

/* Key scheduling: fill the state with 0..255, then permute it using the
   key bytes, cycling through the key when it is shorter than 256 bytes. */
void arcfour_init(ArcfourContext *ctx, const unsigned char *key,
                  unsigned int key_len)
{
  unsigned int t, u;
  unsigned int keyindex;
  unsigned int stateindex;
  unsigned char* state;
  unsigned int counter;

  assert(key_len > 0);

  state = &ctx->state[0];
  ctx->x = 0;
  ctx->y = 0;
  for (counter = 0; counter < 256; counter++)
    state[counter] = counter;
  keyindex = 0;
  stateindex = 0;
  for (counter = 0; counter < 256; counter++)
    {
      t = state[counter];
      stateindex = (stateindex + key[keyindex] + t) & 0xff;
      u = state[stateindex];
      state[stateindex] = t;
      state[counter] = u;
      if (++keyindex >= key_len)
        keyindex = 0;
    }
}

/* One step of the keystream generator: advance x, add state[x] into y,
   swap the two state bytes and output the byte at their sum. */
inline unsigned int arcfour_byte(ArcfourContext *ctx)
{
  unsigned int x;
  unsigned int y;
  unsigned int sx, sy;
  unsigned char *state;

  state = ctx->state;
  x = (ctx->x + 1) & 0xff;
  sx = state[x];
  y = (sx + ctx->y) & 0xff;
  sy = state[y];
  ctx->x = x;
  ctx->y = y;
  state[y] = sx;
  state[x] = sy;
  return state[(sx + sy) & 0xff];
}

/* Stream cipher: XOR each input byte with the next keystream byte. */
void arcfour_encrypt(ArcfourContext *ctx, unsigned char *dest,
                     const unsigned char *src, unsigned int len)
{
  unsigned int i;
  for (i = 0; i < len; i++)
    dest[i] = src[i] ^ arcfour_byte(ctx);
}

/* Decryption is the same XOR with the same keystream. */
void arcfour_decrypt(ArcfourContext *ctx, unsigned char *dest,
                     const unsigned char *src, unsigned int len)
{
  arcfour_encrypt(ctx, dest, src, len);
}

VAldas

From jallison at whistle.com Mon Feb 9 20:57:04 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:47 2003
Subject: Todo list
References:
Message-ID: <34DF6DA0.446B9B3D@whistle.com>

Jean-Francois Micouleau wrote:
>
> I think some calls not implemented are badly missing like all the SMB NT
> commands (NT Create&X, NT transact, ...)
>

These are the NT specific SMBs - essentially they are another protocol level (hidden in a flag change :-). I am planning to implement these for the next major rev. of Samba (I have some sample code already....).

Jeremy Allison,
Samba Team.

--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Mon Feb 9 21:45:44 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:47 2003
Subject: arcfour.c
In-Reply-To: <199802091539.RAA03355@ntu-kpi.kiev.ua>
Message-ID:

http://mailhost.cb1.com/~lkcl/arcfour.c

On Tue, 10 Feb 1998, Yaroslav L. Halchinsky wrote:

> Dear All!
> Can anyone help me finding file `arcfour.c`?
> Thank you!
> > Yaroslav Halchinsky > Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From lkcl at switchboard.net Mon Feb 9 21:48:19 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:47 2003 Subject: arcfour.c In-Reply-To: Message-ID: you do realise that you have just broken ITAR restrictions regarding the export of encryption software, and so have i? luke On Tue, 10 Feb 1998, Valdas Andrulis wrote: > > > On Tue, 10 Feb 1998, Yaroslav L. Halchinsky wrote: > > > Dear All! > > Can anyone help me finding file `arcfour.c`? > > Thank you! > > > > Yaroslav Halchinsky > > > > > <<<< > <<<<<>>>>> > <<<< > > > /* > > ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95). > This cipher is widely believed and has been tested to be equivalent > with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark > of RSA Data Security) > > */ > > /* > * $Id: arcfour.h,v 1.1.1.1 1996/02/18 21:38:11 ylo Exp $ > * $Log: arcfour.h,v $ > * Revision 1.1.1.1 1996/02/18 21:38:11 ylo > * Imported ssh-1.2.13. > * > * Revision 1.2 1995/07/13 01:30:25 ylo > * Added cvs log. > * > * $Endlog$ > */ > > #ifndef ARCFOUR_H > #define ARCFOUR_H > > typedef struct > { > unsigned int x; > unsigned int y; > unsigned char state[256]; > } ArcfourContext; > > /* Initializes the context and sets the key. */ > void arcfour_init(ArcfourContext *ctx, const unsigned char *key, > unsigned int keylen); > > /* Returns the next pseudo-random byte from the arcfour (pseudo-random > generator) stream. */ > unsigned int arcfour_byte(ArcfourContext *ctx); > > /* Encrypts data. */ > void arcfour_encrypt(ArcfourContext *ctx, unsigned char *dest, > const unsigned char *src, unsigned int len); > > /* Decrypts data. 
*/ > void arcfour_decrypt(ArcfourContext *ctx, unsigned char *dest, > const unsigned char *src, unsigned int len); > > #endif /* ARCFOUR_H */ > > <<<< > <<<<<>>>>> > <<<< > > > /* > > ARCFOUR cipher (based on a cipher posted on the Usenet in Spring-95). > This cipher is widely believed and has been tested to be equivalent > with the RC4 cipher from RSA Data Security, Inc. (RC4 is a trademark > of RSA Data Security) > > */ > > /* > * $Id: arcfour.c,v 1.1.1.1 1996/02/18 21:38:11 ylo Exp $ > * $Log: arcfour.c,v $ > * Revision 1.1.1.1 1996/02/18 21:38:11 ylo > * Imported ssh-1.2.13. > * > * Revision 1.2 1995/07/13 01:29:59 ylo > * Added cvs log. > * > * $Endlog$ > */ > > #include "assert.h" > #include "arcfour.h" > > /* arcfour added for SAMBA-NTDOMAIN */ > > void arcfour(unsigned char data[16], unsigned char data_out[16], unsigned char data_in[16]) > { > ArcfourContext ctx1; > > arcfour_init(&ctx1, data, 16); > arcfour_encrypt(&ctx1, data_out, data_in, 16); > } > > void arcfour_init(ArcfourContext *ctx, const unsigned char *key, > unsigned int key_len) > { > unsigned int t, u; > unsigned int keyindex; > unsigned int stateindex; > unsigned char* state; > unsigned int counter; > > assert(key_len > 0); > > state = &ctx->state[0]; > ctx->x = 0; > ctx->y = 0; > for (counter = 0; counter < 256; counter++) > state[counter] = counter; > keyindex = 0; > stateindex = 0; > for (counter = 0; counter < 256; counter++) > { > t = state[counter]; > stateindex = (stateindex + key[keyindex] + t) & 0xff; > u = state[stateindex]; > state[stateindex] = t; > state[counter] = u; > if (++keyindex >= key_len) > keyindex = 0; > } > } > > inline unsigned int arcfour_byte(ArcfourContext *ctx) > { > unsigned int x; > unsigned int y; > unsigned int sx, sy; > unsigned char *state; > > state = ctx->state; > x = (ctx->x + 1) & 0xff; > sx = state[x]; > y = (sx + ctx->y) & 0xff; > sy = state[y]; > ctx->x = x; > ctx->y = y; > state[y] = sx; > state[x] = sy; > return state[(sx + sy) & 0xff]; > } > > void 
arcfour_encrypt(ArcfourContext *ctx, unsigned char *dest, > const unsigned char *src, unsigned int len) > { > unsigned int i; > for (i = 0; i < len; i++) > dest[i] = src[i] ^ arcfour_byte(ctx); > } > > void arcfour_decrypt(ArcfourContext *ctx, unsigned char *dest, > const unsigned char *src, unsigned int len) > { > arcfour_encrypt(ctx, dest, src, len); > } > > > > > VAldas > > Luke Kenneth Casson Leighton Samba and Network Development Samba and Network Consultancy From bpowell at osc.edu Tue Feb 10 16:59:11 1998 From: bpowell at osc.edu (Brian Powell) Date: Tue Dec 2 02:23:47 2003 Subject: Getting newest NTDOMAIN sources... In-Reply-To: <199802091513.QAA21062@bordeaux.nijenrode.nl> Message-ID: Hi, Hopefully this won't turn out to be a stupid question, but is the following all that is required to get the latest BRANCH_NTDOM source? I ask because what I got after running this looks like pretty old code. Is this more recent than the NTDOMAIN stuff in Samba-1.9.18p2 ? cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba Thanks in advance, -- Brian Powell (614) 292-6017 Sr. Programmer/Analyst, The Ohio Supercomputer Center PGP public key: "finger -l bpowell@osc.edu" (Key ID 6F4E0A0D) From michel at nijenrode.nl Tue Feb 10 17:02:23 1998 From: michel at nijenrode.nl (Michel) Date: Tue Dec 2 02:23:47 2003 Subject: Todo list In-Reply-To: Your message of "Tue, 10 Feb 1998 00:28:19 +1100." <199802091325.NAA24143@mail.bogo.co.uk> Message-ID: <199802101702.SAA13259@bordeaux.nijenrode.nl> What about domain trust relationships ? -- Michel van der Laan - michel@nijenrode.nl http://www.nijenrode.nl/~michel In your mail from 10-2-1998 you write: > I thought I'd try and enumerate some of the things that need > doing and hopefully get some volunteers to look into them, > or at least provide comments and pointers on them. > > 1. 
A FAQ - There's Luke's home page and some other docs in > samba/docs to be used as a start, but it would be nice > if it was all pulled together to start a regularly > posted FAQ to this list. > > 2. PDC-BDC replication > We know that all the sensitive parts of the protocol are > encrypted with a known RC4 key, but there are quite a > few RPCs that need investigating and implementing for > PDC-BDC replication (which may also apply to general > replication). These include NetDatabaseSync2() and > NetDatabaseDeltas(), plus some named pipe netbios > "announce change to uas or sam" stuff. > > 3. Password changing. There seems to be dozens of ways to > do this and the various mechanisms are documented in > some of the cifs documents, microsoft ppp chap extensions, > and other places. NetServerPasswordSet() should be an > easy one that we haven't got around to yet. The nice > one to have would be the CTRL-ALT-DEL password change > one as that provides a plaintext password to the server > in order that it can be quality checked. Decoding that > one means that we can synchonise password databases > with /etc/passwd providing the password is changed on > the NT machine. > > 4. Web front ends to configuration management data. Until > the whole protocol is implemented, it would be easier > having a front end to new workstation creation, > password changing, etc., so that RPCs for user manager > for domains and others don't all have to be implemented > (plus you get to be able to admin from Unix/Mac/win3.1). > > 5. Printing. As Luke pointed out, the whole of the spoolss > named pipe subsystem needs to be implemented. This is > quite a job. It would be nice to do so that printer > drivers can be downloaded to workstations as in 95's > PRINTER$ system (I'm assuming NT does this with RPCs). > > 6. Other subsystems. MS netmon lists R_DRSUAPI, R_INTERNET, > R_LOGON, R_LSARPC, R_REMOTEAUTO, R_RXDS, R_SRVSVC, > R_WINSIF, R_WINSPOOL as MSRPC services. 
It would be > useful documenting to what extent each is known about, > what exports (dumpbin/exports, quickview) are in the > associated DLLs, etc. > www.ntinternals.com winobj and nthandleex give you > interesting info on which process is handling which > named pipe, i.e. winlogon has the winreg named pipe > open. > > 7. Tools. A description of the various tools that can be > used to examine NT and network traffic and lists of > resources with information. e.g. netmon, sourcer, > softice, www.ntinternals.com, msdn, nt resource kit. > > For people more comfortable debugging Unix, did you > know that the AT&T port of the NT domain control > system is called Advanced Server for Unix, and the > SCO version of this (AFPS) can be obtained for $20 > as part of their educational and personal releases > of Unixware? > > 8. Migration utilities. "How to migrate from your legacy > NT server to Samba" :-). A step by step process on > extracting the domain SID, user information with > pwdump or pwdump2 (Todd Sabin's program that extracts > password hashes even after SYSKEY has been installed > by injecting a DLL into lsass.exe) and how to > structure this into smb.conf. > > Anything else people would like to see? > > Any comments? > > Any volunteers? > > Cheers, > > Paul From doverbey at att.com Tue Feb 10 17:38:45 1998 From: doverbey at att.com (Overbey, Alfred) Date: Tue Dec 2 02:23:47 2003 Subject: cvs branch Message-ID: How do I retrieve the latest SAMBA code, that with NT-Domain stuff, if I'm located behind a firewall? Thanks dudley doverbey@att.com From cartegw at Eng.Auburn.EDU Tue Feb 10 19:42:19 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:47 2003 Subject: Getting newest NTDOMAIN sources... References: Message-ID: <34E0AD9B.6A34F178@eng.auburn.edu> Brian Powell wrote: > > Hi, > Hopefully this won't turn out to be a stupid question, but is the > following all that is required to get the latest BRANCH_NTDOM source? 
I > ask because what I got after running this looks like pretty old code. > Is this more recent than the NTDOMAIN stuff in Samba-1.9.18p2 ? > > cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba That should do it and yes that is the latest source. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Tue Feb 10 21:26:34 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:47 2003 Subject: Todo list In-Reply-To: <199802101702.SAA13259@bordeaux.nijenrode.nl> Message-ID: good point. these are covered roughly under the trust relationships stuff. we already have workstation trust relationships. see source/lib/include/rpc_misc.h, look at ACB_WKSTRUST and other ACT_nnnTRUST account control bits. luke On Wed, 11 Feb 1998, Michel wrote: > What about domain trust relationships ? From achadwic at bsginc.com Tue Feb 10 21:08:57 1998 From: achadwic at bsginc.com (achadwic@bsginc.com) Date: Tue Dec 2 02:23:47 2003 Subject: Samba problem with digital modem Message-ID: <852565A7.0073D879.00@smtp.bsginc.com> I've got a friend that uses Samba in an NT network. He dials in via digital modem from his laptop. He can see the network and everything. However, he just can't print. Everyone else can print just fine. Also, when he plugs it into the network directly, he can print. just when dialing in using the modem, it doesn't. Any ideas? Anthony Chadwick From cartegw at Eng.Auburn.EDU Tue Feb 10 21:05:29 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. 
Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: cvs branch
References:
Message-ID: <34E0C119.3E9A808@eng.auburn.edu>

Overbey, Alfred wrote:
>
> How do I retrieve the latest SAMBA code, that with NT-Domain stuff, if
> I'm located behind a firewall?
>

Can you get it via ftp? If so I will post the latest source.

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From venere at dc.ufscar.br Wed Feb 11 01:38:19 1998
From: venere at dc.ufscar.br (The Intel OutSide !)
Date: Tue Dec 2 02:23:47 2003
Subject: Win95 client authentication with Samba
Message-ID: <34E10F1B.6535EFB2@dc.ufscar.br>

Hi,

First of all, I'm sorry if this sounds too newbie. But my question is:

- Is it possible to have a Samba PDC authenticate Windows 95 clients, or is this only possible with NT clients?
- If it's possible, what do I need to set it up?

My system is composed of 100+ Win95 clients and 2 AIX 4.1 which will be the PDC... I have two Solaris 2.5 machines that can be used too...

Thanks in advance for your help,

Guilherme Venere
-----------------------------------------------
Federal University of Sao Carlos - SP - Brazil
Computer Science Bacharel
Project: Secure Network Administration
-----------------------------------------------

From paul at argo.demon.co.uk Wed Feb 11 11:10:47 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:47 2003
Subject: Win95 client authentication with Samba
In-Reply-To: <34E10F1B.6535EFB2@dc.ufscar.br>
Message-ID: <199802111117.LAA35534@ns.uk.ibm.net>

At 01:30 11/02/98 , The Intel OutSide ! wrote:
>- Is it possible to have a Samba PDC authenticate Windows 95 clients, or
>is this only possible with NT clients?

Standard Samba already supports domain control support for '95 clients.
You don't need the PDC stuff for this. >- If it's possible, what i need to set it up? Get the latest Samba release from http://samba.anu.edu.au/samba/ and compile it, or find an existing compiled copy. Read the docs to configure it and go. Post any problems to the standard Samba mailing lists/newsgroups. Paul From lkcl at switchboard.net Wed Feb 11 12:53:07 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:47 2003 Subject: Samba problem with digital modem In-Reply-To: <852565A7.0073D879.00@smtp.bsginc.com> Message-ID: hi anthony, this question is more appropriately asked of the samba@samba.anu.edu.au list, as this list is for the discussion of development and administration of samba as a replacement for NT server. ok. it looks like your question might be appropriate to ask, according to that criteria :-) let me try and explain further, for everyone's benefit, and to help in writing a "welcome" note when first subscribing to this list. paul ashton and i managed to get domain logons working, for nt workstations, in samba, on the dce/rpc pipes named \PIPE\NETLOGON and \PIPE\lsarpc. unfortunately, once you do that, the nt workstation then thinks it's talking to an nt server, and assumes various bits of functionality exist. e.g \PIPE\srvsvc; \PIPE\spoolss; \PIPE\winreg. so when we first got domain logons working, we couldn't access files on another domain-enabled workstation; couldn't access _local_ files on an NTFS partition if you logged in a second time; could browse the Samba Server; you still can't print properly (but see instructions in http://samba.anu.edu.au/listproc/samba-ntdom/0039.html). some of this is now done. there is still lots more to do. printing is an o/s issue. directly answering your question, i don't know what the issues are: see if someone on the samba digest has dealt with this before, as there _may_ be a way to solve the problem if you use 1.9.18p2 (not BRANCH_NTDOM). 
if you use BRANCH_NTDOM, you are guaranteed to run into difficulties.

best regards,

luke

On Tue, 10 Feb 1998 achadwic@bsginc.com wrote:

>
> I've got a friend that uses Samba in an NT network. He dials in via
> digital modem from his laptop. He can see the network and everything.
> However, he just can't print. Everyone else can print just fine. Also,
> when he plugs it into the network directly, he can print. just when
> dialing in using the modem, it doesn't. Any ideas?
>
>
> Anthony Chadwick
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From st95moda at nts.mh.se Wed Feb 11 16:51:07 1998
From: st95moda at nts.mh.se (Daniel Mörtsjö)
Date: Tue Dec 2 02:23:47 2003
Subject: domain not available ??
Message-ID: <34E1D6FB.FCAFAE8F@nts.mh.se>

We are trying to set up samba as PDC. here is a copy of smb.conf:

debug level = 5
workgroup = SAMBA
domain sid = S-1-5-21-123-456-789-123
domain logons = yes
domain controller = yes
os level = 50
domain master = yes
prefered master = yes

[homes]
guest ok = no
read only = no

[printers]
path = /usr/spool/smbprinter
load printers = yes
writable = no
public = yes
printable = yes

We managed to join the domain samba, and when we rebooted the workstation and tried to log in it says "creating domainlist" and then "domain samba is not available" ???

We have created a computer account for the testcomputer and a testuser with smbpasswd. Have we missed something or what ??

/Daniel
--
Dept of Info Tech            Phone: Int. +46 60 148568
Midsweden Univ.              Fax: +46 60 148830
S-851 70 Sundsvall, Sweden   d@nts.mh.se

From bpowell at osc.edu Wed Feb 11 17:25:59 1998
From: bpowell at osc.edu (Brian Powell)
Date: Tue Dec 2 02:23:47 2003
Subject: Domain passwords...

Hello again Samba/NT-domain gurus,

First, I'd like to give a BIG thanks to all of you for your hard work on "decrypting" the MS domain protocols and implementing them in Samba.
It is truly a blessing that there are people like you out here on the Internet!

I fully realize that the Samba NTDOMAIN code is still in a rough test stage, but regardless, we are trying to set it up as our global login scheme for our NT machines. Luckily we are in a position with a little room for experimentation in this regard. So, on to my questions...

In the docs, it states that the users' passwords are not checked when logging into the NT workstations (and we have found this to indeed be the case). Why is that? Is it just that it is some kind of complicated process that you have not yet gotten to work, or is there some kind of design reason for this?

Is there some type of workaround or trick to ensure some kind of login authentication on the NT workstations in a Samba domain currently? How are others currently handling this problem?

Thanks again!

--
Brian Powell  (614) 292-6017
Sr. Programmer/Analyst, The Ohio Supercomputer Center
PGP public key: "finger -l bpowell@osc.edu" (Key ID 6F4E0A0D)

From cartegw at Eng.Auburn.EDU Wed Feb 11 18:29:57 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:47 2003
Subject: Domain passwords...
Message-ID: <34E1EE25.5501B5B7@eng.auburn.edu>

Brian Powell wrote:
>
> In the docs, it states that the users' passwords are not checked when
> logging into the NT workstations (and we have found this to indeed be
> the case). Why is that? Is it just that it is some kind of complicated
> process that you have not yet gotten to work, or is there some kind of
> design reason for this?

export laws regarding encryption. See the note about USE_ARCFOUR in docs/NTDOMAIN.txt

> Is there some type of workaround or trick to ensure some kind of login
> authentication on the NT workstations in a Samba domain currently? How
> are others currently handling this problem?

get arcfour.h and arcfour.c and compile using the USE_ARCFOUR option ( as stated above ).
j-
________________________________________________________________________
Gerald ( Jerry ) Carter          Engineering Network Services
Auburn University                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From bpowell at osc.edu Wed Feb 11 18:46:09 1998
From: bpowell at osc.edu (Brian Powell)
Date: Tue Dec 2 02:23:48 2003
Subject: Domain passwords (answered)...

My question has been answered, thanks! Sorry about not R-ing TFM :-) With so many options and readme files, it becomes easy to overlook things...

--
Brian Powell  (614) 292-6017
Sr. Programmer/Analyst, The Ohio Supercomputer Center
PGP public key: "finger -l bpowell@osc.edu" (Key ID 6F4E0A0D)

From lkcl at switchboard.net Wed Feb 11 19:54:23 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Domain passwords...

On Thu, 12 Feb 1998, Brian Powell wrote:

> Hello again Samba/NT-domain gurus,
>
> First, I'd like to give a BIG thanks to all of you for your hard work on
> "decrypting" the MS domain protocols and implementing them in Samba. It is
> truly a blessing that there are people like you out here on the Internet!
>
> I fully realize that the Samba NTDOMAIN code is still in a rough test stage,
> but regardless, we are trying to set it up as our global login scheme for our
> NT machines. Luckily we are in a position with a little room for
> experimentation in this regard. So, on to my questions...
>
> In the docs, it states that the users' passwords are not checked when logging
> into the NT workstations (and we have found this to indeed be the case).

http://samba.anu.edu.au/listproc/samba-ntdom/0061.html - see Makefile and source and NTDOMAIN.txt for references to ARCFOUR.
luke

From tls at trinity.unimelb.edu.au Thu Feb 12 07:39:58 1998
From: tls at trinity.unimelb.edu.au (Tyler Saxton)
Date: Tue Dec 2 02:23:48 2003
Subject: NTDOM: remote profile created, but automatic logoff?

I've been trying to get the BRANCH_NTDOM samba source code to work as a primary domain controller for some NT workstations in a small computer room.

In the smb.conf file, I have set:

logon path = \\samba-server\profiles\%U\profile

and when I try to log into the samba domain for the first time for a user, the directory %U/profile is created in the "profiles" share, and filled with ntuser.dat, and other directories and files like "application data", "desktop", etc. (All files are created with their names in lower case.)

So, it looks to me like the remote profile for the user is created successfully. However, after entering the username and password on the NT machine, what I see is the "Microsoft Windows NT Workstation 4.0..." logo disappear, leaving a blank background, and then after a short time, I get prompted to logon again, without any error messages or explanation.

I've also tried to copy a local profile across manually, using the System Control Panel, with the same results.

The DOMAIN.txt document mentions having to create a .PDS directory by hand... I'm not sure where exactly to do this (path), what to put in it, or if it's relevant -- At one stage NT did complain that it couldn't create a \\samba-server\profiles\user\profile.pds directory, but that was before I was getting profiles transferred across properly, I think. It doesn't say that now, anyway.

Does anyone have any suggestions what might be wrong?

---
Tyler Saxton           tls@cs.mu.oz.au
Student IT Manager     tls@trinity.unimelb.edu.au
Trinity College        (03) 9387 2383

From lkcl at switchboard.net Thu Feb 12 15:20:25 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: NTDOM: remote profile created, but automatic logoff?

On Thu, 12 Feb 1998, Tyler Saxton wrote:

>
> I've been trying to get the BRANCH_NTDOM samba source code to work as a
> primary domain controller for some NT workstations in a small computer
> room.
>
> In the smb.conf file, I have set:
>
> logon path = \\samba-server\profiles\%U\profile
>
> and when I try to log into the samba domain for the first time for a user,
> the directory %U/profile is created in the "profiles" share, and filled
> with ntuser.dat, and other directories and files like "application data",
> "desktop", etc. (All files are created with their names in lower case.)

check out the standard samba case sensitivity and case preserve options. see smb.conf.

> So, it looks to me like the remote profile for the user is created
> successfully. However, after entering the username and password on the NT
> machine, what I see is the "Microsoft Windows NT Workstation 4.0..." logo
> disappear, leaving a blank background, and then after a short time, I get
> prompted to logon again, without any error messages or explanation.

oops. bugger. ok. can you do the standard debugging procedure, which i would appreciate everyone doing if reporting difficulties like this:

- increase debug log levels to 150; check there are no "INTERNAL..." messages;

- core dump check (related to above)

- run NetMonitor on an NT server somewhere. first run NetMonitor, _then_ start smbd (killall smbd; ./smbd). this is important, as connections may have been established on the \PIPE\NETLOGON, and NetMonitor will not be able to decode things properly unless it "sees" the connection being established as well as the data.

- alternatively: run tcpdump, and obtain capconvert.c from the samba site ftp://samba.anu.edu.au/pub/samba/tcpdump-smb/capconvert.c and convert the tcpdump output to a .cap file.

> I've also tried to copy a local profile across manually, using the System
> Control Panel, with the same results.

hm. try _without_ a profile, what happens?
set profile path = ""

> The DOMAIN.txt document mentions having to create a .PDS directory by
> hand... I'm not sure where exactly to do this (path) what to put in it,
> or if it's relevant -- At one stage NT did complain that it couldn't
> create a \\samba-server\profiles\user\profile.pds directory, but that was
> before I was getting profiles transferred across properly, I think. It
> doesn't say that now, anyway.

good.

luke

From edw at detel.com Fri Feb 13 03:57:30 1998
From: edw at detel.com (Ed Weinberg)
Date: Tue Dec 2 02:23:48 2003
Subject: regular Samba list
Message-ID: <34e5c491.30163743@mail.detel.com>

How can I get on the regular Samba list?

--
Ed Weinberg, Detel, Inc., An Internet Presence Provider
edw@detel.com  www.detel.com/  www.serverking.com
www.q5.com/ <-- find someone to CoolTalk or chat with here

From cartegw at Eng.Auburn.EDU Fri Feb 13 11:26:32 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:48 2003
Subject: regular Samba list
In-Reply-To: <34e5c491.30163743@mail.detel.com>

On Fri, 13 Feb 1998, Ed Weinberg wrote:

> How can I get on the regular Samba list?
>

See http://samba.anu.edu.au/listproc

Should be instructions there.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter          Engineering Network Services
Auburn University                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From vgeisler at engineer.com Fri Feb 13 22:41:03 1998
From: vgeisler at engineer.com (Vince Geisler)
Date: Tue Dec 2 02:23:48 2003
Subject: Samba is clobbering NT 4.0S Primary domain controller
Message-ID: <01BD388D.6F4551C0@hal>

using samba 1.9.18.p1 precompiled rpm, I am having the problem of samba appearing to the NT 4.0 primary domain controller on our network as a backup domain controller..
If the NTserver gets rebooted the samba server will try to act as the domain controller (not very successfully) and won't give up control back to the primary domain controller when it comes back up. This has the effect of booting everyone off the network and locking up all the win 95 machines. This is not good :(

Why is this??? in smb.conf, I have tried to disable everything that I can find possibly relating to samba being a domain controller of any kind, primary or backup. Perhaps it's been compiled in (I have the rpm version).

Here's the global part of my smb.conf file

[global]
workgroup = CLOGIC
username map = /etc/user.map
comment = SMEGHEAD
volume = area51
printing = bsd
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba-log.%m
max log size = 50
short preserve case = yes
preserve case = yes

; Security and file integrity related options
lock directory = /var/lock/samba
locking = yes
strict locking = yes
share modes = yes

;SERVER uses a Windows NT Server
security = SERVER
Password server = OGOPOGO

; Performance Related Options
socket options = TCP_NODELAY

; Domain Control Options
; OS Level Windows NT = 32
os level = 1
; disables Samba from being the Domain Master Browser
domain master = no
domain controller = OGOPOGO
domain logons = yes

any ideas?? thanks in advance...

vince

From cartegw at Eng.Auburn.EDU Fri Feb 13 22:57:09 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:48 2003
Subject: Samba is clobbering NT 4.0S Primary domain controller
References: <01BD388D.6F4551C0@hal>
Message-ID: <34E4CFC5.F0662D9@eng.auburn.edu>

Vince Geisler wrote:
>
> using samba 1.9.18.p1 precompiled rpm, I am having the problem of samba
> appearing to the NT 4.0 primary domain controller on our network as a
> backup domain controller..
>
> If the NTserver gets rebooted the samba server will try to act as the
> domain controller(not very successfully) and won't give up control back
> to the primary domain controller when it comes back up. This has the
> effect of booting everyone off the network and locking up all the win 95
> machines. This is not good :(
>
> Why is this??? in smb.conf, I have tried to disable everything that I
> can find possibly relating to samba being a domain controller of any
> kind, primary or backup.
>
>
> [global]
> [snip]
> domain logons = yes
>

Why do you have this set to yes? Set it to 'no'. Yes tells samba that you would like to act as a domain controller. This doesn't have anything to do with the NT domain controller code per se. In fact, by using a precompiled version of 1.9.18p1 I would wager to say that the NT domain controller support ( what is there ) was not turned on.

BTW...The NT Domain code is being developed in a separate branch than the standard releases. The split started at 1.9.18alpha11 i think.

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter          Engineering Network Services
Auburn University                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From vgeisler at engineer.com Sat Feb 14 03:54:47 1998
From: vgeisler at engineer.com (Vince Geisler)
Date: Tue Dec 2 02:23:48 2003
Subject: Problems with smbmount and win95
Message-ID: <01BD38B9.409A4840@hal>

When i try to (smbmount ///c /mnt/net/c) i get the following obscure message

smb_dont_catch_keepalive: server -> data_ready ==null
mount error : invalid argument

if i try to smbmount a nt share it works no problem....

can anyone shed some light on this one ...
i have no clue where to begin (admitted newby)

T.I.A

vince

From lkcl at switchboard.net Sat Feb 14 18:52:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: NT LM SSPI and DCE/RPC

notes.

paul started looking at the "password change" function. press ctrl-alt-delete when logged in, select passwords button, change password.

this causes encrypted dce/rpc to be negotiated for \PIPE\samr, over which two apis are sent: 0x37 and 0x38. the encryption used is "NT LM SSPI".

however, paul has been using NT 3.51 talking to NT 4.0. there appears to be some interaction there that causes the dce/rpc "encrypted" \PIPE\samr to be dropped, and to go for unencrypted \PIPE\samr.

see RPC_AUTH_NTLMSSP_REQ and _RESP in lib/rpc/include/rpc_dce.h. paul unknown_3 in the _RESP structure as 0x82b1, and the unknown_0 in the _REQ structure as 0xb3b6. if this happens, then the pipe is closed, and re-opened without encryption.

further experimentation is needed, but a guess as to what is happening is that the response being returned indicates "i support version X of the NTLM SSP". the client doesn't support that version, so closes the connection, and re-opens with unencrypted RPC.

... which brings us on to the 0x37 and 0x38 pipes, in the clear. more on these later.

luke

From lkcl at switchboard.net Sat Feb 14 16:29:37 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: NTDOM: cvs archive problems. sorted?

for those people obtaining the cvs tag version BRANCH_NTDOM, you may have been experiencing difficulties. if you have a source/rpc_pipes, a source/mem_man and a source/ubiqx directory, then you have been.

it appears that there is a bug in cvs where if a directory does not exist in the main branch when you check out a tagged branch, it takes the files from the main branch. oops. this has been the source of lots of confusion.
i have therefore temporarily created some blank directories rpc_pipes, ubiqx and mem_man, to match those directories of the main branch.

i recommend that people re-checkout BRANCH_NTDOM in a totally new directory.

luke

From lkcl at switchboard.net Sat Feb 14 17:02:31 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: NTDOM: Subjects up for discussion. What to post.

To: samba-ntdom and samba mailing lists
---

The Samba NT Domains list is for the discussion of development and administration of "Samba NT capabilities". we are looking to develop its Primary and Backup Domain Controller capabilities, and basically make samba look like an NT server and like an NT workstation.

therefore, if you have the BRANCH_NTDOM version of Samba (available using public cvs), Microsoft Net Monitor, an NT server and several NT workstations and absolutely no Win95 machines, then you are the ideal person to be on the Samba NT Domains list. frequently we will need people to generate network traces, or to run gdb on a core dump, or to generate high debug level log files.

if you have the main Samba branch (available by ftp), no NT servers, no NT workstations, and predominantly Win95/WfWg/DOS machines, and have absolutely no intention of moving over to Windows NT at any time, then being on the Samba NT Domains list is simply going to take up space in your inbox, as it will be of no use to you.

so. if you have a problem and are considering posting to samba-ntdom, *please* make sure that

a) it's not been discussed before (see http://samba.anu.edu.au/listproc/samba-ntdom)
b) it's related to the NT Domains development.
c) it's *not* a general "Samba configuration or Samba administration" problem.

for those people who are very kindly responding to posters on samba-ntdom, i would be very grateful if you could reply with references to articles in the archives, if a previous article contains information relevant to another posting.
how to tell if a posting is relevant to samba-ntdom:

1) you're familiar with Samba and its configuration (current version, 1.9.18p2)

2) you've downloaded BRANCH_NTDOM, read, understood and followed docs/NTDOMAIN.txt.

3) you're using NT workstation or NT server (not Win95)

4) things are falling over: you've read the samba-ntdom archives; the problem isn't mentioned there, and doesn't go away.

5) some functionality is missing (an NT administration tool reports an obscure error "The RPC call failed"); you've increased the debug log levels, and noticed an "Unsupported API" or other message in log.smb: you've read the samba-ntdom archives, and it's not reported in there.

thank you.

luke (samba team)

From andre at lme.usp.br Mon Feb 16 19:47:26 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:48 2003
Subject: Internal error being generated in LSA_LOOKUPSIDS
Message-ID: <3.0.1.32.19980216164726.0091f840@ws10.lme.usp.br>

Hello,

I am getting the following error in my NT Wksta machine log file (the NT workstation is denying access to any domain user after this error occurs):

It appears to be coming from the LSA_LOOKUPSIDS RPC call

debug level 3:

api_rpc_command: LSA_LOOKUPSIDS
===============================================================
INTERNAL ERROR: Signal 11 in pid 768 (ntdom-1.9.18alpha14)
Please read the file BUGS.txt in the distribution
===============================================================
chdir to /
Closing connections
02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service IPC$
Yielding connection to 12 IPC$
02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service aluno3
Yielding connection to 58 aluno3
Yielding connection to 58 STATUS.
02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service winsrv
Yielding connection to 72 winsrv
Yielding connection to 72 STATUS.
Yield successful
fd_attempt_close on file_fd_struct 0, fd = 6, dev = 808, inode = 245cb, open_flags = 0, ref_count = 1.
02/16/1998 11:08:11 aluno3 closed file MSOffice/Access/SOA300.DLL (numopen=0)
Last message was SMBtrans
size=188
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=12
smb_pid=51966
smb_uid=101
smb_mid=11712
smt_wct=16
smb_vwv[0]=0 (0x0)
smb_vwv[1]=112 (0x70)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=76 (0x4C)
smb_vwv[11]=112 (0x70)

Increasing the debug level to 5:

api_rpc_command: api_ntlsa_rpc op 0xf - api_rpc_command: LSA_LOOKUPSIDS
000018 lsa_io_q_lookup_sids
000018 data: 00 00 00 00 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
00002c num_entries : 00000002
000030 ptr_sid_enum: 00154238
000034 num_entries2: 00000002
000038 ptr_sid[0]: 00154e20
00003c ptr_sid[1]: 00154e44
000040 num_auths: 00000006
000044 sid_rev_num: 01
000045 num_auths : 06
000046 id_auth[0] : 00
000047 id_auth[1] : 00
000048 id_auth[2] : 00
000049 id_auth[3] : 00
00004a id_auth[4] : 00
00004b id_auth[5] : 05
00004c sub_auths : 00000015 0000007b 000001c8 00000315 0000007b 000005dc
000064 num_auths: 00000006
000068 sid_rev_num: 01
000069 num_auths : 06
00006a id_auth[0] : 00
00006b id_auth[1] : 00
00006c id_auth[2] : 00
00006d id_auth[3] : 00
00006e id_auth[4] : 00
00006f id_auth[5] : 05
000070 sub_auths : 00000015 0000007b 000001c8 00000315 0000007b 000005dc
000088 num_entries : 00000000
00008c ptr_trans_names: 00000000
000090 num_entries2 : 000f0002
===============================================================
INTERNAL ERROR: Signal 11 in pid 533 (ntdom-1.9.18alpha14)
Please read the file BUGS.txt in the distribution
===============================================================
chdir to /
unbecome_user now uid=(0,0) gid=(0,0)
Closing connections
02/16/1998 15:32:24 1micro1 (143.107.70.218) closed connection to service
netlogon
Yielding connection to 6 netlogon
Yielding connection to 6 STATUS.
Yield successful
closing dptr key 0
closing dptr key 1
closing dptr key 2
closing dptr key 3
02/16/1998 15:32:24 1micro1 (143.107.70.218) closed connection to service winsrv
Yielding connection to 11 winsrv
Yielding connection to 11 STATUS.
Yield successful
02/16/1998 15:32:24 1micro1 (143.107.70.218) closed connection to service IPC$
Yielding connection to 12 IPC$
02/16/1998 15:32:24 1micro1 (143.107.70.218) closed connection to service aluno1
Yielding connection to 61 aluno1
Yielding connection to 61 STATUS.
Yield successful
02/16/1998 15:32:24 1micro1 (143.107.70.218) closed connection to service lp
Yielding connection to 109 lp
Yielding connection to 109 STATUS.
Yield successful
Last message was SMBtrans
size=228
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=12
smb_pid=51966
smb_uid=100
smb_mid=10752
smt_wct=16
smb_vwv[0]=0 (0x0)
smb_vwv[1]=152 (0x98)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=76 (0x4C)
smb_vwv[11]=152 (0x98)
smb_vwv[12]=76 (0x4C)
smb_vwv[13]=2 (0x2)
smb_vwv[14]=38 (0x26)
smb_vwv[15]=2050 (0x802)
smb_bcc=161
[000] 5C 50 49 50 45 5C 00 5C  00 05 00 00 03 10 00 00  \PIPE\.\ ........
[010] 00 98 00 00 00 04 00 00  00 80 00 00 00 00 00 0F  ........ ........
[020] 00 00 00 00 00 04 05 06  07 08 09 0A 0B 0C 0D 0E  ........ ........
[030] 0F 10 11 12 13 02 00 00  00 38 42 15 00 02 00 00  ........ .8B.....
[040] 00 20 4E 15 00 44 4E 15  00 06 00 00 00 01 06 00  . N..DN. ........
[050] 00 00 00 00 05 15 00 00  00 7B 00 00 00 C8 01 00  ........ .{......
[060] 00 15 03 00 00 7B 00 00  00 DC 05 00 00 06 00 00  .....{.. ........
[070] 00 01 06 00 00 00 00 00  05 15 00 00 00 7B 00 00  ........ .....{..
[080] 00 C8 01 00 00 15 03 00  00 7B 00 00 00 DC 05 00  ........ .{......
[090] 00 00 00 00 00 00 00 00  00 02 00 0F 00 00 00 00  ........ ........
[0A0] 00                                                .
===============================================================
Core limits now 4194304 2147483647
Dumping core in /usr/local/samba/var/corefiles
No core file are being generated in /usr/local/samba/var/corefiles

Previous RPC commands that also appear in the log file:

LSA_OPENPOLICY
LSA_QUERYINFOPOLICY

The NT workstation is denying access after this error occurs ...

Unfortunately, I don't know what I have done to cause this problem, so currently I am not able to reproduce in a precise way what is happening.

If anyone has any hint on how to debug this more precisely, I would be glad to know ...

Sincerely,

Andre Gerhard
Systems/Network Administrator
Universidade de Sao Paulo - SP - BRAZIL

From lkcl at switchboard.net Mon Feb 16 20:24:29 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Internal error being generated in LSA_LOOKUPSIDS
In-Reply-To: <3.0.1.32.19980216164726.0091f840@ws10.lme.usp.br>

On Tue, 17 Feb 1998, Andre Gerhard wrote:

> Hello,
>
>
> I am getting the following error in my NT Wksta machine log file
> (the NT workstation is denying access to any domain user after this
> error occurs):
>
> It appears to be coming from the LSA_LOOKUPSIDS RPC call
>
> debug level 3:
>
> api_rpc_command: LSA_LOOKUPSIDS
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 768 (ntdom-1.9.18alpha14)
> Please read the file BUGS.txt in the distribution
> ===============================================================
>
> chdir to /
> Closing connections
> 02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service IPC$
> Yielding connection to 12 IPC$
> 02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service aluno3
> Yielding connection to 58 aluno3
> Yielding connection to 58 STATUS.
> Yield successful
> 02/16/1998 11:08:11 1micro1 (143.107.70.218) closed connection to service winsrv
> Yielding connection to 72 winsrv
> Yielding connection to 72 STATUS.
> Yield successful
> fd_attempt_close on file_fd_struct 0, fd = 6, dev = 808, inode = 245cb, open_flags = 0, ref_count = 1.
> 02/16/1998 11:08:11 aluno3 closed file MSOffice/Access/SOA300.DLL (numopen=0)
> Last message was SMBtrans
> size=188
> smb_com=0x25
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=24
> smb_flg2=3
> smb_tid=12
> smb_pid=51966
> smb_uid=101
> smb_mid=11712
> smt_wct=16
> smb_vwv[0]=0 (0x0)
> smb_vwv[1]=112 (0x70)
> smb_vwv[2]=0 (0x0)
> smb_vwv[3]=1024 (0x400)
> smb_vwv[4]=0 (0x0)
> smb_vwv[5]=0 (0x0)
> smb_vwv[6]=0 (0x0)
> smb_vwv[7]=0 (0x0)
> smb_vwv[8]=0 (0x0)
> smb_vwv[9]=0 (0x0)
> smb_vwv[10]=76 (0x4C)
> smb_vwv[11]=112 (0x70)
>
>
> Increasing the debug level to 5:
>
>
> api_rpc_command: api_ntlsa_rpc op 0xf - api_rpc_command: LSA_LOOKUPSIDS
> 000018 lsa_io_q_lookup_sids
> 000018 data: 00 00 00 00 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13
> 00002c num_entries : 00000002
> 000030 ptr_sid_enum: 00154238
> 000034 num_entries2: 00000002
> 000038 ptr_sid[0]: 00154e20
> 00003c ptr_sid[1]: 00154e44
> 000040 num_auths: 00000006
> 000044 sid_rev_num: 01
> 000045 num_auths : 06
> 000046 id_auth[0] : 00
> 000047 id_auth[1] : 00
> 000048 id_auth[2] : 00
> 000049 id_auth[3] : 00
> 00004a id_auth[4] : 00
> 00004b id_auth[5] : 05
> 00004c sub_auths : 00000015 0000007b 000001c8 00000315 0000007b 000005dc
> 000064 num_auths: 00000006
> 000068 sid_rev_num: 01
> 000069 num_auths : 06
> 00006a id_auth[0] : 00
> 00006b id_auth[1] : 00
> 00006c id_auth[2] : 00
> 00006d id_auth[3] : 00
> 00006e id_auth[4] : 00
> 00006f id_auth[5] : 05
> 000070 sub_auths : 00000015 0000007b 000001c8 00000315 0000007b 000005dc
> 000088 num_entries : 00000000
> 00008c ptr_trans_names: 00000000
> 000090 num_entries2 : 000f0002
>
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 533 (ntdom-1.9.18alpha14)
> Please read the file BUGS.txt in the distribution
> ===============================================================
> ===============================================================
> Core limits now 4194304 2147483647
> Dumping core in /usr/local/samba/var/corefiles
> No core file are being generated in /usr/local/samba/var/corefiles
> Unfortunately, I don't know what I have done to cause this problem,
> so currently I am not being able to reproduce in a precise way what is
> happening.
>
> If anyone have any hint in how to debug more precisely this,
> I would be glad to know ...

this is the kind of detailed report that i like to see: thanks, andre.

ok. under these circumstances, what i usually do is gdb smbd [process number] then continue. make sure you attach to the right smbd process, i.e. _after_ a connection has been established. don't leave the process paused for too long, or the nt wksta will time out, and you'll have to start again.

then when the error occurs, it will trap on exactly the right line number. well, that's assuming that the stack isn't overwritten (x86), and assuming you've compiled with -g -g.

try looking elsewhere for the core dump, by the way: it sometimes lies about the location.

what else... oh, yes: just add lots of DEBUG(5,("trans_names(%d): %d\n", __LINE__, num_entries or other useful debug info)); statements, doing a binary search on the problem. if it's reproducible, that is. in this instance, andre, you say it isn't.

however, if you are accessing a file on your local system (or a profile) then the NT wksta looks up the RID (i've seen this happen, but only once or twice). as it does this, it sends a LsaLookupSids call, to the PDC (the samba server). unfortunately, something's going wrong with this call. gotta sort it out, too...
lukes

From twot at netpath.net Tue Feb 17 01:54:38 1998
From: twot at netpath.net (LMS)
Date: Tue Dec 2 02:23:48 2003
Subject: Problems with smbmount and win95
References: <01BD38B9.409A4840@hal>
Message-ID: <34E8EDDE.80CFD2E4@netpath.net>

Vince Geisler wrote:
> When i try to (smbmount ///c /mnt/net/c) i get the following obscure message
> smb_dont_catch_keepalive: server -> data_ready ==null
> mount error : invalid argument
>
> if i try to smbmount a nt share it works no problem....
>
> can anyone shed some light on this one ... i have no clue where to begin (admitted newby)
>
> T.I.A
>
> vince

You will have to use "User level Security" on Win95 as opposed to "Share level security". Then, you will have to import a list of users from the Domain controller. Just use Everyone and full access to test it out, then start restricting from there.

Hope this helps.

--
Duane
"Very good, you catch on quick!"
twot@netpath.net

From lkcl at switchboard.net Tue Feb 17 15:48:40 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: encrypted DCE/RPC - progress.

paul ashton is exploring the nt lm ssp interface, and the password changing (samr commands 0x38 and 0x37).

i've added dce/rpc parsing support for the "authentication verification" (to be tested shortly :-) in the bind / bind ack, but not the encryption of the "stub data".

we don't know what the nt lm ssp encryption is: the default appears to be rc4, but we don't know what the key is. 8 bytes come from the client, 8 from the server, and there should be some fancy function to create a key for the rc4 decryption. absolutely no idea.

onward and upwards...

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From umittiric at bdp.com.tr Tue Feb 17 15:11:42 1998
From: umittiric at bdp.com.tr (Umit TIRIC)
Date: Tue Dec 2 02:23:48 2003
Subject: Can I use Samba as a PDC on network???
Message-ID: <002201bd3bb6$5b60d040$dd40aec3@tiric.bdp.com.tr>

is it possible to use Samba as a PDC on a domain.

Umit TIRIC
umit@tiric.net
tiric@linux.org.tr

Put your hand on a hot stove for a minute, and it seems like an hour.
Sit with a pretty girl for an hour, and it seems like a minute. That's
relativity.
Albert Einstein

From lkcl at switchboard.net Tue Feb 17 16:46:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Archive Summary
In-Reply-To: <002201bd3bb6$5b60d040$dd40aec3@tiric.bdp.com.tr>
Message-ID:

What's current; Issues; Status:

http://samba.anu.edu.au/listproc/samba-ntdom/0022.html
http://samba.anu.edu.au/listproc/samba-ntdom/0039.html
http://samba.anu.edu.au/listproc/samba-ntdom/0043.html
http://samba.anu.edu.au/listproc/samba-ntdom/0038.html

Todo list [thread]:

http://samba.anu.edu.au/listproc/samba-ntdom/0047.html
http://samba.anu.edu.au/listproc/samba-ntdom/0048.html
http://samba.anu.edu.au/listproc/samba-ntdom/0054.html
http://samba.anu.edu.au/listproc/samba-ntdom/0060.html
http://samba.anu.edu.au/listproc/samba-ntdom/0064.html
http://samba.anu.edu.au/listproc/samba-ntdom/0067.html

Debugging:

http://samba.anu.edu.au/listproc/samba-ntdom/0079.html
http://samba.anu.edu.au/listproc/samba-ntdom/0089.html

Gotchas (e.g ARCFOUR):

http://samba.anu.edu.au/listproc/samba-ntdom/0083.html
http://samba.anu.edu.au/listproc/samba-ntdom/0075.html
http://samba.anu.edu.au/listproc/samba-ntdom/0061.html

From lkcl at switchboard.net Tue Feb 17 16:49:23 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Can I use Samba as a PDC on network???
In-Reply-To: <002201bd3bb6$5b60d040$dd40aec3@tiric.bdp.com.tr>
Message-ID:

hi umit,

for your and other peoples' benefit, i've created a brief summary, which is likely to become http://samba.anu.edu.au/listproc/samba-ntdom/0092.html unless someone else posts first!
luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

On Wed, 18 Feb 1998, Umit TIRIC wrote:

> is it possible to use Samba as a PDC on a domain.
> Umit TIRIC
> umit@tiric.net
> tiric@linux.org.tr
> Put your hand on a hot stove for a minute, and it seems like an hour.
> Sit with a pretty girl for an hour, and it seems like a minute. That's
> relativity.
> Albert Einstein

From paul at argo.demon.co.uk Tue Feb 17 16:10:28 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:48 2003
Subject: encrypted DCE/RPC - progress.
In-Reply-To:
Message-ID: <199802171611.QAA26298@ns.uk.ibm.net>

At 15:06 17/02/98 , Luke Kenneth Casson Leighton wrote:
>we don't know what the nt lm ssp encryption is: the default appears to be
>rc4, but we don't know what the key is. 8 bytes come from the client, 8
>from the server, and there should be some fancy function to create a key
>for the rc4 decryption.

The NTLM SSP is contained in security.dll. Security.dll contains an implementation of rc4 internally (I don't know why it doesn't call the equivalent systemfunctionNNN()). It also calls systemfunction008 at some point which I've never really looked at other than to note that it is a form of DES.

This form of NTLM is just like all the others in SMB, HTTP, etc. in which the server issues an 8 byte challenge and the client responds with a 24 byte response which is a function of your password hash and the challenge. As a side effect, providing you aren't in France(?) (there is an internal call to IsEncryptionPermitted() that checks which locale is in use), it produces a key to provide packet integrity and perhaps confidentiality.

We don't *need* to bother with this at the moment since we can get the client to forget about encrypting the packet if we respond with a certain set of flags in the RPC authentication trailer where the NTLMSSP data is stored. However it would be nice to find out what the key is.
It won't be much effort to do, just a bit tedious setting up the debugger and writing a few test programs (or do it all from a disassembly). A lot of this information is available by finding various documents such as ntsspi.doc, linux-dce-rpc source, kb articles, microsoft chap extensions rfc, sspi.h and other header files in the win32 sdk and sample programs, CIFS docs, dejanews and search engines. It just takes quite a bit of time to find it.

It would be nice if someone would like to tackle the NetServerPasswordSet RPC which is likely to be an implementation of one of the algorithms in the above documents. All it requires is a bit of research and the ability to write a few simple C programs to do stuff like DES and RC4 (using existing libraries). You don't even have to have an NT server and workstation, just someone willing to send some ASCII netmon dumps.

Cheers,
Paul

From cartegw at Eng.Auburn.EDU Tue Feb 17 16:34:40 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:48 2003
Subject: Archive Summary
References:
Message-ID: <34E9BC20.33657909@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> What's current; Issues; Status:
>
> http://samba.anu.edu.au/listproc/samba-ntdom/0022.html

Luke,

The issue I reported in the above message has been fixed by some of the latest updates to the BRANCH_NTDOM code. At least I am unable to reproduce the problem any more. Sorry I was unable to pinpoint the problem before it got fixed.

j-

--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Tue Feb 17 17:29:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Archive Summary
In-Reply-To: <34E9BC20.33657909@eng.auburn.edu>
Message-ID:

On Wed, 18 Feb 1998, Gerald W. Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > What's current; Issues; Status:
> >
> > http://samba.anu.edu.au/listproc/samba-ntdom/0022.html
>
> Luke,
>
> The issue I reported in the above message has been fixed by some of the
> latest updates to the BRANCH_NTDOM code. At least I am unable to
> reproduce the problem any more.

oh, bog.

> Sorry I was unable to pin point the problem

no worries.

> before it got fixed.

don't count on it - there's bound to be some more!

ta, gerald.

From lkcl at switchboard.net Tue Feb 17 17:43:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: encrypted DCE/RPC - progress.
In-Reply-To:
Message-ID:

On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:

> paul ashton is exploring the nt lm ssp interface, and the password
> changing (samr commands 0x38 and 0x37). i've added dce/rpc parsing
> support for the "authentication verification" (to be tested shortly :-) in
> the bind / bind ack, but not the encryption of the "stub data".

just noticed that this is a 16 byte key from the server, 8 bytes of which are zero. there's nothing from the client in the bind request.

client-> rpc bind req (negotiate nt lm ssp)
server-> rpc bind resp (confirm nt lm ssp, send 16 byte stuff)
client-> rpc request - stub data plus 16 byte "authenticator".
server-> rpc response - stub data plus 16 byte "authenticator".

luke

From cartegw at Eng.Auburn.EDU Tue Feb 17 17:02:24 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:48 2003
Subject: Samba-NTDOM faq
References:
Message-ID: <34E9C2A0.B7399897@eng.auburn.edu>

Greetings

I was about to start working on a FAQ for the samba-ntdom code ( at least get started on it ) and had a few general ideas for topics.

- How to get the BRANCH_NTDOM code
- ARCFOUR issues
- Printing
- Location of on-line documentation ( Luke's site, MS, etc... )
- Tools available for debugging setup ( Netmon, tcpdump, etc... )

Other ideas?

j-

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Tue Feb 17 18:08:54 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: encrypted DCE/RPC - progress.
In-Reply-To: <199802171611.QAA26298@ns.uk.ibm.net>
Message-ID:

On Wed, 18 Feb 1998, Paul Ashton wrote:

> At 15:06 17/02/98 , Luke Kenneth Casson Leighton wrote:
> >we don't know what the nt lm ssp encryption is: the default appears to be
> >rc4, but we don't know what the key is. 8 bytes come from the client, 8
> >from the server, and there should be some fancy function to create a key
> >for the rc4 decryption.
>
> The NTLM SSP is contained in security.dll. Security.dll contains an
> implementation of rc4 internally (I don't know why it doesn't call
> the equivalent systemfunctionNNN()). It also calls systemfunction008
> at some point which I've never really looked at other than to note
> that it is form of DES.

[probably a... 8challenge/24response calculator. which i have some vague - 4 months ago - recollection is used in NETLOGON.DLL].

> This form of NTLM is just like all
> the others in SMB, HTTP, etc. in which the server issues an 8
> byte challenge and the client responds with a 24 byte response
> which is a function of your password hash and the challenge.

but... but... ah, ok. so the "bind ack response" contains the 8 byte challenge? but... but... where does the "24 byte response" come in to play? i've missed something, haven't i.

all i've seen so far is:

client -> bind req (no auth stuff)
server -> bind ack (8 byte challenge, padded to 16 bytes)
client -> rpc request (with 16 byte "authentication verifier")
server -> rpc response (with 16 byte "authentication verifier")

and unless i'm missing something, there's no 24 byte response in there. i'll have another look at the netmonitor trace, though.

> [...]
> (or do it all from a disassembly).

could people on this list please bear in mind the following:

according to ec law, where information required for interoperability is not available by any other means, reverse engineering is not considered to be illegal.

some people may, however, be seriously offended (the person responsible for these archives) if anyone posts reverse engineered source code to this list.

please therefore only publish specifications to this list and simultaneously to other lists / newsgroups.

> It would be nice if someone would like to tackle the
> NetServerPasswordSet RPC which is likely to be an
> implementation of one of the algorithms in the above
> documents. All it requires is a bit of research and
> the ability to write a few simple C programs to do
> stuff like DES and RC4 (using existing libraries).
> You don't even have to have an NT server and workstation,
> just someone willing to send some ASCII netmon dumps.

... to be sent, you mean? hm. i think there were some people who offered to write small programs, a few months ago: i had some byte ordering issues to contend with on sparcs.

do we have any programmers on this list?
lukes

From lkcl at switchboard.net Tue Feb 17 18:14:54 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Samba-NTDOM faq
In-Reply-To: <34E9C2A0.B7399897@eng.auburn.edu>
Message-ID:

gerald,

NTDOMAIN.txt was the original starting point for compilation / other instructions. if you wanted to expand this, split it into sub-sections, or write something different, please do.

the main samba documentation is written in .sgml these days, by the way.

luke

On Wed, 18 Feb 1998, Gerald W. Carter wrote:

> Greetings
>
> I was about to start working on a FAQ for the samba-ntdom code ( at
> least get started on it ) and had a few general idea for topics.
>
> - How to get the BRANCH_NTDOM code
> - ARCFOUR issues
> - Printing
> - Location on on-line documentation ( Luke's site, MS, etc... )
> - Tools available for debugging setup ( Netmon, tcpdump, etc... )
>
> Other ideas?

advising people that as this project is to make samba look like an NT Primary Domain Controller, familiarity with NT administration, and with the Primary Domain Controller spec, is a useful prerequisite.

luke

From dcm at ni.nacs.net Tue Feb 17 20:23:40 1998
From: dcm at ni.nacs.net (dcm@ni.nacs.net)
Date: Tue Dec 2 02:23:48 2003
Subject: domain not available
Message-ID: <19980217152340.42634@ni.nacs.net>

after joining domain.. get the welcome to domain msg as NTDOMAIN.txt states however after the obligatory reboot NT states that the Domain is unavailable and goes back to login prompt..
+=======================================================+

get_rpc_pipe: name: NETLOGON cnum: 12 open: Yes OK
Got API command 0x26 on pipe "NETLOGON" (pnum 801)(tdscnt=88,tpscnt=0,mdrcnt=1024,mprcnt=0,cnum=12,vuid=100)
000000 smb_io_rpc_hdr
000000 major : 05
000001 minor : 00
000002 pkt_type : 00
000003 flags : 03
000004 pack_type : 00000010
000008 frag_len : 0058
00000a auth_len : 0000
00000c call_id : 00000001
Doing \PIPE\NETLOGON
000010 smb_io_rpc_hdr_rr
000010 alloc_hint: 00000040
000014 context_id: 00
000015 cancel_ct : 00
000016 opnum : 04
000017 reserved : 00
api_rpc_command: api_netlog_rpc op 0x4 - api_rpc_command: NET_REQCHAL
api_net_req_chal(270): vuid 100
000018 net_io_q_req_chal
000018 undoc_buffer: 0014e6a8
00001c smb_io_unistr2
00001c uni_max_len: 00000008
000020 undoc : 00000000
000024 uni_str_len: 00000008
000028 buffer : \.\.B.I.L.B.O...
000038 smb_io_unistr2
000038 uni_max_len: 00000006
00003c undoc : 00000000
000040 uni_str_len: 00000006
000044 buffer : F.R.O.D.O...
000050 smb_io_chal
000050 data: 72 74 f1 43 10 28 7f ab
unistrn2: 46 52 4f 44 4f
GetWd /usr/tmp, inode 282860, dev 809
get_smbpwd_entry: opening file /opt/samba/etc/smbpasswd
get_smbpwd_entry: search by name: FRODO$
get_smbpwd_entry: skipping comment or blank line
get_smbpwd_entry: skipping comment or blank line
get_smbpwd_entry: skipping comment or blank line
get_smbpwd_entry: found by name: FRODO$
get_smbpwd_entry: returning passwd entry for user FRODO$, uid 65534, acb 80c8718
chdir to /usr/tmp
===============================================================
INTERNAL ERROR: Signal 11 in pid 25172 (ntdom-1.9.18alpha14)
Please read the file BUGS.txt in the distribution
===============================================================
chdir to /opt/src/samba/source
unbecome_user now uid=(0,0) gid=(0,0)
Closing connections
Yielding connection to 12 IPC$
Last message was SMBtrans
size=164
smb_com=0x25
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=12
smb_pid=51966
smb_uid=100
smb_mid=768
smt_wct=16
smb_vwv[0]=0 (0x0)
smb_vwv[1]=88 (0x58)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1024 (0x400)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=0 (0x0)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=76 (0x4C)
smb_vwv[11]=88 (0x58)
smb_vwv[12]=76 (0x4C)
smb_vwv[13]=2 (0x2)
smb_vwv[14]=38 (0x26)
smb_vwv[15]=2049 (0x801)
smb_bcc=97
[000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
[010] 00 58 00 00 00 01 00 00 00 40 00 00 00 00 00 04 .X...... .@......
[020] 00 A8 E6 14 00 08 00 00 00 00 00 00 00 08 00 00 ........ ........
[030] 00 5C 00 5C 00 42 00 49 00 4C 00 42 00 4F 00 00 .\.\.B.I .L.B.O..
[040] 00 06 00 00 00 00 00 00 00 06 00 00 00 46 00 52 ........ .....F.R
[050] 00 4F 00 44 00 4F 00 00 00 72 74 F1 43 10 28 7F .O.D.O.. .rt.C.(.
[060] AB .
===============================================================
Core limits now 1024000000 2147483647
Dumping core in /opt/samba/log/corefiles
got SIGCLD

+================================================+

unfortunately there is 'NO' core dumped as it states.. and i tried the 'gdb' suggestion provided by Luke however, it happens too quickly to attach to anything

suggestions, hints?

thanks

PS.
keep up the great work!! :)

From lkcl at switchboard.net Tue Feb 17 21:37:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: domain not available
In-Reply-To: <19980217152340.42634@ni.nacs.net>
Message-ID:

hi mr dcm,

ok, there is a trick to getting a gdb attach to a process :-)

you have to first get the workstation to make the connection. pressing ctrl-alt-delete and going down to the domain box is sufficient (at least, on the first time you join the domain) to generate a "LsaEnumTrustedDomains".
thereafter, the workstation maintains an open connection, and therefore there will be an smbd process running (assuming that you haven't set a really short smbd idle timeout).

so, in between pressing ctrl alt delete, and actually typing in your password, you can gdb attach and continue.

lukes

p.s mr dcm, what compiler are you using; what compile options (-O or -g -g or none); what o/s; which NT (NT standalone server / NT wksta); which version; (3.51; 3.5; 4.0); which service pack?

p.p.s to get any useful info in gdb, use -g -g. this *may* make the problem you are having disappear, if you aren't already using -g -g.

On Wed, 18 Feb 1998 dcm@ni.nacs.net wrote:

> after joining domain.. get the welcome to domain msg as NTDOMAIN.txt states
> however after the obligatory reboot NT states that the Domain is
> unavailable and goes back to login prompt..
>
> +=======================================================+
>
> get_rpc_pipe: name: NETLOGON cnum: 12 open: Yes OK
> Got API command 0x26 on pipe "NETLOGON" (pnum 801)(tdscnt=88,tpscnt=0,mdrcnt=1024,mprcnt=0,cnum=12,vuid=100)
> 000000 smb_io_rpc_hdr
> 000000 major : 05
> 000001 minor : 00
> 000002 pkt_type : 00
> 000003 flags : 03
> 000004 pack_type : 00000010
> 000008 frag_len : 0058
> 00000a auth_len : 0000
> 00000c call_id : 00000001
> Doing \PIPE\NETLOGON
> 000010 smb_io_rpc_hdr_rr
> 000010 alloc_hint: 00000040
> 000014 context_id: 00
> 000015 cancel_ct : 00
> 000016 opnum : 04
> 000017 reserved : 00
> api_rpc_command: api_netlog_rpc op 0x4 - api_rpc_command: NET_REQCHAL
> api_net_req_chal(270): vuid 100
> 000018 net_io_q_req_chal
> 000018 undoc_buffer: 0014e6a8
> 00001c smb_io_unistr2
> 00001c uni_max_len: 00000008
> 000020 undoc : 00000000
> 000024 uni_str_len: 00000008
> 000028 buffer : \.\.B.I.L.B.O...
> 000038 smb_io_unistr2
> 000038 uni_max_len: 00000006
> 00003c undoc : 00000000
> 000040 uni_str_len: 00000006
> 000044 buffer : F.R.O.D.O...
> 000050 smb_io_chal
> 000050 data: 72 74 f1 43 10 28 7f ab
> unistrn2: 46 52 4f 44 4f
> GetWd /usr/tmp, inode 282860, dev 809
> get_smbpwd_entry: opening file /opt/samba/etc/smbpasswd
> get_smbpwd_entry: search by name: FRODO$
> get_smbpwd_entry: skipping comment or blank line
> get_smbpwd_entry: skipping comment or blank line
> get_smbpwd_entry: skipping comment or blank line
> get_smbpwd_entry: found by name: FRODO$
> get_smbpwd_entry: returning passwd entry for user FRODO$, uid 65534, acb 80c8718
> chdir to /usr/tmp
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 25172 (ntdom-1.9.18alpha14)
> Please read the file BUGS.txt in the distribution
> ===============================================================
> chdir to /opt/src/samba/source
> unbecome_user now uid=(0,0) gid=(0,0)
> Closing connections
> Yielding connection to 12 IPC$
> Last message was SMBtrans
> size=164
> smb_com=0x25
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=24
> smb_flg2=3
> smb_tid=12
> smb_pid=51966
> smb_uid=100
> smb_mid=768
> smt_wct=16
> smb_vwv[0]=0 (0x0)
> smb_vwv[1]=88 (0x58)
> smb_vwv[2]=0 (0x0)
> smb_vwv[3]=1024 (0x400)
> smb_vwv[4]=0 (0x0)
> smb_vwv[5]=0 (0x0)
> smb_vwv[6]=0 (0x0)
> smb_vwv[7]=0 (0x0)
> smb_vwv[8]=0 (0x0)
> smb_vwv[9]=0 (0x0)
> smb_vwv[10]=76 (0x4C)
> smb_vwv[11]=88 (0x58)
> smb_vwv[12]=76 (0x4C)
> smb_vwv[13]=2 (0x2)
> smb_vwv[14]=38 (0x26)
> smb_vwv[15]=2049 (0x801)
> smb_bcc=97
> [000] 5C 50 49 50 45 5C 00 4C 4F 05 00 00 03 10 00 00 \PIPE\.L O.......
> [010] 00 58 00 00 00 01 00 00 00 40 00 00 00 00 00 04 .X...... .@......
> [020] 00 A8 E6 14 00 08 00 00 00 00 00 00 00 08 00 00 ........ ........
> [030] 00 5C 00 5C 00 42 00 49 00 4C 00 42 00 4F 00 00 .\.\.B.I .L.B.O..
> [040] 00 06 00 00 00 00 00 00 00 06 00 00 00 46 00 52 ........ .....F.R
> [050] 00 4F 00 44 00 4F 00 00 00 72 74 F1 43 10 28 7F .O.D.O.. .rt.C.(.
> [060] AB .
> ===============================================================
> Core limits now 1024000000 2147483647
> Dumping core in /opt/samba/log/corefiles
> got SIGCLD
>
> +================================================+
>
> unfortunately there is 'NO' core dumped as it states.. and i tried
> the 'gdb' suggestion provided by Luke however, it happens too quickly
> to attach to anything
>
> suggestions, hints?
>
> thanks
>
> PS.
> keep up the great work!! :)

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From dcm at ni.nacs.net Wed Feb 18 05:07:21 1998
From: dcm at ni.nacs.net (dcm@ni.nacs.net)
Date: Tue Dec 2 02:23:48 2003
Subject: domain unavailable
Message-ID: <19980218000721.28548@ni.nacs.net>

sorry the current version of gcc here was 2.7.2.3 and not 2.7.2.1
also using GLIBC 2.0.6 & libc 5.3.12 RH5.0

thanks again Luke for your help...

From lkcl at switchboard.net Wed Feb 18 11:44:49 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: encrypted DCE/RPC - progress.
In-Reply-To:
Message-ID:

On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:

> On Wed, 18 Feb 1998, Luke Kenneth Casson Leighton wrote:
>
> > paul ashton is exploring the nt lm ssp interface, and the password
> > changing (samr commands 0x38 and 0x37). i've added dce/rpc parsing
> > support for the "authentication verification" (to be tested shortly :-) in
> > the bind / bind ack, but not the encryption of the "stub data".
>
> just noticed that this is a 16 byte key from the server, 8 bytes of which
> are zero. there's nothing from the client in the bind request.

that's because it sends an SMBwriteX, which i will have to implement. this will provide the NTLM 8-byte challenge / 24-byte responses system. it's really really weird that this _can_ also be done in the SMBnegprot / SMBsessionsetupX to establish the connection over which DCE/RPC is sent, but this is totally independent of that.
> client-> rpc bind req (negotiate nt lm ssp)
> server-> rpc bind resp (confirm nt lm ssp, send 16 byte stuff)

client -> SMBwriteX (user, domain, wksta + 24 byte lm and nt responses)
server -> SMBwriteX response (just an acknowledgement).

> client-> rpc request - stub data plus 16 byte "authenticator".
> server-> rpc response - stub data plus 16 byte "authenticator".

From bpowell at osc.edu Wed Feb 18 16:46:24 1998
From: bpowell at osc.edu (Brian Powell)
Date: Tue Dec 2 02:23:48 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba PDC
Message-ID:

I don't see this particular topic anywhere in the archives of this mailing list, so...

We have finally gotten the Samba PDC code running pretty well and have users logging into their NT4 workstations using a Samba supplied domain login. That part is pretty neat in and of itself!

The problem is that for the purposes of file permissions and ownership, the NT workstation does not recognize the domain username as a valid user. Thus the only files a user can modify on the local workstation are ones where everyone has full access. They cannot "own" any files, because the file security dialog cannot find their username in the domain. Is this simply due to the incomplete DC support that Samba supplies in its current state, or are we doing something wrong?

Thanks in advance,

--
Brian Powell (614) 292-6017
Sr. Programmer/Analyst, The Ohio Supercomputer Center
PGP public key: "finger -l bpowell@osc.edu" (Key ID 6F4E0A0D)

From egb at us.ibm.com Wed Feb 18 18:55:17 1998
From: egb at us.ibm.com (Ed Bradford)
Date: Tue Dec 2 02:23:48 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
Message-ID: <5040300012766718000002L082*@MHS>

When a workstation logs into a domain controller with the correct credentials (name, password), the domain controller returns a binary user token which consists of

    USER SID
    all Global Group SIDS
    list of privileges the user holds.
Samba has to manufacture a repeatable 128 bit "thing" which can be identified by the workstation as a SID. Some insight into how the SID is manufactured on a real domain controller would be useful here. That means that whenever a user is created, a SID must also be created which is unique in all the world and in all time. How Groups are mapped and what they mean to NT is another area that has to be understood. However, basically, a group is merely a collection of SIDs and has its own SID. In NT, a group can own a file. MS recommends groups to administrators because it is easier to add and remove a person from a group than searching a file system for a particular SID.

Ed Bradford.

samba-ntdom@samba.anu.edu.au on 02/18/98 10:58:05 AM
Please respond to bpowell@osc.edu @ internet
To: samba-ntdom@samba.anu.edu.au @ internet
cc:
Subject: Accessing LOCAL files after login to NT-4-WS via Samba PDC

I don't see this particular topic anywhere in the archives of this mailing list, so...

We have finally gotten the Samba PDC code running pretty well and have users logging into their NT4 workstations using a Samba supplied domain login. That part is pretty neat in and of itself!

The problem is that for the purposes of file permissions and ownership, the NT workstation does not recognize the domain username as a valid user. Thus the only files a user can modify on the local workstation are ones where everyone has full access. They cannot "own" any files, because the file security dialog cannot find their username in the domain. Is this simply due to the incomplete DC support that Samba supplies in its current state, or are we doing something wrong?

Thanks in advance,

--
Brian Powell (614) 292-6017
Sr. Programmer/Analyst, The Ohio Supercomputer Center
PGP public key: "finger -l bpowell@osc.edu" (Key ID 6F4E0A0D)

From lkcl at switchboard.net Wed Feb 18 20:10:10 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba PDC
In-Reply-To:
Message-ID:

On Thu, 19 Feb 1998, Brian Powell wrote:

> I don't see this particular topic anywhere in the archives of this mailing
> list, so...
>
> We have finally gotten the Samba PDC code running pretty well and have users
> logging into their NT4 workstations using a Samba supplied domain login. That
> part is pretty neat in and of itself!
>
> The problem is that for the purposes of file permissions and ownership, the
> NT workstation does not recognize the the domain username as a valid user.
> Thus the only files a user can modify on the local workstation are ones where
> everyone has full access. They cannot "own" any files, because the file
> security dialog cannot find their username in the domain. Is this simply due
> to the incomplete DC support that Samba supplies in its current state, or are
> we doing something wrong?

hi brian,

there's probably a bug in LsaLookupSids, or another api that's unsupported. can you look in log.smb at debug level 50 for "Unsupported API" calls, and see what's going on?

luke

From paul at argo.demon.co.uk Wed Feb 18 20:19:09 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:48 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
In-Reply-To: <5040300012766718000002L082*@MHS>
Message-ID:

Hi Ed,

At 19:03 18/02/98 , Ed Bradford wrote:
>When a workstation logs into a domain controller with the correct credentials
>(name, password), the domain controller returns a binary user token which
>consists of
> USER SID
> all Global Group SIDS
> list of privileges the user holds.
>
>Samba has to manufacture a repeatable 128 bit "thing" which can be identified
>by the workstation as a SID. Some insight into how the SID is manufactured on a
>real domain controller would be useful here. That means that whenever a user is
>created, a SID must also be created which is unique in all the world and in all
>time. How Groups are mapped and what they mean to NT is another area that has
>to be understood. However, basically, a group is merely a collection of SIDs
>and has its own SID. In NT, a group can own a file. MS recommends groups to
>administrators because it is easier to add and remove a person from a group
>than searching a file system for a particular SID.

All sorted Ed. We know exactly how to do this and allow anyone to manufacture the domain SID of their choosing as specified in smb.conf. If you wish to choose the SID of your existing NT PDC, then that is a good way to start off a migration. Additionally, if anyone wished to spend a couple of days coding, we could even handle supporting multiple independent NT domains to different clients on the same Samba domain controller. Try that on NT.

bpowell@osc.edu wrote:
>The problem is that for the purposes of file permissions and ownership, the
>NT workstation does not recognize the the domain username as a valid user.
>Thus the only files a user can modify on the local workstation are ones where
>everyone has full access. They cannot "own" any files, because the file
>security dialog cannot find their username in the domain. Is this simply due
>to the incomplete DC support that Samba supplies in its current state, or are
>we doing something wrong?

There are a couple of RPCs that support this: LsaLookupSids/Users, and these have been working. I initially implemented these as purely returning the "S-1-5-21-x-y-z-rid" string without bothering to look anything up. I think Luke improved on this (as with everything I wrote ;-)

The best way to debug it is with MS netmon in msdn or sms.
NT server comes with a version of netmon that doesn't put the network card in promiscuous mode but is often enough. The network trace will probably show why the RPC is invalid.

Paul

From aperrin at demog.Berkeley.EDU Wed Feb 18 23:18:35 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:23:48 2003
Subject: NT Can't connect to encrypted share
Message-ID:

Greetings--

After installing 1.9.18alpha14-ntdom, we are unable to connect to shares on the Samba server from an NT (4.0, SP3) computer, regardless of whether EnablePlainTextPasswords is 1 or nonexistent. The same share *can* be mounted, using the encrypted SMB password, by smbclient from both the samba server machine and from another unix machine. The relevant lines from samba.log follow. The share is \\vuk\test, in domain SANDBOX; username is aperrin, and it exists in smbpasswd. Running under Solaris 2.6.

Any help will be much appreciated!

Domain=[SANDBOX] NativeOS=[Windows NT 1381] NativeLanMan=[Windows NT 4.0]
sesssetupX:name=[aperrin]
SMB Password - pwlen = 24
Checking SMB password for user aperrin (l=24)
get_smbpwd_entry: returning passwd entry for user aperrin, uid 7575, acb 0
Checking SMB password for user aperrin
Checking NT MD4 password
NT MD4 password check succeeded
sess_passwd_check: accepted password
adding home directory aperrin at /home/davis/hdir1/aperrin
aperrin is in 6 groups 16 726 728 14 714 723
uid 7575 registered to name aperrin
Clearing default real name
Chained message
size=184
smb_com=0x75
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=0
smb_pid=51966
smb_uid=101
smb_mid=128
smt_wct=4
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1 (0x1)
smb_bcc=15
switch message SMBtconX (pid 1365)
Got device type A:
Trying username tesT
02/18/1998 15:16:06 invalid username/password for test
02/18/1998 15:16:06 error packet at line 174 cmd=117 (SMBtconX) eclass=2 ecode=2
size=83
smb_com=0x73
smb_rcls=2
smb_reh=0
smb_err=2
smb_flg=136
smb_flg2=1
smb_tid=0
smb_pid=51966
smb_uid=101
smb_mid=128
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=80 (0x50)
smb_vwv[2]=0 (0x0)
smb_bcc=39
02/18/1998 15:16:06 Transaction 5 of length 43
size=39
smb_com=0x74
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=0
smb_pid=51966
smb_uid=101
smb_mid=192
smt_wct=2
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=282 (0x11A)
smb_bcc=0
switch message SMBulogoffX (pid 1365)
02/18/1998 15:16:06 ulogoffX vuid=101
size=39
smb_com=0x74
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=0
smb_pid=51966
smb_uid=101
smb_mid=192
smt_wct=2
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_bcc=0

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin
----------------------------------

From aperrin at demog.Berkeley.EDU Wed Feb 18 23:19:48 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:23:48 2003
Subject: Can't compile with -DUSE_ARCFOUR
Message-ID:

Greetings-

We're trying to use the -DUSE_ARCFOUR flag to compile 1.9.18alpha14-ntdom, but keep getting linking errors. We *do* have arcfour.c (from the ssh source) but can't figure out the makefile. Does anyone have advice on doing so under Solaris 2.6?

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin
----------------------------------

From marcin.klimowski at solidex.com.pl Thu Feb 19 08:06:17 1998
From: marcin.klimowski at solidex.com.pl (Marcin Klimowski)
Date: Tue Dec 2 02:23:48 2003
Subject: Can't compile with -DUSE_ARCFOUR
References:
Message-ID: <34EBE7F9.2765EC07@solidex.com.pl>

Andrew Perrin - Demography wrote:
>
> Greetings-
>
> We're trying to use the -DUSE_ARCFOUR flag to compile 1.9.18alpha14-ntdom,
> but keep getting linking errors. We *do* have arcfour.c (from the ssh
> source) but can't figure out the makefile. Does anyone have advice on
> doing so under Solaris 2.6?

copy arcfour.c to source/lib/util/ and make your makefile look like this:

[..snip...]
        $(UTIL_SRC_DIR)pwd_cache.o \
        $(UTIL_SRC_DIR)arcfour.o \
        $(UTIL_SRC_DIR)md4.o \
[...snip..]

BTW - i did not manage to compile smbclient on 2.6
compilation dies with:

Compiling lib/rpc/client/cli_login.c
lib/rpc/client/cli_login.c: In function `do_nt_session_open':
lib/rpc/client/cli_login.c:133: too few arguments to function `rpc_pipe_bind'
make: *** [lib/rpc/client/cli_login.o] Error 1
09:05:45|(14) kl@zero:~/src/samba/source$

any idea ?!

--
Marcin Klimowski

From lkcl at switchboard.net Thu Feb 19 18:16:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
In-Reply-To:
Message-ID:

> Additionally, if anyone wished to spend a couple of days coding,

...i think jean-francois expressed an interest in doing this [particular task, four months ago]...

> we could even handle supporting multiple independent NT domains
> to different clients on the same Samba domain controller.

... under different netbios names. yes, this is easy.
either use global search replace lp_workgroup() with brse_workgroup(token) or sed -e 's/lp_workgroup()/brse_workgroup(token)/g', add in int token to all functions right back to the netbios session request in server.c, and off you go.

> Try that on NT.

no thanks. they have global state variables in their code, and anyway we don't have access to the source. [is there a gpl version of nt available?]

luke

From lkcl at switchboard.net Thu Feb 19 18:24:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: Can't compile with -DUSE_ARCFOUR
In-Reply-To:
Message-ID:

On Thu, 19 Feb 1998, Andrew Perrin - Demography wrote:

> Greetings-
>
> We're trying to use the -DUSE_ARCFOUR flag to compile 1.9.18alpha14-ntdom,

this flag requires http://mailhost.cb1.com/~lkcl/arcfour.c.

> but keep getting linking errors. We *do* have arcfour.c (from the ssh
> source)

this file requires USE_ARCFOUR_FROM_SSH.

> but can't figure out the makefile.

you mean Makefile. or, included inline is an example makefile, which is a practical way of compiling different versions without modifying Makefile. this might help (as an example). a number of people have been asking about this.

-----------cut--makefile--cut-----------
ARCFOUR_OBJ = /usr/local/src/arcfour/arcfour.o

FLAGSM= -DFreeBSD \
        -DFAST_SHARE_MODES \
        -DUSE_ARCFOUR \
        -DMEM_MAN \
        -DDEBUG_PASSWORD -Wall -Wunused -Wshadow -Wcast-qual
LIBSM= -lcrypt

#FLAGS1 = -g2
#FLAGS1 = -O

include Makefile
----------cut--makefile--cut-----------

From aperrin at demog.Berkeley.EDU Thu Feb 19 17:43:58 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:23:48 2003
Subject: NT Can't connect to encrypted share
In-Reply-To:
Message-ID:

Sure - smb.conf follows -- we'll try running on p3 as the next debug tactic.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin ----------------------------------

On Thu, 19 Feb 1998, Luke Kenneth Casson Leighton wrote:

> hi andrew,
>
> you wanna send your smb.conf file to samba-ntdom, so we can comment on it?
> you tried running with 1.9.18p3 on *exactly* the same smb.conf file? does
> it work on 18p3?
>
> luke
>
> On Thu, 19 Feb 1998, Andrew Perrin - Demography wrote:
>
> > Greetings--
> > After installing 1.9.18alpha14-ntdom, we are unable to connect to shares
> > on the Samba server from an NT (4.0, SP3) computer, regardless of whether
> > EnablePlainTextPasswords is 1 or nonexistent.
> >
> > The same share *can* be mounted, using the encrypted SMB password, by
> > smbclient from both the samba server machine and from another unix
> > machine.
> >
> > The relevant lines from samba.log follow. The share is \\vuk\test, in
> > domain SANDBOX; username is aperrin, and it exists in smbpasswd. Running
> > under Solaris 2.6. Any help will be much appreciated!
> >
> > Domain=[SANDBOX] NativeOS=[Windows NT 1381] NativeLanMan=[Windows NT 4.0]
> > sesssetupX:name=[aperrin]
> > SMB Password - pwlen = 24
> > Checking SMB password for user aperrin (l=24)
> > get_smbpwd_entry: returning passwd entry for user aperrin, uid 7575, acb 0
> > Checking SMB password for user aperrin
> > Checking NT MD4 password
> > NT MD4 password check succeeded
> > sess_passwd_check: accepted password
> > adding home directory aperrin at /home/davis/hdir1/aperrin
> > aperrin is in 6 groups
> > 16 726 728 14 714 723
> > uid 7575 registered to name aperrin
> > Clearing default real name
> > Chained message
> > size=184
> > smb_com=0x75
> > smb_rcls=0
> > smb_reh=0
> > smb_err=0
> > smb_flg=24
> > smb_flg2=3
> > smb_tid=0
> > smb_pid=51966
> > smb_uid=101
> > smb_mid=128
> > smt_wct=4
> > smb_vwv[0]=255 (0xFF)
> > smb_vwv[1]=0 (0x0)
> > smb_vwv[2]=0 (0x0)
> > smb_vwv[3]=1 (0x1)
> > smb_bcc=15
> > switch message SMBtconX (pid 1365)
> > Got device type A:
> > Trying username tesT
> > 02/18/1998 15:16:06 invalid username/password for test
> > 02/18/1998 15:16:06 error packet at line 174 cmd=117 (SMBtconX) eclass=2
> > ecode=2
> > size=83
> > smb_com=0x73
> > smb_rcls=2
> > smb_reh=0
> > smb_err=2
> > smb_flg=136
> > smb_flg2=1
> > smb_tid=0
> > smb_pid=51966
> > smb_uid=101
> > smb_mid=128
> > smt_wct=3
> > smb_vwv[0]=117 (0x75)
> > smb_vwv[1]=80 (0x50)
> > smb_vwv[2]=0 (0x0)
> > smb_bcc=39
> > 02/18/1998 15:16:06 Transaction 5 of length 43
> > size=39
> > smb_com=0x74
> > smb_rcls=0
> > smb_reh=0
> > smb_err=0
> > smb_flg=24
> > smb_flg2=3
> > smb_tid=0
> > smb_pid=51966
> > smb_uid=101
> > smb_mid=192
> > smt_wct=2
> > smb_vwv[0]=255 (0xFF)
> > smb_vwv[1]=282 (0x11A)
> > smb_bcc=0
> > switch message SMBulogoffX (pid 1365)
> > 02/18/1998 15:16:06 ulogoffX vuid=101
> > size=39
> > smb_com=0x74
> > smb_rcls=0
> > smb_reh=0
> > smb_err=0
> > smb_flg=136
> > smb_flg2=1
> > smb_tid=0
> > smb_pid=51966
> > smb_uid=101
> > smb_mid=192
> > smt_wct=2
> > smb_vwv[0]=255 (0xFF)
> > smb_vwv[1]=0 (0x0)
> > smb_bcc=0
> >
> >
> > ---------------------------------------------------------------------
> > Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
> > Department of Demography - University of California at Berkeley
> > 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
> > http://demog.berkeley.edu/~aperrin ----------------------------------
> >
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba and Network Consultancy
>

-------------- next part --------------
[global]
workgroup = SANDBOX
domain sid = S-1-5-21-222-222-222-001
; Added the following four lines to see if they make profiles work.
domain master = yes
local master = yes
preferred master = yes
os level = 200
domain logons = yes
security = user
; Samba seems to require the prior line for trust logins.
wins support = yes
smbrun = /usr/LOCAL/samba/bin/smbrun
lock dir = /usr/LOCAL/samba/var/locks
debug level = 5
log file = /var/log/samba.log
load printers = no
hide dot files = no
revalidate = yes
printing = bsd
default service = homes
encrypt passwords = yes
logon path = \\vuk\profile

[netlogon]
guest ok = no
read only = no
path = /home/davis/12s7/smb/netlogon/aperrin
browseable = no

[profile]
guest ok = no
guest only = no
read only = no
browseable = yes
wide links = yes
printable = no
path = /home/davis/hdir1/%U/.ntprofile
Comment = Profile Directory (%U)

[homes]
guest ok = no
read only = no
browseable = yes
wide links = yes
printable = no
create mask = 0775
path = /home/davis/hdir1/%U
Comment = Home Directory (%U)

[test]
guest ok = no
read only = no
browseable = yes
wide links = yes
printable = no
path = /usr/LOCAL/samba/test
Comment = Sandbox

[cdrom]
guest ok =no
read only = yes
browseable = yes
path = /cdrom
wide links = no
Comment = CD-ROM

From lkcl at switchboard.net Thu Feb 19 18:58:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:48 2003
Subject: NT Can't connect to encrypted share
In-Reply-To:
Message-ID:

hm. the username you are using to log in has an entry in private/smbpasswd, yes?

comments and ramblings, etc:

you are implicitly using the default guest account of "nobody" here. check that its uid is 65534 not -2.

[global]
workgroup = SANDBOX
; *** this line should be of the format s-1-5-21-xxx-yyy-zzz.
domain sid = S-1-5-21-222-222-222
; Added the following four lines to see if they make profiles work.
domain master = yes
local master = yes
preferred master = yes
os level = 200
domain logons = yes
security = user
; Samba seems to require the prior line for trust logins.
; **** and more.
wins support = yes
smbrun = /usr/LOCAL/samba/bin/smbrun
lock dir = /usr/LOCAL/samba/var/locks
debug level = 5
log file = /var/log/samba.log
load printers = no
hide dot files = no
revalidate = yes
printing = bsd
default service = homes
encrypt passwords = yes
logon path = \\vuk\profile
; **** recommend \\%L\%U\profile as all your users will have the same
; **** profile if you do this. also, putting machine names into the
; **** smb.conf file makes it non-portable.

[netlogon]
guest ok = no
read only = no
; **** read only = yes
; **** IT IS A SECURITY RISK TO PUT writeable = yes on the netlogon
; **** share.
path = /home/davis/12s7/smb/netlogon/aperrin
browseable = no
; **** browseable = yes.

[profile]
guest ok = no
guest only = no
read only = no
browseable = yes
wide links = yes
printable = no
path = /home/davis/hdir1/%U/.ntprofile

oo. interesting. wow. fascinating. does this work, then? wow, cool. i wonder what the implications of doing this are. hm. when one user logs out, the connection isn't dropped, and the next user uses the same smbd process... hm. i wonder. hey, i have an idea. what happens if you clear all the oplocks before responding to the "SMBlogoffX"? sorry, thinking out loud...
Comment = Profile Directory (%U)

[homes]
guest ok = no
read only = no
browseable = yes
wide links = yes
printable = no
create mask = 0775
path = /home/davis/hdir1/%U
Comment = Home Directory (%U)

[test]
guest ok = no
read only = no
browseable = yes
wide links = yes
printable = no
path = /usr/LOCAL/samba/test
Comment = Sandbox

[cdrom]
guest ok =no
read only = yes
browseable = yes
path = /cdrom
wide links = no
Comment = CD-ROM

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Thu Feb 19 19:01:49 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: Can't compile with -DUSE_ARCFOUR
In-Reply-To: <34EBE7F9.2765EC07@solidex.com.pl>
Message-ID:

>
> BTW - i did not manage to compile smbclient on 2.6
> compilation dies with:

you checked out two days ago, yeah? check out again: i had checked in untested code. i fixed this the following day.

> Compiling lib/rpc/client/cli_login.c
> lib/rpc/client/cli_login.c: In function `do_nt_session_open':
> lib/rpc/client/cli_login.c:133: too few arguments to function
> `rpc_pipe_bind'

yes, there were. this module should not be calling do_nt_session_open() directly.

luke

From Jean-Francois.Micouleau at utc.fr Thu Feb 19 18:59:19 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:49 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
In-Reply-To:
Message-ID:

On Fri, 20 Feb 1998, Luke Kenneth Casson Leighton wrote:

> > Additionally, if anyone wished to spend a couple of days coding,
>
> ..i think jean-francois expressed an interest in doing this [particular
> task, four months ago]...

Just a minor correction, which is a little bit relative to ntdom:

First, if someone wants to add multiple domain support to samba, it's a good start.

Second, samba needs to be able to communicate with other wins servers.
On a pure coding view I agree there is no link between the 2 points, but on the field, if you manage several domains, it also means you will probably have more than one wins server (John Blair, don't you think the same ?).

End of my 0.2 ECU

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr          :
: Universite de           : Tel : 03 44 23 47 78       :
: Technologie de          : Service Informatique       :
: Compiegne France        : Division IRNM              :
-----------------------------------------------------------

From danny at cs.huji.ac.il Thu Feb 19 21:37:26 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:49 2003
Subject: get_smbpwd_entries
Message-ID: <199802192137.XAA10704@sexta.cs.huji.ac.il>

i've got the BRANCH_NTDOM branch, and after making some changes to have the smbpassword and our unix password in sync, i stumbled upon get_smbpwd_entries. Since our password file is well over the 250 mark, i was wondering what is the purpose of it.

I'm in dire need of a PDC, and don't want it to be an NT box.

thanks for any help,
    danny

Daniel Braniss                  e-mail: danny@cs.huji.ac.il
Institute of Computer Science   phone:  +972 2 658 4385
The Hebrew University           Fax:    +972 2 561 7723
Jerusalem, Israel

From paulle at microsoft.com Fri Feb 20 01:51:40 1998
From: paulle at microsoft.com (Paul Leach)
Date: Tue Dec 2 02:23:49 2003
Subject: encrypted DCE/RPC - progress.
Message-ID: <5CEA8663F24DD111A96100805FFE6587031E3A74@red-msg-51.dns.microsoft.com>

> ----------
> From: Luke Kenneth Casson Leighton[SMTP:lkcl@switchboard.net]
> Sent: Wednesday, February 18, 1998 3:04 AM
>
> it's really really weird that this _can_ also be done in the SMBnegprot /
> SMBsessionsetupX to establish the connection over which DCE/RPC is sent,
> but this is totally independent of that.
>
How about because RPC is transport independent and doesn't care that it is being run over the top of named pipes?
Paul

From andre at lme.usp.br Fri Feb 20 12:18:17 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:49 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba PDC
In-Reply-To:
Message-ID: <3.0.1.32.19980220091817.00936430@ws10.lme.usp.br>

>The problem is that for the purposes of file permissions and ownership, the
>NT workstation does not recognize the domain username as a valid user.
>Thus the only files a user can modify on the local workstation are ones where
>everyone has full access. They cannot "own" any files, because the file
>security dialog cannot find their username in the domain.

And the usual method to copy a user profile to a "Default User" profile (System -> User Profiles -> Copy To) didn't work ...

Does anyone know if there is any trouble in doing this by hand ?

TIA,

Andre Gerhard

From lkcl at switchboard.net Fri Feb 20 16:45:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
In-Reply-To:
Message-ID:

On Fri, 20 Feb 1998, Jean-Francois Micouleau wrote:

> On Fri, 20 Feb 1998, Luke Kenneth Casson Leighton wrote:
>
> > > Additionally, if anyone wished to spend a couple of days coding,
> >
> > ..i think jean-francois expressed an interest in doing this [particular
> > task, four months ago]...
>
> Just a minor correction, which is a little bit relative to ntdom:
>
> First, if someone wants to add multiple domain support to samba, it's a
> good start.

you start with browsing, and domains automatically follow.

> Second, samba needs to be able to communicate with other wins servers.

wins services are nothing to do with browsing or domain services. wins is like a dynamic version of dns, and nothing more. a simple wins server can be written in 400 lines of code, excluding support libraries (linked lists, netbios routines). browsing _uses_ wins to register [dynamic] netbios names, and nothing more.
what i think you might have meant, possibly, was that samba would have to communicate with other domain servers. this puts us into the realm of "trusted domain relationships", which is a whole new ball game, and one that... funnily enough, isn't all that relevant [to either wins services or trusted domain relationships].

> On a pure coding view I agree there is no link between the 2 points, but
> on the field, if you manage several domains, it also means you will
> probably have more than one wins server

you could get away with just the one wins server for a large site, on a beefy machine. but that becomes a single point of failure, sadly. until we have working wins replication, you could configure several nt stand-alone servers running nt replicated wins service. then when samba gets wins replication (someone's sent in a patch: needs some work, but it's a really good start) you could conceivably replace those machines with samba servers (change the ip addresses :-)

From lkcl at switchboard.net Fri Feb 20 17:06:18 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: get_smbpwd_entries
In-Reply-To: <199802192137.XAA10704@sexta.cs.huji.ac.il>
Message-ID:

On Fri, 20 Feb 1998, Danny Braniss wrote:

> i've got the BRANCH_NTDOM branch, and after making some changes to
> have the smbpassword and our unix password in sync, i stumbled upon
> get_smbpwd_entries. Since our password file is well over the 250 mark,
> i was wondering what is the purpose of it.

this function is for when you run "user manager for domains" on the Samba DC. the code behind this is experimental, and you don't need it.

> I'm in dire need of a PDC, and don't want it to be an NT box.

this will not be a problem: because of other reasons [i still haven't fixed dce/rpc responses of greater than about 1500 bytes], you can only view about four accounts anyway!
but that is ok: you can just manage the accounts by editing private/smbpasswd, and smb.conf in the normal way. being able to use USRMGR.EXE at some point in the future will simply be an added bonus, but not strictly necessary.

best regards,

luke

From lkcl at switchboard.net Fri Feb 20 17:17:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: encrypted DCE/RPC - progress.
In-Reply-To: <5CEA8663F24DD111A96100805FFE6587031E3A74@red-msg-51.dns.microsoft.com>
Message-ID:

On Fri, 20 Feb 1998, Paul Leach wrote:

>
> > ----------
> > From: Luke Kenneth Casson Leighton[SMTP:lkcl@switchboard.net]
> > Sent: Wednesday, February 18, 1998 3:04 AM
> >
> > it's really really weird that this _can_ also be done in the SMBnegprot /
> > SMBsessionsetupX to establish the connection over which DCE/RPC is sent,
> > but this is totally independent of that.
> >
> How about because RPC is transport independent and doesn't care that it is
> being run over the top of named pipes?

this had occurred to me, and i'm trying not to mix the SMB transporting code with the RPC code. just in case we think about using another transport, for other reasons (internal daemon/process communication?)

in addition, as you say, paul: because it's independent, you can log in as one user, and then just use the secure RPC mechanism over the _top_ of that for a different user (e.g. the password change dialog).

luke

From nuno at lwp.ualg.pt Fri Feb 20 15:38:03 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:49 2003
Subject: How to use /etc/passwd passwords for NTDOM?
Message-ID:

Hi there amigos

I am configuring a linux box to serve an NT domain with Samba.

I already got the sources from cvs BRANCH_DOM and compiled it successfully.

I can create computer accounts from the workstations and successfully logon using smbpasswd passwords.
So, how can I use the other /etc/passwd passwords (I don't want to manually add every account to smbpasswd) to logon from the NT 4 + SP3 workstations?

Is there any automatic way of converting /etc/passwd (or shadow) to smbpasswd? mkpasswd doesn't seem to work well (it doesn't convert the passwords, instead it puts XXXX.... in the smb password field).

The smb server is:
Slackware 3.4
Samba 1.9.18p3 + CVS BRANCH_DOM (I downloaded today the BRANCH_DOM)

I haven't compiled with any extra options.. I compiled it to use shadow and quotas...

TIA

Nuno

From crh at NTS.Umn.EDU Fri Feb 20 17:44:03 1998
From: crh at NTS.Umn.EDU (Christopher R. Hertel)
Date: Tue Dec 2 02:23:49 2003
Subject: Accessing LOCAL files after login to NT-4-WS via Samba P
In-Reply-To: from "Luke Kenneth Casson Leighton" at Feb 21, 98 03:06:32 am
Message-ID: <199802201744.LAA12153@unet.unet.umn.edu>

> > Second, samba needs to be able to communicate with other wins servers.
>
> wins services are nothing to do with browsing or domain services. wins is
> like a dynamic version of dns, and nothing more. a simple wins server can
> be written in 400 lines of code, excluding support libraries (linked
> lists, netbios routines).
>

Slight diversion...

A NetBIOS name space, from the point of view of a given machine, is the union of the local LAN and the assigned WINS server (well, we could get into B nodes, etc., but assume we're doing both broadcast and point-to-point).

Luke suggested that WINS was like DNS except that it was dynamic. This is only part of it. DNS is hierarchical and distributed. WINS is a flat name space and may be replicated (MS has a scheme). Also there is a big difference between the static DNS and dynamic WINS.

Anyway, Luke was able to do multi-Domains on a Samba box. I'm working on multi-WINS on a Samba box. This would provide the ability to support multiple, disjoint NetBIOS name spaces on a single system.
For very large organizations (we have 200 DNS subdomains at the UofMn) this could be advantageous. It also suggests possibilities for replication, distribution, etc.

More later...

Chris -)-----

--
Christopher R. Hertel -)-----                   University of Minnesota
crh@nts.umn.edu              Networking and Telecommunications Services

From cartegw at Eng.Auburn.EDU Fri Feb 20 18:10:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:49 2003
Subject: How to use /etc/passwd passwords for NTDOM?
References:
Message-ID: <34EDC727.1063C6B1@eng.auburn.edu>

Nuno Loureiro wrote:
>
> Is there any automatic way of converting /etc/passwd (or shadow) to
> smbpasswd? mkpasswd doesn't seem to work well (it doesn't convert the
> passwords, instead it puts XXXX.... in the smb password field).

Short answer. No, there is no automatic way of doing this. Sorry.

I welcome corrections if I am wrong on this one.

j-

--
________________________________________________________________________
Gerald ( Jerry ) Carter                     Engineering Network Services
Auburn University                                 jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From rmeyer at mhsc.com Fri Feb 20 22:03:37 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:49 2003
Subject: How to use /etc/passwd passwords for NTDOM?
In-Reply-To:
Message-ID: <3.0.3.32.19980220140337.00b56300@pop.mhsc.com>

At 03:39 21-02-98 +1100, Nuno Loureiro wrote:
>Hi there amigos
>
>I am configuring a linux box to serve an NT domain with Samba.
>
>I already got the sources from cvs BRANCH_DOM and compiled it
>successfully.
>
>I can create computer accounts from the workstations and successfully
>logon using smbpasswd passwords.
>
>So, how can I use the other /etc/passwd passwords (I don't want to
>manually add every account to smbpasswd) to logon from the NT 4
>+ SP3 workstations?
>
>Is there any automatic way of converting /etc/passwd (or shadow) to
>smbpasswd? mkpasswd doesn't seem to work well (it doesn't convert the
>passwords, instead it puts XXXX.... in the smb password field).

Short answer is no. The reason is that Unix passwds are not de-cryptable because they are a one-way hash product. What needs to happen, and the only way this can work, is to have a program/shell-script which will update BOTH passwd files when a new passwd is assigned/changed. I am currently working on user management scripts to do this, in PERL, on my Linux servers. The problem gets *really* complex when PAM is involved, using SSH. Toss in NIS and it becomes a royal PITA. Unfortunately, my solution may be *very* site-specific.

BTW, I tried KerbNet, it sucks, no useful dox!

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail:                 mailto:rmeyer@mhsc.com
Personalweb pages:      http://www.mhsc.com/~rmeyer
Company web-site:       http://www.mhsc.com/
___________________________________________
Watch for the SecureMail system at MHSC.NET

From twinders at SPC.cc.tx.us Sat Feb 21 00:24:32 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:49 2003
Subject: 2 questions
Message-ID:

I have the latest BRANCH_DOMAIN cvs files but I am having problems compiling under Digital Unix 4.0D. I have a significant number of signed variables referencing unsigned variables and vice-versa which I hadn't noticed when compiling 1.9.18p3. Is this a problem? Everything finished compiling, but I am weary of installing it.

Additionally, I have tried to include the -DUSE_ARCFOUR option. I grabbed arcfour.c from Luke's homepage and put it in /usr/local/src/arcfour/arcfour.c and put a line in the Makefile under my OS definition which says ARCFOUR=/usr/local/src/arcfour/arcfour.c but when compiling I get Warning, unreferenced arcfour. Obviously I have done something wrong. Can someone help with this?
---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
| Network Administrator | Phone: 806-894-9611 x 2369                |
| South Plains College  | Fax:   806-897-4711                       |
---------------------------------------------------------------------

From lkcl at switchboard.net Sat Feb 21 14:58:19 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: How to use /etc/passwd passwords for NTDOM?
In-Reply-To: <34EDC727.1063C6B1@eng.auburn.edu>
Message-ID:

On Sat, 21 Feb 1998, Gerald W. Carter wrote:

> Nuno Loureiro wrote:
> >
> > Is there any automatic way of converting /etc/passwd (or shadow) to
> > smbpasswd? mkpasswd doesn't seem to work well (it doesn't convert the
> > passwords, instead it puts XXXX.... in the smb password field).
>
> Short answer. No, there is no automatic way of doing this. Sorry.
>
> I welcome corrections if I am wrong on this one.

rising to the bait...

gerry is correct. there is a way round this, which is to get everyone to log in without a password, and force a password change the first time they log in. however, we don't currently know what the password change mechanism is at the moment, but with help or divine intervention we will get this.

so, your second option is to use john blair's "migrate passwords" option, which we kind of deliberately haven't put in yet. this will allow you to run for a few days to a week on plain-text passwords, and will generate private/smbpasswd entries as each user logs in, from the plain-text password. then you can move to "encrypted password = yes". anyone left behind would have to log in without a password the first time.

HOWEVER...
once you move over to smbpasswd entries, you _cannot_ go back again to unix crypts, or any other password mechanism, without installing third party software on all clients [with nt 3.5 / 4.0. nt 5.0 is a different story, but that is currently limited - publicly - to microsoft's implementation of kerberos 5].

see the cifs digest archives for more info on these issues: http://discuss.microsoft.com/archives/index.html

luke

From lkcl at switchboard.net Sat Feb 21 15:18:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: 2 questions
In-Reply-To:
Message-ID:

On Sat, 21 Feb 1998, Tim Winders wrote:

> I have the latest BRANCH_DOMAIN cvs files but I am having problems
> compiling under Digital Unix 4.0D. I have a significant number of signed
> variables referencing unsigned variables and vice-versa which I hadn't
> noticed when compiling 1.9.18p3. Is this a problem?

no, i just got confused and tried to address some of the signed/unsigned issues. i made a hash of it. sorry. it shouldn't be a problem, just a pain to so many warnings.

> Everything finished
> compiling, but I am weary of installing it.

it was _that_ tiring, huh :-)

> Additionally, I have tried to include the -DUSE_ARCFOUR option. I grabbed
> arcfour.c from Luke's homepage and put it in
> /usr/local/src/arcfour/arcfour.c and put a line in the Makefile under my
> OS definition which says ARCFOUR=/usr/local/src/arcfour/arcfour.c but when

make this ARCFOUR_OBJ=...

tim, if you use the example "makefile" i sent to this list, copying the DGUX compile options into it and removing the FreeBSD one, you won't have to edit Makefile all the time.
luke

From twinders at SPC.cc.tx.us Sat Feb 21 20:52:01 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:49 2003
Subject: 2 questions
In-Reply-To:
Message-ID:

On Sat, 21 Feb 1998, Luke Kenneth Casson Leighton wrote:

> On Sat, 21 Feb 1998, Tim Winders wrote:
>
> > I have the latest BRANCH_DOMAIN cvs files but I am having problems
> > compiling under Digital Unix 4.0D. I have a significant number of signed
> > variables referencing unsigned variables and vice-versa which I hadn't
> > noticed when compiling 1.9.18p3. Is this a problem?
>
> no, i just got confused and tried to address some of the signed/unsigned
> issues. i made a hash of it. sorry. it shouldn't be a problem, just a
> pain to so many warnings.
>
> > Everything finished
> > compiling, but I am weary of installing it.
>
> it was _that_ tiring, huh :-)

:-) Actually, there were about 100 warnings!

> > Additionally, I have tried to include the -DUSE_ARCFOUR option. I grabbed
> > arcfour.c from Luke's homepage and put it in
> > /usr/local/src/arcfour/arcfour.c and put a line in the Makefile under my
> > OS definition which says ARCFOUR=/usr/local/src/arcfour/arcfour.c but when
>
> make this ARCFOUR_OBJ=...
>
> tim, if you use the example "makefile" i sent to this list, copying the
> DGUX compile options into it and removing the FreeBSD one, you won't have
> to edit Makefile all the time.

Uh, I JUST subscribed to the samba-ntdom list, so I must have missed that Makefile. Can you send it to me? Thanks!

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
| Network Administrator | Phone: 806-894-9611 x 2369                |
| South Plains College  | Fax:   806-897-4711                       |
---------------------------------------------------------------------

From cartegw at Eng.Auburn.EDU Sat Feb 21 21:22:33 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:49 2003
Subject: 2 questions
References:
Message-ID: <34EF4599.24B8B7E2@eng.auburn.edu>

Tim Winders wrote:
>
>
> Uh, I JUST subscribed to the samba-ntdom list, so I must have missed
> that Makefile. Can you send it to me? Thanks!
>

see http://samba.anu.edu.au/listproc/samba-ntdom/0114.html

j-

________________________________________________________________________
Gerald ( Jerry ) Carter                     Engineering Network Services
Auburn University                                 jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From dcm at ni.nacs.net Sat Feb 21 22:10:47 1998
From: dcm at ni.nacs.net (dcm@ni.nacs.net)
Date: Tue Dec 2 02:23:49 2003
Subject: non-existent core files
Message-ID: <19980221171047.49340@ni.nacs.net>

well after a closer inspection the message:

===============================================================
INTERNAL ERROR: Signal 11 in pid 9799 (ntdom-1.9.18alpha14)
Please read the file BUGS.txt in the distribution
===============================================================

is *not* being generated during login
yet occurring after the reboot (after joining domain)

Luke,
you gave the tip on how to attach gdb to smbd while moving into the domain field.. but how do i attach it to smbd before even hitting ctrl-alt-del for logon screen?

do i attach it to the parent smbd? will try that...

thanks again for the tips/tricks..

apparently smbd does *not* trust my wkstn (NT4SP3) when joining...
switch message SMBsesssetupX (pid 9730) Domain=[SHIRE] NativeOS=[Windows NT 1381] NativeLanMan=[Windows NT 4.0] sesssetupX:name=[FRODO$] get_smbpwd_entry: opening file /opt/samba/etc/smbpasswd get_smbpwd_entry: search by name: FRODO$ get_smbpwd_entry: skipping comment or blank line get_smbpwd_entry: skipping comment or blank line get_smbpwd_entry: skipping comment or blank line get_smbpwd_entry: found by name: FRODO$ get_smbpwd_entry: returning passwd entry for user FRODO$, uid 65534, acb 0 Checking SMB password for user FRODO$ Checking NT MD4 password smb_password_check: failed (NULL pointers) NT MD4 password check failed Checking LM MD4 password LM MD4 password check succeeded Wksta trust account FRODO$ denied by server Dan From lkcl at switchboard.net Sun Feb 22 20:55:07 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:23:49 2003 Subject: non-existent core files In-Reply-To: <19980221171047.49340@ni.nacs.net> Message-ID: On Sun, 22 Feb 1998 dcm@ni.nacs.net wrote: > well after a closer inspection the message: > > =============================================================== > INTERNAL ERROR: Signal 11 in pid 9799 (ntdom-1.9.18alpha14) > Please read the file BUGS.txt in the distribution > =============================================================== > > is *not* being generated during login > yet occuring after the reboot (after joining domain) > > Luke, > you gave the tip on how to attach gdb to smbd while moving into > the domain field.. but how do i attach it to smbd before even hitting > ctrl-alt-del for logon screen? > > do i attach it to the parent smbd? will try that... > > > thanks again for the tips/tricks.. > > > apparently smbd does *not* trust my wkstn (NT4SP3) when joining... 
> > switch message SMBsesssetupX (pid 9730) > Domain=[SHIRE] NativeOS=[Windows NT 1381] NativeLanMan=[Windows NT 4.0] > sesssetupX:name=[FRODO$] > get_smbpwd_entry: opening file /opt/samba/etc/smbpasswd > get_smbpwd_entry: search by name: FRODO$ > get_smbpwd_entry: skipping comment or blank line > get_smbpwd_entry: skipping comment or blank line > get_smbpwd_entry: skipping comment or blank line > get_smbpwd_entry: found by name: FRODO$ > get_smbpwd_entry: returning passwd entry for user FRODO$, uid 65534, acb 0 the acb bits should be 0x80 (ACB_WKSTRUST) not 0x0. this tells me that you may not have :0080: at the end of the smbpasswd line: check the archives for previous posts on this (thread "Also no PDC found"). lukes From samj at cse.unsw.EDU.AU Mon Feb 23 02:08:24 1998 From: samj at cse.unsw.EDU.AU (Samuel James Johnston) Date: Tue Dec 2 02:23:49 2003 Subject: How to use /etc/passwd passwords for NTDOM? In-Reply-To: <34EDC727.1063C6B1@eng.auburn.edu> Message-ID: You'll be doing well if you manage to work out how to do this. The UNIX password file contains one way encryptions of the users passwords. ie the password is encrypted using the password and a salt as the key, or thereabouts. To create the hashes needed in smbpasswd files you need the original (cleartext) password. Thus, unless you want to crack each line of the UNIX password file, you have little or no chance of achieving this. mkpasswd works only as well as is possible. Perhaps you could modify the passwd (or dare I say, login) executables to update the smbpasswd file. These are about the only two processes that ever get to see your password. Remember too that the smbpasswd file contains passowrd equivalents, so be careful about where you put it/who can see it. Hope this helps, Sam Johnston On Sat, 21 Feb 1998, Gerald W. Carter wrote: > Nuno Loureiro wrote: > > > > Is there any automatic way of converting /etc/passwd (or shadow) to > > smbpasswd? 
mkpasswd doesn't seem to work well (it doesn't convert the > > passwords, instead it puts XXXX.... in the smb password field). > > Short answer. No this is no automatic way of doing this. Sorry. > > I welcome corrections if I am wrong on this one. > > > > j- > -- > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) > From jar at ntu-kpi.kiev.ua Mon Feb 23 09:19:25 1998 From: jar at ntu-kpi.kiev.ua (Yaroslav L. Halchinsky) Date: Tue Dec 2 02:23:49 2003 Subject: Two samba branches Message-ID: hi, it was already written here that BRANCH_NTDOM is separate from samba so i would like to know if fixes in samba appear in BRANCH_NTDOM ? and when shell i expect release of NTDOM ? Yaroslav Halchinsky (jar@ntu-kpi.kiev.ua) From nuno at lwp.ualg.pt Mon Feb 23 11:57:38 1998 From: nuno at lwp.ualg.pt (Nuno Loureiro) Date: Tue Dec 2 02:23:49 2003 Subject: Passwds Message-ID: Hi!! I can detect the domain, and logon from NT4+SP3 Wrkts, but the users can logon using any password. I did the smbpasswd file using mksmbpasswd.sh and I did "smbpasswd -add user pass" to change users passwords. I also tried "smbpasswd user" to change users passwords, but the users still can logon without or with any password. If the user doesn't exist, or if it has Xs in the passwd field, he is not able to login. The only users that can login without or with any passwd are the users that I changed their passwords with smbpasswd. I already compiled with ARCFOUR, using the makefile that luke posted to the list, and I grabbed the BRANCH_NTDOM using cvs, on a 1.9.18p3 sources. Anyone knows the problem!? 
Thanks in Advance, Nuno Loureiro From danny at cs.huji.ac.il Mon Feb 23 13:19:00 1998 From: danny at cs.huji.ac.il (Danny Braniss) Date: Tue Dec 2 02:23:49 2003 Subject: No subject Message-ID: <199802231319.NAA14351@peetoo.cs.huji.ac.il> im trying to set up samba as a PDC. so far i can set the domain on an NT box, but my Network Appliance file server fails to find it. My guess is that im missing something in the samba.conf, this is an abstract from the log: switch message SMBtconX (pid 29248) Got device type \ checking for home directory gave (NULL) find_service() failed to find service 02/23/1998 14:48:35 couldn't find service 02/23/1998 14:48:35 error packet at line 172 cmd=117 (SMBtconX) eclass=2 ecode=6 tia, danny From cartegw at Eng.Auburn.EDU Mon Feb 23 13:31:53 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:49 2003 Subject: Passwds References: Message-ID: <34F17A49.94F8B6C2@eng.auburn.edu> Nuno Loureiro wrote: > > Hi!! > > I can detect the domain, and logon from NT4+SP3 Wrkts, but the > users can logon using any password. I did the smbpasswd file using > mksmbpasswd.sh and I did "smbpasswd -add user pass" to change users > passwords. I also tried "smbpasswd user" to change users passwords, but > the users still can logon without or with any password. > If the user doesn't exist, or if it has Xs in the passwd field, > he is not able to login. The only users that can login without or with > any passwd are the users that I changed their passwords with smbpasswd. > I already compiled with ARCFOUR, using the makefile that luke > posted to the list, and I grabbed the BRANCH_NTDOM using cvs, on a > 1.9.18p3 sources. > Anyone knows the problem!? Dumb question, but the problem sounds like an absence of the arcfour.c file in the compile. If the user logs in with an invalids passwd, he / she doesn't have to access to their roaming profile, correct? 
This may be way off base since you said you grabbed the Makefile from Luke's previous message and the reference to arcfour.c was in the same message. The message archive is http://samba.anu.edu.au/listproc/samba-ntdom/0114.html j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From nuno at lwp.ualg.pt Mon Feb 23 14:59:36 1998 From: nuno at lwp.ualg.pt (Nuno Loureiro) Date: Tue Dec 2 02:23:49 2003 Subject: Passwds Message-ID: >Gerald W. Carter wrote: > >>Nuno Loureiro wrote: >> >> Hi!! >> >> I can detect the domain, and logon from NT4+SP3 Wrkts, but the >> users can logon using any password. I did the smbpasswd file using >> mksmbpasswd.sh and I did "smbpasswd -add user pass" to change users >> passwords. I also tried "smbpasswd user" to change users passwords, but >> the users still can logon without or with any password. >> If the user doesn't exist, or if it has Xs in the passwd field, >> he is not able to login. The only users that can login without or with >> any passwd are the users that I changed their passwords with smbpasswd. >> I already compiled with ARCFOUR, using the makefile that luke >> posted to the list, and I grabbed the BRANCH_NTDOM using cvs, on a >> 1.9.18p3 sources. >> Anyone knows the problem!? > Dumb question, but the problem sounds like an absence of the arcfour.c > file in the compile. If the user logs in with an invalids passwd, he / > she doesn't have to access to their roaming profile, correct? This may Correct. > be way off base since you said you grabbed the Makefile from Luke's > previous message and the reference to arcfour.c was in the same > message. > The message archive is > http://samba.anu.edu.au/listproc/samba-ntdom/0114.html Sorry, I didn't get the point. 
That's the URL from where I got luke's makefile, and I got arcfour.c from luke's page. I think it's compiling with arcfour. Here's an extract from a make: rtfm.root:/install/net/samba/source > make Using CFLAGS = -DSMBLOGFILE="/usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr/local/samba/var/log.nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTSFILE="/usr/local/samba/lib/lmhosts" -DWEB_ROOT="/usr/local/samba" -DLOCKDIR="/usr/local/samba/var/locks" -DSMBRUN="/usr/local/samba/bin/smbrun" -DCODEPAGEDIR="/usr/local/samba/lib/codepages" -DWORKGROUP="RESNET" -DGUEST_ACCOUNT="nobody" -DDRIVERFILE="/usr/local/samba/lib/printers.def" -O3 -m486 -DLINUX -DSHADOW_PWD -DQUOTAS -DFAST_SHARE_MODES -DSMB_PASSWD="/usr/local/samba/bin/smbpasswd" -DSMB_PASSWD_FILE="/usr/local/samba/private/smbpasswd" -I./include/ -I./lib/ -I./daemon/nmbd/ Using LIBS = -lshadow (...) Compiling lib/rpc/server/srv_lsa_hnd.c Compiling /usr/local/src/arcfour/arcfour.c Compiling daemon/smbd/trans2.c (...) Regards, Nuno Loureiro From Jean-Francois.Micouleau at utc.fr Mon Feb 23 16:38:57 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:23:49 2003 Subject: Passwds In-Reply-To: Message-ID: On Tue, 24 Feb 1998, Nuno Loureiro wrote: > >Gerald W. Carter wrote: > > > >>Nuno Loureiro wrote: > >> > >> Hi!! > >> > -DGUEST_ACCOUNT="nobody" -DDRIVERFILE="/usr/local/samba/lib/printers.def" > -O3 -m486 -DLINUX -DSHADOW_PWD -DQUOTAS -DFAST_SHARE_MODES > -DSMB_PASSWD="/usr/local/samba/bin/smbpasswd" Are you sure you added -DUSE_ARCFOUR on the FLAGSM line in Makefile ? 
It should look like : FLAGSM = -DLINUX -DFAST_SHARE_MODES -DUSE_ARCFOUR ----------------------------------------------------------- : Jean Francois Micouleau : Email: jfm@utc.fr : : Universite de : Tel : 03 44 23 47 78 : : Technologie de : Service Informatique : : Compiegne France : Division IRNM : ----------------------------------------------------------- From S.Murcott at massey.ac.nz Mon Feb 23 21:10:57 1998 From: S.Murcott at massey.ac.nz (Simon Murcott) Date: Tue Dec 2 02:23:49 2003 Subject: How to use /etc/passwd passwords for NTDOM? References: Message-ID: <34F1E5E1.5C0769B@massey.ac.nz> Samuel James Johnston wrote: > > You'll be doing well if you manage to work out how to do this. The UNIX > password file contains one way encryptions of the users passwords. ie the > password is encrypted using the password and a salt as the key, or > thereabouts. To create the hashes needed in smbpasswd files you need the > original (cleartext) password. Thus, unless you want to crack each line of > the UNIX password file, you have little or no chance of achieving this. > > mkpasswd works only as well as is possible. Perhaps you could modify the > passwd (or dare I say, login) executables to update the smbpasswd file. > These are about the only two processes that ever get to see your password. > > Remember too that the smbpasswd file contains passowrd equivalents, so be > careful about where you put it/who can see it. > I have noticed that there is a module available for PAM that will allow you to authenticate of a NT/Samba domain controller. In theory this could replace /etc/passwd with private/smbpasswd. Has anyone tried this? I would be very interested in some opinions of it. 
Regards Simon Murcott ---------------------------------------------------------------------- Computer Consultant Department of Resource and Environmental Planning Massey University, Private Bag 11 222 Palmerston North, New Zealand S.Murcott@massey.ac.nz ---------------------------------------------------------------------- From samj at cse.unsw.EDU.AU Mon Feb 23 23:41:57 1998 From: samj at cse.unsw.EDU.AU (Samuel James Johnston) Date: Tue Dec 2 02:23:49 2003 Subject: How to use /etc/passwd passwords for NTDOM? In-Reply-To: <34F1E5E1.5C0769B@massey.ac.nz> Message-ID: Simon, This sounds like a good idea. The only question I would have about it is that it only contains the password information, rather than the usual unix format of everything in the same file. I guess this could also be a good thing. One wants to make sure the smbpasswd file is _very_ secure. Not only are the keys crackable (reasonably easily), but they are effectively password equivalents. Sam Johnston > I have noticed that there is a module available for PAM that will allow > you to authenticate of a NT/Samba domain controller. In theory this > could replace /etc/passwd with private/smbpasswd. > > Has anyone tried this? I would be very interested in some opinions of > it. > > Regards > > Simon Murcott > ---------------------------------------------------------------------- > Computer Consultant > Department of Resource and Environmental Planning > Massey University, Private Bag 11 222 > Palmerston North, New Zealand > S.Murcott@massey.ac.nz > ---------------------------------------------------------------------- > From danny at cs.huji.ac.il Tue Feb 24 10:43:37 1998 From: danny at cs.huji.ac.il (Danny Braniss) Date: Tue Dec 2 02:23:49 2003 Subject: PDC Message-ID: <199802241043.KAA16362@peetoo.cs.huji.ac.il> hi, Im using the NTDOMAIN branch, and i can change the NT identification to domain SAMBA ( i get a nice welcome message), i can then access the shares. 
which means that the nt_password stuff is ok. BUT: when i reboot NT 1) the logon window shows up with the 'local domain - ie. hostname' not as the NTDOMAIN.txt says with the SAMBA domain. 2) when i select the samba domain there is only one entry in the domain, ie the domain-name SAMBA 3) the real painful one: i can't login. :-( from the logs, the credentials don't match. im deep in trying to understand the code/process (the credential process) but any help is welcome. danny From cartegw at Eng.Auburn.EDU Tue Feb 24 13:26:36 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:23:49 2003 Subject: PDC References: <199802241043.KAA16362@peetoo.cs.huji.ac.il> Message-ID: <34F2CA8C.26D1BE89@eng.auburn.edu> Danny Braniss wrote: > > BUT: > when i reboot NT > 1) the logon window shows up with the 'local domain - ie. > hostname' not as the NTDOMAIN.txt says with the SAMBA > domain. > 2) when i select the samba domain there is only one entry in > the domain, ie the domain-name SAMBA > 3) the real painful one: i can't login. :-( > from the logs, the credentials don't match. > > im deep in trying to understand the code/process (the credential > process) but any help is welcome. Can't really say anything without a little more information. Perhaps including a partial debug log (the parts where the error messages appear) at level 5 or so. Also the [global] and [netlogon] sections of smb.conf would be nice as well as Makefile options. Also include the last time you updated the BRANCH_NTDOM code as well as the OS and hardware you are running on. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From paul at argo.demon.co.uk Tue Feb 24 13:44:22 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:49 2003 Subject: Synchronising passwords In-Reply-To: Message-ID: <888327951.1020975.0@saic.demon.co.uk> Here is my understanding of the possibilities to support common passwords between Unix and NT and Samba. (Aside: standard description of the password hashing for continuity purposes:- Standard Unix passwords are obtained through 25 iterations of modified DES, using the password up to 8 characters and a two character salt. The algorithm is not reversible. NT stores 2 versions of the password. One is the Lanman hash which involves a single standard DES encryption on each half of a 14 character password (upper cased) independently and no salt. The second is the NT hash which is MD4(Unicode(password)). Neither of the hashes are reversible, but the Lanman one is brute forceable given typical password usage constraints). The NT and LM hashes also function as password equivalents and their secrecy, even though they are hashed, is critical. ) Evidently we can't reverse any of the hashes, and we don't really want to brute force the Lanman hashes, so we can't turn any to plaintext and reencrypt in the others. This means we must gain access to the password whilst it is plaintext and convert it, if that is desired. There are two ways to do this: gain access to the plaintext when it is changed, or gain access when it is used. NT clients provide the plaintext password to the server when the password is changed, so we could use that to synchonise the passwords. This involves implementing a couple of RPCs which are more or less understood, but just need implementing. It is also nice in that we don't have to make any client changes. The problem is that other ways of changing the password don't provide the plaintext, such as the SMB password change function and one of the MS CHAP password change functions for example. 
These provide only the new password hash, meaning we can't generate an /etc/passwd entry. If we wish to make a client modification we can gain access to the plaintext password on NT by installing a notification package under: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages and install a dll that communicates the password to the server (securely we hope), and allows it to generate a Unix password. When Unix passwords are changed, the are almost exclusively hashed on the client and communicated to the name service afterwards, (NIS, NIS+, /etc/passwd). This doesn't give us any opportunity to form any other type of hash of the plaintext. In order to synchonise passwords at this point would require a modification to /bin/passwd or equivalent, or a new PAM module. At password usage time, we can gain access to the NT password at several different points:- GINA - The GINA module presents the GUI username and password request at interactive login time. Obviously it has access to your plaintext password and can use this to communicate with another password server. There are several examples of replacement GINAs, most notable being NISGINA which contains a full port of ONC RPC and Unix compatible NIS library calls. The disadvantage with this is that it is quite a large chunk of code leading to lots of possibilities of introducing bugs, and also, lots of other people like to make replacement GINAs too, making interoperability difficult at best. Next is a new "authentication package". The standard one, msv1_0 authenticates via the local SAM or a DC via the NETLOGON service. There isn't much information on this other than lsaauth.hlp in the ddk/msdn. I also haven't come across any freely available examples. The lsaauth.hlp API information may be sufficient to implement a replacement or augmentation of msv1_0 that would allow the plaintext password to be communicated to a password server (search for the LsaApCallPackage function and friends). 
Next we have a "subauthentication dll". These are external DLLs called by msv1_0 to do additional or replacement user validation. The documentation (SDK samples/win32/winnt/security/subauth/readme.txt) indicates that these DLLs have access to the password in order to do alternative or extra validation. It may also be possible to provide an alternative "network provider" that also has access to the user password. I haven't really looked into this and would welcome some insight. On the Unix side we can modify /bin/login, su, passwd, telnetd, etc., or the appropriate library interface or write a new PAM for those systems that support it (at least Linux + Solaris). These could generate the new smbpasswd entry. Instead of trying to synchronise password hashes we can change one system to use the hashes of the other. NT uses the password hash in many places other than at login time, such as in RPCs, HTTP-NTLM, SMB, and all of these would have to be modified to support the new value. On Unix here are PAMs to synchronise with NT servers (and therefore Samba also), or Samba directly. However the disadvantage is that we use the weak NT password equivalents. Finally, we can skip all this completely. Stop anyone changing password on either system somehow, and only allow password changing via a Web browser (for example) over SSL, which propogates the changes to all databases. Personally I would prefer to change both systems to use a new system in common such as http://srp.stanford.edu/srp/ This would involve writing PAMs for Unix and a new authentication package for NT (at least). I definitely would not want to have a new GINA (I've tried it...). Please post any corrections, observations or pointers to examples. 
Cheers, Paul From samba at aquasoft.com.au Tue Feb 24 22:20:37 1998 From: samba at aquasoft.com.au (Samba Bugs) Date: Tue Dec 2 02:23:49 2003 Subject: Synchronising passwords In-Reply-To: <888327951.1020975.0@saic.demon.co.uk> Message-ID: Paul, Your analysis of the issues is clear and seemingly comprehensive, as per your usual style. One issue you did not address is the inherent dynamics of change. What has inertia? What could gain support of the Unix/Linux community and what effort would that take? Also, what is your estimate of the time frame before an acceptable solution may be available? My personal preference is to make the password synchronisation Unix centric, thus PAM could be a suitable vehicle even given maintenance of both /etc/passwd and /etc/smbpasswd files. I am confident that the Unix community will be __unwilling__ to consider a change away from /etc/passwd (and it's friends). While in London, I spoke with Luke about this and the possibily of a samd (SAM Daemon) that maintains a Unix equivalent of the NT SAM and SECURITY database files in a suitably secure format. I suspect this is still a good option to protect the database from prying eyes. The samd could have an API that Samba could call into. This does not address your concern of the mechanics of implementing a synchronised password change from a Windows client system. The key to success of Samba has been the fact that it does NOT require ANY third-party add-on software for the MS Windows client. I can not help but fear the worst should we now change that by requiring a "Samba proprietary" password change/authentication system for client platforms. Sorry if I seem a wet blanket here, that is not my intention. Your efforts are appreciated very much. Cheers, John H Terpstra From nuno at lwp.ualg.pt Tue Feb 24 22:23:29 1998 From: nuno at lwp.ualg.pt (Nuno Loureiro) Date: Tue Dec 2 02:23:49 2003 Subject: script to control login times Message-ID: Hi!! 
Anyone did or know about a script to know user's login time?!?! I have a lab with 20 computers, and I want to do a page with the time each user is logged in. TIA, Nuno Loureiro PS: btw, I resolved already user's authentication. Thanks for the support given. ----- Nuno Andre Henriques Loureiro http://lwp.ualg.pt/~nuno PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4 Finger nuno@lwp.ualg.pt for more info From paul at argo.demon.co.uk Tue Feb 24 23:10:29 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:49 2003 Subject: Synchronising passwords In-Reply-To: References: <888327951.1020975.0@saic.demon.co.uk> Message-ID: <199802242312.XAA23583@mail.bogo.co.uk> At 09:20 25/02/98 +1100, Samba Bugs wrote: >Also, what is your estimate of the time frame before an acceptable >solution may be available? It depends what you want. Many people will be happy to require the user to generate their smbpasswd on unix first, either via a special program, or via a web browser. There is no absolute necessity to implement compatibility. The time frame for that solution is 0 - somebody has already written a CGI script to do this ISTR. What about all the people who don't want their users to do anything at all? Well there are two immediate solutions that require hardly any effort but reduce security. 1. Ignore the password and force the user to change it when they log in, store the new smbpasswd entry. 2. Tell your users to login as "USER-UNIXPASSWORD" with any password. Samba-ntdom will extract the second half of the username, crypt(3) it and compare with /etc/passwd. If it matches, generate an smbpasswd entry and log them in. Their password goes over the net in the clear but if it used to anyway... To make it a bit more secure, force them to change it as well (but then it won't match /etc/passwd anymore, but that isn't a such a bad idea...). 
>My personal preference is to make the password synchronisation Unix >centric, thus PAM could be a suitable vehicle even given maintenance of >both /etc/passwd and /etc/smbpasswd files. I am confident that the >Unix community will be __unwilling__ to consider a change away from >/etc/passwd (and it's friends). That's fine but it can only happen at password change time. Otherwise a client modification is required to get the plaintext password. >I can not help but >fear the worst should we now change that by requiring a "Samba >proprietary" password change/authentication system for client platforms. We don't have to *require* it. As long as people can work without it and having the more elegant/secure, yet client modifying authentication package as an *option*. Paul From paul at argo.demon.co.uk Tue Feb 24 23:39:34 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:23:49 2003 Subject: Synchronising passwords In-Reply-To: References: <888327951.1020975.0@saic.demon.co.uk> Message-ID: <199802242341.XAA25275@mail.bogo.co.uk> Here's yet another low cost hack for synchonising passwords:- When Samba responds to the NetLogonSamLogon RPC call, it can respond with data completely independent to that which was supplied in the request, i.e. if you try and login as FOO, it can return your username as BAR, etc. So the hack goes as follows:- If you try and log in and your password does not match smbpasswd, you will be logged as a user "PASSWDCHG" who's login program will be downloaded from a the Samba DC netlogon share. The login program will ask you for a username and password, communicate it to the server in reversibly encrypted (perhaps public key) form, crypt(3)d and if it matches, update smbpasswd. Then it logs you out. Easy to implement, requires no client changes, no user education. Paul From samj at cse.unsw.EDU.AU Wed Feb 25 00:41:34 1998 From: samj at cse.unsw.EDU.AU (Samuel James Johnston) Date: Tue Dec 2 02:23:49 2003 Subject: Password dilemmas. 
In-Reply-To: Message-ID: John, You have raised an important issue here. Certainly the UNIX community is not going to be overly excited at the prospect of even having to alter the format of the /etc/passwd file, let alone completely creating a new 'samba proprietry' one. Of course if we were MS... The issues as I see them are: * Everything in the windows NT client must be stock standard * The UNIX server should be as close to stock standard as possible (this means we can't really modify the authentication procedures, etc.) * The password should be able to be changed using the standard password change dialog in NT and a modified /bin/passwd file in UNIX. * The solution cannot rely on PAMs, etc. which may be specific to certain operating systems. (ie it must be portable between different versions of UNIX) * The file which contains the LM and MD4 hashes must be kept secure, as these are both reversible (almost) and are password equivalents. Any which way we look at it, the UNIX and the NT hashes must be generated whenever the password is changed. Thus we need to have the cleartext password. This has proven a problem in NTland because the authentication is done using the hashes (challenge/response etc.), and thus the PDC does not get to see the cleartext password. In the land of UNIX, the only two processes which handle the cleartext password regularly are login and /bin/passwd. One thing which hasn't been mentioned is the NT password filtering system (passfilt.dll). This feature hasn't had much publicity, but there's a KB article on it at MS. A simple passfilt.dll was released with SP2, as far as I know. Basically it is a dll which sits on the PDC and checks the password for validity, in terms of length, mix of characters, maybe a dictionary check, etc. Of course to check the password, you need to have the password. 
Thus even if the standard method of changing the password is for the client to provide a hash which is fed directly into the SAM, there m for the PDC to request a cleartext password. I haven't had a chance to look into this in depth, so if anyone has more of an idea about it... OK so we've got the cleartext password in UNIX now, either via the standard dialog, or through /bin/passwd. Creating the hashes isn't too difficult, but where does one put them. Probably the most convenient option is to stash it in a text file (like everything else), pretty much identical to the smbpasswd file, if not exactly the same. This will need to be locked away somewhere, much the same as a shadow password file. We would probably want to consider not having an entry for root, rather having both a root and an administrator account (root for UNIX, with no LM and MD4 hashes, and administrator for NT). This will mean we can sleep at night in the knowledge that the root password is safe (even if everyone elses aren't quite as secure). The other option suggested for the storage was to have a samd, which would look after the hashes in some encrypted format, and would check that the user requesting a hash is authorised to do so. This is adding complexity somewhat, and is looking like a bit of a 'samba proprietry' solution, which is not really a good thing. Do we have that big a problem with a text file protected by file system security to justify implementing a new protocol? The other options Paul came up with... for example having users connect to a web page using SSL... are also good ideas, except that anything non-standard may mean that some sites choose not to adopt samba. I'd be interested to hear if anyone has any comments about any of this, particularly with regards the innards of the NT passowrd change system. 
Regards, Sam Johnston Computing Support Officer, UNSW On Wed, 25 Feb 1998, Samba Bugs wrote: > Paul, > > Your analysis of the issues is clear and seemingly comprehensive, as per > your usual style. > > One issue you did not address is the inherent dynamics of change. > What has inertia? What could gain support of the Unix/Linux community and > what effort would that take? > > Also, what is your estimate of the time frame before an acceptable > solution may be available? > > My personal preference is to make the password synchronisation Unix > centric, thus PAM could be a suitable vehicle even given maintenance of > both /etc/passwd and /etc/smbpasswd files. I am confident that the > Unix community will be __unwilling__ to consider a change away from > /etc/passwd (and it's friends). > > While in London, I spoke with Luke about this and the possibily of a samd > (SAM Daemon) that maintains a Unix equivalent of the NT SAM and SECURITY > database files in a suitably secure format. I suspect this is still a good > option to protect the database from prying eyes. The samd could have an > API that Samba could call into. > > This does not address your concern of the mechanics of implementing a > synchronised password change from a Windows client system. The key to > success of Samba has been the fact that it does NOT require ANY > third-party add-on software for the MS Windows client. I can not help but > fear the worst should we now change that by requiring a "Samba > proprietary" password change/authentication system for client platforms. > > Sorry if I seem a wet blanket here, that is not my intention. > Your efforts are appreciated very much. > > Cheers, > John H Terpstra > > From aperrin at demog.Berkeley.EDU Wed Feb 25 01:50:43 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:23:49 2003 Subject: Password dilemmas. In-Reply-To: Message-ID: I am very clearly *not* a programmer, nor a security expert. 
But just as a thought to this thread: what about expanding on the existing "shadow" scheme used in Solaris (and I assume elsewhere) to separate passwords and the rest of /etc/passwd? Currently on shadowed systems, unix-hashed passwords are stored in /etc/shadow, which has a simple 1-to-1 relationship to /etc/passwd. What if one were to produce /etc/smbshadow as well, which could contain unix-hashed copies of lanman-hashed SMB passwords? Then, modify smbpasswd (the program) to be an appropriate substitute for passwd (the program), so it would change both locations as necessary.

Indeed, a very useful version of this might allow root to specify the relationship between the two (i.e., the two must be identical, the two must not be identical, etc.). This might satisfy most or all of the conditions folks have posted, and add to sysadmins' flexibility in deciding how to roll out solutions.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin
----------------------------------

From twinders at SPC.cc.tx.us Wed Feb 25 06:28:59 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:49 2003
Subject: Password dilemmas.
In-Reply-To:
Message-ID:

On Wed, 25 Feb 1998, Samuel James Johnston wrote:

> not get to see the cleartext password. In the land of UNIX, the only two
> processes which handle the cleartext password regularly are login and
> /bin/passwd.

What about POP/IMAP daemons? This wouldn't be universal of course, but on MY system, I don't have too many "interactive" logins (telnet, etc). Most/all of my users have Unix accounts which are used primarily for mail (POP/IMAP) and some file storage (SAMBA).

Could this be used in any way to "get" the cleartext password?
---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
| Network Administrator | Phone: 806-894-9611 x 2369                |
| South Plains College  | Fax:   806-897-4711                       |
---------------------------------------------------------------------

From paul at argo.demon.co.uk Wed Feb 25 08:02:36 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:49 2003
Subject: Password dilemmas.
In-Reply-To:
Message-ID: <199802250804.IAA13967@mail.bogo.co.uk>

At 11:47 25/02/98 +1100, Samuel James Johnston wrote:
>Any which way we look at it, the UNIX and the NT hashes must be generated
>whenever the password is changed. Thus we need to have the cleartext
>password. This has proven a problem in NTland because the authentication
>is done using the hashes (challenge/response etc.), and thus the PDC does
>not get to see the cleartext password. In the land of UNIX, the only two
>processes which handle the cleartext password regularly are login and
>/bin/passwd.

It's not a problem in NT, it is a problem with Unix. With NT, as I said in my synchronisation article, the password is passed in the clear to the DC. If the user changes their password on Unix we need to intercept it with a client change or new PAM.

>One thing which hasn't been mentioned is the NT password filtering system
>(passfilt.dll). This feature hasn't had much publicity, but there's a KB
>article on it at MS. A simple passfilt.dll was released with SP2, as far
>as I know. Basically it is a dll which sits on the PDC and checks the
>password for validity, in terms of length, mix of characters, maybe a
>dictionary check, etc. Of course to check the password, you need to have
>the password. Thus even if the standard method of changing the password is
>for the client to provide a hash which is fed directly into the SAM, there
>m for the PDC to request a cleartext password.
>I haven't had a chance to
>look into this in depth, so if anyone has more of an idea about it...

That uses the "Notification Package" mechanism I mentioned in my article. The password is supplied to the server using the RPCs I mentioned. If the NT machine is a domain member you only have to install the notification package on the PDC (or do the equivalent with Samba).

>OK so we've got the cleartext password in UNIX now, either via the
>standard dialog, or through /bin/passwd. Creating the hashes isn't too
>difficult, but where does one put them. Probably the most convenient
>option is to stash it in a text file (like everything else), pretty much
>identical to the smbpasswd file, if not exactly the same.

Why not store in the standard smbpasswd file?

Paul

From rmeyer at mhsc.com Wed Feb 25 08:07:39 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:49 2003
Subject: Password dilemmas.
In-Reply-To:
Message-ID: <3.0.3.32.19980225000739.00befc50@pop.mhsc.com>

At 11:47 25-02-98 +1100, Samuel James Johnston wrote:
>John,
>
>You have raised an important issue here. Certainly the UNIX community is
>not going to be overly excited at the prospect of even having to alter the
>format of the /etc/passwd file, let alone completely creating a new 'samba
>proprietary' one. Of course if we were MS...
>
>The issues as I see them are:
>
>* Everything in the windows NT client must be stock standard

Not quite, we can modify registry and configuration.

>* The UNIX server should be as close to stock standard as possible (this
>means we can't really modify the authentication procedures, etc.)

And this includes forcing use of shadows and other non-standard foolishness. Including PAM. However, there might be one exception. BTW, my efforts with kerbnet are a bust. Too much critical dox are missing from the release.

>* The password should be able to be changed using the standard password
>change dialog in NT and a modified /bin/passwd file in UNIX.
Careful how you modify here ...

>* The solution cannot rely on PAMs, etc. which may be specific to certain
>operating systems. (ie it must be portable between different versions of
>UNIX)
>* The file which contains the LM and MD4 hashes must be kept secure, as
>these are both reversible (almost) and are password equivalents.

Given that WinNT passwords are naturally insecure, send them plain-text and wrap an encryption-shell around the whole machine! This is the SSH approach and it works. However, someone will have to port the relevant parts of SSH to the CygWin.dll system. Alternatively, the client can spend the $89US to buy F-secure.

BTW, I thought that Samba had a means to change the password using a shell script or direct access to /bin/passwd? I know that I had it setup that way once, about a year ago. This means that the plain-text password had to be available at one point. Or is this before we went to encrypted password support?

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
Watch for the SecureMail system at MHSC.NET

From paul at argo.demon.co.uk Wed Feb 25 09:19:28 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:49 2003
Subject: Password dilemmas.
In-Reply-To: <3.0.3.32.19980225000739.00befc50@pop.mhsc.com>
Message-ID: <199802250928.JAA17867@mail.bogo.co.uk>

At 19:14 25/02/98 +1100, Roeland M.J. Meyer wrote:
>Given that WinNT passwords are naturally insecure, send them plain-text and
>wrap an encryption-shell around the whole machine! This is the SSH approach
>and it works. However, someone will have to port the relevant parts of SSH
>to the CygWin.dll system. Alternatively, the client can spend the $89US to
>buy F-secure.

SSH has already been ported to cygwin. Both as a client and a server.
No need to buy f-secure unless you want the pretty GUI. However, doing this or even using IPSEC, using plaintext passwords can cause other problems (which I don't recall, but are on some archive somewhere or other).

Paul

From lkcl at switchboard.net Wed Feb 25 12:19:34 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: Two samba branches
In-Reply-To:
Message-ID:

On Mon, 23 Feb 1998, Yaroslav L. Halchinsky wrote:

> hi,
>
> it was already written here that BRANCH_NTDOM is separate from samba
> so i would like to know if fixes in samba appear in BRANCH_NTDOM ?

yes they do. this is done manually, and i haven't done any since 18p2.

lukes

From lkcl at switchboard.net Wed Feb 25 12:23:50 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:49 2003
Subject: your mail
In-Reply-To: <199802231319.NAA14351@peetoo.cs.huji.ac.il>
Message-ID:

On Mon, 23 Feb 1998, Danny Braniss wrote:

> im trying to set up samba as a PDC.

try setting up a 1.9.18p3 server. if that works and BRANCH_NTDOM doesn't, then post to samba-ntdom@samba.anu.edu.au with the results, ok? give lots of context information, ok?

> so far i can set the domain on an NT box, but my Network Appliance file server
> fails to find it.

oo! one of those! fascinating! we'll definitely want to get things working with one of those!

> My guess is that im missing something in the samba.conf,

smb.conf.

> this is an abstract from the log:

people need more context than this, and also the smb.conf file, in order to say what's going on.
> switch message SMBtconX (pid 29248)
> Got device type \
> checking for home directory gave (NULL)
> find_service() failed to find service
> 02/23/1998 14:48:35 couldn't find service
> 02/23/1998 14:48:35 error packet at line 172 cmd=117 (SMBtconX) eclass=2
> ecode=6
>
> tia,
> danny
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From danny at cs.huji.ac.il Wed Feb 25 12:36:38 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:49 2003
Subject: your mail
In-Reply-To: Your message of Wed, 25 Feb 1998 12:23:50 +0000 (GMT) .
Message-ID: <199802251236.MAA18858@peetoo.cs.huji.ac.il>

In message you write:
}On Mon, 23 Feb 1998, Danny Braniss wrote:
}
}> im trying to set up samba as a PDC.
}
}try setting up a 1.9.18p3 server. if that works and BRANCH_NTDOM doesn't,
}then post to samba-ntdom@samba.anu.edu.au with the results, ok? give lots
}of context information, ok?
}
setting up 1.9.18p3 will take some time, so in the meantime im sending all i have for the BRANCH_NTDOM

}> so far i can set the domain on an NT box, but my Network Appliance file server
}> fails to find it.
}
}oo! one of those! fascinating! we'll definitely want to get things
}working with one of those!
}
}> My guess is that im missing something in the samba.conf,
}
}smb.conf.
}
}> this is an abstract from the log:
}
}people need more context than this, and also the smb.conf file, in order
}to say what's going on.
}
}
}> switch message SMBtconX (pid 29248)
}> Got device type \
}> checking for home directory gave (NULL)
}> find_service() failed to find service
}> 02/23/1998 14:48:35 couldn't find service
}> 02/23/1998 14:48:35 error packet at line 172 cmd=117 (SMBtconX) eclass=2
}> ecode=6
}>
}> tia,

-------------- next part --------------
02/25/1998 09:27:20 init msg_type=0x81 msg_flags=0x0
02/25/1998 09:27:20 Transaction 1 of length 182
size=178
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=0
smb_bcc=143
switch message SMBnegprot (pid 3253)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [DOS LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [NT LM 0.12]
Selected protocol NT LM 0.12
02/25/1998 09:27:20 negprot index=7
size=88
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=17
smb_vwv[0]=7 (0x7)
smb_vwv[1]=12803 (0x3203)
smb_vwv[2]=256 (0x100)
smb_vwv[3]=65280 (0xFF00)
smb_vwv[4]=255 (0xFF)
smb_vwv[5]=65280 (0xFF00)
smb_vwv[6]=255 (0xFF)
smb_vwv[7]=46336 (0xB500)
smb_vwv[8]=12 (0xC)
smb_vwv[9]=8448 (0x2100)
smb_vwv[10]=3 (0x3)
smb_vwv[11]=0 (0x0)
smb_vwv[12]=31484 (0x7AFC)
smb_vwv[13]=48846 (0xBECE)
smb_vwv[14]=48449 (0xBD41)
smb_vwv[15]=34817 (0x8801)
smb_vwv[16]=2303 (0x8FF)
smb_bcc=19
02/25/1998 09:27:20 Transaction 2 of length 196
size=192
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=0
smb_mid=15618
smt_wct=13
smb_vwv[0]=117 (0x75)
smb_vwv[1]=146 (0x92)
smb_vwv[2]=65535 (0xFFFF)
smb_vwv[3]=2 (0x2)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=1 (0x1)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=0 (0x0)
smb_vwv[11]=212 (0xD4)
smb_vwv[12]=0 (0x0)
smb_bcc=85
switch message SMBsesssetupX (pid 3253)
Domain=[] NativeOS=[] NativeLanMan=[N]
sesssetupX:name=[]
Get_Pwnam: user has been changed to guest account nobody
nobody is in 2 groups
32766 32766
uid 32767 registered to name nobody
Clearing default real name
Chained message
size=192
smb_com=0x75
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=4
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1 (0x1)
smb_bcc=35
switch message SMBtconX (pid 3253)
Got device type \
checking for home directory gave (NULL)
find_service() failed to find service
02/25/1998 09:27:20 couldn't find service
02/25/1998 09:27:20 error packet at line 172 cmd=117 (SMBtconX) eclass=2 ecode=6
size=86
smb_com=0x73
smb_rcls=2
smb_reh=0
smb_err=6
smb_flg=136
smb_flg2=1
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=83 (0x53)
smb_vwv[2]=1 (0x1)
smb_bcc=42
end of file from client
Closing connections
02/25/1998 09:27:20 Server exit (normal exit)

-------------- next part --------------
[global]
   server string = Samba %v NT Domain Controller
   security = user
   interfaces = 132.65.16.9/16
   workgroup = FOUNDATION
   lock directory = /var/samba/locks
   log file = /var/samba/logs/log-%m
   domain logons = yes
   domain master = yes
   encrypt passwords = yes
   domain sid = S-1-5-21-123-456-789-123
   hosts allow = 132.65.
   share modes = yes
   public = yes
   logon path = \\nafs2\home\profiles\%U
   logon home = /tmp
   # locking = yes
   # strict locking = yes
   # keepalive = 30

[netlogon]
   writeable = no
   guest ok = no
   path=/net/nafs2/home/profiles/%U

[win]
   comment = windows programs/archives
   path = /home
   read only = yes
   public = no
   browseable = yes

From cartegw at Eng.Auburn.EDU Wed Feb 25 14:16:26 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:49 2003
Subject: script to control login times
References:
Message-ID: <34F427BA.50A5F372@eng.auburn.edu>

Nuno Loureiro wrote:
>
> Hi!!
>
> Anyone did or know about a script to know user's login time?!?!
> I have a lab with 20 computers, and I want to do a page with the
> time each user is logged in.

We have a program that logs to wtmp. It is setup as a preexec and postexec to the [homes] share. I can make it available if you would like.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                                jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Wed Feb 25 18:32:02 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:50 2003
Subject: Password dilemmas.
References: <3.0.3.32.19980225000739.00befc50@pop.mhsc.com>
Message-ID: <34F463A2.61133CF4@whistle.com>

Roeland M.J. Meyer wrote:
>
> And this includes forcing use of shadows and other non-standard
> foolishness. Including PAM. However, there might be one exception. BTW, my
> efforts with kerbnet are a bust. Too much critical dox are missing from the
> release.
>

Oh. I wrote the original KerbNet docs for NT (someone else then had a go at them after me :-( ) as I did the Cygnus Kerbnet port to NT.

What was wrong ?

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Wed Feb 25 21:24:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: your mail
In-Reply-To: <199802251236.MAA18858@peetoo.cs.huji.ac.il>
Message-ID:

hi danny,

couple of things.
1) you don't have a [homes] service. for some reason, SMBsessionsetupX is rejected if you don't have one of these. this is odd.

2) you are using public = yes in [global]. you might not want to do this, as all services will be made public unless you specify otherwise.

3) your [netlogon] service has a path .../%U. hm. interesting. this would allow you to specify an NTconfig.pol file on a per-user basis. but the configuration files already contain per-user and per-group and per-computer info, so i'd recommend that you drop the %U from the path. if you want to specify a per-user login file, then specify in [global] "profile path = .../profile.%U.bat (or .cmd).

luke

On Wed, 25 Feb 1998, Danny Braniss wrote:

> In message you write:
> }On Mon, 23 Feb 1998, Danny Braniss wrote:
> }
> }> im trying to set up samba as a PDC.
> }
> }try setting up a 1.9.18p3 server. if that works and BRANCH_NTDOM doesn't,
> }then post to samba-ntdom@samba.anu.edu.au with the results, ok? give lots
> }of context information, ok?
> }
> setting up 1.9.18p3 will take some time, so in the meantime im sending all i
> have for the BRANCH_NTDOM
>
> }> so far i can set the domain on an NT box, but my Network Appliance file server
> }> fails to find it.
> }
> }oo! one of those! fascinating! we'll definitely want to get things
> }working with one of those!
> }
> }> My guess is that im missing something in the samba.conf,
> }
> }smb.conf.
> }
> }> this is an abstract from the log:
> }
> }people need more context than this, and also the smb.conf file, in order
> }to say what's going on.
> }
> }
> }> switch message SMBtconX (pid 29248)
> }> Got device type \
> }> checking for home directory gave (NULL)
> }> find_service() failed to find service
> }> 02/23/1998 14:48:35 couldn't find service
> }> 02/23/1998 14:48:35 error packet at line 172 cmd=117 (SMBtconX) eclass=2
> }> ecode=6
> }>
> }> tia,
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

-------------- next part --------------
02/25/1998 09:27:20 init msg_type=0x81 msg_flags=0x0
02/25/1998 09:27:20 Transaction 1 of length 182
size=178
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=0
smb_bcc=143
switch message SMBnegprot (pid 3253)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [DOS LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [NT LM 0.12]
Selected protocol NT LM 0.12
02/25/1998 09:27:20 negprot index=7
size=88
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=17
smb_vwv[0]=7 (0x7)
smb_vwv[1]=12803 (0x3203)
smb_vwv[2]=256 (0x100)
smb_vwv[3]=65280 (0xFF00)
smb_vwv[4]=255 (0xFF)
smb_vwv[5]=65280 (0xFF00)
smb_vwv[6]=255 (0xFF)
smb_vwv[7]=46336 (0xB500)
smb_vwv[8]=12 (0xC)
smb_vwv[9]=8448 (0x2100)
smb_vwv[10]=3 (0x3)
smb_vwv[11]=0 (0x0)
smb_vwv[12]=31484 (0x7AFC)
smb_vwv[13]=48846 (0xBECE)
smb_vwv[14]=48449 (0xBD41)
smb_vwv[15]=34817 (0x8801)
smb_vwv[16]=2303 (0x8FF)
smb_bcc=19
02/25/1998 09:27:20 Transaction 2 of length 196
size=192
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=0
smb_mid=15618
smt_wct=13
smb_vwv[0]=117 (0x75)
smb_vwv[1]=146 (0x92)
smb_vwv[2]=65535 (0xFFFF)
smb_vwv[3]=2 (0x2)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=1 (0x1)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=0 (0x0)
smb_vwv[11]=212 (0xD4)
smb_vwv[12]=0 (0x0)
smb_bcc=85
switch message SMBsesssetupX (pid 3253)
Domain=[] NativeOS=[] NativeLanMan=[N]
sesssetupX:name=[]
Get_Pwnam: user has been changed to guest account nobody
nobody is in 2 groups
32766 32766
uid 32767 registered to name nobody
Clearing default real name
Chained message
size=192
smb_com=0x75
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=4
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1 (0x1)
smb_bcc=35
switch message SMBtconX (pid 3253)
Got device type \
checking for home directory gave (NULL)
find_service() failed to find service
02/25/1998 09:27:20 couldn't find service
02/25/1998 09:27:20 error packet at line 172 cmd=117 (SMBtconX) eclass=2 ecode=6
size=86
smb_com=0x73
smb_rcls=2
smb_reh=0
smb_err=6
smb_flg=136
smb_flg2=1
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=83 (0x53)
smb_vwv[2]=1 (0x1)
smb_bcc=42
end of file from client
Closing connections
02/25/1998 09:27:20 Server exit (normal exit)

-------------- next part --------------
[global]
   server string = Samba %v NT Domain Controller
   security = user
   interfaces = 132.65.16.9/16
   workgroup = FOUNDATION
   lock directory = /var/samba/locks
   log file = /var/samba/logs/log-%m
   domain logons = yes
   domain master = yes
   encrypt passwords = yes
   domain sid = S-1-5-21-123-456-789-123
   hosts allow = 132.65.
   share modes = yes
   public = yes
   logon path = \\nafs2\home\profiles\%U
   logon home = /tmp
   # locking = yes
   # strict locking = yes
   # keepalive = 30

[netlogon]
   writeable = no
   guest ok = no
   path=/net/nafs2/home/profiles/%U

[win]
   comment = windows programs/archives
   path = /home
   read only = yes
   public = no
   browseable = yes

From samj at cse.unsw.EDU.AU Wed Feb 25 22:35:14 1998
From: samj at cse.unsw.EDU.AU (Samuel James Johnston)
Date: Tue Dec 2 02:23:50 2003
Subject: Password dilemmas.
In-Reply-To:
Message-ID:

Tim,

Certainly this would work, but it's probably not going to be acceptable for a lot of sites. Maybe we could come up with a solution like the one Paul sent yesterday, and then give a list of alternatives for those who want to do it another way (hack login, popd, etc.)

Sam.

On Wed, 25 Feb 1998, Tim Winders wrote:

> On Wed, 25 Feb 1998, Samuel James Johnston wrote:
> >
> > not get to see the cleartext password. In the land of UNIX, the only two
> > processes which handle the cleartext password regularly are login and
> > /bin/passwd.
>
> What about POP/IMAP daemons? This wouldn't be universal of course, but on
> MY system, I don't have too many "interactive" logins (telnet, etc).
> Most/all of my users have Unix accounts which are used primarily for mail
> (POP/IMAP) and some file storage (SAMBA).
>
> Could this be used in any way to "get" the cleartext password?
>
> ---------------------------------------------------------------------
> | Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
> | Network Administrator | Phone: 806-894-9611 x 2369                |
> | South Plains College  | Fax:   806-897-4711                       |
> ---------------------------------------------------------------------
>
>
>

From tobbe at island.liu.se Thu Feb 26 00:30:25 1998
From: tobbe at island.liu.se (Tobias Karlsson)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
Message-ID: <34F4B7A1.DE25F71A@island.liu.se>

During the linking stage I get the following error, however I haven't been able to find where the reference to getsmbpass is in pwd_cache.

Any ideas?

Linking smbd
Undefined                       first referenced
 symbol                             in file
getsmbpass                          ./lib/util/pwd_cache.o
ld: fatal: Symbol referencing errors. No output written to smbd

/Tobias

From twinders at SPC.cc.tx.us Thu Feb 26 00:55:32 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:50 2003
Subject: Password dilemmas.
In-Reply-To:
Message-ID:

I was just throwing something out there. I didn't say it was necessarily *GOOD*. ;)

On Thu, 26 Feb 1998, Samuel James Johnston wrote:

> Tim,
>
> Certainly this would work, but it's probably not going to be acceptable
> for a lot of sites. Maybe we could come up with a solution like the one
> Paul sent yesterday, and then give a list of alternatives for those who
> want to do it another way (hack login, popd, etc.)
>
> Sam.
>
> On Wed, 25 Feb 1998, Tim Winders wrote:
>
> > On Wed, 25 Feb 1998, Samuel James Johnston wrote:
> > >
> > > not get to see the cleartext password. In the land of UNIX, the only two
> > > processes which handle the cleartext password regularly are login and
> > > /bin/passwd.
> >
> > What about POP/IMAP daemons? This wouldn't be universal of course, but on
> > MY system, I don't have too many "interactive" logins (telnet, etc).
> > Most/all of my users have Unix accounts which are used primarily for mail
> > (POP/IMAP) and some file storage (SAMBA).
> >
> > Could this be used in any way to "get" the cleartext password?
> >
> > ---------------------------------------------------------------------
> > | Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
> > | Network Administrator | Phone: 806-894-9611 x 2369                |
> > | South Plains College  | Fax:   806-897-4711                       |
> > ---------------------------------------------------------------------
> >
> >
> >
>

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
| Network Administrator | Phone: 806-894-9611 x 2369                |
| South Plains College  | Fax:   806-897-4711                       |
---------------------------------------------------------------------

From samj at cse.unsw.EDU.AU Thu Feb 26 01:50:20 1998
From: samj at cse.unsw.EDU.AU (Samuel James Johnston)
Date: Tue Dec 2 02:23:50 2003
Subject: Extracting passwords from users.
In-Reply-To:
Message-ID:

> I was just throwing something out there. I didn't say it was
> necessarily *GOOD*. ;)

Tim,

Doesn't have to be good. So long as it works. The only thing I would have to say about it is that it could look somewhat unprofessional. For example someone's released an authentication package for NT that authenticates by logging onto an FTP server on UNIX. Fair enough, it works... but it's not really the sort of thing that would be widely accepted.

We should probably choose one method to distribute and then have a list of suggestions (ie popd, login, setting users' shells to /bin/passwd).

Regards,

Sam.

>
> On Thu, 26 Feb 1998, Samuel James Johnston wrote:
>
> > Tim,
> >
> > Certainly this would work, but it's probably not going to be acceptable
> > for a lot of sites. Maybe we could come up with a solution like the one
> > Paul sent yesterday, and then give a list of alternatives for those who
> > want to do it another way (hack login, popd, etc.)
> >
> > Sam.
> >
> > On Wed, 25 Feb 1998, Tim Winders wrote:
> >
> > > On Wed, 25 Feb 1998, Samuel James Johnston wrote:
> > >
> > >
> > > > not get to see the cleartext password. In the land of UNIX, the only two
> > > > processes which handle the cleartext password regularly are login and
> > > > /bin/passwd.
> > >
> > > What about POP/IMAP daemons? This wouldn't be universal of course, but on
> > > MY system, I don't have too many "interactive" logins (telnet, etc).
> > > Most/all of my users have Unix accounts which are used primarily for mail
> > > (POP/IMAP) and some file storage (SAMBA).
> > >
> > > Could this be used in any way to "get" the cleartext password?
> > >
> > > ---------------------------------------------------------------------
> > > | Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
> > > | Network Administrator | Phone: 806-894-9611 x 2369                |
> > > | South Plains College  | Fax:   806-897-4711                       |
> > > ---------------------------------------------------------------------
> > >
> > >
> > >
> >
> >
> ---------------------------------------------------------------------
> | Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
> | Network Administrator | Phone: 806-894-9611 x 2369                |
> | South Plains College  | Fax:   806-897-4711                       |
> ---------------------------------------------------------------------
>
>
>

From twinders at SPC.cc.tx.us Thu Feb 26 02:24:32 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:50 2003
Subject: Extracting passwords from users.
In-Reply-To:
Message-ID:

On Thu, 26 Feb 1998, Samuel James Johnston wrote:

> > I was just throwing something out there. I didn't say it was
> > necessarily *GOOD*. ;)
>
> Tim,
>
> Doesn't have to be good. So long as it works. The only thing I would have
> to say about it is that it could look somewhat unprofessional. For example
> someone's released an authentication package for NT that authenticates by
> logging onto an FTP server on UNIX. Fair enough, it works...
> but it's not
> really the sort of thing that would be widely accepted.
>
> We should probably choose one method to distribute and then have a list of
> suggestions (ie popd, login, setting users' shells to /bin/passwd).

Good point. I am trying to figure out a way to INITIALLY create the smbpasswd file for my users. I think I am almost there, but not quite...

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
| Network Administrator | Phone: 806-894-9611 x 2369                |
| South Plains College  | Fax:   806-897-4711                       |
---------------------------------------------------------------------

From michel at nijenrode.nl Thu Feb 26 09:53:40 1998
From: michel at nijenrode.nl (Michel)
Date: Tue Dec 2 02:23:50 2003
Subject: Extracting passwords from users.
In-Reply-To: Your message of "Thu, 26 Feb 1998 12:53:50 +1100."
Message-ID: <199802260953.KAA27076@bordeaux.nijenrode.nl>

Actually I'm working on synchronization/usercreation tools that work alongside samba; main goal is to get something to work that will fit my needs until samba pdc-ing is more completed, and I expect it to be finished by the weekend (first crude-but-workable-version).

It consists of a small daemon running on NT-server(s), capable of handling account-creation and password changing. Then a client for this on the unix machine that adds/changes passwords of the NT accounts, Unix accounts and samba accounts all in one go, as well as a daemon version of this that accepts such requests from win95 workstations. For win95 a small password changing program (that connects to samba server to change the password, which then in turn forwards the request to the NT server(s)).

It's not beautiful, not standard and involves a lot of plain passwords but the parts that I have now work really well and fit my needs. At least till the same functionality is in samba.
If others find this package interesting drop me a note; if I get lots of requests I'll announce the finishing of the tools.

Michel.
--
Michel van der Laan - michel@nijenrode.nl
http://www.nijenrode.nl/~michel

In your mail from 26-2-1998 you write:
> > I was just throwing something out there. I didn't say it was
> > necessarily *GOOD*. ;)
>
> Tim,
>
> Doesn't have to be good. So long as it works. The only thing I would have
> to say about it is that it could look somewhat unprofessional. For example
> someone's released an authentication package for NT that authenticates by
> logging onto an FTP server on UNIX. Fair enough, it works... but it's not
> really the sort of thing that would be widely accepted.
>
> We should probably choose one method to distribute and then have a list of
> suggestions (ie popd, login, setting users' shells to /bin/passwd).
>
> Regards,
>
> Sam.
>
> >
> > On Thu, 26 Feb 1998, Samuel James Johnston wrote:
> >
> > > Tim,
> > >
> > > Certainly this would work, but it's probably not going to be acceptable
> > > for a lot of sites. Maybe we could come up with a solution like the one
> > > Paul sent yesterday, and then give a list of alternatives for those who
> > > want to do it another way (hack login, popd, etc.)
> > >
> > > Sam.
> > >
> > > On Wed, 25 Feb 1998, Tim Winders wrote:
> > >
> > > > On Wed, 25 Feb 1998, Samuel James Johnston wrote:
> > > >
> > > >
> > > > > not get to see the cleartext password. In the land of UNIX, the only two
> > > > > processes which handle the cleartext password regularly are login and
> > > > > /bin/passwd.
> > > >
> > > > What about POP/IMAP daemons? This wouldn't be universal of course, but on
> > > > MY system, I don't have too many "interactive" logins (telnet, etc).
> > > > Most/all of my users have Unix accounts which are used primarily for mail
> > > > (POP/IMAP) and some file storage (SAMBA).
> > > >
> > > > Could this be used in any way to "get" the cleartext password?
> > > >
> > > > ---------------------------------------------------------------------
> > > > | Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us              |
> > > > | Network Administrator | Phone: 806-894-9611 x 2369                |
> > > > | South Plains College  | Fax:   806-897-4711                       |
> > > > ---------------------------------------------------------------------
> >

From cartegw at Eng.Auburn.EDU Thu Feb 26 13:19:05 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: script to control login times
References: <3.0.1.32.19980226094655.009382e0@ws10.lme.usp.br>
Message-ID: <34F56BC9.3FC51BF5@eng.auburn.edu>

Andre Gerhard wrote:
>
> At 01:20 AM 2/26/98 +1100, you wrote:
> >Nuno Loureiro wrote:
> >>
> >> Hi!!
> >>
> >> Anyone did or know about a script to know user's login time?!?!
> >> I have a lab with 20 computers, and I want to do a page with the
> >> time each user is logged in.
> >
> >We have a program that logs to wtmp. It is setup as a preexec and
> >postexec to the [homes] share. I can make it available if you would
> >like.
> >
>
> Hello, Gerald !
>
> I am really interested in your script ...
> Could you post it to the ntdom list, or send it to me ?

I have had a couple of requests for the program we use to log users to
wtmp. I am trying to find time in the next day or so to clean things up
and will post a URL to the source code ( in C ) shortly.
j-
________________________________________________________________________
Gerald ( Jerry ) Carter                      Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
                                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Thu Feb 26 13:24:20 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
References: <34F4B7A1.DE25F71A@island.liu.se>
Message-ID: <34F56D04.22BF8BD3@eng.auburn.edu>

Tobias Karlsson wrote:
>
> During the linking stage I get the following error, however I haven't
> been able to find where the reference to getsmbpass is in pwd_cache.
>
> Any ideas?
>
> Linking smbd
> Undefined                       first referenced
>  symbol                             in file
> getsmbpass                          ./lib/util/pwd_cache.o
> ld: fatal: Symbol referencing errors. No output written to smbd
>
> /Tobias

Add a line in the Makefile in the UTILOBJ definition like this

UTILOBJ = \
        $(UTIL_SRC_DIR)interface.o \
        $(UTIL_SRC_DIR)replace.o \
        ......[snip].....
        $(UTIL_SRC_DIR)getsmbpass.o \
        ......[snip].....

BTW....When is the last time you updated the source code?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                      Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
                                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From nigel.williams at nomura.co.uk Thu Feb 26 16:15:25 1998
From: nigel.williams at nomura.co.uk (nigel.williams@nomura.co.uk)
Date: Tue Dec 2 02:23:50 2003
Subject: Synchronising passwords
In-Reply-To: <888327951.1020975.0@saic.demon.co.uk>
Message-ID:

Network providers / Credential managers are documented on the NT DDK in
ntnp.doc. However the AUTHENTINFO structure does not appear to be
documented, but is as follows.
typedef struct _AUTHENTINFO {
    DWORD w0;
    WORD  domlen;       //+4h
    PWSTR pszDomain;    //+8h
    WORD  userlen;      //+0Ch
    PWSTR pszUserName;  //+10h
    WORD  passlen;      //+14h
    PWSTR pszPassword;  //+18h
    DWORD w7;           //+1Ch
} AUTHENTINFO, *LPAUTHENTINFO;

Nigel Williams

From edw at detel.com Thu Feb 26 18:13:07 1998
From: edw at detel.com (Ed Weinberg)
Date: Tue Dec 2 02:23:50 2003
Subject: Synchronising passwords
In-Reply-To:
References:
Message-ID: <34fab08d.13565055@mail.detel.com>

On Fri, 27 Feb 1998 03:22:10 +1100, nigel.williams@nomura.co.uk wrote:

This message came with the body "attached". If there was a text body I
would have read it!

--
Ed Weinberg, Detel, Inc., An Internet Presence Provider
edw@detel.com  www.detel.com/  www.serverking.com
www.q5.com/ <-- find someone to CoolTalk or chat with here

From Jean-Marie.Chretien at ibt.univ-angers.fr Thu Feb 26 08:32:27 1998
From: Jean-Marie.Chretien at ibt.univ-angers.fr (Jean-Marie.Chretien@ibt.univ-angers.fr)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
Message-ID:

To build properly all samba tools you have to modify the file
source/Makefile in your samba directory to include getsmbpass.o in the
UTILOBJ section :

# general utility object files
UTILOBJ= \
        $(UTIL_SRC_DIR)getsmbpass.o \
        $(UTIL_SRC_DIR)interface.o \
        ...

Jean-Marie Chretien
_____________________________________________________________________________
UNIVERSITE D'ANGERS
Institut de Biologie Theorique
10, Rue A. Bocquel
49100 ANGERS - FRANCE
e-mail: chretien@ibt.univ-angers.fr
fax:    (33) 241.72.34.46
phone:  (33) 241.72.34.34
_____________________________________________________________________________

> From samba-ntdom@samba.anu.edu.au Thu Feb 26 01:57 MET 1998
> From: Tobias Karlsson
> To: Multiple recipients of list
> Subject: Compiling Samba-NTDOM
>
> During the linking stage I get the following error, however I haven't
> been able to find where the reference to getsmbpass is in pwd_cache.
>
> Any ideas?
>
> Linking smbd
> Undefined                       first referenced
>  symbol                             in file
> getsmbpass                          ./lib/util/pwd_cache.o
> ld: fatal: Symbol referencing errors. No output written to smbd
>
> /Tobias
>

From cartegw at Eng.Auburn.EDU Thu Feb 26 23:16:20 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: utility to log times connections to utmp
Message-ID: <34F5F7C4.5229A93B@eng.auburn.edu>

For all who were interested, here is the URL for the program to log to
utmp. Basically we run it as a preexec / postexec option to a share that
is always mounted during the login script. The program compiles under
Solaris 2.5.1

[apps]
   preexec = /etc/local/utmppipe %U %d 7 %M
   postexec = /etc/local/utmppipe %U %d 8 %M
   public = yes
   path = /export/apps

There can be some strange issues that arise depending on what service
has the exec scripts. For example, we started putting it on [homes] for
a Windows 95 lab with roaming profiles and ( you guessed it ) the system
was logging four connections to utmpx. Play around and see what is best
for you.

URL : ftp://ftp.eng.auburn.edu/pub/doug/utmppipe.c

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                      Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
                                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From todd at edge.cis.mcmaster.ca Fri Feb 27 05:27:56 1998
From: todd at edge.cis.mcmaster.ca (Todd Pfaff)
Date: Tue Dec 2 02:23:50 2003
Subject: script to control login times
In-Reply-To: <34F56BC9.3FC51BF5@eng.auburn.edu>
Message-ID:

On Fri, 27 Feb 1998, Gerald W. Carter wrote:

> Andre Gerhard wrote:
> >
> > At 01:20 AM 2/26/98 +1100, you wrote:
> > >Nuno Loureiro wrote:
> > >>
> > >> Hi!!
> > >>
> > >> Anyone did or know about a script to know user's login time?!?!
> > >> I have a lab with 20 computers, and I want to do a page with the
> > >> time each user is logged in.
> > >
> > >We have a program that logs to wtmp. It is setup as a preexec and
> > >postexec to the [homes] share. I can make it available if you would
> > >like.
> > >
> >
> > Hello, Gerald !
> >
> > I am really interested in your script ...
> > Could you post it to the ntdom list, or send it to me ?
>
> I have had a couple of requests for the program we use to log users to
> wtmp. I am trying to find time in the next day or so to clean things up
> and will post a URL to the source code ( in C ) shortly.

if you're using sunos (5.5 anyway) you can use the sessreg program to do
this. you can also find sessreg source code in the x11r5 mit/clients/xdm
source directory.

root preexec = [ %U != nobody ] && /usr/openwin/bin/sessreg -a -l s/%M -s %d %U
root postexec = [ %U != nobody ] && /usr/openwin/bin/sessreg -d -l s/%M -s %d %U

--
Todd Pfaff                          \  Email: pfaff@mcmaster.ca
Computing and Information Services   \  Voice: (905) 525-9140 x22920
ABB 132                               \    FAX: (905) 528-3773
McMaster University                    \
Hamilton, Ontario, Canada  L8S 4M1      \

From marcin.klimowski at solidex.com.pl Fri Feb 27 08:02:37 1998
From: marcin.klimowski at solidex.com.pl (Marcin Klimowski)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
References: <19980226230311Z12641402-18482+4865@samba.anu.edu.au>
Message-ID: <34F6731D.EBF59089@solidex.com.pl>

Jean-Marie.Chretien@ibt.univ-angers.fr wrote:
>
> To build properly all samba tools you have to modify the file source/Makefile in your samba directory to include getsmbpass.o in UTILOBJ section :
>
> # general utility object files
> UTILOBJ= \
>         $(UTIL_SRC_DIR)getsmbpass.o \
>         $(UTIL_SRC_DIR)interface.o \
>         ...

WHY isn't it put there by default ?!

--
Marcin Klimowski

From nuno at lwp.ualg.pt Fri Feb 27 15:15:38 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:50 2003
Subject: Summary
Message-ID:

Hi there!!!
Thanks again for the support given.

Well, this week I installed samba to be a PDC of 25 NT4+SP3 Workstations.
I can login normally, I can access shares, I can print, I use policies,
profiles, etc..

During the installation I had some problems, and I would like some help
to "repair" some of those problems. My smb.conf is included below.

1 - To use policies I had to put netlogon/ntconfig.pol and
ntconfig.pol.LOG mode 777. If I use another mode on the files the
policies won't work. Also, the policies problem is kind of complicated,
because to NT there are no USERS nor groups on the Domain. I used the
Default Policy for all the users and individual policies for each one of
the admins. Well, this is working, but netlogon/ntconfig.* world
writable is a security problem. Is there a way to get around this? I
hope that the lusers won't be lamers. :)

2 - I tried to share a dir on a workstation, to everyone (the only
possibility), but from another workstation I can't mount it *sometimes*.

3 - the preexec option to log users' logins and logouts doesn't work for
me. Dunno why..

4 - I use that trick (net use lpt1 //server/printer) to print. I have two
printers, and I can print on both that way with no problem, but I would
like to do pooling between both, on windows. I tried to use Windows to do
pooling but it doesn't work. Anyone knows how I can do this?

Can anyone also see my smb.conf and do some tuning!?!!
:)

Thanks in advance,
Nuno Loureiro

---------------------- Begin of smb.conf ---------------------------------
; The global setting for a default install
; Copyright(C) John H Terpstra - 1997

;===================== Global Settings =====================================
[global]
   workgroup = SEGNET
   comment = AAUAL Samba Server
   domain sid = S-1-5-21-123-456-789-123
   security = USER
   encrypt passwords = yes
   local master = yes
   os level = 75
   domain master = yes
   preferred master = yes
   domain logons = yes
   wins support = yes
   logon drive = u:
   logon home = "\\rtfm\%U"
   logon path = \\%L\Profiles\%U
   unix realname = yes
   time server = True
   guest account = nobody
   logon script = script.bat

; printing = BSD or SYSV or AIX, etc.
   printing = bsd
   printcap name = /etc/printcap
   load printers = no

; Logs
   log file = /usr/local/samba/var/log.%m
   max log size = 500
;   log level = 50

; Options for handling file name case sensitivity and / or preservation
; Case Sensitivity breaks many WfW and Win95 apps
;   case sensitive = yes
   short preserve case = yes
   preserve case = yes

; Security and file integrity related options
   lock directory = /usr/local/samba/var/locks
   locking = yes
   share modes = yes
   guest ok = no

; Performance Related Options
; Before setting socket options read the smb.conf man page!!
   socket options = TCP_NODELAY

# Unix users can map to different SMB User names
   username map = /etc/users.map

;======================= Share Definitions ==============================
[homes]
   comment = Home Directories
   public = no
   browseable = no
   writable = yes
   root preexec = echo \"%u connected to %S from %m (%I)\" >> /tmp/log
   root postexec = echo \"%u disconnected from %S from %m (%I)\" >> /tmp/log

; Un-comment the following and create the netlogon directory for Domain Logons
[Netlogon]
   comment = Samba Network Logon Service
   path = /home/samba/netlogon
; Case sensitivity breaks logon script processing!!!
   case sensitive = no
   guest ok = no
   locking = no
;   writable = no
   writable = yes
; For browseable say NO if you want to hide the NETLOGON share
   browseable = yes

; Un-comment the following to provide a specific roving profile share
; the default is to use the user's home directory
[Profiles]
   path = /home/samba/profiles
   browseable = no
   printable = no
   guest ok = yes
   writable = yes

; NOTE: There is NO need to specifically define each individual printer
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
   printable = yes
; Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   create mask = 0700
   printer driver = HP DeskJet 670C
   print command = /usr/bin/lpr -P%p %s ; rm %s
   lpq command = /usr/bin/lpq -P%p
   lprm command = /usr/bin/lprm -P%p %j

[public]
   comment = Public Stuff
   path = /home/samba/public
   public = yes
   writable = yes
   printable = no
   write list = @users
   read list = @alunos
;   admin users = nuno, bpedro, antobar, victor

[admins]
   comment = Only for Administrators
   path = /home/samba/admin
   valid users = nuno, bpedro, antobar, victor, viseu
   admin users = nuno, bpedro, antobar, victor, viseu
   public = yes
;   writable = no
   write list = @users
   printable = no
------------------- End of smb.conf ------------------------------

From valdand at soften.ktu.lt Fri Feb 27 16:31:28 1998
From: valdand at soften.ktu.lt (Valdas Andrulis)
Date: Tue Dec 2 02:23:50 2003
Subject: Smbclient
In-Reply-To: <4A317614E7@glavunion.cz>
Message-ID:

Here is the situation:

I have computer ALPHA (NT 4.0 Workstation) in samba PDC domain SFTN.
I want to use smbclient to connect to a share on ALPHA:

senis> smbclient //alpha/temp -U administrator
Server time is Fri Feb 27 18:07:47 1998
Timezone is UTC+2.0
Password:
Session setup failed for username=administrator myname=SENIS destname=ALPHA
ERRDOS - ERRnoaccess (Access denied.)
You might find the -U, -W or -n options useful
Sometimes you have to use `-n USERNAME' (particularly with OS/2)
Some servers also insist on uppercase-only passwords
senis>

I also tried -U alpha\\administrator - the same.

This is for samba versions 1.9.17p2 , 1.9.18 , 1.9.18p2.

And for the samba-ntdom version of smbclient I get:

senis> smbclient //alpha/temp -U administrator
service: \\alpha\temp
Enter Password:
failed session setup
client_init: connection failed
warning: connection could not be established to alpha<20>
this version of smbclient may crash if you proceed
senis>

The same occurs if I just want to list available shares.

And the last: When I remove ALPHA from domain SFTN then the above
commands work perfectly for all versions.

Any ideas why this is so?

From cartegw at Eng.Auburn.EDU Fri Feb 27 17:46:03 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: Summary
References:
Message-ID: <34F6FBDB.F5ED782E@eng.auburn.edu>

Nuno Loureiro wrote:
>
>
> 1 - To use policies I had to put netlogon/ntconfig.pol and
> ntconfig.pol.LOG mode 777. If I use other mode on the files the policies
> won't work. Also, the policies problem is a kind'of complicated, because
> to NT there is no USER neither groups on the Domain. I used the Default
> Policy all the users and individual policies for each one of the admins.
> Well, this is working, but netlogon/ntconfig.* world writable is a
> security problem. Is there a way to contorn this?

I configured a manual update on my NT 4.0 clients with no problem. Both
ntconfig.pol and ntconfig.pol.LOG have permission 644. Also you can
manually add a username. NT does not attempt to verify that it is a
valid one. You are correct that there are no groups.

>
> 2 - I tryed to share a dir on a workstation, to everyone (the only
> possibility), but from another workstation I can't mount it *sometimes*.

> 3 - the preexec option to log user's logins and logouts doesn't work for
> me. Dunno why..
Can you run your preexec script manually as the common user? A common
problem I have seen is that the script cannot be read / executed by a
normal user or is trying to do something that a normal user cannot do.

If you are referring to your root preexec / postexec commands in [homes],
have you tried putting the command in a script and calling the script
instead?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                      Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
                                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Fri Feb 27 17:50:01 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: utmp
References:
Message-ID: <34F6FCC9.5B54BB7F@eng.auburn.edu>

Nuno Loureiro wrote:
>
> Hi!!
>
> I wonder if you have a port of your program to linux, or if can
> you change it with a little of hack.
> I get an error while trying to compile it..
>
> rtfm.root:/install > gcc -o utmppipe utmppipe.c
> utmppipe.c:31: utmpx.h: No such file or directory
>
> I guess that utmpx.h is Solaris stuff, since I don't find it
> under linux.
>

Oopps. I have put the header files ( utmp.h and utmpx.h ) in

ftp://ftp.eng.auburn.edu/pub/doug/utmp.h
ftp://ftp.eng.auburn.edu/pub/doug/utmpx.h

Sorry for the confusion.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                      Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
                                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                              - Sting "Message in a Bottle" ( 1979 )

From crh at NTS.Umn.EDU Fri Feb 27 17:58:42 1998
From: crh at NTS.Umn.EDU (Christopher R. Hertel)
Date: Tue Dec 2 02:23:50 2003
Subject: Synchronising passwords
In-Reply-To: <888327951.1020975.0@saic.demon.co.uk> from "Paul Ashton" at Feb 25, 98 01:59:53 am
Message-ID: <199802271758.LAA11054@unet.unet.umn.edu>

Possibly of interest...

Novell solved the problem of password sync by rewriting samsrv.dll. They
have to play some interesting games to make sure that nothing overwrites
their samsrv.dll with a "new" version from Microsoft. This is all part of
their NDS for NT product. I suppose that something could be written to
allow Samba to authenticate against the Novell NDS, but then we'd have
three players in the game instead of just two. Still, it's an
interesting solution.

Anyway, the "right" thing to do would be to write a samsrv.dll that allows
the administrator to decide upon an authentication scheme.

Chris -)-----

--
Christopher R. Hertel -)-----                   University of Minnesota
crh@nts.umn.edu              Networking and Telecommunications Services

From paul at argo.demon.co.uk Fri Feb 27 18:02:38 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:50 2003
Subject: Synchronising passwords
In-Reply-To: <199802271758.LAA11054@unet.unet.umn.edu>
References: <888327951.1020975.0@saic.demon.co.uk>
Message-ID: <888602959.0220772.0@saic.demon.co.uk>

At 11:58 27/02/98 -0600, Christopher R. Hertel wrote:
>Novell solved the problem of password sync by rewriting samsrv.dll. They
>have to play some interesting games to make sure that nothing overwrites
>their samsrv.dll with a "new" version from Microsoft. This is all part of
>their NDS for NT product. I suppose that something could be written to
>allow Samba to authenticate against the Novell NDS, but then we'd have
>three players in the game instead of just two. Still, it's an
>interesting solution.

>Anyway, the "right" thing to do would be to write a samsrv.dll that allows
>the administrator to decide upon an authentication scheme.

That's what we have done.
samsrv supplies the server side of the RPCs as we have implemented in
Samba. Novell just did the same again but put it on NT instead of
implementing it on a Novell or Unix server. If we ported Samba as a PDC
to NT, we would end up replacing samsrv.dll.

Paul

From bias at pobox.com Sat Feb 28 01:57:00 1998
From: bias at pobox.com (Liston Bias)
Date: Tue Dec 2 02:23:50 2003
Subject: How to use /etc/passwd passwords for NTDOM?
In-Reply-To:
Message-ID:

I'd be real curious to understand how to make this transition without
knowing the plaintext version of the password. Since we are dealing with
two types of encryption here, I do not see how you can make the transfer.

One thing we have attempted to do at the FAMU-FSU college of engineering
is use NISGina to authenticate the user and then create the initial
smbpasswd. The changing of password would need to occur on the unix end
where a wrapper would enable the changing of the regular password and
samba password at the same time.

With recent developments in samba, it looks like we may be able to use
SAMBA for authentication, but the above problem would exist for our users
who already have an account but not a samba password. The only way I can
see around this is to force them to change/authenticate their password
before proceeding, but since all our users are not unix savvy this is
quite a task. I look forward to using samba for authentication so that we
may return to NISplus in non-compatibility mode which is, of course,
impossible with NISGina.

Perhaps some of these problems will be addressed at the LISA-NT conference
held in Seattle this August. I will surely be there looking for these
kinds of answers. I'm certain many of you will be also.

Regards,
Liston

============================================================================
- Liston Bias                      The aim of argument, or of discussion,
Alumnus of Oklahoma State Univ     should not be victory, but progress.
Alumnus of Florida State Univ                        -- Joseph Joubert
bias@pobox.com                           http://www.pobox.com/~bias
============================================================================

From danny at cs.huji.ac.il Sat Feb 28 12:07:57 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:50 2003
Subject: your mail
In-Reply-To: Your message of Thu, 26 Feb 1998 07:46:18 +1100 .
Message-ID:

i think this was lost in the neverland ...

In message you write:
}hi danny,
}
}couple of things.
}
}1) you don't have a [homes] service. for some reason, SMBsessionsetupX is
}rejected if you don't have one of these. this is odd.
}

i added:

[homes]
   comment = Home Directories
   browseable = yes
   path = /tmp/%H
   writeable = yes
   create mode = 0700
   directory mode = 0700

but it didn't help

i changed the debug to print some strings between '...' and this is what
i get in the logs:

...
switch message SMBtconX (pid 5550)
Got device type \
find_service: ''
lp_servicenumber: couldn't find
checking for home directory '' gave (NULL)
lp_servicenumber: couldn't find printers
find_service() failed to find service ''
02/26/1998 11:06:01 couldn't find service
02/26/1998 11:06:01 error packet at line 172 cmd=117 (SMBtconX) eclass=2 ecode=6
...

[attachment: log-nafs-02, text/plain]

lp_file_list_changed()
file /etc/samba.conf -> /etc/samba.conf  last mod_time: Thu Feb 26 10:57:33 1998
02/26/1998 11:06:01 init msg_type=0x81 msg_flags=0x0
write_socket(5,4)
write_socket(5,4) wrote 4
got smb length of 178
got message type 0x0 of len 0xb2
02/26/1998 11:06:01 Transaction 1 of length 182
size=178
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=0
smb_bcc=143
[000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG
[010] 52 41 4D 20 31 2E 30 00 02 58 45 4E 49 58 20 43 RAM 1.0. .XENIX C
[020] 4F 52 45 00 02 4D 49 43 52 4F 53 4F 46 54 20 4E ORE..MIC ROSOFT N
[030] 45 54 57 4F 52 4B 53 20 31 2E 30 33 00 02 4C 41 ETWORKS 1.03..LA
[040] 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 NMAN1.0. .Windows
[050] 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20  for Wor kgroups
[060] 33 2E 31 61 00 02 44 4F 53 20 4C 4D 31 2E 32 58 3.1a..DO S LM1.2X
[070] 30 30 32 00 02 44 4F 53 20 4C 41 4E 4D 41 4E 32 002..DOS  LANMAN2
[080] 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 32 00    .1..NT L M 0.12.
switch message SMBnegprot (pid 5550)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [DOS LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [NT LM 0.12]
lp_file_list_changed()
file /etc/samba.conf -> /etc/samba.conf  last mod_time: Thu Feb 26 10:57:33 1998
lp_file_list_changed()
file /etc/samba.conf -> /etc/samba.conf  last mod_time: Thu Feb 26 10:57:33 1998
Selected protocol NT LM 0.12
02/26/1998 11:06:01 negprot index=7
size=88
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=0
smb_pid=4647
smb_uid=0
smb_mid=15617
smt_wct=17
smb_vwv[0]=7 (0x7)
smb_vwv[1]=12803 (0x3203)
smb_vwv[2]=256 (0x100)
smb_vwv[3]=65280 (0xFF00)
smb_vwv[4]=255 (0xFF)
smb_vwv[5]=65280 (0xFF00)
smb_vwv[6]=255 (0xFF)
smb_vwv[7]=44544 (0xAE00)
smb_vwv[8]=21 (0x15)
smb_vwv[9]=8448 (0x2100)
smb_vwv[10]=3 (0x3)
smb_vwv[11]=32768 (0x8000)
smb_vwv[12]=5538 (0x15A2)
smb_vwv[13]=38338 (0x95C2)
smb_vwv[14]=48450 (0xBD42)
smb_vwv[15]=34817 (0x8801)
smb_vwv[16]=2303 (0x8FF)
smb_bcc=19
[000] 3A C5 08 C8 98 40 93 4F 46 4F 55 4E 44 41 54 49 :....@.O FOUNDATI
[010] 4F 4E 00                                        ON.
write_socket(5,92)
write_socket(5,92) wrote 92
got smb length of 192
got message type 0x0 of len 0xc0
02/26/1998 11:06:01 Transaction 2 of length 196
size=192
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=0
smb_mid=15618
smt_wct=13
smb_vwv[0]=117 (0x75)
smb_vwv[1]=146 (0x92)
smb_vwv[2]=65535 (0xFFFF)
smb_vwv[3]=2 (0x2)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=0 (0x0)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=1 (0x1)
smb_vwv[8]=0 (0x0)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=0 (0x0)
smb_vwv[11]=212 (0xD4)
smb_vwv[12]=0 (0x0)
smb_bcc=85
[000] 00 00 00 00 00 4E 00 65 00 74 00 41 00 70 00 70 .....N.e .t.A.p.p
[010] 00 20 00 52 00 65 00 6C 00 65 00 61 00 73 00 65 . .R.e.l .e.a.s.e
[020] 00 20 00 34 00 2E 00 33 00 2E 00 31 00 44 00 31 . .4...3 ...1.D.1
[030] 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 .....W.i .n.d.o.w
[040] 00 73 00 20 00 4E 00 54 00 20 00 34 00 2E 00 30 .s. .N.T . .4...0
[050] 00 00 00 00 00                                  .....
switch message SMBsesssetupX (pid 5550)
Domain=[] NativeOS=[] NativeLanMan=[N]
sesssetupX:name=[]
lp_file_list_changed()
file /etc/samba.conf -> /etc/samba.conf  last mod_time: Thu Feb 26 10:57:33 1998
Get_Pwnam: user has been changed to guest account nobody
nobody is in 2 groups
32766
32766
uid 32767 registered to name nobody
Clearing default real name
Client requested max send size of 65535
Chained message
size=192
smb_com=0x75
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=32769
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=4
smb_vwv[0]=255 (0xFF)
smb_vwv[1]=0 (0x0)
smb_vwv[2]=0 (0x0)
smb_vwv[3]=1 (0x1)
smb_bcc=35
[000] 00 5C 00 5C 00 53 00 48 00 4C 00 55 00 44 00 49 .\.\.S.H .L.U.D.I
[010] 00 47 00 5C 00 49 00 50 00 43 00 24 00 00 00 49 .G.\.I.P .C.$...I
[020] 50 43 00                                        PC.
switch message SMBtconX (pid 5550)
Got device type \
find_service: ''
lp_servicenumber: couldn't find
checking for home directory '' gave (NULL)
lp_servicenumber: couldn't find printers
find_service() failed to find service ''
02/26/1998 11:06:01 couldn't find service
02/26/1998 11:06:01 error packet at line 172 cmd=117 (SMBtconX) eclass=2 ecode=6
size=86
smb_com=0x73
smb_rcls=2
smb_reh=0
smb_err=6
smb_flg=136
smb_flg2=1
smb_tid=65535
smb_pid=4647
smb_uid=100
smb_mid=15618
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=83 (0x53)
smb_vwv[2]=1 (0x1)
smb_bcc=42
[000] 55 6E 69 78 00 53 61 6D 62 61 20 6E 74 64 6F 6D Unix.Sam ba ntdom
[010] 2D 31 2E 39 2E 31 38 61 6C 70 68 61 31 34 00 46 -1.9.18a lpha14.F
[020] 4F 55 4E 44 41 54 49 4F 4E 00                   OUNDATIO N.
write_socket(5,90)
write_socket(5,90) wrote 90
end of file from client
Closing connections
smb_shm_close
fcntl_lock 4 9 0 1 3
Lock call successful
calling smb_shm_unregister_process(/var/samba/locks/SHARE_MEM_FILE.processes, 5550)
smb_shm_unregister_process : read record for pid 5550
smb_shm_unregister_process : erasing record for pid 5550 (seek_val = -4)
fcntl_lock 4 9 0 1 2
Lock call successful
02/26/1998 11:06:01 Server exit (normal exit)

------- End of Forwarded Message

From tobbe at island.liu.se Sat Feb 28 14:47:40 1998
From: tobbe at island.liu.se (Tobias Karlsson)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
References: <34F56D04.22BF8BD3@eng.auburn.edu>
Message-ID: <34F8238C.1319A771@island.liu.se>

Gerald W. Carter wrote:
>
> BTW....When is the last time you updated the source code?
>
> j-
>

I did a cvs update -d -P about a week ago.
/Tobbe

From lkcl at switchboard.net Sat Feb 28 17:40:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: Compiling Samba-NTDOM
In-Reply-To: <34F6731D.EBF59089@solidex.com.pl>
Message-ID:

On Fri, 27 Feb 1998, Marcin Klimowski wrote:

> Jean-Marie.Chretien@ibt.univ-angers.fr wrote:
> >
> > To build properly all samba tools you have to modify the file source/Makefile in your samba directory to include getsmbpass.o in UTILOBJ section :
> >
> > # general utility object files
> > UTILOBJ= \
> >         $(UTIL_SRC_DIR)getsmbpass.o \
> >         $(UTIL_SRC_DIR)interface.o \
> >         ...
>
>
> WHY isn't it put there by default ?!

1) because i compile up on linux and don't get a problem, so can't
reproduce it

2) because in UTIL_OBJ is the wrong place, as it's included explicitly in
other areas.

luke

From lkcl at switchboard.net Sat Feb 28 17:58:19 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: How to use /etc/passwd passwords for NTDOM?
In-Reply-To:
Message-ID:

On Sat, 28 Feb 1998, Liston Bias wrote:

> I'd be real curious to understand how to make this transition without
> knowing the plaintext version of the password. Since we are dealing with
> two types of encrytion here, I do not see how you can make the transfer.
>
> is quite a task. I look forward to using samba for authentication so that
> we may return to NISplus in non-campatibility mode which is, ofcourse,
> impossible with NISGina.

one possibility is to abstract smbpasswds a bit, making private/smbpasswd
one option. another option being an ldap database or a NIS+ database
(secure password fields can be provided by these).

> Perhaps some of these problems will be address at the LISA-NT conference
> held in Seattle this August. I will surely be there looking for these
> kinds of answers. I'm certain many of you will be also.
i have submitted a work in progress paper to lisa-nt98, and hope to have
issues like this addressed by then.

luke
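Nuno's smb.conf earlier in this archive, and Jerry's reply that ntconfig.pol works with mode 644, raise the share-level settings a PDC admin should check before handing a config to 25 workstations: a writable [Netlogon] lets any domain member replace the logon script and policy file, a guest-writable [Profiles] lets an anonymous session tamper with roaming profiles, and an [admins] share marked public while being restricted by valid users is at best confusing. The lint below is an added example, not Samba code or anything posted to the list; it parses the smb.conf syntax seen in the thread (`;`/`#` comments, `[section]` headers, `key = value`, and the public/guest ok and writable/writeable synonyms) and reports each weak setting with the corrected line. The sample config is a constructed excerpt in the shape of the posted one.

```python
"""Lint an smb.conf for the share weaknesses discussed on the list.
Added example (not Samba's own code); the sample config is constructed."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """\
; The global setting for a default install
[global]
   workgroup = SEGNET
   security = USER
   encrypt passwords = yes
   domain logons = yes

[Netlogon]
   comment = Samba Network Logon Service
   path = /home/samba/netlogon
   guest ok = no
   writable = yes
   browseable = yes

[Profiles]
   path = /home/samba/profiles
   guest ok = yes
   writable = yes

[admins]
   comment = Only for Administrators
   path = /home/samba/admin
   valid users = nuno, bpedro
   public = yes
   write list = @users
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section and key names.
    Lines starting with ';' or '#' are comments; a later duplicate key
    overrides an earlier one, as smbd does."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue          # junk before the first section, or a bare word
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _is_true(share, *keys, default="no"):
    # smb.conf accepts synonyms (public / guest ok, writable / writeable /
    # write ok); any one of them set to a true value counts.
    return any(share.get(k, default).lower() in _TRUE for k in keys)


def lint(sections):
    """Return a list of (share, finding, recommended line) tuples."""
    findings = []
    for name, share in sections.items():
        if name == "global":
            continue
        guest = _is_true(share, "guest ok", "public")
        writable = _is_true(share, "writable", "writeable", "write ok")
        if name == "netlogon" and writable:
            findings.append((name,
                             "logon script and ntconfig.pol can be replaced "
                             "by every domain member",
                             "writable = no"))
        if guest and writable:
            findings.append((name,
                             "anonymous (guest) sessions can write to the share",
                             "guest ok = no"))
        if guest and share.get("valid users"):
            findings.append((name,
                             "share is public although access is meant to be "
                             "limited to 'valid users'",
                             "public = no"))
    return findings


if __name__ == "__main__":
    for share, problem, fix in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s -> set: %s" % (share, problem, fix))
```

Run against the sample it reports the three shares in order (netlogon, profiles, admins); a [homes] share that is writable but not guest-accessible produces no finding. The policy-file permission point from the thread is outside a config lint: with `writable = no` on [Netlogon], ntconfig.pol only needs to be readable (mode 644) by the account the workstation authenticates as.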