From caesmb at lab2.cc.wmich.edu Mon Jun 1 12:29:39 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin)
Date: Tue Dec 2 02:24:13 2003
Subject: Mapping various drive to same share (Was: Re: Mixed profiles w/Samba-PDC)
In-Reply-To: <19980531122739Z12583064-2975+945@samba.anu.edu.au>
Message-ID:

> >So far, the only strange thing that has happened is the following.
> >The logon script will force everybody to have two network connections:
> >F: for their home directory and G: for a public repository. After the
> >user has logged in, and as time goes by, drive letters beyond G: get
> >mapped to the public repository as well. After several hours, drive
> >letters all the way through Z: can end up being mapped to the same
> >share. Even when taking out this share from the logon script, it is
> >the home directory that gets mapped over and over in this way.

You cannot use : in your shortcuts to start programs. If you use UNC
pathnames, this annoyance will cease to happen.

Kevin

From lkcl at switchboard.net Mon Jun 1 17:59:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: release of pam-ntdom 0.23
Message-ID:

pam_ntdom version 0.23, updated from david airlie's pam_smb version 1.0, is
now available. as pam_smb-1.0 uses GNU autoconf, so does pam_ntdom-0.23.

*** obtain pam_ntdom from:

- the samba site or a samba mirror site, from the samba/pam_ntdom
  directory.
  e.g. ftp://samba.anu.edu.au/pub/samba/pam_ntdom
  e.g. ftp://sunsite.doc.ic.ac.uk/pub/packages/samba/pam_ntdom

- public cvs access. use a module name of pam_ntdom instead of samba in
  the instructions listed here: http://samba.anu.edu.au/cvs.html

*** obtain pam_smb from the same locations (specifying pam_smb instead of
pam_ntdom) and also from:

- david airlie's ftp site ftp://ftp.csn.ul.ie:/pub/linux/pam/pam_smb
- david airlie's home page: http://www.csn.ul.ie/~airlied/pam_smb

luke (samba team)

From tavis at mahler.econ.columbia.edu Mon Jun 1 18:39:28 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:13 2003
Subject: RID's
In-Reply-To:
Message-ID:

I'm wondering if someone can quickly tell me what functionalities will be
added once you guys straighten out the RID mapping problem. Will we be
able to save local profiles? Use User Manager on our workstations?
Generate group-based file/share permissions? Is all of this handled on the
workstation end once the smb server is able to announce RIDs, or does each
of these tasks require programming on the server end?

Thanks,
Tavis

From abs at maunsell.co.uk Mon Jun 1 18:47:29 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:13 2003
Subject: getpeername failed
Message-ID: <19980601194729.24368@maunsell.co.uk>

May 26 09:21:24 lonp smbd[7536]: getpeername failed

Just noticed a bunch of these errors turned up in my syslog from smbd, on
looking back, this has been happening since 26th June, which might coincide
with a cvs release I would have installed. There was a bunch of changes in
util.c on that day, does anyone else get this?

Doesn't seem to affect anything as best I can tell...

--
Maunsell Ltd, IT Unit        Tel : 0181-663-6565
160 Croydon Road,            Fax : 0181-663-6723
Beckenham, Kent BR3 4DE      Email: abs@maunsell.co.uk
England.                     -or-  abs@maunsl00.demon.co.uk

From aperrin at demog.Berkeley.EDU Mon Jun 1 18:52:20 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:13 2003
Subject: getpeername failed
In-Reply-To: <19980601194729.24368@maunsell.co.uk>
Message-ID:

I've been seeing it too -- not sure that it causes problems, but I'm also
at the moment unable to use smbclient to connect to samba shares.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Tue, 2 Jun 1998, Andy Smith wrote:

> May 26 09:21:24 lonp smbd[7536]: getpeername failed
>
> Just noticed a bunch of these errors turned up in my syslog from smbd, on
> looking back, this has been happening since 26th June, which might coincide
> with a cvs release I would have installed. There was a bunch of changes in
> util.c on that day, does anyone else get this?
>
> Doesn't seem to affect anything as best I can tell...
>
> --
> Maunsell Ltd, IT Unit        Tel : 0181-663-6565
> 160 Croydon Road,            Fax : 0181-663-6723
> Beckenham, Kent BR3 4DE      Email: abs@maunsell.co.uk
> England.                     -or-  abs@maunsl00.demon.co.uk
>

From jallison at whistle.com Mon Jun 1 18:50:34 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:13 2003
Subject: RID's
References:
Message-ID: <3572F7FA.7DC78C27@whistle.com>

Tavis Barr wrote:
>
> I'm wondering if someone can quickly tell me what functionalities will be
> added once you guys straighten out the RID mapping problem. Will we be
> able to save local profiles? Use User Manager on our workstations?
> Generate group-based file/share permissions? Is all of this handled on the
> workstation end once the smb server is able to announce RIDs, or does each
> of these tasks require programming on the server end?
>

I think you should already be able to store local profiles. Can someone
confirm this ?

The RID mapping problem is really an infrastructure design problem, to
allow UNIX to efficiently operate as a PDC - by itself it doesn't change
much, but once the design is made, it allows a lot of new code to be
written.

> Use User Manager on our workstations

The User manager problem is a currently broken rpc call - it's on my
list of things to fix.

> Generate group-based file/share permissions?

Yes, the RID mapping should help this (but we need NT SMB support first).

Cheers,

Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From abs at maunsell.co.uk Mon Jun 1 20:01:14 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:13 2003
Subject: getpeername failed
In-Reply-To: ; from Andrew Perrin - Demography on Mon, Jun 01, 1998 at 11:52:20AM -0700
References: <19980601194729.24368@maunsell.co.uk>
Message-ID: <19980601210114.12917@maunsell.co.uk>

On Mon, Jun 01, 1998 at 11:52:20AM -0700, Andrew Perrin - Demography wrote:
>
> I've been seeing it too -- not sure that it causes problems, but I'm also
> at the moment unable to use smbclient to connect to samba shares.

Hmm.. just tried it myself, I can run smbclient against samba domain
clients on my subnet, but not against samba domain clients on other
subnets. I get this one :-

Session setup failed for username=ABS myname=ABS destname=LONE
ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.)

--
Maunsell Ltd, IT Unit        Tel : 0181-663-6565
160 Croydon Road,            Fax : 0181-663-6723
Beckenham, Kent BR3 4DE      Email: abs@maunsell.co.uk
England.                     -or-  abs@maunsl00.demon.co.uk

From tas at microdisplay.com Tue Jun 2 00:15:37 1998
From: tas at microdisplay.com (Todd Stiers)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
References:
Message-ID: <35734429.FCD1FB85@microdisplay.com>

Luke Kenneth Casson Leighton wrote:
>
> > I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
> > repeat),
> > but it reads wonderfully.
>
> add:
>
> case sensitive = no
> case preserve = yes
> short case preserve = yes
>
> see what happens: let us know.
>
> luke
>

No change :( Profiles still not saving. (I put this in section [global])

> >
> > [global]
> > workgroup = MICRODISWORK
> > domain sid = S-1-5-21-1016038973-2536072266-1649160573
>
> oo look! someone chose a decent domain sid!!!
>

Actually, I used MACHINE.SID in /usr/local/samba/lib/....is this something
I should be making up by hand?

-Todd
--
[--- [--- [--- [--- [--- [--- [--- [---
Todd Stiers
Systems Administrator
The MicroDisplay Corporation
(510)243-9515x129
http://www.microdisplay.com
---] ---] ---] ---] ---] ---] ---] ---]

From vrobi at ddrummer.com Tue Jun 2 05:51:08 1998
From: vrobi at ddrummer.com (Robert Vasvari)
Date: Tue Dec 2 02:24:13 2003
Subject: Make windows connect to a port other than 139
Message-ID: <9806020551.AA15992@ddrummer.com>

Hi All,

I'm planning to run my own SMB server on some box,
binding to a user level port (>1024). Problem is,
WINDOWS (both Nt and 95) only connects to an SMB
server on ports 137-139. So, the question is:
is there a way to make WINDOWS connect to a specified port on the
remote host when mapping a network drive? Something like:
NET USE \\myserver:myport\myservice \USER:username etc..

=[vrobi]=

From norm at city.ac.uk Tue Jun 2 10:24:06 1998
From: norm at city.ac.uk (NoRM)
Date: Tue Dec 2 02:24:14 2003
Subject: smbpasswd question
Message-ID:

I'm looking at porting the NT Domain samba to our rather specific
environment. We have a centralised user database, much like Kerberos, and
I have in the past ported Samba to use our system, rather than the
standard shadow passwd file without problems.

Now, with the advent of encrypted passwords, we have a problem. We've
decided to try and augment our central database with a second passwd
field, to store the hashed passwords as used by NT (in my test system, I
simply system() call smbpasswd from the password changer).

However, when looking at it in more depth, there are two entries in the
smbpasswd file...

Can I ask under which circumstances each is used? I.E. can I get away
with ignoring one of the two algorithms?

Norman R. McBride                              http://www.city.ac.uk/~norm/
Computing Services, City University, England       norm@city.ac.uk (MIME)

"...the extreme case best illustrates the norm..." Stephen King

From lkcl at switchboard.net Tue Jun 2 12:51:40 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Roaming Profiles Not Saving
In-Reply-To: <35734429.FCD1FB85@microdisplay.com>
Message-ID:

> Luke Kenneth Casson Leighton wrote:
> >
> > > I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
> > > repeat),
> > > but it reads wonderfully.
> >
> > add:
> >
> > case sensitive = no
> > case preserve = yes
> > short case preserve = yes
> >
> > see what happens: let us know.
> >
> > luke
> >
>
> No change :( Profiles still not saving.

hm. don't know then. anyone else any ideas?

> (I put this in section [global])

good.

> > >
> > > [global]
> > > workgroup = MICRODISWORK
> > > domain sid = S-1-5-21-1016038973-2536072266-1649160573
> >
> > oo look! someone chose a decent domain sid!!!
> >
>
> Actually, I used MACHINE.SID in /usr/local/samba/lib/....is this something
> I should be making up by hand?

ok, it's generated randomly. if MACHINE.SID exists, "domain sid" is
ignored.

if MACHINE.SID does not exist and "domain sid" is used, "domain sid" is
copied into MACHINE.SID.

if MACHINE.SID does not exist and "domain sid" is not used, MACHINE.SID
gets generated with a random value.

luke

From lkcl at switchboard.net Tue Jun 2 12:53:26 1998
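The MACHINE.SID precedence Luke spells out in the message above (existing file wins; otherwise a configured "domain sid" is copied into the file; otherwise a random value is generated and stored), written out as a small Python script. This is an added example for this archive, not Samba's own code: the file name MACHINE.SID and the "domain sid" parameter come from the message, while the function names, the S-1-5-21 format check and the choice of the OS CSPRNG for the random value are the editor's assumptions.

```python
"""Resolve a domain SID the way Luke's message describes:
  1. if MACHINE.SID exists, use it and ignore "domain sid";
  2. else if "domain sid" is set, copy it into MACHINE.SID;
  3. else generate a random SID and write it to MACHINE.SID.
Added example, not Samba's code. MACHINE.SID and "domain sid" are from the
thread; helper names, the format check and the CSPRNG are assumptions."""
import os
import re
import secrets
import tempfile
from typing import Optional, Tuple

# Shape of the SID quoted in the thread: S-1-5-21-<sub>-<sub>-<sub>, 32-bit sub-authorities.
SID_RE = re.compile(r"^S-1-5-21-(\d{1,10})-(\d{1,10})-(\d{1,10})$")


def is_valid_domain_sid(sid: str) -> bool:
    """Reject anything that is not a well-formed S-1-5-21 domain SID."""
    m = SID_RE.match(sid.strip())
    return bool(m) and all(int(x) < 2 ** 32 for x in m.groups())


def generate_domain_sid() -> str:
    """Three random 32-bit sub-authorities from the OS CSPRNG (secrets), not random.random."""
    subs = [secrets.randbelow(2 ** 32) for _ in range(3)]
    return "S-1-5-21-" + "-".join(str(s) for s in subs)


def resolve_domain_sid(lib_dir: str, configured_sid: Optional[str]) -> Tuple[str, str]:
    """Return (sid, source); source is 'file', 'config' or 'generated'."""
    path = os.path.join(lib_dir, "MACHINE.SID")
    if os.path.exists(path):
        with open(path) as f:
            sid = f.read().strip()
        if not is_valid_domain_sid(sid):
            raise ValueError(f"{path} holds a malformed SID: {sid!r}")
        return sid, "file"  # "domain sid" is ignored once the file exists
    if configured_sid:
        if not is_valid_domain_sid(configured_sid):
            raise ValueError(f'"domain sid" is malformed: {configured_sid!r}')
        sid, source = configured_sid, "config"
    else:
        sid, source = generate_domain_sid(), "generated"
    # Persist with O_EXCL and mode 0600: a concurrent start cannot overwrite it,
    # and the domain identity is not world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(sid + "\n")
    return sid, source


def demo() -> dict:
    """Run the three cases against constructed temp directories; returns the outcomes."""
    configured = "S-1-5-21-1016038973-2536072266-1649160573"  # the SID from Todd's smb.conf
    lib_a = tempfile.mkdtemp(prefix="samba-lib-")
    first = resolve_domain_sid(lib_a, configured)
    second = resolve_domain_sid(lib_a, "S-1-5-21-1-2-3")  # file now exists: parameter ignored
    lib_b = tempfile.mkdtemp(prefix="samba-lib-")
    generated = resolve_domain_sid(lib_b, None)
    with open(os.path.join(lib_b, "MACHINE.SID")) as f:
        persisted = f.read().strip()
    return {"first": first, "second": second, "generated": generated, "persisted": persisted}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The second call in demo() is the case Luke describes for Todd: once MACHINE.SID exists, editing "domain sid" in smb.conf changes nothing, so the file, not the config parameter, is what defines the domain's identity and what needs protecting and backing up.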
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Make windows connect to a port other than 139
In-Reply-To: <9806020551.AA15992@ddrummer.com>
Message-ID:

On Tue, 2 Jun 1998, Robert Vasvari wrote:

>
> Hi All,
>
> I'm planning to run my own SMB server on some box,
> binding to a user level port (>1024). Problem is,
> WINDOWS (both Nt and 95) only connects to an SMB
> server on ports 137-139. So, the question is:
> is there a way to make WINDOWS connect to a specified port on the
> remote host when mapping a network drive? Something like:
> NET USE \\myserver:myport\myservice \USER:username etc..

no there is not. you will need to run on ports 137 and 139.

luke

From cartegw at Eng.Auburn.EDU Tue Jun 2 13:10:18 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: Roaming Profiles Not Saving
References:
Message-ID: <3573F9BA.5C02315B@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> > > case sensitive = no
> > > case preserve = yes
> > > short case preserve = yes
> > >
> > > see what happens: let us know.
> > >
> > > luke
> > >
> >
> > No change :( Profiles still not saving.
>
> hm. don't know then. anyone else any ideas?

Don't really remember who started this thread. Andrew P. maybe? Could you
put a log file from the failed profile update on the web. A debug level
of 20. Maybe a netmon sniff as well if you have access to it. If not,
then possibly a tcpdump file in raw format available for download.

> ok, it's generated randomly. if MACHINE.SID exists, "domain sid" is
> ignored.
>
> if MACHINE.SID does not exist and "domain sid" is used, "domain sid"
> is copied into MACHINE.SID.
>
> if MACHINE.SID does not exist and "domain sid" is not used,
> MACHINE.SID gets generated with a random value.

For those interested, this behavior has been documented in the
docs/NTDOMAIN.txt file as well as the NTDOM FAQ.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                     Engineering Network Services
Auburn University                                  jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                          - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Tue Jun 2 13:08:02 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: smbpasswd question
In-Reply-To:
Message-ID:

dear norman,

yes you can ignore the LM hash: at the minimum you must support the NT
hash.

i recommend that you follow the "password API needed" and associated
threads on: http://samba.anu.edu.au/listproc/samba-technical as we are
developing a password API.

i recommend that you contact danny breiss, as he is developing a
prototype of the clear-text password API; the encrypted password API
already exists and is in passdb.c

small note, big hint: the passdb.c API should have _nothing_ to do with
the UNIX getpwnam() call or its entries. the minimum information that
must be stored is:

- username
- NT 16 byte hash
- 16 bit ACB account type.

please contact me either privately or preferably via
samba-technical@samba.anu.edu.au if you need any assistance: we are
actively seeking to support as many password database systems as
possible.

best regards,

luke

On Tue, 2 Jun 1998, NoRM wrote:

> I'm looking at porting the NT Domain samba to our rather specific
> environment. We have a centralised user database, much like Kerberos, and
> I have in the past ported Samba to use our system, rather than the
> standard shadow passwd file without problems.
>
> Now, with the advent of encrypted passwords, we have a problem. We've
> decided to try and augment our central database with a second passwd
> field, to store the hashed passwords as used by NT (in my test system, I
> simply system() call smbpasswd from the password changer).
>
> However, when looking at it in more depth, there are two entries in the
> smbpasswd file...
>
> Can I ask under which circumstances each is used? I.E. can I get away
> with ignoring one of the two algorithms?
>
>
> Norman R. McBride                              http://www.city.ac.uk/~norm/
> Computing Services, City University, England       norm@city.ac.uk (MIME)
>
> "...the extreme case best illustrates the norm..."
> Stephen King
>
>

From Stefaan.Eeckels at ecc.lu Tue Jun 2 16:44:30 1998
From: Stefaan.Eeckels at ecc.lu (Stefaan A Eeckels)
Date: Tue Dec 2 02:24:14 2003
Subject: Make windows connect to a port other than 139
In-Reply-To: <9806020551.AA15992@ddrummer.com>
Message-ID:

Robert,

> I'm planning to run my own SMB server on some box,
> binding to a user level port (>1024). Problem is,
> WINDOWS (both Nt and 95) only connects to an SMB
> server on ports 137-139. So, the question is:
> is there a way to make WINDOWS connect to a specified port on the
> remote host when mapping a network drive? Something like:
> NET USE \\myserver:myport\myservice \USER:username etc..

The simple answer is 'NO'. The MS clients can't use SMB on
anything else but the standard ports.

Stefaan
--
PGP key available from PGP key servers (http://www.pgp.net/pgpnet/)
___________________________________________________________________
Williams and Holland's Law:
    If enough data is collected, anything may be proven by
    statistical methods.

From jallison at whistle.com Tue Jun 2 17:47:09 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: Make windows connect to a port other than 139
References: <9806020551.AA15992@ddrummer.com>
Message-ID: <35743A9D.1CFA596C@whistle.com>

Robert Vasvari wrote:
>
> Hi All,
>
> I'm planning to run my own SMB server on some box,
> binding to a user level port (>1024). Problem is,
> WINDOWS (both Nt and 95) only connects to an SMB
> server on ports 137-139. So, the question is:
> is there a way to make WINDOWS connect to a specified port on the
> remote host when mapping a network drive? Something like:
> NET USE \\myserver:myport\myservice \USER:username etc..
>
> =[vrobi]=
>
>

Back in the days of Windows NT 3.1, I managed to do this (and break SMB
networking at the time :-) by changing the line that reads :

nbsession 139/tcp

in the file c:\winnt\system32\drivers\etc\services and then rebooting
the NT box. It *may* still work on NT4.x - give it a try.

Cheers,

Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jjorgens at bdsinc.com Tue Jun 2 18:31:50 1998
From: jjorgens at bdsinc.com (Jens B. Jorgensen)
Date: Tue Dec 2 02:24:14 2003
Subject: Make windows connect to a port other than 139
References:
Message-ID: <35744515.27C0FAE6@bdsinc.com>

Stefaan A Eeckels wrote:

> Robert,
>
> > I'm planning to run my own SMB server on some box,
> > binding to a user level port (>1024). Problem is,
> > WINDOWS (both Nt and 95) only connects to an SMB
> > server on ports 137-139. So, the question is:
> > is there a way to make WINDOWS connect to a specified port on the
> > remote host when mapping a network drive? Something like:
> > NET USE \\myserver:myport\myservice \USER:username etc..
> The simple answer is 'NO'. The MS clients can't use SMB on
> anything else but the standard ports.

It's even worse than that. Win95 boxes only respond to NMB packets on port
137 even when they're supposed to respond on the source port of the
request...

--
Jens B. Jorgensen
jjorgens@bdsinc.com

From lkcl at switchboard.net Tue Jun 2 20:07:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Make windows connect to a port other than 139
In-Reply-To: <35744515.27C0FAE6@bdsinc.com>
Message-ID:

On Wed, 3 Jun 1998, Jens B. Jorgensen wrote:

> Stefaan A Eeckels wrote:
>
> > Robert,
> >
> > > I'm planning to run my own SMB server on some box,
> > > binding to a user level port (>1024). Problem is,
> > > WINDOWS (both Nt and 95) only connects to an SMB
> > > server on ports 137-139. So, the question is:
> > > is there a way to make WINDOWS connect to a specified port on the
> > > remote host when mapping a network drive? Something like:
> > > NET USE \\myserver:myport\myservice \USER:username etc..
> > The simple answer is 'NO'. The MS clients can't use SMB on
> > anything else but the standard ports.
>
> It's even worse than that.

Win95 and NT. although we have observed that with NT it's very odd
behaviour:

- when the NetBIOS broadcast bit (NOTHING to do with tcp/ip, by the way)
  is set in the query received by the NT machine, the response is sent on
  the queryer's port (which can be anything).

- when the NetBIOS broadcast bit (NOTHING to do with tcp/ip) is clear in
  the query, the response is always sent on port 137 as you mention, jens.

if anything, it should be the other way round. actually, if anything, the
response should always be to the queryer's tcp port number.

luke

> boxes only respond to NMB packets on port
> 137 even when they're supposed to respond on the source port of the
> request...
>
> --
> Jens B. Jorgensen
> jjorgens@bdsinc.com
>
>
>

From rhn at orcom.ch Tue Jun 2 11:05:18 1998
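To make the "NetBIOS broadcast bit" Luke refers to above concrete, here is an added Python encoder and decoder for NetBIOS Name Service (UDP/137) name query packets; it is the editor's example, not code from the thread or from Samba. The packet layout (header flags, first-level name encoding) follows RFC 1002 as the editor knows it; the function names and the sample name LONE (the destname from Andy Smith's smbclient output earlier in this archive) are the editor's choices, and nothing here touches the network: it only builds and parses bytes so the difference between the two queries Luke contrasts is visible.

```python
"""Build/parse NBNS NAME QUERY REQUEST packets and show where the broadcast
("B") bit lives. Added example, not Samba code; layout per RFC 1002 (editor's
knowledge); names and the sample value LONE are the editor's choices."""
import struct

# NM_FLAGS occupy bits 10..4 of the 16-bit flags word: AA TC RD RA 0 0 B
NM_FLAG_RD = 0x0100          # recursion desired
NM_FLAG_BROADCAST = 0x0010   # the "B" bit Luke is talking about
FLAG_RESPONSE = 0x8000       # R bit: 0 = request, 1 = response
QTYPE_NB = 0x0020            # NetBIOS general name service resource record
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encoding: name space-padded to 15 chars + 1 suffix byte,
    each nibble written as 'A' + nibble, wrapped as a 32-byte label + root."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_netbios_name(data: bytes, offset: int = 0):
    """Inverse of encode_netbios_name; returns (name, suffix, next_offset)."""
    if data[offset] != 32:
        raise ValueError("unexpected NetBIOS label length")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if data[offset + 33] != 0:
        raise ValueError("missing root label")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_name_query(name: str, txid: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST: 12-byte header + one question. Only the B bit differs
    between the two cases Luke contrasts (response port 137 vs. the query's port)."""
    opcode = 0                              # QUERY
    nm_flags = NM_FLAG_RD | (NM_FLAG_BROADCAST if broadcast else 0)
    flags = (opcode << 11) | nm_flags       # R=0, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(pkt: bytes) -> dict:
    """Decode the header and question of a name query into plain fields."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    name, suffix, off = decode_netbios_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "txid": txid,
        "response": bool(flags & FLAG_RESPONSE),
        "opcode": (flags >> 11) & 0xF,
        "broadcast": bool(flags & NM_FLAG_BROADCAST),
        "recursion_desired": bool(flags & NM_FLAG_RD),
        "name": name,
        "suffix": suffix,
        "qtype": qtype,
        "qclass": qclass,
    }


if __name__ == "__main__":
    for bcast in (True, False):
        pkt = build_name_query("LONE", 0x1234, bcast)
        print(f"broadcast={bcast}: flags={pkt[2:4].hex()} ->", parse_name_query(pkt))
```

The flags word is the whole difference: with the B bit set it reads 0x0110, with it clear 0x0100. Everything else in the packet, including the encoded name (LONE becomes EMEPEOEF followed by twelve CA pairs for the space padding and the 0x20 suffix), is identical, which is why Luke stresses that the bit is a NetBIOS-level flag and not anything in the IP/UDP layer.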
From: rhn at orcom.ch (Ruud Huynen)
Date: Tue Dec 2 02:24:14 2003
Subject: A small success
Message-ID: <01bd8e16$53c53620$0302010a@pcrudi.orcom.ch>

Hello

>
>> Chris re-wrote the name mangling code between the last
>> 1.9.18 release and the head branch. His tests showed
>> that it had exactly the same behaviour as the older
>> branch (but was faster).
>>

I have sent the following message in January to samba-bugs. Till now I
didn't receive a message that my problem is reproducible.

This is the problem:
When I have a directory e.g. 'customer' and rename it to 'Customer', I can
descend into this directory, but no files/directories are displayed.

When the name I want to change is only 1 character, e.g. 'a' and rename it
to 'A' everything functions.
Also when the name I rename changes in the first character, e.g. 'Aaa' to
'Baa' it works.

I have the following settings:
; mangled names = no
mangle case = no
case sensitive = no
default case = lower
preserve case = yes
short preserve case = yes
character set = iso8859-1
client code page = 850

I tested this on AIX (gcc without -O), HPUX and SCO. The samba release is
1.9.17p5.
Can you check if this problem doesn't exist anymore in 1.9.18 and
Domain-Branch.

Regards

Ruud Huynen                    rhn@orcom.ch
ORCOM Systems AG               Tel. +41 61 976 33 33
                               Fax. +41 61 971 54 71

From abs at maunsell.co.uk Tue Jun 2 21:13:33 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:14 2003
Subject: new uid/rid scheme
In-Reply-To: <356F75F3.BE3D89B7@whistle.com>; from Jeremy Allison on Sat, May 30, 1998 at 01:03:33PM +1000
References: <356F75F3.BE3D89B7@whistle.com>
Message-ID: <19980602221333.63896@maunsell.co.uk>

On Sat, May 30, 1998 at 01:03:33PM +1000, Jeremy Allison wrote:
>
> Subject was Re: [Fwd: Mixed profiles w/Samba-PDC]
>
> [ rid -> uid pseudo-code snipped ]
>
> I've coded this up and am ready to check it into the
> main branch.

I presume what I checked out today includes this, my existing profile
certainly became invalid when logging in against the newly compiled samba
pdc. As a second step, I removed ~/profile, and saw it return when I
logged in subsequently, and get populated when I logged out. However, my
settings are not now being retrieved from NTUSER.DAT, even though the
timestamp on the file indicates it is being updated.

Also, smbd announced to syslog it was dumping core on a number of
occasions, but the corefiles directory is empty?

Anyway, I have gone back to friday night's version, and restored this
morning's profile, which is now roaming again properly, so the lab is
ready for the morning again.

Don't ask me why, but my getpeername errors seem to have gone away now,
hard to be sure because I had the network pretty much to myself.

--
Maunsell Ltd, IT Unit        Tel : 0181-663-6565
160 Croydon Road,            Fax : 0181-663-6723
Beckenham, Kent BR3 4DE      Email: abs@maunsell.co.uk
England.                     -or-  abs@maunsl00.demon.co.uk

From aperrin at demog.Berkeley.EDU Tue Jun 2 23:36:10 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:14 2003
Subject: Lots of progress
Message-ID:

Well, thought you'd like to know we now have our DEMOGRAPHY domain running
and relatively stable thanks to the help of the Samba team and others on
the list -- many, many thanks.

Really our only remaining concern is with include=smb.conf.%U, which
doesn't seem to work, at least for adding domain groups = for specific
users. I've got

domain groups = 513

in the main smb.conf, then

domain groups = 512 513 544

in the smb.conf.* for each person who should be an administrator. But it
doesn't give administrative privileges to these folks. However, a dummy
account created called ntadmin and marked with

domain admins = ntadmin

works great and is afforded admin privileges.

Good going, Samba guys!

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From mhaigh at village.vut.edu.au Wed Jun 3 01:50:36 1998
From: mhaigh at village.vut.edu.au (Mick Haigh)
Date: Tue Dec 2 02:24:14 2003
Subject: file permissions for NT policies
Message-ID: <3574ABEC.8397693C@village.vut.edu.au>

Hiya Everyone.

I've been messing around with policies with NT 4.0 machines and have come
across a very annoying behaviour. To allow the NT 4.0 machine to download
a new copy of the policy reliably when a user logs on, I have had to allow
write access to the NTconfig.POL file in /NETLOGON. I have no idea why
this is necessary and have yet to check on whether this is the case with
an NT server instead of a Samba server.

Perhaps someone out there can give me an answer or let me know what I
might have done wrong.

Thanks

Mick

From china at pprd.abbott.com Wed Jun 3 16:18:13 1998
From: china at pprd.abbott.com (Albert Chin-A-Young)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
Message-ID:

This mail message follows from several discussions with Luke Leighton.
It's mostly technical in nature but I'm submitting to all mailing
lists anyway (Luke's suggestion).

We have our Samba server running with the Berkeley AMD automounter
(nothing peculiar here). In order for our Samba users to walk the
automount tree, we created a program to create symbolic links from
the local filesystem to the automounter keys. So, we have a tree
that looks like the following:

/amdlinks
    d418                    (tree created from amd.d418 map)
        PS2MIF -> /d418/PS2MIF
        adm    -> /d418/adm
        bin    -> /d418/bin
    da
        abt                 (tree created from amd.da.abt map)
            dist
                nosw -> /da/abt/dist/nosw
                sw   -> /da/abt/dist/sw
        adm                 (tree created from amd.da.adm map)
            dist
                sys -> /da/adm/dist/sys

So, the user, using the File Manager/Explorer in windows, can
map to \\samba\da or \\samba\d418 and walk the /amdlinks/da or
/amdlinks/d418 tree and see all the directories that the automounter
*might* mount (if we didn't do it this way, \\samba\da would map
to the automounter /da directory which might not contain anything
and this would make it impossible for them to "point-and-click"
their way down the directory tree).

The problem occurs when users descend into a directory with a list
of symbolic links (such as \\samba\d418 above). When you descend
into this directory, the Samba server will kick off the automounter
in this directory and mount everything in /d418. This becomes a big
problem when there are *many* symbolic links in a directory pointing
to automounted paths (which would then cause lots of NFS mounts).

So, what I would like is a "just in time links" option that returns
the symbolic link to the File Manager and, not until the user "double
clicks" on an entry that is a symbolic link, have it followed (and
thus kick off the automounter on an "as-needed" basis).
Mucking with 'follow symlinks' doesn't help at all. Setting this to
'no' still causes the flood of mounts described above. The reason for
this is that only when you "double click" on the file which is a link
is an lstat() call made. However, when you access \\samba\d418 above,
stat() calls are done on the links which cause the mount.

What I need is a simple addition where 'follow symlinks = yes' but a
symbolic link is *ONLY* followed when a user "double clicks" on the
file from the file manager (dunno how else to describe this). So,
lstat() on one hand and stat() on the other.

We are prepared to pay for this change but I need to know if it's
possible. Also, the Samba server is running 1.9.18p7 on a Solaris
2.5.1 box.

--
albert chin (china@pprd.abbott.com)

From cartegw at Eng.Auburn.EDU Wed Jun 3 20:37:37 1998
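The stat()/lstat() distinction Albert's message turns on, shown with an added Python script that is the editor's example and not Samba's code. It builds a constructed link farm in a temporary directory whose names mirror the /amdlinks/d418 layout from the message, so no automounter or NFS is involved; a deliberately dangling link stands in for an automounter key whose target is not mounted. The helper names are the editor's. Listing the directory with lstat() describes each link without touching its target (the "just in time" behaviour Albert asks for), while listing it with stat() dereferences every entry, which is exactly the call pattern that fires the automounter once per link.

```python
"""stat() follows symlinks, lstat() does not: the difference behind Albert's
"just in time links" request. Added example for this archive, not Samba's code.
It builds its own constructed link farm (no automounter, no NFS); names mirror
/amdlinks/d418 from the message, helper names are the editor's."""
import os
import stat
import tempfile


def build_link_farm() -> str:
    """Constructed layout: <tmp>/amdlinks/d418/<name> -> <tmp>/d418/<name>, plus one
    dangling link standing in for a key whose target is not (yet) mounted."""
    root = tempfile.mkdtemp(prefix="amdlinks-")
    targets = os.path.join(root, "d418")
    links = os.path.join(root, "amdlinks", "d418")
    os.makedirs(links)
    for name in ("PS2MIF", "adm", "bin"):
        os.makedirs(os.path.join(targets, name))
        os.symlink(os.path.join(targets, name), os.path.join(links, name))
    os.symlink(os.path.join(targets, "missing"), os.path.join(links, "dangling"))
    return links


def _kind(st_mode: int) -> str:
    if stat.S_ISLNK(st_mode):
        return "symlink"
    if stat.S_ISDIR(st_mode):
        return "dir"
    return "other"


def list_with_lstat(directory: str) -> list:
    """Just-in-time listing: lstat() describes the link itself and never touches
    the target, so nothing behind the link is mounted or even resolved."""
    return [(name, _kind(os.lstat(os.path.join(directory, name)).st_mode))
            for name in sorted(os.listdir(directory))]


def list_with_stat(directory: str) -> list:
    """Eager listing: stat() dereferences every link in the directory, which is
    what would fire the automounter once per entry on a real /amdlinks tree."""
    out = []
    for name in sorted(os.listdir(directory)):
        try:
            kind = _kind(os.stat(os.path.join(directory, name)).st_mode)
        except FileNotFoundError:
            kind = "dangling"  # target absent: stat() fails where lstat() succeeded
        out.append((name, kind))
    return out


def follow_on_demand(directory: str, name: str) -> str:
    """The 'double click' step: dereference exactly one entry, leaving the rest alone."""
    return _kind(os.stat(os.path.join(directory, name)).st_mode)


if __name__ == "__main__":
    d = build_link_farm()
    print("lstat:", list_with_lstat(d))
    print("stat: ", list_with_stat(d))
    print("adm on demand:", follow_on_demand(d, "adm"))
```

The dangling entry is the case where the two calls visibly diverge: lstat() happily reports a symlink, stat() raises because the target does not exist. On the automounter tree in the message the same stat() call does not fail, it blocks on an NFS mount instead, which is why a directory of many links becomes a flood of mounts.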
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: NT Domain Support for SAMBA
References: <199806030116.LAA07412@townrmc.families.qld.gov.au>
Message-ID: <3575B411.E12C2013@eng.auburn.edu>

Simon,

I'm CC'ing this to the samba-ntdom mailing list in case someone else
would like to respond to you as well.

Simon Hendry wrote:
>
> Hi ..

Hello :)

> Q1 ). We are looking at placing a NT box next to some of our Unix
> machines in some of our area offices ( 1 Sparc , 1 NT box environment
> ). If we do this and setup SAMBA as a PDC and setup the NT Box as a
> member of a domain , then if a Windows 95 machine attempts a
> connection such as \\NTBOX\cdrive , will the NT Machine redirect the
> passwd lookup to the SAMBA machine and use smbpasswd and NOT the SAM
> database to authenticate the user...

From another NT box this works fine ( validates the DOMAIN account ). I
was unable to get it to work from Win95 -> WinNT or from WfWg -> WinNT.
However, after looking at the Netmon sniff of the packets, the "Windows
for Workgroups 3.1a" dialect is selected which is correct. Anyone got a
response to this one?

> Q2 ) We want the NT machine in each office to authenticate
> against the local SAMBA box , not one across a wide area
> network link... Will there be a problem with having multiple
> samba boxes running as PDC for a single domain given that each
> box will be on a distinctly different network across a routed
> link from one another ?

Hmmm...This is tricky. Assuming that NetBIOS name resolution is done
locally on each subnet ( ie. don't use WINS ) so that no PDC is aware of
another, this might work. Not sure I would recommend it though. Really
you are wanting to setup several domains that just happen to have the
same name ( and possibly domain sid ). They are in essence isolated from
each other due to the blocked ports ( see comments below on blocking
traffic at the router ).
IMHO a better solution would be to setup an individual domain for each
local subnet and then use scp ( or rsync...not via NFS obviously ) to
distribute the smbpasswd file to the servers and thus maintain a central
list of accounts. Does that make any sense?

> Will we have to block certain traffic on our routers so that the NT
> box doesn't detect a PDC somewhere else ?

If you do not need to run SMB / NBT traffic across the routers, then just
block ports 135, 137, 138 and 139.

> Are there settings in smb.conf on the SAMBA machine that will
> stop the NT box becoming aware of the master browse list for
> the entire network ?

Haven't tried this. If you block the ports listed above, then this is no
biggie. The samba servers ( and NT boxes ) should be isolated. If you do
not block the ports and do not use WINS, then

domain master = yes
local master = yes
preferred master = yes
os level = 64

should do it. This is assuming only **one** PDC on a subnet.

> Is there a problem from a SAMBA point of view having multiple
> PDCs ?

NT in general defines a domain to have only one PDC ( hence the name
Primary Domain Controller ) and several BDCs depending on need. It is
possible to get similar behavior to a BDC in samba by manually merging
changes from the smbpasswd files (gotta love unix flat files). This could
be real tricky since you don't want to change the local entries for the
machine trust accounts.

> Is it possible to get the same functionality from the SAMBA boxes
> if we make them only BDCs and therefore avoid the multiple PDCs
> issue ???

This would be the ideal solution but unfortunately, the NTDOM code does
not currently support acting as a BDC. See above comments...

I feel like I have made this about as clear as mud. Anyone else care to
join in?
Thanks,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                          jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Thu Jun 4 02:13:34 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: A small success
References: <01bd8e16$53c53620$0302010a@pcrudi.orcom.ch>
Message-ID: <357602CE.3760FC14@whistle.com>

Ruud Huynen wrote:
>
> This is the problem:
> When I have a directory e.g. 'customer' and rename it to 'Customer', I can descend into this directory, but no files/directories are displayed.
>
> When the name I want to change is only 1 character, e.g. 'a' and rename it to 'A' everything functions.
> Also when the name I rename changes in the first character, e.g. 'Aaa' to 'Baa' it works.
>
> I have the following settings:
> ; mangled names = no
> mangle case = no
> case sensitive = no
> default case = lower
> preserve case = yes
> short preserve case = yes
> character set = iso8859-1
> client code page = 850
>
> I tested this on AIX (gcc without -O), HPUX and SCO. The samba release is 1.9.17p5.
> Can you check if this problem doesn't exist anymore in 1.9.18 and Domain-Branch

I have tested this and cannot reproduce on the HEAD branch.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Thu Jun 4 14:19:12 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
In-Reply-To:
Message-ID:

[cross-posted to samba-technical, samba-ntdom and samba].

On Thu, 4 Jun 1998, Albert Chin-A-Young wrote:

> This mail message follows from several discussions with Luke Leighton.
> It's mostly technical in nature but I'm submitting to all mailing
> lists anyway (Luke's suggestion).
>
> We have our Samba server running with the Berkeley AMD automounter
> (nothing peculiar here). In order for our Samba users to walk the
> automount tree, we created a program to create symbolic links from
> the local filesystem to the automounter keys. So, we have a tree
> that looks like the following:
>
> /amdlinks
>   d418 (tree created from amd.d418 map)
>     PS2MIF -> /d418/PS2MIF
>     adm -> /d418/adm
>     bin -> /d418/bin
>   da
>     abt (tree created from amd.da.abt map)
>       dist
>         nosw -> /da/abt/dist/nosw
>         sw -> /da/abt/dist/sw
>     adm (tree created from amd.da.adm map)
>       dist
>         sys -> /da/adm/dist/sys
>
> So, the user, using the File Manager/Explorer in windows, can
> map to \\samba\da or \\samba\d418 and walk the /amdlinks/da or
> /amdlinks/d418 tree and see all the directories that the automounter
> *might* mount (if we didn't do it this way, \\samba\da would map
> to the automounter /da directory which might not contain anything
> and this would make it impossible for them to "point-and-click"
> their way down the directory tree).
>
> The problem occurs when users descend into a directory with a list
> of symbolic links (such as \\samba\d418 above). When you descend
> into this directory, the Samba server will kick off the automounter
> in this directory and mount everything in /d418. This becomes a big
> problem when there are *many* symbolic links in a directory pointing
> to automounted paths (which would then cause lots of NFS mounts).
> So,
> what I would like is a "just in time links" option that returns the
> symbolic link to the File Manager and, not until the user "double
> clicks" on an entry that is a symbolic link, have it followed
> (and thus kick off the automounter on an "as-needed" basis).

my suggestion to solve this was to have a function that either calls
lstat or stat with a boolean switch. then, identify _all_ SMB calls
that make stat or lstat calls. then, subdivide them into calls that
need to have the real file/directory time/date and those that could
get away with the file/directory link time/date. this _may_ require an
smb.conf file list option.

at a first guess, you could do lstat on directories, and stat on files.

my second guess is simply that stat is being accidentally called
(which triggers the automount lookup) in places where lstat should
only be called (under the control of lp_symlinks() whatever).

opinions / comments welcomed.

luke

From lkcl at switchboard.net Thu Jun 4 15:22:02 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: two temporary new parameters: "domain admin group" and "domain guest group"
Message-ID:

these sit alongside "domain admin users" and "domain guest users".

you may find that:

- if you do not use these parameters, you may get profile problems
  (where did it go???)

- if you _do_ use these parameters (instead of domain admin users)
  that the problems with multiple administrators getting the same
  profile goes away.

luke

From lkcl at switchboard.net Thu Jun 4 15:42:15 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: CVS update: samba/source/lib/rpc/server (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Fri, 5 Jun 1998 01:29:41 +1000
From: samba-cvs@samba.anu.edu.au
To: Multiple recipients of list
Subject: CVS update: samba/source/lib/rpc/server

Date:	Friday June 5, 1998 @ 1:24
Author:	lkcl

Update of /data/cvs/samba/source/lib/rpc/server
In directory samba:/tmp/cvs-serv10313/lib/rpc/server

Modified Files:
	srv_util.c
Log Message:
added "domain admin group" and "domain guest group" parameters.
this is because "domain admin users" and "domain guest users" was
overloaded. incorrectly.

From pckizer at tamu.edu Thu Jun 4 15:48:52 1998
From: pckizer at tamu.edu (Philip Kizer)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
In-Reply-To: Your message of "Fri, 05 Jun 1998 01:21:26 +1000."
Message-ID: <199806041548.KAA08667@gonzo.tamu.edu>

Luke Kenneth Casson Leighton wrote:
>my suggestion to solve this was to have a function that either calls lstat
>or stat with a boolean switch. then, identify _all_ SMB calls that make a
>stat or lstat calls. then, subdivide them into calls that need to have
>the real file/directory time/date and those that could get away with the
>file/directory link time/date. this _may_ require an smb.conf file list
>option.

The directory or file timestamp would never change from the viewpoint of
the client, then. If the directory reading routines were made to only
lstat, then the only time information would be made available would be
after a file was opened to do an fstat.

>at a first guess, you could do lstat on directories, and stat on files.

But...until you stat the links to get the stat info on the target of the
link, you don't know whether it's a directory or a file. How would
dos_mode() set the mode correctly from make_dir_struct() for the reply to
the client? Wouldn't the client display incorrect info (in, for instance,
FileManager) if a link is a directory but information is not returned to
that effect so a file icon is created rather than a directory icon?

Please pardon if I just haven't looked at the code or protocols enough yet.

--
Philip Kizer
Texas A&M CIS Operating Systems Group, Unix

From kfleming at access-laserpress.com Thu Jun 4 18:58:31 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:14 2003
Subject: Username mapping
Message-ID: <3576EE57.BD14EAB2@access-laserpress.com>

For some reason my smb.conf man page doesn't include any information on
"map user" and I think it will do what I want... Here's the scenario:

I've got a Linux machine (RH 4.2) running the 1.9.19-prealpha code from
a week or so ago. It works fine, and is running as a domain member
server with a (real:-) NT machine as the PDC. There are a couple of
shares on this machine, and I've tested accessing those shares from
three different user accounts.

The three user accounts are set up identically in /etc/passwd and
/etc/group, but only two of them work. The third does not, and I suspect
it does not because the user name is longer than 8 characters. The full
username is listed in /etc/passwd, and works just fine when used for the
POP/IMAP servers on the same Linux machine, but does not work through
Samba.

Any thoughts as to what might be wrong here?

From jallison at whistle.com Thu Jun 4 17:45:12 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: Default case settings.
References:
Message-ID: <3576DD28.CFDD2C2B@whistle.com>

Hi all,

After answering the question 'how do I make Samba serve files with the
same case-preserving-but-case-insensitive way as NT does' for the
hundredth time, I'd like to propose for the 1.9.19 Samba release (due
as alpha 'real soon now' (tm) :-) to change the defaults for these
parameters to :

	preserve case = yes
	short preserve case = yes
	case sensitive = no

I'm asking everyone as this will fundamentally change the default Samba
configuration on a new install. Would anyone object to this change
being done ? Could it screw up someone's carefully hand crafted
smb.conf file ?

Please respond only if it's a 'No - do that and I'll kill you' response
:-). Silence gives assent and I'll make the change.

Cheers,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From china at pprd.abbott.com Thu Jun 4 20:54:28 1998
From: china at pprd.abbott.com (Albert Chin-A-Young)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
In-Reply-To:
Message-ID:

On Thu, 4 Jun 1998, Luke Kenneth Casson Leighton wrote:

>[cross-posted to samba-technical, samba-ntdom and samba].
>
>On Thu, 4 Jun 1998, Albert Chin-A-Young wrote:
>
>> [description removed]
>
>my suggestion to solve this was to have a function that either calls lstat
>or stat with a boolean switch. then, identify _all_ SMB calls that make a
>stat or lstat calls. then, subdivide them into calls that need to have
>the real file/directory time/date and those that could get away with the
>file/directory link time/date. this _may_ require an smb.conf file list
>option.
>
>at a first guess, you could do lstat on directories, and stat on files.
>
>
>my second guess is simply that stat is being accidentally called (which
>triggers the automount lookup) in places where lstat should only be
>called (under the control of lp_symlinks() whatever).
>
>opinions / comments welcomed.

Ok, following discussions with Paul Epp, there are a total of three
ways to solve this problem:

1. Add the following options to smb.conf:
     jit symlinks = yes/no
     file symlinks = [pointer to file with REs]
     directory symlinks = [pointer to file with REs]
   Then wrap calls to stat() accordingly so that symbolic links in a
   particular directory are treated as files or directories and force
   lstat() on them. The 'jit symlinks' stands for 'just-in-time
   symlinks' and would enable this feature. This would be a
   general-purpose mechanism for anyone with trees of symbolic links.

2. Move Samba to a Solaris 2.6 platform running the Solaris
   automounter. Due to the new browsability feature that exists in
   this automounter, Samba can walk the list of automounter keys
   without causing a mount storm because the automounter lies when
   stat() is called (so nothing is mounted).
   An added benefit to this is that we can point shares directly at
   the automounter namespace and get rid of our utility to create a
   tree of links from the automounter maps.

3. Modify the Berkeley AMD automounter to lie about stat() as the
   Solaris 2.6 automounter does.

What do you all think? Paul is already coding up solution #1 and will
be done shortly. I have tested solution #2 and it works just fine
(though we're running AMD here).

>luke

--
albert chin (china@pprd.abbott.com)

From jallison at whistle.com Thu Jun 4 21:13:57 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
References:
Message-ID: <35770E15.F3872CCC@whistle.com>

Albert Chin-A-Young wrote:
>
> Ok, following discussions with Paul Epp, there are
> a total of three ways to solve this problem:
> 1. Add the following options to smb.conf:
>      jit symlinks = yes/no
>      file symlinks = [pointer to file with REs]
>      directory symlinks = [pointer to file with REs]
>    Then wrap calls to stat() accordingly so that symbolic
>    links in a particular directory are treated as files
>    or directories and force lstat() on them. The
>    'jit symlinks' stands for 'just-in-time symlinks' and
>    would enable this feature. This would be a general-
>    purpose mechanism for anyone with trees of symbolic
>    links.

What are the speed considerations of this ?

The stat system call is one of the most common within
Samba, in fact one of the optimizations (I will get
around to one day :-) would be to optimize out as
many of these stat calls as possible, ensuring they
are only done once per pathname.

My fear with the solution you propose is that it will
be horribly slow, due to the extra overhead in processing
stat calls.

>
> What do you all think? Paul is already coding up solution #1 and
> will be done shortly. I have tested solution #2 and it works just
> fine (though we're running AMD here).
>

I'd be interested in the code, although I don't want to commit
to including it in the master sources (except as a compile-time
option) until some benchmarks have been done.

Cheers,

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From china at pprd.abbott.com Thu Jun 4 21:34:31 1998
From: china at pprd.abbott.com (Albert Chin-A-Young)
Date: Tue Dec 2 02:24:14 2003
Subject: Just-in-time mounts when following symlinks
In-Reply-To: <35770E15.F3872CCC@whistle.com>
Message-ID:

On Thu, 4 Jun 1998, Jeremy Allison wrote:

>Albert Chin-A-Young wrote:
>>
>> Ok, following discussions with Paul Epp, there are
>> a total of three ways to solve this problem:
>> 1. Add the following options to smb.conf:
>>      jit symlinks = yes/no
>>      file symlinks = [pointer to file with REs]
>>      directory symlinks = [pointer to file with REs]
>>    Then wrap calls to stat() accordingly so that symbolic
>>    links in a particular directory are treated as files
>>    or directories and force lstat() on them. The
>>    'jit symlinks' stands for 'just-in-time symlinks' and
>>    would enable this feature. This would be a general-
>>    purpose mechanism for anyone with trees of symbolic
>>    links.
>
>What are the speed considerations of this ?
>
>The stat system call is one of the most common within
>Samba, in fact one of the optimizations (I will get
>around to one day :-) would be to optimize out as
>many of these stat calls as possible, ensuring they
>are only done once per pathname.
>
>My fear with the solution you propose is that it will
>be horribly slow, due to the extra overhead in processing
>stat calls.

What you say makes sense. This certainly depends on the list of items in
the 'file symlinks' and 'directory symlinks' options. As they're REs,
you'd have to match for every symbolic link you find (not every file).
I don't see us losing when deciding whether or not to do stat() v.
lstat() but the RE matching might definitely be a performance hit. In
practice, I'd expect people to have one directory tree of symbolic links
(for the automounter keys) and for that to be the only directory
specified in 'directory symlinks'.

> Jeremy Allison,

--
albert chin (china@pprd.abbott.com)

From pkeck at coe.uga.edu Fri Jun 5 12:37:23 1998
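The stat()/lstat() wrapper sketched in the thread above (Luke's boolean switch, Albert's "jit symlinks" with per-tree regular expressions, and the cost concern raised by Jeremy and Philip), written out as an added example; this is not code from Samba or from Paul Epp's implementation. The jit_cfg/jit_stat names are assumptions, the regexes are matched against the link's own path rather than read from a file, and the test tree is constructed under a temporary directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical config mirroring the proposed smb.conf options: "jit symlinks"
 * on/off plus the "directory symlinks" / "file symlinks" regular expressions.
 * The names are assumptions for this example, not Samba parameters. */
struct jit_cfg {
    int enabled;      /* jit symlinks = yes/no */
    regex_t dir_re;   /* symlinks matching this are reported as directories */
    regex_t file_re;  /* symlinks matching this are reported as files */
};

/* What the caller gets back, plus whether the link target was touched
 * (touching it is what makes an automounter mount the target). */
struct jit_result {
    struct stat st;
    int is_link;      /* the path itself is a symbolic link */
    int followed;     /* stat() was called on the target */
};

static int jit_cfg_init(struct jit_cfg *c, const char *dir_re, const char *file_re)
{
    c->enabled = 1;
    if (regcomp(&c->dir_re, dir_re, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    if (regcomp(&c->file_re, file_re, REG_EXTENDED | REG_NOSUB) == 0) return 0;
    regfree(&c->dir_re);
    return -1;
}

/* Just-in-time stat: lstat() first; the regexes are consulted only for
 * symlinks (never for ordinary files, which keeps the overhead small), and
 * the link is followed with stat() only when neither regex claims it. */
static int jit_stat(const struct jit_cfg *c, const char *path, struct jit_result *r)
{
    memset(r, 0, sizeof(*r));
    if (lstat(path, &r->st) != 0) return -1;
    if (!S_ISLNK(r->st.st_mode)) return 0;   /* plain file or dir: nothing to decide */
    r->is_link = 1;
    if (c->enabled && regexec(&c->dir_re, path, 0, NULL, 0) == 0) {
        /* Claim it is a directory and keep the link's own timestamps. */
        r->st.st_mode = (r->st.st_mode & ~S_IFMT) | S_IFDIR;
        return 0;
    }
    if (c->enabled && regexec(&c->file_re, path, 0, NULL, 0) == 0) {
        r->st.st_mode = (r->st.st_mode & ~S_IFMT) | S_IFREG;
        return 0;
    }
    r->followed = 1;                         /* unknown kind: may trigger a mount */
    return stat(path, &r->st);
}

/* Build a constructed tree under a temporary directory and exercise the
 * wrapper. Returns 0 when every expectation holds, else a mask of failures. */
static int jit_selftest(void)
{
    char root[] = "/tmp/jitXXXXXX", re[128], p[5][160];
    struct jit_cfg c; struct jit_result r; int fd, rc = 0;
    if (mkdtemp(root) == NULL) return 1;
    snprintf(p[0], sizeof p[0], "%s/target_dir", root);    /* real directory */
    snprintf(p[1], sizeof p[1], "%s/target_file", root);   /* real file */
    snprintf(p[2], sizeof p[2], "%s/amdlinks", root);      /* tree of links */
    snprintf(p[3], sizeof p[3], "%s/amdlinks/d418", root); /* link -> dir, in tree */
    snprintf(p[4], sizeof p[4], "%s/plain_link", root);    /* link -> dir, outside */
    snprintf(re, sizeof re, "^%s/amdlinks/", root);        /* directory symlinks */
    if (mkdir(p[0], 0700) || mkdir(p[2], 0700) || (fd = open(p[1], O_WRONLY | O_CREAT, 0600)) < 0)
        return 2;
    close(fd);
    if (symlink(p[0], p[3]) || symlink(p[0], p[4]) || jit_cfg_init(&c, re, "^$"))
        return 4;                                          /* "^$": no file symlinks */
    /* Link inside the configured tree: reported as a dir, never followed. */
    if (jit_stat(&c, p[3], &r) || !r.is_link || r.followed || !S_ISDIR(r.st.st_mode))
        rc |= 8;
    /* Link outside the tree: kind unknown, so it is followed (mount happens). */
    if (jit_stat(&c, p[4], &r) || !r.is_link || !r.followed || !S_ISDIR(r.st.st_mode))
        rc |= 16;
    /* Ordinary file: no regex work at all. */
    if (jit_stat(&c, p[1], &r) || r.is_link || r.followed || !S_ISREG(r.st.st_mode))
        rc |= 32;
    /* Feature switched off: behaves like a plain stat() again. */
    c.enabled = 0;
    if (jit_stat(&c, p[3], &r) || !r.followed) rc |= 64;
    regfree(&c.dir_re); regfree(&c.file_re);
    unlink(p[4]); unlink(p[3]); unlink(p[1]); rmdir(p[2]); rmdir(p[0]); rmdir(root);
    return rc;
}

int main(void)
{
    int rc = jit_selftest();
    printf("jit symlink self-test: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Note that a link claimed by the directory regex is reported as a directory without ever looking at its target, which is exactly the information gap Philip Kizer points out: the admin's regex, not the filesystem, decides the icon the client sees.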
From: pkeck at coe.uga.edu (Paul Keck)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
Message-ID: <19980605083723.29479@coe.uga.edu>

Hi all. I'm a little new to Samba- only been running it for a few months
mostly for people to get into their Solaris 2.5 home dirs. It's working
great for that- thanks to you all!

We now have a need for something to serve as an NT PDC. I've R'ed the FMs
and have a question. All the PDC docs start out with "turn on encrypted
passwords, check ENCRYPTION.txt for how." If I understand it right, once I
do this all the folks using /etc/password to get to their home dirs will
have to make themselves ANOTHER password which will be put in
{samba}/private/smbpasswd. Until they do they will be out of luck getting
to their home dirs.

Am I wrong? Can I set the box up as a PDC and still use /etc/passwd? If
not, is there a way I could translate /etc/passwd into the smbpasswd format
without using a password cracker? :-)

I'd like to avoid having another password database if at all possible. We
also use Netware (4.11 and 3.12) and I've heard there is an NT product which
will let you use an NDS tree to authenticate, but this requires an NT server
to act as the go-between. I'd rather not have a production NT box if I can
help it.

Thanks! If I'm barking up the wrong tree, any better ideas would be
appreciated.
--
Paul Keck      pkeck@coe.uga.edu         http://www.coe.uga.edu/~pkeck
Univ. of Georgia- College of Education   ftp://ftp.coe.uga.edu/users/pkeck
Office of Information Technology (OIT)   mailto:pkeck@ediacara.org
--Opinions mine, not OIT's.--   Go fighting anomalocaridids!!!

From cartegw at Eng.Auburn.EDU Fri Jun 5 13:11:53 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: file permissions for NT policies
References: <3574ABEC.8397693C@village.vut.edu.au>
Message-ID: <3577EE99.871A31B9@eng.auburn.edu>

Mick Haigh wrote:
>
> Hiya Everyone.
>
> I've been messing around with policies with NT 4.0 machines and have
> come across a very annoying behaviour. To allow the NT 4.0 machine to
> download a new copy of the policy reliably when a user logs on, I have
> had to allow write access to the NTconfig.POL file in /NETLOGON. I
> have no idea why this is necessary and have yet to check on whether
> this is the case with an NT server instead of a Samba server.

Didn't see anyone respond to this one yet, so here goes.

Add the following to smb.conf

	[netlogon]
	locking = no
	public = no
	.....

My guess is that you had locking turned on and therefore the clients
could not access the file simultaneously. Let me know if this works.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                          jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From gdoucet at altavista.net Fri Jun 5 13:37:52 1998
From: gdoucet at altavista.net (Geoffroy Doucet)
Date: Tue Dec 2 02:24:14 2003
Subject: No subject
Message-ID: <000701bd9087$258eeb70$0200a8c0@grosfox.infodigital.dyn.ml.org>

-------------- next part --------------
HTML attachment scrubbed and removed

From lkcl at switchboard.net Fri Jun 5 15:02:10 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Username mapping
In-Reply-To: <3576EE57.BD14EAB2@access-laserpress.com>
Message-ID:

i need to create a "domain map username" parameter.

this will take a username / domain / password from an nt domain login
and return a _different_ (unix) username in the LsaSamLogon response.

the user will actually be logged in under the returned username _not_
the one they specified in the nt domain login dialog.

then you will be able to do things like log in with a 20 character
name and actually be logged in with an 8 character name.

luke

On Fri, 5 Jun 1998, Kevin P. Fleming wrote:

> For some reason my smb.conf man page doesn't include any information on
> "map user" and I think it will do what I want... Here's the scenario:
>
> I've got a Linux machine (RH 4.2) running the 1.9.19-prealpha code from
> a week or so ago. It works fine, and is running as a domain member
> server with a (real:-) NT machine as the PDC. There are a couple of
> shares on this machine, and I've tested accessing those shares from
> three different user accounts.
>
> The three user accounts are set up identically in /etc/passwd and
> /etc/group, but only two of them work. The third does not, and I suspect
> it does not because the user name is longer than 8 characters. The full
> username is listed in /etc/passwd, and works just fine when used for the
> POP/IMAP servers on the same Linux machine, but does not work through
> Samba.
>
> Any thoughts as to what might be wrong here?
>

From lkcl at switchboard.net Fri Jun 5 15:11:01 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <19980605083723.29479@coe.uga.edu>
Message-ID:

a new option has been added: "update encrypted". run with this for a
week; then move over to "encrypt passwords".

On Fri, 5 Jun 1998, Paul Keck wrote:

> Hi all. I'm a little new to Samba- only been running it for a few months
> mostly for people to get into their Solaris 2.5 home dirs. It's working
> great for that- thanks to you all!
>
> We now have a need for something to serve as an NT PDC. I've R'ed the FMs
> and have a question. All the PDC docs start out with "turn on encrypted
> passwords, check ENCRYPTION.txt for how." If I understand it right, once I
> do this all the folks using /etc/password to get to their home dirs will
> have to make themselves ANOTHER password which will be put in
> {samba}/private/smbpasswd. Until they do they will be out of luck getting
> to their home dirs.
>
> Am I wrong? Can I set the box up as a PDC and still use /etc/passwd? If
> not, is there a way I could translate /etc/passwd into the smbpasswd format
> without using a password cracker? :-)
>
> I'd like to avoid having another password database if at all possible. We
> also use Netware (4.11 and 3.12) and I've heard there is an NT product which
> will let you use an NDS tree to authenticate, but this requires an NT server
> to act as the go-between. I'd rather not have a production NT box if I can
> help it.
>
> Thanks! If I'm barking up the wrong tree, any better ideas would be
> appreciated.
> --
> Paul Keck      pkeck@coe.uga.edu         http://www.coe.uga.edu/~pkeck
> Univ. of Georgia- College of Education   ftp://ftp.coe.uga.edu/users/pkeck
> Office of Information Technology (OIT)   mailto:pkeck@ediacara.org
> --Opinions mine, not OIT's.--   Go fighting anomalocaridids!!!
>

From cartegw at Eng.Auburn.EDU Fri Jun 5 15:18:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References:
Message-ID: <35780C41.C9C7BCC1@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> a new option has been added: "update encrypted". run with this for a
> week; then move over to "encrypt passwords".

This works very well. One problem I had with it and haven't had time to
track things down was that the passwd_mod() would sometimes fail to lock
the private/smbpasswd file. This will show up in the smbd log.

see ya,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                          jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Fri Jun 5 17:58:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:14 2003
Subject: Username mapping
In-Reply-To: <199806051709.KAA00783@java.netapp.com>
Message-ID:

On Fri, 5 Jun 1998, Jeremy Allison wrote:

> > i need to create a "domain map username" parameter.
> >
> > this will take a username / domain / password from an nt domain login and
> > return a _different_ (unix) username in the LsaSamLogon response.
> >
> > the user will actually be logged in under the returned username _not_ the
> > one they specified in the nt domain login dialog.
> >
> > then you will be able to do things like log in with a 20 character name
> > and actually be logged in with an 8 character name.
> >
>
> (Working from home at the moment as my car has a flat tyre -
> don't hit reply :-).
>
> We're suffering from creeping parameteritis at the moment.
>
> Why do you need this ? Isn't this the same as the username
> map parameter.

no it isn't the same. map username would map to a unix username
underneath, but maintain the same nt username. "domain map username"
would map to a different nt username, and would be nothing to do with
"map username".

> Don't we just need to get the domain code
> to use the same username map file instead ?

possibly, possibly not. the capability exists to respond to the
LsaSamLogon query with a totally different username. this i believe to
be different from the "map username" option. but i could be wrong (and
i think i might be). someone convince me :-)

From jallison at whistle.com Fri Jun 5 19:28:46 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <35780C41.C9C7BCC1@eng.auburn.edu>
Message-ID: <357846EE.AF70952A@whistle.com>

Gerald Carter wrote:
>
> This works very well. One problem I had with it and haven't had time to
> track things down was that the passwd_mod() would sometimes fail to lock
> the private/smbpasswd file. This will show up in the smbd log.
>

Has this happened recently ? I fixed some of the code
that did that a few weeks ago.

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Fri Jun 5 19:54:48 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <35780C41.C9C7BCC1@eng.auburn.edu> <357846EE.AF70952A@whistle.com>
Message-ID: <35784D08.6ED812DE@eng.auburn.edu>

Jeremy Allison wrote:
>
> Has this happened recently ? I fixed some of the code
> that did that a few weeks ago.

Happened on May 21 using 1.9.18p7. I haven't tried it with the pre-alpha
code.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                          jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From pkeck at coe.uga.edu Fri Jun 5 20:05:46 1998
From: pkeck at coe.uga.edu (Paul Keck)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <357846EE.AF70952A@whistle.com>; from Jeremy Allison on Sat, Jun 06, 1998 at 05:40:49AM +1000
References: <357846EE.AF70952A@whistle.com>
Message-ID: <19980605160546.46938@coe.uga.edu>

You guys are great! This will help a lot.

Since I got help once, let me push the envelope with more questions. :-)

After the period of getting everyone to log in and get their password
updated is done and we switch to encrypted passwords, /etc/passwd and
smbpasswd will start to diverge, right? Meaning, if they change one the
other will NOT change.

If that is true, is there a good way around this? Something I can set up
a cron job to nightly pipe /etc/passwd through and re-create smbpasswd?
Somehow leave "update encrypted" on while "encrypt passwords" is running
(not possible)? Am I dreaming?

I was perusing the source code just now (not being a decent c programmer,
I am even more impressed with samba!). Unless I miss my guess, in the
password update scheme you take the password they type in (unencrypted)
and try to authenticate them to /etc/passwd. If this works, then make an
NT-style encrypted password out of the unencrypted password in hand and
stick it in smbpasswd. If this is accurate, then my dream of a unix-style
to NT-style password converter will probably go unfulfilled, unless it
incorporates a cracker.

Someone tell me I'm wrong! I'll pay good pizza for something I can
cron/pipe my /etc/passwd through. :-)
--
Paul Keck      pkeck@coe.uga.edu         http://www.coe.uga.edu/~pkeck
Univ. of Georgia- College of Education   ftp://ftp.coe.uga.edu/users/pkeck
Office of Information Technology (OIT)   mailto:pkeck@ediacara.org
--Opinions mine, not OIT's.--   Go fighting anomalocaridids!!!

From cartegw at Eng.Auburn.EDU Fri Jun 5 20:16:43 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <19980605160546.46938@coe.uga.edu>
Message-ID: <3578522B.14A1D8E2@eng.auburn.edu>

Paul Keck wrote:
>
> After the period of getting everyone to log in and get their password
> updated is done and we switch to encrypted passwords, /etc/passwd and
> smbpasswd will start to diverge, right? Meaning, if they change one
> the other will NOT change.

Correct

> If that is true, is there a good way around this?

The best solution is to rewrite your passwd program on the unix box to
pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
if these files are located on the same box that users log in to change
their passwd. If users change their passwd on other machines besides
these masters, then things get a little trickier.

> Someone tell me I'm wrong! I'll pay good pizza for something I can
> cron/pipe my /etc/passwd through. :-)

Nice to see good southern hospitality on the 'net :)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                   Engineering Network Services
Auburn University                          jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From china at pprd.abbott.com Fri Jun 5 20:28:36 1998
From: china at pprd.abbott.com (Albert Chin-A-Young)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3578522B.14A1D8E2@eng.auburn.edu>
Message-ID:

On Sat, 6 Jun 1998, Gerald Carter wrote:

>Paul Keck wrote:
>>
>> After the period of getting everyone to log in and get their password
>> updated is done and we switch to encrypted passwords, /etc/passwd and
>> smbpasswd will start to diverge, right? Meaning, if they change one
>> the other will NOT change.
>
>Correct
>
>> If that is true, is there a good way around this?
>
>The best solution is to rewrite your passwd program on the unix box to
>pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
>if these files are located on the same box that users log in to change
>their passwd. If users change their passwd on other machines besides
>these masters, then things get a little trickier.

If you're running NIS, I'd like to see a modified rpc.yppasswdd that
updated NIS passwd and NIS smbpasswd at the same time. Samba would then
have to be modified to use NIS for smbpasswd. I'd also like to see Samba
refer to both smbpasswd and passwd (if the login name is not in
smbpasswd, then look in passwd). The latter is important until everyone
changes their password.

> Gerald ( Jerry ) Carter

--
albert chin (china@pprd.abbott.com)

From lanejohn at cps.msu.edu Fri Jun 5 20:32:56 1998
From: lanejohn at cps.msu.edu (John R Lane)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3578522B.14A1D8E2@eng.auburn.edu>
References: <3578522B.14A1D8E2@eng.auburn.edu>
Message-ID: <13688.21386.480686.845606@canterbury.cps.msu.edu>

    >> After the period of getting everyone to log in and get their
    >> password updated is done and we switch to encrypted passwords,
    >> /etc/passwd and smbpasswd will start to diverge, right?
    >> Meaning, if they change one the other will NOT change.

    Gerald> Correct

    >> If that is true, is there a good way around this?

    Gerald> The best solution is to rewrite your passwd program on the
    Gerald> unix box to pipe the change to /etc/passwd and smbpasswd.
    Gerald> This is fairly trivial if these files are located on the
    Gerald> same box that users log in to change their passwd. If
    Gerald> users change their passwd on other machines besides these
    Gerald> masters, then things get a little trickier.

FYI: I've pretty much finished coding up a PAM module to possibly be
integrated with pam_ntdom which handles password changes using the
(network) password change functionality of samba. In other words, you
should just be able to stack pam_unix on top of pam_ntdom and have
password updates done on a samba server as well as through NIS (or
whatever you use). ie., something like

	other	password required	/usr/lib/security/pam_unix.so.1
	other	password required	/usr/lib/security/pam_ntdom.so.1

I hope to have it debugged and working sometime this weekend; next week
at the latest, though I'm new to PAM, so I'll be counting on having a
few people test it and give feedback.

jrl.
System Administrator
Department of Computer Science
Michigan State University

From lanejohn at cps.msu.edu Fri Jun 5 20:37:32 1998
From: lanejohn at cps.msu.edu (John R Lane)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
References:
Message-ID: <13688.22118.100261.656921@canterbury.cps.msu.edu>

Albert> If you're running NIS, I'd like to see a modified
Albert> rpc.yppasswdd that updated NIS passwd and NIS smbpasswd at

Unfortunately this isn't possible since rpc.yppasswdd (at least on Solaris) never sees the (new) plain-text password.

Albert> the same time. Samba would then have to be modified to use
Albert> NIS for smbpasswd. I'd also like to see Samba refer to
Albert> both smbpasswd and passwd (if the login name is not in
Albert> smbpasswd, then look in passwd). The latter is important
Albert> until everyone changes their password.

jrl.

From jallison at whistle.com Fri Jun 5 20:38:50 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <3578522B.14A1D8E2@eng.auburn.edu>
Message-ID: <35785759.9EA81381@whistle.com>

Gerald Carter wrote:
>
> Paul Keck wrote:
> >
> > After the period of getting everyone to log in and get their password
> > updated is done and we switch to encrypted passwords, /etc/passwd and
> > smbpasswd will start to diverge, right? Meaning, if they change one
> > the other will NOT change.
>
> Correct
>
> > If that is true, is there a good way around this?
>
> The best solution is to rewrite you passwd program on the unix box to
> pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
> if these files are located on the same box that user's login to change
> their passwd. If uses's change their passwd on other machines besides
> these master's, then things get a little trickier.
>

If you are on a system that supports the ALLOW_CHANGE_PASSWORD compile flag to Samba, you don't need to change your UNIX passwd program, you can get Samba to change both your smb and your UNIX passwords simultaneously. Look up the 'unix password sync' parameter for details.

Of course the code that allows NT workstations to update the user passwords for the logged on user isn't written yet (although I have the packet dump and it's on my list of things to fix).

Regards,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From aperrin at demog.Berkeley.EDU Fri Jun 5 21:02:08 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

Unless I misunderstand this, using NIS to distribute smbpasswd would be a huge security hole, since the smbpasswd hashes would be flying around the net; anybody with a sniffer would be able to glean a password-equivalent from this. Am I wrong?

Andy Perrin
UC Berkeley, Demography

>
> If you're running NIS, I'd like to see a modified rpc.yppasswdd that
> updated NIS passwd and NIS smbpasswd at the same time. Samba would
> then have to be modified to use NIS for smbpasswd. I'd also like to
> see Samba refer to both smbpasswd and passwd (if the login name is not
> in smbpasswd, then look in passwd). The latter is important until
> everyone changes their password.
>
> > Gerald ( Jerry ) Carter
>
> --
> albert chin (china@pprd.abbott.com)
>

From cartegw at Eng.Auburn.EDU Fri Jun 5 21:03:08 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
References:
Message-ID: <35785D0C.D330C5F5@eng.auburn.edu>

Albert Chin-A-Young wrote:
>
> If you're running NIS, I'd like to see a modified rpc.yppasswdd that
> updated NIS passwd and NIS smbpasswd at the same time. Samba would
> then have to be modified to use NIS for smbpasswd. I'd also like to
> see Samba refer to both smbpasswd and passwd (if the login name is not
> in smbpasswd, then look in passwd). The latter is important until
> everyone changes their password.

making the smbpasswd file available via NIS IMHO is a bad idea. Remember that the hashes in smbpasswd are plaintext equivalents. Better to use the security = domain model and authenticate against one server that has the smbpasswd file local.

j-

--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From china at pprd.abbott.com Fri Jun 5 21:20:20 1998
From: china at pprd.abbott.com (Albert Chin-A-Young)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <35785D0C.D330C5F5@eng.auburn.edu>
Message-ID:

On Sat, 6 Jun 1998, Gerald Carter wrote:

>Albert Chin-A-Young wrote:
>>
>> If you're running NIS, I'd like to see a modified rpc.yppasswdd that
>> updated NIS passwd and NIS smbpasswd at the same time. Samba would
>> then have to be modified to use NIS for smbpasswd. I'd also like to
>> see Samba refer to both smbpasswd and passwd (if the login name is not
>> in smbpasswd, then look in passwd). The latter is important until
>> everyone changes their password.
>
>making the smbpasswd file available via NIS IHMO is a bad idea.
>Remember that the hashes in smbpasswd are plaintext equivalents. Better
>to use the security = domain model and authenticate against one server
>that has the smbpasswd file local.

This depends on your implementation of NIS. The way we have things here, every machine is an NIS master and, therefore, can only bind to itself (we could also make the Samba servers members of their own domain). If smbpasswd were in NIS, then two Samba servers, or more, could share the same file and you could have updates occur centrally with a modified passwd/rpc.yppasswd combination (it's also easy enough to distribute smbpasswd to only a few NIS servers). We distribute NIS maps as flat files and could easily rdist them with ssh to severely decrease the security flaws in the idea. I don't care for single points of failure but if 'password server' supports more than one password server, then I'm all for it (but then you still have the problem of keeping smbpasswd in sync).

> Gerald ( Jerry ) Carter

--
albert chin (china@pprd.abbott.com)

From tavis at mahler.econ.columbia.edu Fri Jun 5 21:31:21 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:14 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3578522B.14A1D8E2@eng.auburn.edu>
Message-ID:

On Sat, 6 Jun 1998, Gerald Carter wrote:

> The best solution is to rewrite you passwd program on the unix box to
> pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
> if these files are located on the same box that user's login to change
> their passwd. If uses's change their passwd on other machines besides
> these master's, then things get a little trickier.

Is there any way to do this without having users prompted four times for their password (twice by Unix and twice by smbpasswd)? Wasn't there a "unix password sync" option? I can't find it in my documentation. It would certainly be great if someone could write a passwd program that updated both password files.

Cheers,
Tavis

From cartegw at Eng.Auburn.EDU Fri Jun 5 21:49:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References:
Message-ID: <357867E5.9A733B48@eng.auburn.edu>

Albert Chin-A-Young wrote:
>
> This depends on your implementation of NIS. The way we have things
> here, every machine is an NIS master and, therefore, can only bind
> to itself (we could also make the Samba servers members of their
> own domain). If smbpasswd were in NIS, then two Samba servers,
> or more, could share the same file and you could have updates
> occur centrally with a modified passwd/rpc.yppasswd combination
> (it's also easy enough to distribute smbpasswd to only a few NIS
> servers). We distribute NIS maps as flat files and could easily
> rdist them with ssh to severely decrease the security flaws in the
> idea. I don't care for single points of failure but if 'password
> server' supports more than one password server, then I'm all for it
> (but then you still have the problem of keeping smbpasswd in sync).

It's things like 'ypcat smbpasswd.byname' that I would be afraid of ( as well as somebody sniffing the wire ). Just make sure that 'ypcat smbpasswd' only works for root ( but then you still have to worry about someone monitoring the network traffic ). The scp option was one that I considered here as well and may well do as a push update from a cron job on a secure server.

j-

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From bernie at ecr.mu.oz.au Sun Jun 7 04:54:32 1998
From: bernie at ecr.mu.oz.au (Bernie Kirby)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
Message-ID: <199806070454.OAA01748@tamboon.ecr.mu.oz.au>

G'day,

> > Hi all. I'm a little new to Samba- only been running it for a few months
> > mostly for people to get into their Solaris 2.5 home dirs. It's working
> > great for that- thanks to you all!
>
> My sentiments exactly. Samba is the best thing since sliced bread.

I don't know enough about NT to really comment, but...

> a new option has been added: "update encrypted". run with this for a
> week; then move over to "encrypt passwords".

If this option actually encrypts the passwords on the fly, then would it not then be possible to first encrypt it unix-style, then check it against a normal unix passwd file, and then if that checks out, second, encrypt it NT style, and then use that version to do all the 'NT' related things that are required?

Assumption: Needs clear text passwords enabled on the NT machines. (We don't care about Clear text passwords flying around our network).

Thus, one could invisibly have NT passwords that are actually generated on the fly after being verified in normal unix style? ... enabling one to still keep a single unix password file?

It's just a thought, as we have a 'central' password system here, and I'm going to have to modify it to also update the nt passwords when a user changes their usual unix password, not to mention initially generating these passwords for thousands of existing users, for which I envisage having them running an smbpasswd like command that will add an NT password to our central database. The update encrypted option may be an alternative, but I can see it beginning to diverge from the unix passwords after a while.

Anyway, keep up the good work people!

Bernie.

From cartegw at Eng.Auburn.EDU Sun Jun 7 11:37:50 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <199806070454.OAA01748@tamboon.ecr.mu.oz.au>
Message-ID:

On Sun, 7 Jun 1998, Bernie Kirby wrote:

> If this option actually encrypts the passords on the fly, then
> would it not then be possible to first encrypt it unix-style, then
> check it against a normal unix passwd file, and then if that checks out,
> second, encrypt it NT style, and then use that version to do all the 'NT'
> related things that are required?
> Assumption: Needs clear text passwords enabled on the NT machines.

Problem with this is that certain NT actions are unable to send the clear text password ( as per protocol design ) such as machine account password changes as well as domain logins. In fact I think the only action that will generate a plain text password being sent over the wire is accessing shares.

j-

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Sun Jun 7 14:26:05 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3578522B.14A1D8E2@eng.auburn.edu>
Message-ID:

On Sat, 6 Jun 1998, Gerald Carter wrote:

> Paul Keck wrote:
> >
> > After the period of getting everyone to log in and get their password
> > updated is done and we switch to encrypted passwords, /etc/passwd and
> > smbpasswd will start to diverge, right? Meaning, if they change one
> > the other will NOT change.
>
> Correct
>
> > If that is true, is there a good way around this?
>
> The best solution is to rewrite you passwd program on the unix box to
> pipe the change to /etc/passwd and smbpasswd. This is fairly trivial

this has already been done.

ftp://samba.anu.edu.au/pub/samba/contributed/yp-smb-passwd-0.2.tgz

From lkcl at switchboard.net Sun Jun 7 14:29:44 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Sat, 6 Jun 1998, Andrew Perrin - Demography wrote:

> Unless I misunderstand this, using NIS to distribute smbpasswd would be a
> huge security hold, since the smbpasswd hashes would be flying around the
> net; anybody with a sniffer would be able to glean a password-equivalent
> from this. Am I wrong?

you are correct. the private/smbpasswd file *MUST* be kept on local disk, and must not be passed around.

From lkcl at switchboard.net Sun Jun 7 14:32:06 1998
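The point made by Andrew, Gerald and Luke above is that an smbpasswd entry is the credential itself, so the file has to be treated like a key file: local disk, owned by root, mode 0600, never in a NIS map where `ypcat` or a sniffer can read it. The following is an added example (not Samba code, and not any of the programs mentioned in this thread) of the checks a defender would run over such a file. It assumes the classic smbpasswd line layout `username:uid:LANMAN_HASH:NT_HASH:[flags]:LCT-<hex>:` and only relies on the first four fields; the sample entries and their hex values are constructed and are not real hashes.

```python
"""Audit an smbpasswd file: file protection plus per-entry credential hygiene.

Added example for this thread; not Samba code. Assumes the line layout
    username:uid:LANMAN_HASH:NT_HASH:[flags]:LCT-<hex>:
The sample below is constructed; its hex strings are not real hashes.
"""
import os
import stat
import tempfile
from collections import Counter

# Samba's 32-character markers: the literal "no password" entry and an all-X field (no hash).
NO_PASSWORD = "NO PASSWORD" + "X" * 21
NO_HASH = "X" * 32

SAMPLE = "\n".join([
    "# constructed sample for the audit below; hex values are not real hashes",
    "alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:",
    "bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:",
    f"guest:1003:{NO_PASSWORD}:{NO_PASSWORD}:[U          ]:LCT-00000000:",
    f"carol:1004:{NO_HASH}:{NO_HASH}:[D          ]:LCT-00000000:",
    f"dave:1005:{NO_HASH}:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-00000000:",
]) + "\n"


def parse_smbpasswd(text):
    """Return one dict per entry (user, uid, lm, nt); comments and blanks are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: fewer than 4 colon-separated fields")
        lm, nt = fields[2].upper(), fields[3].upper()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"line {lineno}: hash fields must be 32 characters")
        entries.append({"user": fields[0], "uid": int(fields[1]), "lm": lm, "nt": nt})
    return entries


def audit_entries(entries):
    """Flag entries whose stored credential is missing, disabled, or shared.

    Because the stored NT hash is what the server compares against, two accounts
    with the same NT hash share a password, and a NO PASSWORD entry lets anyone in.
    """
    findings = []
    live = [e["nt"] for e in entries if e["nt"] not in (NO_HASH, NO_PASSWORD)]
    nt_counts = Counter(live)
    for e in entries:
        if NO_PASSWORD in (e["lm"], e["nt"]):
            findings.append((e["user"], "no password set"))
        elif e["nt"] == NO_HASH:
            findings.append((e["user"], "disabled or no NT hash"))
        elif nt_counts[e["nt"]] > 1:
            findings.append((e["user"], "NT hash shared with another account"))
    return findings


def check_file_mode(path, expected_owner=0):
    """Report if anyone but the owner can touch the file, or the owner is wrong."""
    st = os.stat(path)
    findings = []
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group or world can access the file; it should be mode 0600")
    if st.st_uid != expected_owner:
        findings.append(f"file is owned by uid {st.st_uid}, expected {expected_owner}")
    return findings


def demo_file_mode():
    """Write the sample to a temp file and check it at 0644 and at 0600."""
    fd, path = tempfile.mkstemp(prefix="smbpasswd.")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        results = {}
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            results[mode] = check_file_mode(path, expected_owner=os.getuid())
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for user, problem in audit_entries(parse_smbpasswd(SAMPLE)):
        print(f"{user}: {problem}")
    for mode, problems in demo_file_mode().items():
        print(f"mode {mode:o}: {problems or 'ok'}")
```

Run against a real `private/smbpasswd` you would call `check_file_mode(path)` with the default owner of 0 and `audit_entries(parse_smbpasswd(open(path).read()))`; the two checks are kept separate so the entry audit can also be run on a copy you have pulled off a server, while the permission check only makes sense on the live file.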
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <35785D0C.D330C5F5@eng.auburn.edu>
Message-ID:

On Sat, 6 Jun 1998, Gerald Carter wrote:

> Albert Chin-A-Young wrote:
> >
> > If you're running NIS, I'd like to see a modified rpc.yppasswdd that
> > updated NIS passwd and NIS smbpasswd at the same time. Samba would
> > then have to be modified to use NIS for smbpasswd. I'd also like to
> > see Samba refer to both smbpasswd and passwd (if the login name is not
> > in smbpasswd, then look in passwd). The latter is important until
> > everyone changes their password.
>
> making the smbpasswd file available via NIS IHMO is a bad idea.
> Remember that the hashes in smbpasswd are plaintext equivalents. Better
> to use the security = domain model and authenticate against one server
> that has the smbpasswd file local.

alternatively use NIS+. some assistance with this to finish the nis+ password database module is still required (estimated module size: 1200 lines of code).

From lkcl at switchboard.net Sun Jun 7 14:45:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <199806070454.OAA01748@tamboon.ecr.mu.oz.au>
Message-ID:

> My sentiments exactly. Samba is the best thing since sliced bread.

we do have a survey entry where someone has said this. and someone else said "make the coffee", i believe. someone else recommended that we add a method to upgrade windows machines to unix...

From tavis at mahler.econ.columbia.edu Sun Jun 7 18:57:04 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Mon, 8 Jun 1998, Luke Kenneth Casson Leighton wrote:

> > The best solution is to rewrite you passwd program on the unix box to
> > pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
>
> this has already been done.
>
> ftp://samba.anu.edu.au/pub/samba/contributed/yp-smb-passwd-0.2.tgz

I just downloaded this file and looked at the documentation and the code. I couldn't find any references to smb passwords, unless it's buried deep in the getpwuid() types of calls. It looked like a plain old YP passwd program (although a perfectly good one at that). Am I missing something?

Thanks,
Tavis

From awilliam at whitemice.org Sun Jun 7 16:20:11 1998
From: awilliam at whitemice.org (Adam Williams)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords? (fwd)
In-Reply-To: root "Re: Must a Samba PDC use encrypted passwords? (fwd)" (Jun 7, 4:16pm)
References:
Message-ID: <9806071620.ZM22559@estate1.whitemice.org>

> > > The best solution is to rewrite you passwd program on the unix box to
> > > pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
> >
> > this has already been done.
> >
> > ftp://samba.anu.edu.au/pub/samba/contributed/-0.2.tgz
>
> I just downloaded this file and looked at the documentation and the
> code. I couldn't find any references to smb passwords, unless it's
> buried deep in the getpwuid() types of calls. It looked like a plain old
> YP passwd program (although a perfectly good one at that). Am I missing
> something?
>

I am the author of yp-smb-passwd. They are drop in replacements for yppasswd/yppasswdd. You must replace both the client and the server. The yppasswdd executes /usr/local/samba/bin/smbpasswd automatically when a user changes their NIS password, so they remain in sync. The call is found in the update.c file. Let me know if you have any other questions.

From tavis at mahler.econ.columbia.edu Mon Jun 8 05:41:00 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:15 2003
Subject: YP-smb-passwd
In-Reply-To: <9806071620.ZM22559@estate1.whitemice.org>
Message-ID:

On Mon, 8 Jun 1998, Adam Williams wrote:

> I am the author of yp-smb-passwd. They are drop in relacements for
> yppasswd/yppasswdd. You must replace both the client and the server. They
> yppasswdd executes /usr/local/samba/bin/smbpasswd automatically when a user
> changes their NIS password, so they remain in sync. The call is found in the
> update.c file. Let me know if you have any other questions.

As long as you're offering, I might as well be nosy. :*) (Great work by the way). If the program uses bin/smbpasswd to update the smb password on the client machine, I assume this means /usr/local has to be mounted with write access on the clients? I'm just wondering if there might be a way to update smb passwords without requiring this (we have our NIS clients mount /usr/local with access only for security reasons). I realize that sending the SMB encryption through the yp hash tables would be even way more insecure. Maybe there's a way to create a one-way (client-to-server) mechanism to pass along updates? Not that I can think of one or anything...

Cheers,
Tavis

From twinders at SPC.cc.tx.us Mon Jun 8 12:51:55 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <35785759.9EA81381@whistle.com>
Message-ID:

On Sat, 6 Jun 1998, Jeremy Allison wrote:

> If you are on a system that supports the ALLOW_CHANGE_PASSWORD
> compile flag to Samba, you don't need to change your UNIX
> passwd program, you can get Samba to change both your smb
> and your UNIX passwords simultaneously.

Jeremy -

Do you have any additional UNIX systems on your list to add the ALLOW_CHANGE_PASSWORD capability to?

=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us             |
| Network Administrator  | Phone: 806-894-9611 x 2369               |
| South Plains College   | Fax:   806-897-4711                      |
---------------------------------------------------------------------

From lkcl at switchboard.net Mon Jun 8 12:57:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Sun, 7 Jun 1998, Tavis Barr wrote:

>
>
> On Mon, 8 Jun 1998, Luke Kenneth Casson Leighton wrote:
>
> > > The best solution is to rewrite you passwd program on the unix box to
> > > pipe the change to /etc/passwd and smbpasswd. This is fairly trivial
> >
> > this has already been done.
> >
> > ftp://samba.anu.edu.au/pub/samba/contributed/yp-smb-passwd-0.2.tgz
>
> I just downloaded this file and looked at the documentation and the
> code. I couldn't find any references to smb passwords, unless it's
> buried deep in the getpwuid() types of calls. It looked like a plain old
> YP passwd program (although a perfectly good one at that). Am I missing
> something?
>
> Thanks,
> Tavis

tavis,

being honest: i have no idea. someone (please check the archives) said, "i've written this program that does both unix and samba passwords" i said, "great, send me a copy i'll put in the contributed directory".

so you might be missing something: please let me know, however, one way or the other!

thanks,

luke

From jallison at whistle.com Mon Jun 8 17:29:41 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References:
Message-ID: <357C1F85.99646B57@whistle.com>

Tim Winders wrote:

> Jeremy -
>
> Do you have any additional UNIX systems on your list to add the
> ALLOW_CHANGE_PASSWORD capability to?
>

Well I rely on people telling us that the ALLOW_CHANGE_PASSWORD code works on their OS revision - I then update the Makefile to reflect this.

Thus the Makefile should reflect the current state of ALLOW_CHANGE_PASSWORD on different systems.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From twinders at SPC.cc.tx.us Mon Jun 8 17:58:20 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <357C1F85.99646B57@whistle.com>
Message-ID:

On Mon, 8 Jun 1998, Jeremy Allison wrote:

> Tim Winders wrote:
>
> > Jeremy -
> >
> > Do you have any additional UNIX systems on your list to add the
> > ALLOW_CHANGE_PASSWORD capability to?
> >
>
> Well I rely on people telling us that the ALLOW_CHANGE_PASSWORD
> code works on their OS revision - I then update the Makefile
> to reflect this.
>
> Thus the Makefile should reflect the current state of ALLOW_CHANGE_PASSWORD
> on different systems.

Ah. Well, it DOES NOT work under Digital Unix 4.0D. I submitted a bug report as well as a gdb result from the core file that is dumped when one tries to change a password from Win95 with ALLOW_CHANGE_PASSWORD compiled...

=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us             |
| Network Administrator  | Phone: 806-894-9611 x 2369               |
| South Plains College   | Fax:   806-897-4711                      |
---------------------------------------------------------------------

From william at hae.com Mon Jun 8 18:24:42 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

Can one of the FAQ maintainers start a password change matrix of what works vs. what doesn't work vs. what password database vs. whether NT/95 vs. can/cannot change UNIX password.

This whole thing is getting out of hand. Searching the archives is becoming difficult, because it takes a lot of work to make sure you are on the right page. For instance, I was under the impression that NT machines were changing passwords on SAMBA PDC's from message 0704 in the samba-ntdom list (search on "happily"). It appears this is not the case because of a message today from Jeremy saying it was on his list to add it.

If you need some help in this regard, I would be happy to setup a quick chart, if you could give me the latest status on the above.

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."

On Tue, 9 Jun 1998, Tim Winders wrote:

> Date: Tue, 9 Jun 1998 03:55:54 +1000
> From: Tim Winders
> To: Multiple recipients of list
> Subject: Re: Must a Samba PDC use encrypted passwords?
>
> On Mon, 8 Jun 1998, Jeremy Allison wrote:
>
> > Tim Winders wrote:
> >
> > > Jeremy -
> > >
> > > Do you have any additional UNIX systems on your list to add the
> > > ALLOW_CHANGE_PASSWORD capability to?
> > >
> >
> > Well I rely on people telling us that the ALLOW_CHANGE_PASSWORD
> > code works on their OS revision - I then update the Makefile
> > to reflect this.
> >
> > Thus the Makefile should reflect the current state of ALLOW_CHANGE_PASSWORD
> > on different systems.
>
> Ah. Well, it DOES NOT work under Digital Unix 4.0D. I submitted a bug
> report as well as a gdb result from the core file that is dumped when one
> tries to change a password from Win95 with ALLOW_CHANGE_PASSWORD
> compiled...
>
> === Tim
>
> ---------------------------------------------------------------------
> | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us             |
> | Network Administrator  | Phone: 806-894-9611 x 2369               |
> | South Plains College   | Fax:   806-897-4711                      |
> ---------------------------------------------------------------------
>
>

From william at hae.com Mon Jun 8 18:28:03 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords? (fwd)
Message-ID:

Sorry to follow up to my own post... I meant a matrix to show the status of password support, not all of the PDC functionality.

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."

---------- Forwarded message ----------
Date: Mon, 8 Jun 1998 11:24:42 -0700 (PDT)
From: William Stuart
To: samba-ntdom@samba.anu.edu.au
Subject: Re: Must a Samba PDC use encrypted passwords?

Can one of the FAQ maintainers start a password change matrix of what works vs. what doesn't work vs. what password database vs. whether NT/95 vs. can/cannot change UNIX password.

This whole thing is getting out of hand. Searching the archives is becoming difficult, because it takes a lot of work to make sure you are on the right page. For instance, I was under the impression that NT machines were changing passwords on SAMBA PDC's from message 0704 in the samba-ntdom list (search on "happily"). It appears this is not the case because of a message today from Jeremy saying it was on his list to add it.

If you need some help in this regard, I would be happy to setup a quick chart, if you could give me the latest status on the above.

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."

From cartegw at Eng.Auburn.EDU Mon Jun 8 18:37:16 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References:
Message-ID: <357C2F5C.3766799A@eng.auburn.edu>

William Stuart wrote:
>
> Can one of the FAQ maintainers start a password change matrix of what
> works vs. what dosen't work vs. what password database vs. whether
> NT/95 vs. can/cannot change UNIX password.

The confusion is that people are talking about different things. See comments below.

> This whole thing is getting out of hand. Searching the archvies is
> becoming difficult, because it take a lot of work to make sure you are
> on the right page. For instance, I was under the impression that NT
> machines were changing passwords on SAMBA PDC's from message 0704 in
> the samba-ntdom list (search on "happily"). It appears this is not
> the case because of a message today from Jeremy saying it was on his
> list to add it.

Machines are "happily" changing their password. Not users. To my knowledge, changing your password on a Samba PDC from an NT client machine has never been supported nor advertised as working. The problem is in the encryption method ( NTLMSSP ? )

Windows 95 clients are able to change their password ( assuming the server supports the ALLOW_CHANGE_PASSWORD code ) via the control panel. The unix password is changed as well ( see the "unix password sync" option ).

Luke, could you comment on what has been checked in and works as far as alternative password databases are concerned? Is anything other than private/smbpasswd supposed to work with samba acting as a PDC yet?

Corrections welcome as always,

j-

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From D.Bannon at latrobe.edu.au Mon Jun 8 23:28:17 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID: <3.0.3.32.19980609092817.00872920@bioserve.biochem.latrobe.edu.au>

At 23:00 08/06/1998 +1000, Luke Kenneth Casson Leighton wrote:

>being honest: i have no idea. someone (please check the archives) said,
>"i've written this program that does both unix and samba passwords" i
>said, "great, send me a copy i'll put in the contributed directory".
>

Luke,

Are you possibly thinking of my very basic programme to replace the unix passwd programme. I wrote it somewhat earlier in the NTDomain history and have been using it since then. Works fine in our simple environment. I believe a number of other people are using it too. I was a bit 'shy' of putting it in the contributed directory at the time and posted it via my web page, http://bioserve.latrobe.edu.au/about/passwd.c.txt .

I now see the reason for sending such stuff directly to the 'Samba Central', how do I do so ?

David

------------------------------------------------------------
David Bannon                     D.Bannon@latrobe.edu.au
School of Biochemistry           Phone 61 03 9479 2197
La Trobe University, Plenty Rd,  Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083   http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From tavis at mahler.econ.columbia.edu Tue Jun 9 06:01:43 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3.0.3.32.19980609092817.00872920@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Tue, 9 Jun 1998, David Bannon wrote:

> Luke,
> Are you possibly thinking of my very basic programme to replace the unix
> passwd programme. I wrote it somewhat earlier in the NTDomain history and
> have been using it since then. Works fine in our simple enviroment. I
> believe a number of other people are using it too. I was a bit 'shy' of
> putting it in the contributed directory at the time and posted it via my
> web page, http://bioserve.latrobe.edu.au/about/passwd.c.txt .

I tested this code out on SunOS 4.1.3, and found a number of things that didn't work right:

(1) There is no header file "mode.h" in my system, although when I commented it out, nothing failed to compile

(2) SunOS does not use the passwd.dir and passwd.pag files; hence it does not have /sbin/mkpasswd. This command failed and reported an error, but /etc/passwd and ~/smbpasswd were still updated correctly.

(3) Upon successful completion, it changed the permissions on /etc/passwd to make it readable only by root. (!!!!!!!!!!!!!!!!!!!!)

(4) It only worked correctly for non-privileged users when run setuid root, but smbpasswd only works correctly when _not_ setuid root.

Anyway, it's a nifty little program and I don't know if you ever intended to make it operable beyond your own system, but if you do perhaps we can work on fixing the above.

Cheers,
Tavis

From caesmb at lab2.cc.wmich.edu Tue Jun 9 12:16:44 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

> a new option has been added: "update encrypted". run with this for a
> week; then move over to "encrypt passwords".

Just to clarify this in my mind... If I have "update encrypted" I have to have "encrypt passwords" off, which effectively breaks PDC functionality, right?

Kevin

From twinders at SPC.cc.tx.us Tue Jun 9 12:36:16 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Tue, 9 Jun 1998, Tavis Barr wrote:

> (2) SunOS does not use the passwd.dir and passwd.pag files; hence it does
> not have /sbin/mkpasswd. This command failed and reported an error, but
> /etc/passwd and ~/smbpasswd were still updated correctly.

I am using Digital Unix 4.0D. My system DOES make use of the passwd.dir and passwd.pag files, but the /usr/sbin/mkpasswd command dumps core on me when it is run as /usr/sbin/mkpasswd /etc/passwd. The man page says it is from the expect toolkit and generates a random password and optionally applies it to a user. It looks like the command has changed from DU 3.2 to 4.0.

> (3) Upon successful completion, it changed the permissions on /etc/passwd
> to make it readable only by root. (!!!!!!!!!!!!!!!!!!!!)

I had the same problem.

> (4) It only worked correctly for non-privileged users when run setuid
> root, but smbpasswd only works correctly when _not_ setuid root.

I believe this is a new setting for smbpasswd. I *THINK* it used to have to be setuid root. Now it cannot be...

> Anyway, it's a nifty little program and I don't know if you ever intended
> to make it operable beyond your own system, but if you do perhaps we can
> work on fixing the above.

echo, echo

=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE  | Email: TWinders@SPC.cc.tx.us |
| Network Administrator   | Phone: 806-894-9611 x 2369   |
| South Plains College    | Fax:   806-897-4711          |
---------------------------------------------------------------------

From cartegw at Eng.Auburn.EDU Tue Jun 9 16:02:54 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Tue, 9 Jun 1998, CAE Samba Admin wrote:
>
> > a new option has been added: "update encrypted". run with this for a
> > week; then move over to "encrypt passwords".
>
> Just to clarify this in my mind... If I have "update encrypted" I
> have to have "encrypt passwords" off, which effectively breaks PDC
> functionality, right?
>

Yup. Just a thought. Has anyone tried using this with the "password server" option as a way to get accounts from an NT PDC as a migration strategy?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                 Engineering Network Services
Auburn University                       jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From mhw at wittsend.com Tue Jun 9 16:26:46 1998
From: mhw at wittsend.com (Michael H. Warfield)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: from "Gerald W. Carter" at Jun 10, 98 02:07:15 am
Message-ID: <199806091626.MAA05630@alcove.wittsend.com>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 1718 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980609/e0d57699/attachment.bat

From jallison at whistle.com Tue Jun 9 16:44:14 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <199806091626.MAA05630@alcove.wittsend.com>
Message-ID: <357D665E.3E3650EC@whistle.com>

Michael H. Warfield wrote:
>
> Gerald W. Carter enscribed thusly:
>
> > On Tue, 9 Jun 1998, CAE Samba Admin wrote:
> > >
> > > > a new option has been added: "update encrypted". run with this for a
> > > > week; then move over to "encrypt passwords".
> > >
> > > Just to clarify this in my mind... If I have "update encrypted" I
> > > have to have "encrypt passwords" off, which effectively breaks PDC
> > > functionality, right?
> > >
> > Yup. Just a thought. Has anyone tried using this with "password server"
> > option as a way to get accounts from an NT PDC as a migration strategy?
>
> What a *wonderful* idea !!!! Thanks Gerald !
>
> Oh man yes! That is exactly what I need. I have a Samba server
> that I would like as the PDC for our engineering domain and I would like
> to migrate users from our ADMIN domain by doing just that. Let the box
> authenticate against the other domain's PDC and build up a migrated database!
> The other domain could be another Samba PDC or could be (as in this case)
> an NT PDC. This would be real handy.
>
> Will see if this works or what it breaks in the process!
>

Let me know if this fails to work - I'll work on the code until it does - this is *far* too useful to not work :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Tue Jun 9 17:12:48 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <3.0.3.32.19980609092817.00872920@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Tue, 9 Jun 1998, David Bannon wrote:

> At 23:00 08/06/1998 +1000, Luke Kenneth Casson Leighton wrote:
> >
> >being honest: i have no idea. someone (please check the archives) said,
> >"i've written this program that does both unix and samba passwords" i
> >said, "great, send me a copy i'll put in the contributed directory".
> >
>
> Luke,
> Are you possibly thinking of my very basic programme to replace the unix
> passwd programme.

oh, probably.

> I wrote it somewhat earlier in the NTDomain history and
> have been using it since then. Works fine in our simple environment. I
> believe a number of other people are using it too. I was a bit 'shy' of
> putting it in the contributed directory at the time

i'm not!!!

> and posted it via my
> web page, http://bioserve.latrobe.edu.au/about/passwd.c.txt .
> I now see the reason for sending such stuff directly to the 'Samba
> Central',

yep.

> how do I do so ?

send it to me: i log in to samba.anu.edu.au and ftp it to there from my computer at cb1.

From abs at maunsell.co.uk Tue Jun 9 18:50:50 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: ; from Gerald W. Carter on Wed, Jun 10, 1998 at 02:07:13AM +1000
References:
Message-ID: <19980609195050.63634@maunsell.co.uk>

On Wed, Jun 10, 1998 at 02:07:13AM +1000, Gerald W. Carter wrote:
>
> On Tue, 9 Jun 1998, CAE Samba Admin wrote:
> >
> > > a new option has been added: "update encrypted". run with this for a
> > > week; then move over to "encrypt passwords".
> >
> > Just to clarify this in my mind... If I have "update encrypted" I
> > have to have "encrypt passwords" off, which effectively breaks PDC
> > functionality, right?
> >
>
> Yup. Just a thought. Has anyone tried using this with "password server"
> option as a way to get accounts from an NT PDC as a migration strategy?

I am migrating UNIX NIS users to NT at a rate of about 5 per week for the next 3 months; I could really do with a strategy to automate it. I've read as much as I can find, but I still can't see how to use this in my particular situation:-

I have a samba PDC (security = user), several samba domain clients (security = domain) and an armful of NT4/sp3 desktops. If I set encryption = no and 'update encrypted' on the PDC, I have to visit every existing NT4 desktop to tweak the registry to use cleartext, or all the current users (71 so far) will fail to log in, won't they? I already assumed that I missed that boat.

So, have I misinterpreted 'migration' completely, and you mean migrating existing samba users? (all my samba users are first timers) Or have I missed something that allows me to have the samba domain clients culling hashes?

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk

From cartegw at Eng.Auburn.EDU Tue Jun 9 19:59:40 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <19980609195050.63634@maunsell.co.uk>
Message-ID: <357D942C.9C424E26@eng.auburn.edu>

Andy Smith wrote:
>
> I am migrating UNIX NIS users to NT at a rate of about 5 per week for
> the next 3 months, I could really do with a strategy to automate it.
> I've read as much as I can find, but I still can't see how to use this
> in my particular situation :-

It may not help you here. See my comments at the end.

> I have a samba PDC (security = user) several samba domain clients
> (security = domain) and an armful of NT4/sp3 desktops. If I set
> encryption = no and 'update encrypted' on the PDC, I have to visit
> every existing NT4 desktop to tweak the registry to use cleartext, or
> all the current users (71 so far) will fail to log in won't they? I
> already assumed that I missed that boat.

Not if you edit the registry remotely. There are several ways to do this. If you have a domain admin account, then that simplifies things immensely. Use regedit.exe and connect remotely and import the EnablePlainTextPassword setting.

> So, have I misinterpreted 'migration' completely, and you mean
> migrating existing samba users? (all my samba users are first timers)
> Or have I missed something that allows me to have the samba domain
> clients culling hashes?

Here's what I was thinking. It really had more to do with migrating accounts from an NT PDC than NIS. The migration itself is designed to work with current Samba / Win95 users or possibly NT domain users. Could also work if your NT boxes are sending clear text ( and hence the users are being annoyed by having to enter the password for every first connection to a different samba server ).

My idea was to have a samba server that was set to "security = server" and the NT clients had the plaintext passwd enabled.
During the login script to the NT controlled domain, a share would be mapped from the samba server which would validate against the NT PDC. Since the user had already logged into the domain, this would succeed and the Samba server would put an encrypted version of the user's passwd in private/smbpasswd.

This sort of strategy assumes a couple of things.

1. The password is sent in clear text to the samba server. I am not sure if this is the case using the "passwd server" option. I am guessing it is.

2. All users already have accounts on the NT PDC.

Make any more sense? Corrections welcome as always, :)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                 Engineering Network Services
Auburn University                       jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Tue Jun 9 20:00:51 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Migration from NT PDC [ was Re: Must a Samba PDC use encrypted passwords?]
References: <19980609195050.63634@maunsell.co.uk>
Message-ID: <357D9473.D33DB3C4@eng.auburn.edu>

Sorry. I meant to start a new thread on this with my last message. Hope that's OK with everyone.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                 Engineering Network Services
Auburn University                       jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From caesmb at lab2.cc.wmich.edu Tue Jun 9 20:21:42 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin)
Date: Tue Dec 2 02:24:15 2003
Subject: smbpasswd delete users
Message-ID:

Hello,

smbpasswd seems to be missing a rather key function... Is it still undocumented, or can smbpasswd delete users from the smbpasswd file? Is this functionality left out on purpose? I have the need to delete users out of the file, as I assume most people do. However, besides the inconvenience of using text editors/filters, I have concerns about one of these programs editing the smbpasswd file while samba is trying to access it or someone is changing a password. Do you plan on implementing a delete function in smbpasswd very soon? If not, how do I go about locking the smbpasswd file?

Kevin

From jallison at whistle.com Tue Jun 9 20:49:10 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:15 2003
Subject: smbpasswd delete users
References:
Message-ID: <357D9FC6.6D190A47@whistle.com>

CAE Samba Admin wrote:
>
> smbpasswd seems to be missing a rather key function... Is it
> still undocumented or can smbpasswd delete users from the smbpasswd file.
> Is this functionality left out on purpose? I have the need to delete
> users out of the file, as I assume most people do. However, besides the
> inconvenience of using text editors/filters, I have concerns about one of
> these programs editing the smbpasswd file while samba is trying to access
> it or someone is changing a password. Do you plan on implementing a
> delete function to smbpasswd very soon? If not, how do I go about locking
> the smbpasswd file?
>

True, it's missing. It needs a function to create a new smbpasswd file, then lock the original exclusively, then go through all the current smbpasswd entries, writing all but the entry targeted for delete. Finally, it needs to do a rename of the old file, and a move into place of the new file. This means some slightly fiddly locking code to ensure that all other smbd's see a consistent view of the smbpasswd db at all times (or at least retry when they don't). It's more fiddly than doing an add (which is just appending a record), which is why it isn't written yet.

Moving to a gdbm based smbpasswd file would make this much easier, and currently I was waiting until this work to do the delete functionality. But if you want to write it now, be my guest :-).

Regards,

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From abs at maunsell.co.uk Tue Jun 9 21:52:41 1998
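The copy-then-rename deletion Jeremy sketches above, written out as an added example in Python; this is not Samba's code and never became part of smbpasswd. It assumes a colon-separated smbpasswd file whose first field is the user name, uses an advisory flock() for the exclusive lock on the live file, and publishes the new copy with an atomic rename in the same directory; the sample entries are constructed, not real hashes.

```python
"""Delete one user from an smbpasswd-style file without leaving readers
(other smbd's, a concurrent password change) with a half-written file.

Assumptions (added example, not Samba code): one entry per line, fields
separated by ':' with the user name first, comment lines start with '#'.
"""
import fcntl
import os
import stat
import tempfile
from typing import Optional


class SmbpasswdError(Exception):
    """Raised when the requested user has no entry in the file."""


def _entry_user(line: str) -> Optional[str]:
    """User name of an entry line; None for blank, comment or malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or ":" not in stripped:
        return None
    return stripped.split(":", 1)[0]


def delete_smbpasswd_user(path: str, username: str) -> int:
    """Remove every entry for `username` from `path`; return how many were removed.

    The live file is locked exclusively for the whole operation, so any tool that
    takes the same advisory lock (an 'add' or a password change) waits. Readers
    that do not lock still see either the complete old file or the complete new
    one, because the replacement is a rename within the same directory.
    """
    if not username or ":" in username or "\n" in username or "\r" in username:
        raise ValueError("invalid user name")

    # newline="" keeps each line's own terminator so the copy is byte-faithful.
    with open(path, "r", encoding="latin-1", newline="") as live:
        fcntl.flock(live.fileno(), fcntl.LOCK_EX)
        original_mode = stat.S_IMODE(os.fstat(live.fileno()).st_mode)
        kept, removed = [], 0
        for line in live:
            if _entry_user(line) == username:
                removed += 1
            else:
                kept.append(line)
        if removed == 0:
            raise SmbpasswdError(f"no entry for {username!r} in {path}")

        # Build the replacement next to the original (same filesystem) so the
        # final rename is atomic; fsync before publishing it.
        directory = os.path.dirname(os.path.abspath(path))
        tmp_fd, tmp_path = tempfile.mkstemp(prefix=".smbpasswd.", dir=directory)
        try:
            with os.fdopen(tmp_fd, "w", encoding="latin-1", newline="") as tmp:
                os.fchmod(tmp.fileno(), original_mode)  # keep the original's bits
                tmp.writelines(kept)
                tmp.flush()
                os.fsync(tmp.fileno())
            os.replace(tmp_path, path)
        except BaseException:
            # A half-written copy still holds password hashes: never leave it behind.
            try:
                os.unlink(tmp_path)
            except FileNotFoundError:
                pass
            raise
        # Make the new directory entry durable as well.
        dir_fd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dir_fd)
        finally:
            os.close(dir_fd)
        # The lock is released when `live` (the now-unlinked old inode) closes.
    return removed


# Constructed sample entries: 32 hex digits per hash field, not real hashes.
SAMPLE_ENTRIES = [
    "# comment line kept verbatim\n",
    "alice:1001:" + "A" * 32 + ":" + "B" * 32 + ":[U          ]:LCT-00000000:\n",
    "bob:1002:" + "C" * 32 + ":" + "D" * 32 + ":[U          ]:LCT-00000000:\n",
    "carol:1003:" + "E" * 32 + ":" + "F" * 32 + ":[U          ]:LCT-00000000:\n",
]


def _write_sample(directory: str) -> str:
    path = os.path.join(directory, "smbpasswd")
    with open(path, "w", encoding="latin-1", newline="") as f:
        f.writelines(SAMPLE_ENTRIES)
    os.chmod(path, 0o600)
    return path


def demo_delete(username: str = "bob"):
    """Delete `username` from a sample file; return (removed, remaining users, mode, first line)."""
    with tempfile.TemporaryDirectory() as d:
        path = _write_sample(d)
        removed = delete_smbpasswd_user(path, username)
        with open(path, encoding="latin-1", newline="") as f:
            lines = f.readlines()
        remaining = [u for u in (_entry_user(l) for l in lines) if u is not None]
        return removed, remaining, stat.S_IMODE(os.stat(path).st_mode), lines[0]


def demo_missing_user(username: str = "dave") -> bool:
    """True if deleting an unknown user raises SmbpasswdError and leaves the file untouched."""
    with tempfile.TemporaryDirectory() as d:
        path = _write_sample(d)
        try:
            delete_smbpasswd_user(path, username)
        except SmbpasswdError:
            with open(path, encoding="latin-1", newline="") as f:
                return f.readlines() == SAMPLE_ENTRIES
        return False
```

A writer that opened the old inode by path before the rename and did not take the lock would update the orphaned copy, which is the consistency problem Jeremy mentions; the advisory lock only helps tools that cooperate.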
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: <357D942C.9C424E26@eng.auburn.edu>; from Gerald Carter on Tue, Jun 09, 1998 at 02:59:40PM -0500
References: <19980609195050.63634@maunsell.co.uk> <357D942C.9C424E26@eng.auburn.edu>
Message-ID: <19980609225241.48905@maunsell.co.uk>

On Tue, Jun 09, 1998 at 02:59:40PM -0500, Gerald Carter wrote:
>
> Here's what I was thinking. It really had more to do with migrating
> accounts from an NT PDC than NIS. The migration itself is designed to
>
> [handy explanation snipped]
>
> Make any more sense?

Yup, thanks, it was obvious once you'd confirmed the above.

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk

From abs at maunsell.co.uk Tue Jun 9 22:24:00 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To: ; from William Stuart on Tue, Jun 09, 1998 at 01:13:51PM -0700
References: <19980609195050.63634@maunsell.co.uk>
Message-ID: <19980609232400.64188@maunsell.co.uk>

On Tue, Jun 09, 1998 at 01:13:51PM -0700, William Stuart wrote:
>
> A way to automate this process (assuming your users have the right to
> modify their registries) you could email the *.reg file found on the SAMBA
> web site. Your users then double-click on the file and it changes the
> keys.
>
> Later, after you're sure you have all the accounts, you can send them an
> email with a *.reg file that will set them back.
>
> It all depends on how much you trust your users.

I know most (but not all) at least to speak to. There isn't a 'trust' problem. Let's be clear, they have mostly been doing CAD here on UNIX workstations for 10 years; this is a *huge* change in culture for them. Even the hotshots who have their own equipment at home are finding NT != W95.

Your idea about mailing *.reg is a good one, except that in this case, they've got rather a lot on their plate; I would choose not to distract them at this time.

I will test the authority of a domain user tomorrow when I get back to work. My feeling is that since I have taken no special measures like domain groups = admins (which I found not to work BTW), this probably would need some changes to my configuration.

Anyway, I can see that in principle, this could be a way forward, thanks.

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk

From abs at maunsell.co.uk Tue Jun 9 22:41:57 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:15 2003
Subject: Compiling for Solaris 2.4
Message-ID: <19980609234157.30571@maunsell.co.uk>

For reasons which are out of my control, for the foreseeable future (well, at least up to 31/12/1999), I have to support samba on Solaris 2.4. The latest code updated using CVS does not compile out of the box; I have patches that fix this. Should I send them here?

Likewise, I have a number of print/plot devices currently residing on INTERACTIVE unix boxes; it would be real good to run samba there so I can migrate these devices in my own time. My version of IUS (4.1 without the maintenance update) is missing some pretty basic stuff, especially atexit(), but nonetheless, I have compiled and am running a version of the current cvs code. Should I send these patches as well?

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk

From samba at aquasoft.com.au Tue Jun 9 23:13:25 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:24:15 2003
Subject: Compiling for Solaris 2.4
In-Reply-To: <19980609234157.30571@maunsell.co.uk>
Message-ID:

Andy,

Please send your patches to samba-bugs@samba.anu.edu.au. If we can get the time they should make it into the next update due this week-end.

Cheers,
John H Terpstra - Samba-Team

On Wed, 10 Jun 1998, Andy Smith wrote:

> For reasons which are out of my control, for the foreseeable future, (well,
> at least up to 31/12/1999), I have to support samba on Solaris 2.4. The
> latest code updated using CVS does not compile out of the box, I have
> patches that fix this. Should I send them here?
>
> Likewise, I have a number of print/plot devices currently residing on
> INTERACTIVE unix boxes, it would be real good to run samba there so I can
> migrate these devices in my own time. My version of IUS (4.1 without
> the maintenance update) is missing some pretty basic stuff, especially
> atexit(), but nonetheless, I have compiled and am running a version of the
> current cvs code. Should I send these patches as well?
>
> --
> _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
> /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
> ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
> / England. -or- abs@maunsl00.demon.co.uk
>

From jallison at whistle.com Tue Jun 9 23:19:07 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:15 2003
Subject: Compiling for Solaris 2.4
References: <19980609234157.30571@maunsell.co.uk>
Message-ID: <357DC2EB.7190C105@whistle.com>

Andy Smith wrote:
>
> For reasons which are out of my control, for the foreseeable future, (well,
> at least up to 31/12/1999), I have to support samba on Solaris 2.4. The
> latest code updated using CVS does not compile out of the box, I have
> patches that fix this. Should I send them here?
>

Mail them to samba-bugs@samba.anu.edu.au and I'll integrate them, thanks.

> Likewise, I have a number of print/plot devices currently residing on
> INTERACTIVE unix boxes, it would be real good to run samba there so I can
> migrate these devices in my own time. My version of IUS (4.1 without
> the maintenance update) is missing some pretty basic stuff, especially
> atexit(), but nonetheless, I have compiled and am running a version of the
> current cvs code. Should I send these patches as well?
>

Yes please, same place.

Cheers,

Jeremy.

--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Wed Jun 10 11:02:38 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Tue, 9 Jun 1998, CAE Samba Admin wrote:
>
> > a new option has been added: "update encrypted". run with this for a
> > week; then move over to "encrypt passwords".
>
> Just to clarify this in my mind... If I have "update encrypted" I
> have to have "encrypt passwords" off, which effectively breaks PDC
> functionality, right?

correct. but you should have only been running "update encrypted" for 3 to 7 days _prior_ to enabling "encrypt passwords", therefore this situation should not really occur.

what you _could_ do is have:

include = smb.conf.%m

and have two different netbios names for your machine, one with update encrypted, the other with encrypt passwords.

From cartegw at Eng.Auburn.EDU Wed Jun 10 13:13:17 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
References: <19980609232400.64188@maunsell.co.uk>
Message-ID: <357E866D.EB0B28B2@eng.auburn.edu>

Andy Smith wrote:
>
> On Tue, Jun 09, 1998 at 01:13:51PM -0700, William Stuart wrote:
> >
> > A way to automate this process (assuming your users have the right
> > to modify their registries) you could email the *.reg file found on
> > the SAMBA web site. Your users then double-click on the file and
> > it changes the keys.
> >
> > Later, after you're sure you have all the accounts, you can send them
> > an email with a *.reg file that will set them back.

Hmmm.... IMHO this value should not be accessible for users to modify. Big security hole. I'd also like to remove the association between the registry editor and *.reg files.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter                 Engineering Network Services
Auburn University                       jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From wasse at CS.bgu.ac.il Wed Jun 10 13:31:48 1998
From: wasse at CS.bgu.ac.il (wass eran)
Date: Tue Dec 2 02:24:15 2003
Subject: subscribe
Message-ID:

subscribe

________________________________________________
\ Ayranne(Eran) Wass \ \ System Administration Group \ | Ben Gurion University - Computer Science | \ | \ E-MAIL: wasse@cs.bgu.ac.il \ \ HOME-PAGE: www.cs.bgu.ac.il/~wasse \ \ \ \_______________________________________________\

From wasse at CS.bgu.ac.il Wed Jun 10 13:33:40 1998
From: wasse at CS.bgu.ac.il (wass eran)
Date: Tue Dec 2 02:24:15 2003
Subject: BRANCH_NTDOM, acquiring without the use of cvs
Message-ID:

hi,

i have problems with abroad connections; only if i use http connections do i get fast speeds. my question is - is there any way to add the BRANCH_NTDOM to my samba without the cvs?

________________________________________________
\ Ayranne(Eran) Wass \ \ System Administration Group \ | Ben Gurion University - Computer Science | \ | \ E-MAIL: wasse@cs.bgu.ac.il \ \ HOME-PAGE: www.cs.bgu.ac.il/~wasse \ \ \ \_______________________________________________\

From jengelha at gac.edu Wed Jun 10 16:02:41 1998
From: jengelha at gac.edu (Jeff S Engelhardt)
Date: Tue Dec 2 02:24:15 2003
Subject: machine account invalid
Message-ID: <199806101602.LAA06280@sallinen.it.gac.edu>

I have just added a machine to the domain, and now when I try to log onto a domain account from that machine, it tells me that the system's password does not exist or the password is invalid. Following is a message that I get from the smb log. I do have the machine account in smbpasswd and I think everything else is set correctly for domain administering. Lunen is the server, demo-pc is the client, and roaming is the domain name.

Any help would be greatly appreciated.

Thank you
Jeff Engelhardt
jengelha@gac.edu

server request level: B16BBDz 3fffffff domains_req:No local_only:No Servertype search: 3fffffff s: dom mismatch ROAMING 80001000 DEMO-PC ROAMING **SV** LUNEN 9b0b Samba 1.9.19-prealpha ROAMING **SV** DEMO-PC 51003 ROAMING fill_srv_info DEMO-PC 51003 ROAMING fill_srv_info LUNEN 9b0b Samba 1.9.19-prealpha ROAMING fill_srv_info DEMO-PC 51003 ROAMING fill_srv_info LUNEN 9b0b Samba 1.9.19-prealpha ROAMING NetServerEnum domain = ROAMING uLevel=1 counted=2 total=2 copy_trans_params_and_data: params[0..8] data[0..75]

From cartegw at Eng.Auburn.EDU Wed Jun 10 16:10:51 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:15 2003
Subject: machine account invalid
References: <199806101602.LAA06280@sallinen.it.gac.edu>
Message-ID: <357EB00B.88469582@eng.auburn.edu>

Jeff S Engelhardt wrote:
>
> I have just added a machine to the domain, and now when I try to
> log onto a domain account from that machine, it tells me that
> the systems password does not exist or the password is invalid.
> Following is a message that I get from the smb log. I do have the
> machine account in smbpasswd and I think everything else is set
> correctly for domain administering. Lunen is the server, demo-pc
> is the client, and roaming is the domain name.
>
> Any help would be greatly appreciated.
>

Jeff,

Could you send the smbpasswd entry for the machine as well as the [netlogon] and [global] section of smb.conf. Let's look at these first and then log files with a debug level of 20 if necessary.

Thanks,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter                 Engineering Network Services
Auburn University                       jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 )

From gavin at mindless.anarki.net Wed Jun 10 14:52:43 1998
From: gavin at mindless.anarki.net (Gavin Unsworth)
Date: Tue Dec 2 02:24:15 2003
Subject: which branch is current?
Message-ID:

Hello,

I've been using samba for the last few months on our small NT/95/Mac/Linux network at work and am very impressed. Excellent work! I've been following this list from the archives and have finally decided to join, as after so long I'm starting to have questions I can't answer by scouring FAQs and archives.

I understand that the NTDOM branch is being migrated into the main branch. Which one then is the most current? I haven't seen an announcement that NTDOM is dead yet. I also understand it's no longer necessary to obtain arcfour.o or to specify -DNTDOMAIN when compiling from the main branch. Does this hold for the NTDOM branch also? I've been playing around with both and am getting different behaviour.

At the moment, I'm using the latest main branch code from the CVS repository and seem to have 'lost' domain admin users. The clients are NT4.0 workstations. Any users are authenticated OK, but after logging in get the welcome screen and have no privileges, as if they were guest users. The same occurs for non domain admin users. Do I need to specify domain groups = (magic number for users groups which I can't seem to find)?

__
| My hat today could be...
Gavin Unsworth | Triple Zed 102.1MHz Brisbane www.4zzzfm.org.au
gavin@mindless.anarki.net | Radio 4EB 1053kHz Brisbane www.4eb.org.au
www.mindless.anarki.net | @net www.anarki.net

From caesmb at lab2.cc.wmich.edu Wed Jun 10 17:17:14 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

> correct. but you should have only been running "update encrypted" for 3
> to 7 days _prior_ to enabling "encrypt passwords" therefore this situation
> should not really occur.

Well, this is fine and dandy if you are migrating from having people connect to a non-PDC samba box towards a PDC, but when you are starting out in a homogeneous NT environment, never having had samba running for other than test purposes, this is rather pointless, as a user won't be able to sit down at an NT box and type in their username and password to login without having *first* been in the smbpasswd file.

> what you _could_ do is have:
>
> include = smb.conf.%m
>
> and have two different netbios names for your machine, one with update
> encrypted the other with encrypt passwords.

Chicken before the egg. I don't see what you are getting at here.

Kevin

From lkcl at switchboard.net Wed Jun 10 17:22:55 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Wed, 10 Jun 1998, CAE Samba Admin wrote:
>
> > correct. but you should have only been running "update encrypted" for 3
> > to 7 days _prior_ to enabling "encrypt passwords" therefore this situation
> > should not really occur.
>
> Well, this is fine and dandy if you are migrating from having
> people connect to non-PDC samba box towards a PDC, but when you are
> starting out in a homogeneous NT environment never having had samba
> running for other than test purposes, this is rather pointless as a user
> won't be able to sit down at an NT box and type in their username and
> password to login without having *first* been in the smbpasswd file.

ok, then under _these_ circumstances, in a pre-existing NT network, you want to use the PWDUMP utility (by jeremy allison) or its NT server admin / resource kit equivalent (don't know exactly where this is). you will be able to obtain the 16 byte NT and LM hashes using either of these programs, from which a private/smbpasswd file can directly be created.

luke

From jallison at whistle.com Wed Jun 10 17:16:06 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:15 2003
Subject: which branch is current?
References:
Message-ID: <357EBF56.50AEA95B@whistle.com>

Gavin Unsworth wrote:
>
> I understand that the NTDOM branch is being migrated into the main branch.
> Which one then is the most current? I haven't seen an announcement that
> NTDOM is dead yet. I also understand it's no longer necessary to obtain
> arcfour.o or to specify -DNTDOMAIN when compiling from the main branch.
>

Ok - here's the announcement.

The NTDOM branch is dead. Long live the head branch :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Wed Jun 10 17:30:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:15 2003
Subject: Must a Samba PDC use encrypted passwords?
In-Reply-To:
Message-ID:

On Wed, 10 Jun 1998, CAE Samba Admin wrote:
>
> > correct. but you should have only been running "update encrypted" for 3
> > to 7 days _prior_ to enabling "encrypt passwords" therefore this situation
> > should not really occur.
>
> Well, this is fine and dandy if you are migrating from having
> people connect to non-PDC samba box towards a PDC, but when you are
> starting out in a homogeneous NT environment never having had samba
> running for other than test purposes, this is rather pointless as a user
> won't be able to sit down at an NT box and type in their username and
> password to login without having *first* been in the smbpasswd file.
>
> > what you _could_ do is have:
> >
> > include = smb.conf.%m
> >
> > and have two different netbios names for your machine, one with update
> > encrypted the other with encrypt passwords.
>
> Chicken before the egg. I don't see what you are getting at here.

ah - this was based on the assumption that your network was a pre-existing samba environment with clear-text passwords, and you were upgrading the samba server to PDC status. this is the situation in which "update encrypted" is appropriate, and none other.

the solution for you as described in the previous post, going effectively for a migration from NT to samba, is to use PWDUMP or the NT server admin equivalent, and to create the smbpasswd file from this output.

good luck!

luke

From caesmb at lab2.cc.wmich.edu Wed Jun 10 17:31:39 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin) Date: Tue Dec 2 02:24:15 2003 Subject: Must a Samba PDC use encrypted passwords? In-Reply-To: Message-ID: > > Well, this is fine and dandy if you are migrating from having > > people connect to non-PDC samba box towards a PDC, but when you are > > starting out in a homogeneous NT environment never having had samba > > running for other than test purposes, this is rather pointless as a user > > won't be able to sit down at an NT box and type in their username and > > password to login without having *first* been in the smbpasswd file. > > ok, then under _these_ circumstances, in a pre-existing NT network, you > want to use the PWDUMP utility (by jeremy allison) or its NT server admin > / resource kit equivalent (don't know exactly where this is). True we are going from an existing NT network, but we aren't looking to replace NT. The samba server is on the machine with the campus wide user database, so we aren't really migrating from NT either. We're starting from ground zero, and unfortunately there doesn't seem to be any clean method to get all the users from the unix passwd database into the smbpasswd file. There are several thousand users in that database and only a few hundred will use our lab, which is currently the only one which will be authenticating against samba. We have no way of knowing who exactly those few hundred users will be. We'd just dump everyone into the smbpasswd file if we could find a *secure* way to seamlessly change their smbpasswd when they change their unix passwd. However, there doesn't seem to be a mechanism for this yet. Kevin From lkcl at switchboard.net Wed Jun 10 17:45:36 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:16 2003 Subject: Must a Samba PDC use encrypted passwords? In-Reply-To: Message-ID: On Wed, 10 Jun 1998, CAE Samba Admin wrote: > > > > Well, this is fine and dandy if you are migrating from having > > > people connect to non-PDC samba box towards a PDC, but when you are > > > starting out in a homogeneous NT environment never having had samba > > > running for other than test purposes, this is rather pointless as a user > > > won't be able to sit down at an NT box and type in their username and > > > password to login without having *first* been in the smbpasswd file. > > > > ok, then under _these_ circumstances, in a pre-existing NT network, you > > want to use the PWDUMP utility (by jeremy allison) or its NT server admin > > / resource kit equivalent (don't know exactly where this is). > > True we are going from an existing NT network, but we aren't > looking to replace NT. The samba server is on the machine with the campus > wide user database, so we aren't really migrating from NT either. We're > starting from ground zero, and unfortunately there doesn't seem to be any > clean method to get all the users from the unix passwd database into the > smbpasswd file. ok, then another alternative is to use "security = server" or better, "security = domain". this will allow you to verify your users against an nt or samba pdc, selected with "password server = some_domain_controller". use the netbios name not the ip address for this option. yes, you are right: there is no clean way (yet) to get NT SAM information into a private/smbpasswd file: you would have to copy via some intermediate secure media. lukes From aperrin at demog.Berkeley.EDU Wed Jun 10 18:31:04 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:16 2003 Subject: Must a Samba PDC use encrypted passwords? In-Reply-To: Message-ID: Kevin, how about this as a scheme:
1.) set up the samba server as non-encrypted with update encrypted on for a while. Put a read-only [homes] share on it.
2.) Put a quick script in the Startup folder of the NT machines that's something like "cmd /c type \\server\homes\dummy.txt". This way upon logging in, each user gets their home directory mounted, thereby updating your smbpasswd file.
3.) When you're ready, switch to encryption on, and filter the smbpasswd file with a grep -v XXXXXXX which will give you all the lines that have a non-blank password.
As an alternative, you could keep a non-encrypted server running and the item in the startup folder so that new users get their pw created. --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Thu, 11 Jun 1998, CAE Samba Admin wrote: > > > > Well, this is fine and dandy if you are migrating from having > > > people connect to non-PDC samba box towards a PDC, but when you are > > > starting out in a homogeneous NT environment never having had samba > > > running for other than test purposes, this is rather pointless as a user > > > won't be able to sit down at an NT box and type in their username and > > > password to login without having *first* been in the smbpasswd file. > > > > ok, then under _these_ circumstances, in a pre-existing NT network, you > > want to use the PWDUMP utility (by jeremy allison) or its NT server admin > > / resource kit equivalent (don't know exactly where this is). 
> > True we are going from an existing NT network, but we aren't > looking to replace NT. The samba server is on the machine with the campus > wide user database, so we aren't really migrating from NT either. We're > starting from ground zero, and unfortunately there doesn't seem to be any > clean method to get all the users from the unix passwd database into the > smbpasswd file. > There are several thousand users in that database and only a few > hundred will use our lab, which is currently the only one which will be > authenticating against samba. We have no way of knowing who exactly those > few hundred users will be. We'd just dump everyone into the smbpasswd > file if we could find a *secure* way to seamlessly change their smbpasswd > when they change their unix passwd. However, there doesn't seem to be a > mechanism for this yet. > > Kevin > > > From cartegw at Eng.Auburn.EDU Wed Jun 10 18:34:56 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:16 2003 Subject: Creating private/smbpasswd [was Re: Must a Samba PDC use encrypted passwords?] References: Message-ID: <357ED1D0.7049E421@eng.auburn.edu> CAE Samba Admin wrote: > > There are several thousand users in that database and only a few > hundred will use our lab, which is currently the only one which will > be authenticating against samba. We have no way of knowing who > exactly those few hundred users will be. We'd just dump everyone into > the smbpasswd file if we could find a *secure* way to seamlessly > change their smbpasswd when they change their unix passwd. However, > there doesn't seem to be a mechanism for this yet. Same situation as here. Thousands of users but so far only about 300 accessing the NT lab machines. Here is our solution. Sorry I can't release any code with this explanation. Create a custom /bin/passwd that will change the entry in /etc/passwd and private/smbpasswd. Now **force** users to change their unix passwd before giving them access to the NT boxes. This will create the entry in private/smbpasswd or update it if one exists and therefore keep the accounts lists in sync. I know I have said this before ( as have others ) and I really don't mean to sound like a broken record. There have been other solutions such as using POP. Check the list archives for these. The basic idea is to get hold of the plain text and then send the change to both /etc/passwd and private/smbpasswd at the same time. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From D.Bannon at latrobe.edu.au Thu Jun 11 04:55:46 1998
From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:24:16 2003 Subject: Simple sync between smbpasswd and passwd In-Reply-To: Message-ID: <3.0.3.32.19980611145546.00836eb0@bioserve.biochem.latrobe.edu.au> This thread needed a new name. At 16:08 09/06/1998 +1000, you wrote: > >On Tue, 9 Jun 1998, David Bannon wrote: > > ... my very basic programme to replace the unix passwd programme... > http://bioserve.latrobe.edu.au/about/passwd.c.txt Unfortunately I only have access to DEC and linux at present. My DEC is a bit old (hey, if it's not broken, why fix it ?) and my linux is being rebuilt for another 'development'. I may be able to call on some friendships to get limited Sun access, not very satisfactory... (you know, 'can I write to your passwd file please ?'). > >I tested this code out on SunOs 4.1.3, and found a number of things that >didn't work right: > >(1) There is no header file "mode.h" in my system, Seems to go back to early OSF stuff, has some defines for stat. Unnecessary on my system, although a couple of man pages for functions like to mention it. Leave it out. > >(2) SunOS does not use the passwd.dir and passwd.pag files; hence it does >not have /sbin/mkpasswd. This command failed and reported an error, but >/etc/passwd and ~/smbpasswd were still updated correctly. I can easily set up a define to include (or not) such things. >(3) Upon successful completion, it changed the permissions on /etc/passwd >to make it readable only by root. (!!!!!!!!!!!!!!!!!!!!) Now, that would be a real beauty ! Someone else had the same problem. In the function FilterFile() there is a call to fchmod(.. 0x644). Can it be that that function is not implemented on other systems ???? >(4) It only worked correctly for non-privileged users when run setuid >root, but smbpasswd only works correctly when _not_ setuid root. Hmm... I am using a month or so old version of Samba NTDom, I have not been upgrading very often as what I had works for me at present. 
I did read somewhere a comment about smbpasswd changing its way of doing things there. I will be running up a linux box with samba in the next couple of days, I'll get the current copy and compare. >Anyway, it's a nifty little program and I don't know if you ever intended >to make it operable beyond your own system, but if you do perhaps we can >work on fixing the above. I don't think it is worth the effort of setting up pre compile config files, as long as the problems are solvable and documented then any programmer should be able to fiddle the header to get something working. I'll have a go at problem #4 in particular in the next couple of weeks if possible. (I'm going camping in Central Australia for 2 weeks soon, so it may be a bit longer). Any comments, suggestions etc are welcome. David ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From norm at city.ac.uk Thu Jun 11 11:18:16 1998 From: norm at city.ac.uk (NoRM) Date: Tue Dec 2 02:24:16 2003 Subject: HKEY_CURRENT_USER Message-ID: I'm having some problems with roaming profiles on my Samba PDC domain. Basically all users logging in via the PDC cannot alter their HKCU hive. Which makes the system quite unworkable in some senses. According to regedt32, that hive is owned by ntbox\administrators, who have full control, as do members of the system group. But 'everyone' has only read access. Um... help? :) Norman R. McBride http://www.city.ac.uk/~norm/ Computing Services, City University, England norm@city.ac.uk (MIME) "...the extreme case best illustrates the norm..." Stephen King From caesmb at lab2.cc.wmich.edu Thu Jun 11 12:20:32 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin) Date: Tue Dec 2 02:24:16 2003 Subject: Creating private/smbpasswd [was Re: Must a Samba PDC use encrypted passwords?] In-Reply-To: <357ED1D0.7049E421@eng.auburn.edu> Message-ID: > Same situation as here. Thousands of users but so far only about 300 > accessing the NT lab machines. Here is our solution. Sorry I can't > release any code with this explanation. Maybe you could give a few hints...? > Create a custom /bin/passwd that will change the entry in /etc/passwd > and private/smbpasswd. Now **force** users to change > their unix passwd before giving them access to the NT boxes. This > will create the entry in private/smbpasswd or update it if one exists > and therefore keep the accounts lists in sync. Currently we have a custom passwd program that will change both passwords. Unfortunately it has to ask the passwd 6 times (old,new,verify) for both smbpasswd and passwd. This is unacceptable because as stated before, most users will never enter our lab. The extra passwd change will just confuse the hell out of them. We would put everyone from the NIS+ database into the smbpasswd file if we could seamlessly change their password in the smbpasswd file when they change their unix password. We haven't been able to come up with a secure way to do this. Sure you can pass smbpasswd the username and password, but if by chance someone happens to do a "ps" at the moment, the password is exposed. We pondered getting the old/new passwords and dumping them to a file then trying to pipe them into smbpasswd, but quickly dropped that idea as too messy. Kevin From aperrin at demog.Berkeley.EDU Thu Jun 11 15:22:01 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:16 2003 Subject: A new problem Message-ID: This morning there's a new problem on our NTDOM setup: the system seems to have made the switch incorrectly when one user logs out and another logs onto an NT machine in the domain. New user gets [homes] fine, but the profile share doesn't work; the error received is "your roaming profile is not available," and trying to connect manually to the share fails with "access is denied." Here's a level 3 log from the machine serving the profile:
1998/06/11 08:17:33 Transaction 298 of length 87
switch message SMBtrans2 (pid 17095)
chdir to /home/davis/hdir1/carlm/ntprofile
chdir to /home/davis/hdir1/carlm/ntprofile
1998/06/11 08:17:33 chdir (/home/davis/hdir1/carlm/ntprofile) failed cnum=49
1998/06/11 08:17:33 error packet at line 4642 cmd=50 (SMBtrans2) eclass=2 ecode=4
error string = Permission denied
1998/06/11 08:17:33 Transaction 299 of length 87
switch message SMBtrans2 (pid 17095)
chdir to /home/davis/hdir1/carlm/ntprofile
chdir to /home/davis/hdir1/carlm/ntprofile
1998/06/11 08:17:33 chdir (/home/davis/hdir1/carlm/ntprofile) failed cnum=49
1998/06/11 08:17:33 error packet at line 4642 cmd=50 (SMBtrans2) eclass=2 ecode=4
error string = Permission denied
This takes some interpreting: carlm is the user who was logged onto the NT machine *before* -- NOT the one who's logging in now. The one who's logging in now is aperrin; so it's getting the new login well enough to get the credentials right and to get the right [homes] share, but not well enough to renegotiate the [ntprofile] directory. Relevant parts of smb.conf on the machine serving profiles follow. Samba 1.9.19-prealpha, Solaris 2.6, NT4.0 SP3. 
[global]
   workgroup = DEMOGRAPHY
   smbrun = /usr/LOCAL/samba/bin/smbrun
   lock dir = /usr/LOCAL/samba/var/locks
   debug level = 3
   wins support = no
   wins server = 128.32.163.196
   os level = 0
   preferred master = no
   domain logons = no
   encrypt passwords = yes
   security = domain
   password server = boserup
   log file = /var/log/samba.%m.log
   load printers = no
   hide dot files = no
   default service = homes
   time server = true
   guest account = nobody

[homes]
   guest ok = no
   read only = no
   browseable = yes
   wide links = yes
   printable = no
   Comment = Home Directory (%U)

[ntprofile]
   guest ok = no
   read only = no
   browseable = yes
   wide links = yes
   printable = no
   path = /home/davis/hdir1/%U/ntprofile
   Comment = Profile Directory (%U)

--------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From aperrin at demog.Berkeley.EDU Thu Jun 11 17:36:44 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:16 2003 Subject: More info on the new problem Message-ID: The issue I posted this morning re: %U and %H not resolving correctly is somewhat more nuanced than I thought. 1.) I changed smb.conf so the share is now defined as:
[ntprofile]
   guest ok = no
   read only = no
   browseable = yes
   wide links = yes
   printable = no
   ; path = /home/davis/hdir1/%U/ntprofile
   path = %H/ntprofile
   locking = no
   Comment = Profile Directory (%U)
... but it still doesn't work (same behavior). 2.) Here's an interesting log from a login session in which the domain server validates the login using the correct name and password (ntadmin) but then tries to connect to the wrong profile directory (~aperrin/ntprofile) and fails.
chdir to /etc/init.d
1998/06/11 09:04:55 Transaction 182 of length 165
switch message SMBsesssetupX (pid 17396)
Domain=[DEMOGRAPHY] NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[ntadmin]
resolve_name: Attempting lmhosts lookup for name BOSERUP
startlmhosts: Can't open lmhosts file /usr/LOCAL/samba/lib/lmhosts. Error was No such file or directory
resolve_name: Attempting host lookup for name BOSERUP
Connecting to 128.32.163.119 at port 139
adding home directory ntadmin at /home/davis/hdir1/ntadmin
ntadmin is in 1 groups 726
uid 9335 registered to name ntadmin
Clearing default real name
1998/06/11 09:04:56 Transaction 183 of length 96
switch message SMBtrans2 (pid 17396)
chdir to /home/davis/hdir1/aperrin/ntprofile
chdir to /home/davis/hdir1/aperrin/ntprofile
1998/06/11 09:04:57 chdir (/home/davis/hdir1/aperrin/ntprofile) failed cnum=52
1998/06/11 09:04:57 error packet at line 4642 cmd=50 (SMBtrans2) eclass=2 ecode=4
error string = Permission denied
1998/06/11 09:04:57 Transaction 184 of length 90
switch message SMBtrans2 (pid 17396)
chdir to /home/davis/hdir1/aperrin/ntprofile
chdir to /home/davis/hdir1/aperrin/ntprofile
1998/06/11 09:04:57 chdir (/home/davis/hdir1/aperrin/ntprofile) failed cnum=52
1998/06/11 09:04:57 error packet at line 4642 cmd=50 (SMBtrans2) eclass=2 ecode=4
error string = Permission denied
3.) This behavior is relatively short-lived -- I tested it by logging off the PC as one user, waiting approximately 3 minutes, and logging back in as a different user -- the problem goes away and the login works fine. Seems like somebody's holding some information just a tad too long? --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From tavis at mahler.econ.columbia.edu Thu Jun 11 18:30:24 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:24:16 2003 Subject: Simple sync between smbpasswd and passwd In-Reply-To: <3.0.3.32.19980611145546.00836eb0@bioserve.biochem.latrobe.edu.au> Message-ID: I guess what I'm wondering is if there shouldn't be a replacement for passwd (in addition to yppasswd and NIS+) as part of the official Samba code. If so, then it would require a Makefile for different systems and testing by different people under different environments. I'm not an experienced enough programmer to take this on, but would be happy to do the debugging for SunOS (including the problems below). The setuid problem will need some thinking out (is there a way for a setuid program to call another one as non-setuid? If not, then there would have to be two separate sub-programs, one run non-setuid that asks for the password and runs checks on it and sends it to smbpasswd, and a setuid program that takes an original password and an acceptable password as an argument, verifies the original password, and changes it. I'm not sure if that would create security problems). The other problems seem easily fixable, though I suspect more such problems will come up as people use it on different systems. My question for people on the Samba team: Is this the appropriate list to discuss such a project? How does one officially start it? Thanks, Tavis On Thu, 11 Jun 1998, David Bannon wrote: > > This thread needed a new name. > > At 16:08 09/06/1998 +1000, you wrote: > > > >On Tue, 9 Jun 1998, David Bannon wrote: > > > > ... my very basic programme to replace the unix passwd programme... > > http://bioserve.latrobe.edu.au/about/passwd.c.txt > > Unfortunately I only have access to DEC and linux at present. My DEC is a > bit old (hey, if it's not broken, why fix it ?) and my linux is being > rebuilt for another 'development'. I may be able to call on some > friendships to get limited Sun access, not very satisfactory... 
(you know, > 'can I write to your passwd file please ?'). > > > > >I tested this code out on SunOs 4.1.3, and found a number of things that > >didn't work right: > > > >(1) There is no header file "mode.h" in my system, > > Seems to go back to early OSF stuff, has some defines for stat. > Unnecessary on my system, although a couple of man pages for > functions like to mention it. Leave it out. > > > > > >(2) SunOS does not use the passwd.dir and passwd.pag files; hence it does > >not have /sbin/mkpasswd. This command failed and reported an error, but > >/etc/passwd and ~/smbpasswd were still updated correctly. > > I can easily set up a define to include (or not) such things. > > >(3) Upon successful completion, it changed the permissions on /etc/passwd > >to make it readable only by root. (!!!!!!!!!!!!!!!!!!!!) > > Now, that would be a real beauty ! Someone else had the same problem. In > the function FilterFile() there is a call to fchmod(.. 0x644). Can it be > that that function is not implemented on other systems ???? > > > >(4) It only worked correctly for non-privileged users when run setuid > >root, but smbpasswd only works correctly when _not_ setuid root. > > Hmm... I am using a month or so old version of Samba NTDom, I have not been > upgrading very often as what I had works for me at present. I did read > somewhere a comment about smbpasswd changing its way of doing things there. > I will be running up a linux box with samba in the next couple of days, > I'll get the current copy and compare. > > > >Anyway, it's a nifty little program and I don't know if you ever intended > >to make it operable beyond your own system, but if you do perhaps we can > >work on fixing the above. > > > I don't think it is worth the effort of setting up pre compile config > files, as long as the problems are solvable and documented then any > programmer should be able to fiddle the header to get something working. 
> I'll have a go at problem #4 in particular in the next couple of weeks if > possible. (I'm going camping in Central Australia for 2 weeks soon, so it > may be a bit longer). > > Any comments, suggestions etc are welcome. > > David > > > ------------------------------------------------------------ > David Bannon D.Bannon@latrobe.edu.au > School of Biochemistry Phone 61 03 9479 2197 > La Trobe University, Plenty Rd, Fax 61 03 9479 2467 > Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au > ------------------------------------------------------------ > ..... Humpty Dumpty was pushed ! > From harper at banks.scar.utoronto.ca Thu Jun 11 19:24:47 1998
From: harper at banks.scar.utoronto.ca (John Harper) Date: Tue Dec 2 02:24:16 2003 Subject: logging connections (and dead time parameter) Message-ID: <35802EFE.3B32@lake.scar.utoronto.ca> Now that I have the Samba NTDOM code up and running as a PDC I would really like to be able to log connections from our lab machines. One would think this should be easy given that the NT client machine is obviously aware that a user is logging in and also later logging out, but it seems that from the Samba side this is rather more difficult (at least presently). I presume the samba server is aware of the login (because it must do the authentication*), but I don't know if the client passes any info back about the logout. If that were so, is it possible that hooks might be added to samba to allow logging these events? *does it look different when coming from an NT client versus another Samba server that is in security=server mode? If not then this is toast. The problem seems compounded by the fact that neither of the shares served by a PDC (profiles and netlogon) has the same lifetime as the user session. The client will hold the connections to these shares open even after the user logs out, so if you want to reliably login the next user in you have to name the profile share something like p:%U. But since netlogon is a fixed name, it may not disconnect at all and you can't work around it - and I need the client to connect to it each time to trigger the root preexec I use to generate a login.bat file on the fly (since I have 6000 users, I don't want to store everyone's batch files). Does anyone know a way to force an NT client to disconnect all shares upon user logout? My solution was to set the dead time parameter to the smallest possible value (1 minute), but this still leaves a problem if another user tries to login right away. 
I tried to solve the logging problem by using postexec's on the profile share: when the user connects the share is opened to read the profile, after the files are closed the share times out a minute later and the post exec runs. When the user logs out of the client, the share is reopened to write the profile, and again it dies after a minute idle and the postexec again runs. I try to tell the difference between the two execs (login vs logout) of the program by examining the mod time of the NTUSER.dat file (if recently modified, then this is a logout). This is all very kludgy...but it seems to work as long as sessions are longer than a minute and users don't log in right away. (Of So.... could it be made possible to set the dead time param to 0 and mean disconnect immediately? (currently 0 means never disconnect), or could some other param be added that specifies on a per share basis to drop the connection as soon as all files are closed? Or is there some better way to accomplish all of this? Thanks John Harper ------------------------------------ Academic Computing Coordinator University of Toronto at Scarborough harper@scar.utoronto.ca From kevin.currie at wmich.edu Thu Jun 11 21:30:43 1998 
From: kevin.currie at wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:16 2003 Subject: Fw: Proposal: filename map Message-ID: <002101bd9580$31343720$2a01a8c0@marvin.sirius.cybernetics.net> Sorry to forward this here... It really doesn't apply, but I wanted to check and see if the lists would take a message from an unsubscribed user. Since I have an account that is subscribed to this list, I thought I'd see if it pops up. I am interested in the opinion from anyone here. >Hello, > >After using samba for about a year now on my home network, and for a couple >months now on my work network, I feel that I'm familiar enough with most of >the tricks with the % variables to know there isn't a clean way to solve my >problem, which is this: > >I use samba at home to share a lot of DOS programs. Most of the ones I have >problems with are games, emulators, etc, but this option would be nice for >other stuff too. These programs want their config files in their directory >and to be a certain name. This is a problem when you have a very >heterogeneous computer environment as far as hardware is concerned. I would >like to be able to have the config files available to the programs >(transparently) on a per machine basis. > >What would be ideal is an option like the one for remapping usernames, but >for files. One that would interpret the samba variables. So that I could >define some like: > >/home/samba/games/doom/doom.cfg = /home/samba/%m/doom.cfg > >Now, I understand there could be some speed concerns related to this. Any >wise person would only have a handful of mappings in this file. Because of >the speed concerns, this is probably an option that would have its code left >in or out at compile time. > >I have looked at the samba source a little bit, enough for it to confuse the >hell out of me. I have never done any unix programming before, but I do >have DOS experience. I would be willing to try and code this, but I would >need help. 
I'm hoping that it might be as simple as when a file open call >is made to samba, I can simply call a function that will translate the >filename string before any system calls are made. This is something I know >I can program. So, to the developers, does this sound possible? > >Also, if this sounds like a useful option to anyone else out there, please >let me know. I am not a subscriber to either of these lists, so please >reply to me and the list. > >Thanks, >Kevin Currie > > > From jallison at whistle.com Fri Jun 12 01:14:49 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:16 2003 Subject: A new problem References: Message-ID: <35808109.ABB343F8@whistle.com> Andrew Perrin - Demography wrote: > This takes some interpreting: carlm is the user who was logged onto the NT > machine *before* -- NOT the one who's logging in now. The one who's > logging in now is aperrin; so it's getting the new login well enough to > get the credentials right and to get the right [homes] share, but not well > enough to renegotiate the [ntprofile] directory. Relevant parts of > smb.conf on the machine serving profiles follow. > You need a greater debug log level. The thing to check is what vuid is being used for the [profile] connection - make sure it's the correct vuid for the logged on user. The %U name mapping is indexed from the vuid in the incoming packet. If you can reproduce this I'd appreciate a very high debug log level, as it appears that the %U mapping is failing. Some people have reported this previously but I've never had a reproducible test case for it. Regards, Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From jallison at whistle.com Fri Jun 12 01:32:37 1998
From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:16 2003 Subject: More info on the new problem References: Message-ID: <35808535.BF017AD2@whistle.com> Andrew Perrin - Demography wrote: > > > 3.) This behavior is relatively short-lived -- I tested it by logging off > the PC as one user, waiting approximately 3 minutes, and logging back in > as a different user -- the problem goes away and the login works fine. > Seems like somebody's holding some information just a tad too long? > Aha - *now* it's beginning to make sense. The issue is that, like the special [homes] share, a share that maps dynamically to a different path confuses the *hell* out of NT sometimes. The reason follows : NT validates each user, by doing a session_setup_and_X call, and gets what Samba calls a vuid (valid user id) token back for that user. The user then maps a share, [profiles], say, using the vuid from the logged in user. The vuid tells the server who is creating the mapping to this share. This mapping of a share returns a tcon value (tree connect id) that is valid for that share. The kicker is that the tcon id is valid *for any vuid* ! So, user A logs off, but NT being all multi-threaded like, doesn't disconnect the tcon for the [profiles] share immediately (it's busy doing something like flushing its disk buffers or whatever). User B then logs on and of course needs a connection to the [profiles] share. But NT thinks "hang on, I've already *got* a valid tcon value for the [profiles] share, I'll just validate the user with a session_setup_and_X and start using the old tcon with the new vuid." The result is as you have observed. The problem is that Samba is expanding the share path at *connection time*, not at access time. This means that for a share containing a %U expansion, so long as a tcon is valid Samba will always refer to the disk area using the %U expansion of the user who originally mapped the share, not necessarily the user who is now using the share. 
The correct fix for this is for shares that contain user variable 'meta' expansions (ie. anything containing a %U or %G) need to be flagged specially in the connection struct, and the pathname re-validated when a vuid that is not the same as the last vuid that accessed the share uses the path. This is a fix Andrew and I discussed 6 months or so ago, but we haven't got round to adding yet. This is slower than what we have now, as the expensive expansion of home directory paths is done more often than on the initial connect (as it is now), but for a single user NT system caching the vuid of last user and only revalidating if this changes is probably a good enough fix. I'll look again at the work needed to implement this. In the mean time, the fix would be to change the profile path for each user to be something like \\samba-server\profiles\user_name\profile where the definition of the [profiles] share on the Samba server is : [profiles] path = /home Where /home is the directory containing all the users home directories. Cheers, Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From cartegw at Eng.Auburn.EDU Fri Jun 12 01:58:47 1998 
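Jeremy's explanation above can be replayed in a few lines. The Python model below is an added illustration, not Samba code and not anything posted to the list: it keeps a vuid table and a tcon table, expands %U once at tree-connect time, and then lets a second vuid reuse the first user's tcon, which is the sequence Andrew observed with carlm and aperrin. The `revalidate_on_vuid_change` flag turns on the fix Jeremy outlines (re-expand the path whenever a vuid other than the last one touches the tcon). The class and function names are invented for the illustration.

```python
"""Model of why a %U share path goes stale when NT reuses a tree connect.

Constructed illustration (not Samba code) of the failure Jeremy describes:
NT validates each user with session_setup_and_X and gets a vuid; a tree
connect (tcon) made under one vuid stays valid for any vuid; a server that
expands %U once, at connect time, keeps serving the first user's directory
to whoever reuses that tcon.  The 'revalidate' variant re-expands whenever
a different vuid touches the tcon, which is the fix Jeremy outlines.
"""
from typing import Dict, Optional, Tuple


class Tcon:
    """One tree connect: the share, its path template and the cached expansion."""

    def __init__(self, share: str, template: str) -> None:
        self.share = share
        self.template = template          # e.g. "/home/%U/profile"
        self.last_vuid: Optional[int] = None
        self.path: Optional[str] = None


class Server:
    def __init__(self, revalidate_on_vuid_change: bool) -> None:
        self.revalidate = revalidate_on_vuid_change
        self.users: Dict[int, str] = {}   # vuid -> username
        self.tcons: Dict[int, Tcon] = {}  # tid  -> Tcon
        self._next_vuid = 100
        self._next_tid = 1

    def session_setup(self, username: str) -> int:
        """session_setup_and_X: authenticate and hand back a vuid."""
        vuid = self._next_vuid
        self._next_vuid += 1
        self.users[vuid] = username
        return vuid

    def tree_connect(self, vuid: int, share: str, template: str) -> int:
        """tconX: create a tcon; both variants expand %U here (connect time)."""
        tcon = Tcon(share, template)
        tcon.path = template.replace("%U", self.users[vuid])
        tcon.last_vuid = vuid
        tid = self._next_tid
        self._next_tid += 1
        self.tcons[tid] = tcon
        return tid

    def resolve(self, vuid: int, tid: int) -> str:
        """Path used for a file operation that arrives with (vuid, tid)."""
        tcon = self.tcons[tid]
        if self.revalidate and tcon.last_vuid != vuid:
            # Fixed behaviour: a different vuid is using this tcon, so
            # re-expand %U for the user who is actually making the request.
            tcon.path = tcon.template.replace("%U", self.users[vuid])
            tcon.last_vuid = vuid
        assert tcon.path is not None
        return tcon.path


def replay(revalidate: bool) -> Tuple[str, str]:
    """Replay the observed sequence: carlm logs on, logs off without NT
    tearing down the tcon, aperrin logs on and NT reuses the old tcon.
    Returns the directory each user's requests were actually served from."""
    srv = Server(revalidate)
    vuid_carlm = srv.session_setup("carlm")
    tid = srv.tree_connect(vuid_carlm, "profiles", "/home/%U/profile")
    path_for_carlm = srv.resolve(vuid_carlm, tid)
    # carlm logs off; NT is still flushing and keeps the [profiles] tcon open.
    vuid_aperrin = srv.session_setup("aperrin")
    path_for_aperrin = srv.resolve(vuid_aperrin, tid)
    return path_for_carlm, path_for_aperrin


if __name__ == "__main__":
    print("connect-time expansion :", replay(revalidate=False))
    print("revalidate on new vuid :", replay(revalidate=True))
```

With `revalidate=False` both users are served from carlm's profile directory, which is the cross-user exposure Andrew saw; with `revalidate=True` the second lookup lands in aperrin's directory. The model also shows why Jeremy's interim workaround of `path = /home` with a per-user profile path in the client works: that share contains no %U, so there is nothing stale to cache.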
From cartegw at Eng.Auburn.EDU Fri Jun 12 01:58:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: logging connections (and dead time parameter)
In-Reply-To: <35802EFE.3B32@lake.scar.utoronto.ca>

On Fri, 12 Jun 1998, John Harper wrote:
> Now that I have the Samba NTDOM code up and running as a PDC I would
> really like to be able to log connections from our lab machines.
> One would think this should be easy given that the NT client machine is
> obviously aware that a user is logging in and also later logging out,
> but it seems that from the Samba side this is rather more difficult (at
> least presently). I presume the samba server is aware of the login
> (because it must do the authentication*), but I don't know if the client
> passes any info back about the logout. If that were so, is it possible
> that hooks might be added to samba to allow logging these events?

John,

Forgive me for being brief. I am currently working on a paper for a
deadline and am getting very tired ( if only i could finish this thing and
get on with my life...) Sorry 'bout that. Enough ranting.

What you are referring to really has no clean solution. However, I will
say this. The [homes] and [netlogon] shares have an inconsistent lifetime,
you are correct. What I have done is to perform the logging on a generic
application share that everyone mounts during the login script. Preexec
and postexec scripts are used to log to /var/adm/wtmpx. Shares other than
[homes] and [netlogon] behave more predictably. At least this has been my
experience. You'll have to be careful with "dead time" settings though.
Experiment and see.

Hope this makes some sense and is of some help.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                     Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Fri Jun 12 02:04:45 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: HKEY_CURRENT_USER

On Thu, 11 Jun 1998, NoRM wrote:
> I'm having some problems with roaming profiles on my Samba PDC domain.
> Basically all users logging in via the PDC cannot alter their HKCU hive.
> Which makes the system quite unworkable in some senses.
>
> According to regedt32, that hive is owned by ntbox\administrators, who
> have full control, as do members of the system group. But 'everyone' has
> only read access.

Sounds like your users are getting the default user profile rather than
their own. Are you using the "domain admin users"? Also check under the
HKEY_USERS hive and see if it actually lists the .DefaultUser as well as a
SID number for the current logged in domain user. How were the user
profiles generated ( automatically or manually )? Have they ever worked?

So many questions....back to finishing this paper....sigh....

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                     Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
From paul at argo.demon.co.uk Fri Jun 12 03:01:02 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:24:16 2003
Subject: logging connections (and dead time parameter)
In-Reply-To: Your message of "Fri, 12 Jun 1998 05:29:59 +1000." <35802EFE.3B32@lake.scar.utoronto.ca>
Message-ID: <199806120401.FAA07540@argo.demon.co.uk>

harper@banks.scar.utoronto.ca said:
> least presently). I presume the samba server is aware of the login
> (because it must do the authentication*), but I don't know if the client
> passes any info back about the logout. If that were so, is it possible
> that hooks might be added to samba to allow logging these events?

An NT client does call a "logout" RPC. You should see it in your logs at
the right level. You could stuff in a syslog in the
NetLogonSamLogon/Logout if that is what you want.

Paul

From stat at atria.com Fri Jun 12 13:39:26 1998
From: stat at atria.com (Seiichi Tatsukawa)
Date: Tue Dec 2 02:24:16 2003
Subject: More info on the new problem
Message-ID: <009701bd9607$847aa6d0$c968f3ce@blueshark.atria.com>

:This is slower than what we have now, as the
:expensive expansion of home directory paths
:is done more often than on the initial connect
:(as it is now), but for a single user NT system
:caching the vuid of last user and only revalidating
:if this changes is probably a good enough fix.

If you have an NT service (or services) running as a domain user or use
su.exe/suss.exe in the NT Resource Kit, switching of vuids can happen more
often on an NT workstation.

---
Seiichi
+ Seiichi Tatsukawa                  +
+ Rational Software, Lexington, MA   +
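Gerald's preexec/postexec approach from the logging thread above, as an added example: this is not his script and not part of Samba. It assumes a share named [apps], a script location and a log location that are all hypothetical, and relies on the %U (session username), %m (client NetBIOS name) and %I (client IP address) substitutions smbd applies to preexec and postexec commands. Records are written as plain text rather than the binary wtmpx format so they can be paired into sessions afterwards; the parser tolerates malformed lines and disconnects whose connect predates the start of the log.

```python
"""Connection logging for a Samba share via preexec/postexec.

Added illustration, not Gerald Carter's own script.  It assumes an smb.conf
share like this (share name, script path and log path are hypothetical):

    [apps]
        path = /export/apps
        preexec  = /usr/local/sbin/smbconnlog.py connect %U %m %I
        postexec = /usr/local/sbin/smbconnlog.py disconnect %U %m %I

smbd runs preexec when a client connects to the share and postexec when it
disconnects, substituting the session username (%U), the client's NetBIOS
name (%m) and its IP address (%I).  Records are plain text rather than the
binary wtmpx format so they can be paired into sessions with sessions().
"""
import sys
import time
from typing import Dict, List, Optional, Tuple

LOG_PATH = "/var/log/smbconn.log"  # hypothetical location


def record(event: str, user: str, client: str, ip: str,
           now: Optional[int] = None) -> str:
    """Build one log record.  %U and %m are client-supplied strings, so any
    whitespace in them is collapsed to '_': the parser splits on spaces and
    a NetBIOS name containing a space would otherwise shift every later field."""
    ts = int(time.time()) if now is None else now
    clean = ["_".join(v.split()) or "-" for v in (event, user, client, ip)]
    return f"{ts} {' '.join(clean)}"


def append(line: str, path: str = LOG_PATH) -> None:
    """Append one record; called from the preexec/postexec invocation."""
    with open(path, "a") as fh:
        fh.write(line + "\n")


# (user, client, ip, start_timestamp or None, duration_seconds or None)
Session = Tuple[str, str, str, Optional[int], Optional[int]]


def sessions(lines: List[str]) -> List[Session]:
    """Pair connect/disconnect records per (user, client).  A disconnect with
    no matching connect (log started mid-session) has start=None; a connect
    that is never closed (client still attached, or smbd killed) has
    duration=None.  Malformed lines are skipped rather than guessed at."""
    open_conns: Dict[Tuple[str, str], Tuple[int, str]] = {}
    out: List[Session] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        ts = int(parts[0])
        event, user, client, ip = parts[1:]
        key = (user, client)
        if event == "connect":
            open_conns[key] = (ts, ip)
        elif event == "disconnect":
            start, ip0 = open_conns.pop(key, (None, ip))
            out.append((user, client, ip0, start,
                        None if start is None else ts - start))
    for (user, client), (start, ip) in open_conns.items():
        out.append((user, client, ip, start, None))
    return out


# Constructed sample records (not real log data).
SAMPLE_LOG = [
    "897612000 connect aperrin ws-lab01 10.0.0.21",
    "897612300 connect carlm ws-lab02 10.0.0.22",
    "897615600 disconnect aperrin ws-lab01 10.0.0.21",
    "not a record",
    "897616000 disconnect nobody ws-lab09 10.0.0.99",
]


def demo() -> List[Session]:
    """Sessions recovered from the constructed sample above."""
    return sessions(SAMPLE_LOG)


if __name__ == "__main__":
    if len(sys.argv) == 5:              # invoked from preexec/postexec
        append(record(*sys.argv[1:5]))
    else:
        for s in demo():
            print(s)
```

Two caveats from the thread apply directly. The "dead time" parameter makes smbd drop a connection that has been idle for that many minutes, so postexec fires then, not at logout; a user who comes back gets a fresh connect record, and the durations reflect share connections, not desktop sessions. And this logs share connects only: the NetLogon logon/logout RPC Paul refers to is a separate event that a preexec/postexec hook never sees.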
From jallison at whistle.com Sat Jun 13 02:31:12 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:16 2003
Subject: Samba 1.9.18p8 released.
Message-ID: <3581E470.48CF8A4C@whistle.com>

The Samba Team are pleased to announce Samba 1.9.18p8.

It may be fetched via ftp from :

ftp://samba.anu.edu.au/pub/samba/samba-1.9.18p8.tar.gz

Binary packages will be made available for this release within a short
time. A separate announcement will be made for the release of these
packages. Offers of binary Samba packages for various systems are welcome
and should be sent to samba-bugs@samba.anu.edu.au.

If you have problems, or think you have found a bug please email a report
to :

samba-bugs@samba.anu.edu.au

As always, all bugs are our responsibility.

Without further ado, here are the release notes.

Regards,

The Samba Team.

---------------------------------------------------------------------

WHATS NEW IN 1.9.18p8 - June 12th 1998.
======================================

This is the latest stable release of Samba. This is the version that all
production Samba servers should be running for all current bug-fixes.

Note that most Samba Team effort is now going into working on the next
major release which should contain some Windows NT Domain features. It is
intended that any future work on the 1.9.18 series be maintenance only
fixes. An announcement will be made when the first alpha release of the
next Samba series is available.

Bugfixes added since 1.9.18p7
-----------------------------

1). Fixed bug so Samba returns ERROR_MORE_DATA for long share lists that won't fit in the data buffer given by the client.
2). Made mapping of Windows to UNIX usernames only occur once per name.
3). Cause changing of SMB password to fail if UNIX password change fails and unix password sync is set.
4). Ensure the Samba names are added to the remote broadcast subnet to allow NT workstations to do a directed broadcast node status query (they seem to want to do this for some reason).
5). Fixed HPUX10 Trusted systems bigcrypt password authentication call.
6). Ensure smbd doesn't crash if 'account disabled' set in smbpasswd file.
7). Ensured 'revalidate' parameter is only checked if we're in share level security.
8). Ensure that password lengths are sanity checked even if in server level security.
9). Fix bug with multi-user NT systems where a file currently open by one user could always be opened by another.
10). Ensure we save the current user info and restore it correctly whilst in the oplock break state.
11). Added some simple sanity checks to testparm.
12). Added timezone sanity checks.
13). Re-wrote wildcard handling for trans2 calls. Wildcard matching now seems to be *identical* to NT (as far as I can tell).
14). Added facility for user list code to be explicit about checking UNIX group database or NIS netgroup list. Updated smb.conf detailing this.
15). Fixed bug in multibyte character handling when parsing a pathname.
16). Fixed file descriptor leak in client code.
17). Fixed QSORT_CAST compile bugs on many systems.
18). Added codepages 737 (Greek) and 861 (Icelandic).

If you have problems, or think you have found a bug please email a report
to :

samba-bugs@samba.anu.edu.au

As always, all bugs are our responsibility.

Regards,

The Samba Team.

Previous release notes for 1.9.18p7 follow.
=========================================================================

This release is a security hole patch fix for a security hole reported on
BugTraq by Drago. The security hole may have allowed authenticated users
to subvert security on the server by overflowing a buffer in a filename
rename operation.

It is as yet undetermined whether the security hole is actually
exploitable because of existing buffer overflow checks in Samba and the
limitations on available characters in filenames but the Samba Team
considered the threat of a possible security hole enough to warrant an
immediate patch release.
It is highly recommended that all sites assume that the security hole is
exploitable and upgrade to version 1.9.18p7 of Samba.

The previous release 1.9.18p6, which was intended to fix the security
hole, has compile problems on several platforms, and should not be used.

Previous release notes for 1.9.18p5 follow.
=========================================================================

Added features in 1.9.18p5
--------------------------

New parameters
--------------

passwd chat debug

This parameter is to allow Samba administrators to debug their password
chat scripts more easily when they have "unix password sync" set. It is
provided as a debugging convenience only and should be enabled only when
debugging. Full documentation is in the smb.conf man page.

update encrypted

The code for this parameter was kindly donated by Bruce Tenison. If this
parameter is set to "yes" (it defaults to "no") and an smbpasswd file
exists containing all the valid users of a Samba system but no encrypted
passwords (ie. the Lanman hash and NT hash entries in the file are set to
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"), then as users log in with plaintext
passwords that are matched against their UNIX password entries, their
plaintext passwords will be hashed and entered into the smbpasswd file.

After all the users have successfully logged in using unencrypted
passwords, the smbpasswd file will have the Lanman and NT hashes of these
users' UNIX passwords correctly stored. At that point the administrator
can convert Samba to use encrypted passwords (and configure the Windows 95
and NT clients to send only encrypted passwords) and migrate to an
encrypted setup without having to ask users to re-enter all their
passwords explicitly.

Note that to use this option the "encrypt passwords" parameter must be
set to "no" when this option is set to "yes". See the smb.conf man page
for up to date information on this parameter.

Updates to smbtar
-----------------

The following changes were developed by Richard Sharpe for Canon
Information Systems Research Australia (CISRA). The Samba Team would like
to thank Canon Information Systems Research Australia for funding this
effort, as such sponsorship advances the Samba project significantly.

1. Restore can now restore files with long file names
2. Save now saves directory information so that we can restore directory creation times
3. tar now accepts both UNIX path names and DOS path names.

New document in docs/ directory
-------------------------------

A new document, PROFILES.txt has been added to the docs/ directory. This
is still a work in progress (currently consisting of a series of email
exchanges) and will be updated over the coming releases. The document
covers the task of getting roving profiles to work with a Samba server
with Windows 95 and Windows NT clients.

Bugfixes added since 1.9.18p4
-----------------------------

1). Samba should now compile cleanly with the gcc -Wstrict-prototypes option.
2). New code page 852 translation table created by Petr Hubeny.
3). New "update encrypted" parameter (described above).
4). New "passwd chat debug" parameter (described above).
5). Updates to smbtar (described above).
6). Fix to do correct null session connections from nmbd and smbd.
7). Synchronous open flag is now honoured.
8). security=server now logs out correctly.
9). Fix to stop long printer job listings causing Win95 and smbd to spin the CPU & network.
10). Multibyte character fix that prevented the "character set" parameter working in 1.9.18p4.
11). Fix for problems with security=share and the [homes] share.
12). NIS+ patch to get home directory info.
13). Added FTRUNCATE_NEEDS_ROOT define for systems with broken ftruncate() call.
14). Fix for nmbd not allowing log append mode.
15). Fix for nmbd as a WINS server doing a name query after a WACK with the 'recursion desired' bit set - this would cause problems if directed at a machine running a WINS server.
16). Correctly ignore "become backup browser" requests, rather than logging them as a problem.
17). Use compressed names correctly as requested by RFC1002.
18). Workaround for bug where NT allows a guest logon and doesn't set the guest bit (in security=server mode).
19). Added SOFTQ print type.
20). Free filename on file close (long standing small memory leak fix).
21). Fix for lp_defaultservice() getting overwritten by rotating string buffers.
22). Print time in international, rather than USA, format.
23). Fix to queue a trans2 open request when oplock break pending.
24). Added Simplified Chinese codepage (936).
25). Fixed expansion bug with %U, %G when multiple sessionsetups done in security > SHARE mode.
26). Change to DEC enhanced mode security code to allow the same binary to work when in enhanced and basic security mode. This change affects all systems that define OSF1_ENH_SEC at compile time.

Previous release notes for 1.9.18p4 follow.
=========================================================================

Added features in 1.9.18p4
--------------------------

Changing passwords now supported
--------------------------------

Samba now supports changing the SMB password from a Windows 95 client,
using the standard Windows 95 password changing dialog. Note that by
default this changes the SMB password, not the UNIX password (Samba must
be set up with encrypted passwords in order to support this).

The smbpasswd program has been re-written to take advantage of this
feature, and now has no need to be a setuid root program, thus eliminating
a potential security hole. As a side effect of this change smbpasswd can
now be used on a UNIX machine to change users' passwords on an NT machine.

The new password changing code can also synchronize a user's UNIX password
at the same time an SMB password is being changed, if Samba is compiled
with password changing enabled, and the new parameter 'unix password sync'
is set to True. By default this is off, as it allows the password change
program to be called as root, which may be considered a security problem
at some sites.

Name resolution order now user selectable
-----------------------------------------

The resolution of NetBIOS names into IP addresses can be done in several
different ways (broadcast, lmhosts, DNS lookup, WINS). Previous versions
of Samba were inconsistent in which commands used which methods to look up
IP addresses from a name. New in this version is a parameter (name resolve
order, mentioned in the new parameters list below) that allows
administrators to select the methods of name resolution, and the order in
which such methods are applied. All Samba utilities have been changed to
use the new name to IP address name resolution code and so this can be
controlled from a central place.

Expanded multi-byte character support
-------------------------------------

In previous versions of Samba, Kanji (Japanese) character support was
treated as a special case, making it the only multi-byte character set
natively supported in Samba. New code has been added to generalize the
multi-byte codepage support, with the effect that other multibyte codepage
support can be easily added. The new codepages that this version ships
with are Korean Hangul and Traditional Chinese.

New Parameters in 1.9.18p4
--------------------------

name resolve order = lmhosts wins hosts bcast

This parameter allows control over the order in which netbios name to IP
Address resolution is attempted. Any method NOT specified will be excluded
from the name resolution process. If this parameter is not specified then
the above default order will be observed - this is consistent with prior
releases.
See the smb.conf and smbclient man pages for full details. See the above
text for the announcement on this feature.

fake directory create times

This parameter is a compatibility option for software developers using the
Microsoft NMAKE make tool, saving files onto a Samba share. Setting this
parameter to true causes Samba to lie to the client about the creation
time of a directory, so NMAKE commands don't re-compile every file.

unix password sync

This parameter is set to False by default. When set to True, it causes
Samba to attempt to synchronize the user's UNIX password when a user is
changing their SMB password. This causes the password change program to be
run as root (as the new password change code has no access to the
plaintext of the old password). Because of this, it is set off by default
to allow sites to set their own security policy regarding UNIX and SMB
password synchronization. This parameter has no effect if Samba has been
compiled without password changing enabled.

Changed compile-time default in 1.9.18p4
----------------------------------------

The maximum length of a printer share name has now been increased to 15
characters - the same as file share names. Anyone who needs to revert back
to 8 character printer share name support can do so by adjusting the
#define in local.h.

Bugfixes added since 1.9.18p3
-----------------------------

1). Fix for nmbd leaving the child nmbd running when doing DNS lookups as a WINS server.
2). Fix core dump in smbd when acting as a logon server with security=share.
3). Workaround for a bug in FTP OnNet software NBT implementation. It does a broadcast name release for WORKGROUP<0> and WORKGROUP<1e> names and doesn't set the group bit.
4). Ensure all the NetBIOS aliases are added to all the known interfaces on nmbd initialization.
5). Fix bug in multiple query name responses print code.
6). Fix to send out mailslot reply on correct interface.
7). Fix retransmission queue to scan WINS server subnet so nmbd retransmits queries needed when acting as a WINS server. Thanks to Andrey Alekseyev for spotting this one.
8). Send host announcement to correct 0x1d name rather than 0x1e name.
9). Fix for WINS server when returning multi-homed record, was returning one garbage IP address.
10). Fix for Thursby Software's 'Dave' client - ensure that a vuid of zero is always returned for them when in share level security (the spec says it shouldn't matter, but it was causing them grief).
11). Added KRB4 authentication code.
12). Fix to allow max printer name to be 15 characters (see above).
13). Fix for name mangling cache bug - cache wasn't being used in some cases.
14). Fix for RH5.0 broken system V shared memory include files.
15). Fix for broken redirector use of resume keys between deletes in a directory. Samba now returns zero as resume keys (as does NT) and uses the resume filename instead.
16). Fix for systems that have a broken implementation of isalnum() - was causing gethostbyname to fail.
17). Fix for 'hide files' bug not working correctly (bug in is_in_path function - fix from Steven Hartland).
18). Fixed bug in smbclient where debug log level on the command line was being overridden by the log level in smb.conf.
19). Fixed bug in USE_MMAP code where client sending a silly offset to readraw could cause a smbd core dump.

Bugfixes added since 1.9.18p2
-----------------------------

1). Fix to cause oplocked files to be broken when open file table is full before giving up and reporting 'too many open files'. This fix seems to help many applications on Win95.
2). Fix to stop extra files being closed in user logoff code.
3). Fix to stop padded packet being returned on trans2 call. This bug could cause Windows 95 to freeze on some (rare) occasions.
4). Added fix for Visual C++ filetime changes (see above).
5). Made security check code an option (see above).
6). Fixed printer job enumeration in smbclient.
7). Re-added code into smbclient that causes it to do NetBIOS broadcast name lookups (as it used to in 1.9.17).
8). Fixed core dump bug in smbtar.
9). Fixed mapping code between Appletalk and Kanji filenames.
10). Tuned shared memory size based on open file table size.
11). Made nmbd log file names consistent with smbd.
12). Fixed nmbd problem where packet queues could grow without bound when connection to WINS server was down.
13). Fix for DCE login code.
14). Fix for system V printing to remove extra space in printer name.
15). Patch to add a new substitution parameter (%p) in a service pathname. Adds NIS home path (see the man page on smb.conf for details). Patch from Julian Field.
16). Fix to stop smbpassword code from failing when parsing invalid uid fields.
17). Made volume serial number constant based on machine and service name.
18). Added expand environment variables code from Branko Cibej. See the man page on smb.conf for details.
19). Fixed warnings in change_lanman_password code.

Bugfixes added since 1.9.18p1
-----------------------------

1). A deadlock condition in the oplock code has been found and fixed. This occurred under heavy load at large sites. Several of the sites who reported the original problem have now been testing the code in this (1.9.18p2) release for a week now with no problems (previously the problem occurred within 3-6 hours). (Thanks to Peter Crawshaw of Mount Allison University for his great help in tracking down this bug).
2). Fix for a share level security problem that caused 'valid users' not to work correctly.
3). Addition of Russian code page support.
4). Fix to the password changing code (thanks to Randy Boring at Thursby Software Systems for this).
5). More fixes to the Windows 95 printer driver support code from Herb Lewis at SGI.
6). Two NetBIOS over TCP source name type fixes in nmbd.
7). Memory leak in the dynamic loading of services in an smb.conf file fixed.
8). LPRng parsing code fix.
9). Fix to try and return a 'best guess' of create time under UNIX (which doesn't store such a file attribute).
10). Added parameters to samba/examples/smb.conf.default file : Remote announce, Remote browse sync, username map, filename case preservation and sensitivity options.
11). Reply to trans2 calls now aligns all parameters and data on 4 byte boundary.
12). Fixed SIGTERM bug where nmbd would hang on exit.
13). Fixed WINS server bug to allow spaces in WINS names.

Bugfixes added since 1.9.18
---------------------------

1). Fix for oplock-break problem. If an open crossed with an oplock break on the wire it was possible for the same fnum to be re-used. This caused a rare but fatal problem.
2). Fix for adding printers to Windows NT 4.x. Now return correct "no space error" when buffer of zero given.
3). Fix for nmbd core dumps when running on architectures that cannot access structures on non-aligned boundaries (sparc, alpha etc).
4). Compiler warnings in nmbd fixed.
5). Makefile updated for Linux 2.0 versions (new smbmount commands should only be compiled for 2.1.x kernels).
6). Addition of a timestamp to attack warning messages.

Changes in 1.9.18.
------------------

This release contains several major changes and much re-written code. The
main changes are :

1). Oplock support now operational.
-----------------------------------

Samba now supports 'exclusive' and 'batch' oplocks. These are an advanced
networked file system feature that allows clients to obtain an exclusive
use of a file. This allows a client to cache any changes it makes locally,
and greatly improves performance. Windows NT has this feature and prior to
this release this was one of the reasons Windows NT could be faster in
some situations. Samba has now been benchmarked as outperforming Windows
NT on equivalently priced hardware. The oplock code in Samba has been
extensively tested and is believed to be completely stable. Please report
any problems to the samba-bugs alias.

2). NetBIOS name daemon re-written.
-----------------------------------

The old nmbd that has caused some users problems has now been completely
re-written and now is much easier to maintain and add changes to. Changes
include support for multi-homed hosts in the same way as an NT Server with
multiple IP interfaces behaves (registers with the WINS server as a
multi-homed name type), and also support for multi-homed name registration
in the Samba WINS server. Another added feature is robustness in the face
of WINS server failure, nmbd will now keep trying to contact the WINS
server until it is successful, in the same way as an NT Server. Also in
this release is an implementation of the Lanman announce protocol used by
OS/2 clients. Thanks to Jacco de Leeuw for this code.

3). New Internationalization support.
-------------------------------------

With this release Samba no longer needs to be separately compiled for
Japanese (Kanji) support, the same binary will serve both Kanji and
non-Kanji clients. A new method of dynamically loading client code pages
has been added to allow the case insensitivity to be done dependent on the
code page of the client. Note that Samba still will only handle one client
code page at a time. This will be fixed when Samba is fully UNICODE
enabled. Please see the new man page for make_smbcodepage for details on
adding additional client code page support.

4). New Printing support.
-------------------------

An implementation of the Windows 95 automatic printer driver installation
has been added to smbd. To use this new feature please read the document:
docs/PRINTER_DRIVER.txt Thanks to Jean-Francois Micouleau, and also Herb
Lewis of Silicon Graphics for this new code. Printer support on System V
systems (notably Solaris) has been improved with the addition of code
generously donated by Norm Jacobs of Sun Microsystems. Sun have also made
a Solaris SPARC workstation available to the Samba Team to aid in their
porting efforts.

Changed code.
-------------

Samba no longer needs the libdes library to support encrypted passwords.
Samba now contains a restricted version of DES that can only be used for
authentication purposes (to comply with the USA export encryption
regulations and to allow USA Mirror sites to carry Samba source code). The
'encrypt passwords' parameter may now be used without recompiling.

Much of the internals of Samba has been re-structured to support the
oplock and Domain controller changes.

Samba now contains an implementation of share modes using System V shared
memory as well as the mmap() based code. This was done to allow the
'FAST_SHARE_MODES' to be used on more systems (especially HPUX 9.x) that
have System V shared memory, but not the mmap() call. The System V shared
memory code is used by default on many systems as it has benchmarked as
faster on many systems.

The Automount code has been slightly re-shuffled, such that the home
directory (and profile location) can be specified by \\%N\homes and
\\%N\homes\profiles respectively, which are the defaults for these values.
If -DAUTOMOUNT is enabled, then %N is the server component of the user's
NIS auto.home entry. Obviously, you will need to be running Samba on the
user's home server as well as the one they just logged in on.

The RPC Domain code has been moved into a separate directory rpc_pipe/,
and a LGPL License issued specifically for code in this directory. This is
so that people can use this code in other projects.

Missing feature.
----------------

One feature that we wanted to get into this release that was not possible
due to the re-write of the nmbd code was the scalability features in the
Samba WINS server. This feature is now tentatively scheduled for the next
release (1.9.19). Apologies to anyone who was hoping for this feature to
be included. The nmbd re-write will make it much easier to add such things
in future.

New parameters in smb.conf.
---------------------------

New Global parameters.
----------------------

Documented in the smb.conf man pages :

"bind interfaces only"
"lm announce"
"lm interval"
"logon drive"
"logon home"
"min wins ttl"
"max wins ttl"
"username level"

New Share level parameters.
---------------------------

Documented in the smb.conf man pages :

"delete veto files"
"oplocks"

Nascent web interface for configuration.
----------------------------------------

source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can also
be run standalone. This is in a very early stage of development.

Debugging support.
------------------

smbd and nmbd will now modify their debug log level when they receive a
USR1 signal (increase debug level by one) and USR2 signal (decrease debug
level by one). This has been added to aid administrators track down faults
that only occur after long periods of time, or transiently.

Reporting bugs.
---------------

If you have problems, or think you have found a bug please email a report
to :

samba-bugs@samba.anu.edu.au

Please state the version number of Samba that you are running, and *full
details* of the steps we need to reproduce the problem.

As always, all bugs are our responsibility.

Regards,

The Samba Team.
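The "update encrypted" parameter described in the 1.9.18p5 notes above leaves it to the administrator to judge when every account has been captured and the plaintext logon period can end. The check below is an added example, not part of Samba or of these release notes. It assumes the 1.9.18-era colon-separated smbpasswd layout (username, uid, LanMan hash, NT hash, then passwd-style fields), recognises the 32-X placeholder quoted in the notes, and runs over a constructed sample file whose hash values are made up.

```python
"""Readiness check for the 'update encrypted' migration in 1.9.18p5.

Added illustration, not part of Samba.  It assumes the 1.9.18-era smbpasswd
layout, colon separated: username, uid, LanMan hash, NT hash, and trailing
passwd-style fields.  While 'update encrypted = yes' and 'encrypt passwords
= no' are set, each plaintext logon replaces the 32-X placeholder hashes
with real ones; this script tells the administrator when every account has
been captured so the plaintext window can be closed by switching
'encrypt passwords' on.
"""
import re
from typing import Dict, List

PLACEHOLDER = "X" * 32            # value quoted in the 1.9.18p5 notes
HEX32 = re.compile(r"^[0-9A-F]{32}$")   # a 16-byte LanMan or NT hash in hex


def classify_hash(field: str) -> str:
    """Return 'hash', 'placeholder', 'nopassword' or 'invalid'."""
    f = field.upper()
    if f == PLACEHOLDER:
        return "placeholder"
    if f.startswith("NO PASSWORD"):   # smbpasswd marker for a null password
        return "nopassword"
    if HEX32.match(f):
        return "hash"
    return "invalid"


def migration_report(text: str) -> Dict[str, List[str]]:
    """Bucket each account by the state of its LanMan/NT hash pair."""
    report: Dict[str, List[str]] = {
        "ready": [], "pending": [], "nopassword": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            report["invalid"].append(f"line {lineno}")
            continue
        user, _uid, lm, nt = fields[:4]
        kinds = {classify_hash(lm), classify_hash(nt)}
        if kinds == {"hash"}:
            report["ready"].append(user)
        elif "invalid" in kinds:
            report["invalid"].append(user)
        elif "nopassword" in kinds:
            report["nopassword"].append(user)
        else:
            report["pending"].append(user)   # still waiting for a plaintext logon
    return report


def ready_to_encrypt(text: str) -> bool:
    """True once no account is still on placeholder hashes and nothing is
    malformed.  'nopassword' accounts are reported but do not block: the
    administrator has to decide about them explicitly before switching."""
    rep = migration_report(text)
    return not rep["pending"] and not rep["invalid"]


# Constructed sample file (hash values are made up, not real hashes).
SAMPLE_SMBPASSWD = """\
# user:uid:lanman:nt:gecos:home:shell
aperrin:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:Andrew Perrin:/home/aperrin:/bin/sh
carlm:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:Carl M:/home/carlm:/bin/sh
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:Guest:/tmp:/bin/false
broken:1004:ZZZ:FEDCBA9876543210FEDCBA9876543210:Broken:/home/broken:/bin/sh
"""

if __name__ == "__main__":
    for bucket, users in migration_report(SAMPLE_SMBPASSWD).items():
        print(f"{bucket:11s} {', '.join(users) or '-'}")
    print("ready to set 'encrypt passwords = yes':",
          ready_to_encrypt(SAMPLE_SMBPASSWD))
```

Run against the real file, the "pending" bucket is the list of users who have not yet logged on since the placeholders were written; once it and "invalid" are empty, set "encrypt passwords = yes" and "update encrypted = no" so that no further plaintext passwords cross the wire. The hashes stored in smbpasswd are password equivalents for SMB, so the file must remain readable by root only throughout.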
From jjm at iname.com Sat Jun 13 10:13:17 1998
From: jjm at iname.com (Johan Meiring)
Date: Tue Dec 2 02:24:16 2003
Subject: HKEY_CURRENT_USER
Message-ID: <003501bd96b5$49c5f900$100a9ac2@sandra>

> I'm having some problems with roaming profiles on my Samba PDC domain.
> Basically all users logging in via the PDC cannot alter their HKCU hive.
> Which makes the system quite unworkable in some senses.
>
> According to regedt32, that hive is owned by ntbox\administrators, who
> have full control, as do members of the system group. But 'everyone' has
> only read access.

I saw the same behaviour when I manually copied a profile from one user,
(the default user?) to a specific user. Although the file system does not
support ACLs the NTUSER.DAT file internally does.

I had one of three options:

a) Don't try to copy a profile to a user to give him one, let the NT
   machine create it by itself.
b) Load the NTUSER.DAT hive into regedit and modify the ACL to give the
   user permissions, while you are administrator.
c) Copy the profile to the user using 'Control Panel' --> 'System' -->
   'User Profiles'. This modifies the NTUSER.DAT's ACL when you copy it.

Hope this helps.

Johan

From trep at dem.qc.ca Sat Jun 13 22:15:29 1998
From: trep at dem.qc.ca (Pierre-Jules Tremblay)
Date: Tue Dec 2 02:24:16 2003
Subject: Cannot add a printer (NT4SP3 + latest cvs samba)
Message-ID: <199806132215.SAA23897@ursula.dem.qc.ca>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 1198 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980613/4d729f81/attachment.bat
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Cannot add a printer (NT4SP3 + latest cvs samba)
In-Reply-To: <199806132215.SAA23897@ursula.dem.qc.ca>
Message-ID:

On Sun, 14 Jun 1998, Pierre-Jules Tremblay wrote:

> Here's a new problem I tripped up on last week:
>
> Using the current (98/6/13 - 18:00 EDST) cvs'ed version of samba, I
> tried to add a printer through the "Add printer" dialog in Windows NT
> 4.0 Workstation, service pack 3. Typed in the name of the printer
> share using its UNC path. I got an error message saying that "Could
> not connect to the printer. The printer name is invalid.".

Nope, not new. Let me finish up this upgrade and I will send you a workaround for the moment. It's a hack. Not source code.

j-

From abs at maunsell.co.uk Sun Jun 14 08:59:45 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:16 2003
Subject: Cannot add a printer (NT4SP3 + latest cvs samba)
In-Reply-To: ; from Gerald W. Carter on Sun, Jun 14, 1998 at 09:03:36AM +1000
References:
Message-ID: <19980614095945.14303@maunsell.co.uk>

On Sun, Jun 14, 1998 at 09:03:36AM +1000, Gerald W. Carter wrote:
>
> On Sun, 14 Jun 1998, Pierre-Jules Tremblay wrote:
>
> > Here's a new problem I tripped up on last week:
> >
> > Using the current (98/6/13 - 18:00 EDST) cvs'ed version of samba, I
> > tried to add a printer through the "Add printer" dialog in Windows NT
> > 4.0 Workstation, service pack 3. Typed in the name of the printer
> > share using its UNC path. I got an error message saying that "Could
> > not connect to the printer. The printer name is invalid.".
>
> Nope, not new. Let me finish up this upgrade and I will send you a
> workaround for the moment. It's a hack. Not source code.

I have the same problem, but find that if it doesn't connect using the add printer wizard, if I browse to the printer in network neighbourhood, things generally work right after that. Sometimes I have to attempt the connection several times, and there is still one printer which refuses a connection from some wkstns, so if you have a workaround could you let me know as well please.

Thanks.

--
Maunsell Ltd, IT Unit, 160 Croydon Road, Beckenham, Kent BR3 4DE, England.
Tel : 0181-663-6565   Fax : 0181-663-6723
Email: abs@maunsell.co.uk -or- abs@maunsl00.demon.co.uk

From m.sinitsch at intakt.at Sun Jun 14 17:08:38 1998
From: m.sinitsch at intakt.at (m.sinitsch@intakt.at)
Date: Tue Dec 2 02:24:16 2003
Subject: subscribe
Message-ID: <01bd97b7$12ee7a30$0101a8c0@ms_va>

subscribe

From cartegw at Eng.Auburn.EDU Sun Jun 14 22:03:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Cannot add a printer (NT4SP3 + latest cvs samba)
In-Reply-To: <19980614095945.14303@maunsell.co.uk>
Message-ID:

On Sun, 14 Jun 1998, Andy Smith wrote:

> > On Sun, 14 Jun 1998, Pierre-Jules Tremblay wrote:
> >
> > > Using the current (98/6/13 - 18:00 EDST) cvs'ed version of samba, I
> > > tried to add a printer through the "Add printer" dialog in Windows NT
> > > 4.0 Workstation, service pack 3. Typed in the name of the printer
> > > share using its UNC path. I got an error message saying that "Could
> > > not connect to the printer. The printer name is invalid.".
>
> I have the same problem, but find that if it doesn't connect using the
> add printer wizard, if I browse to the printer in network
> neighbourhood, things generally work right after that. Sometimes I
> have to attempt the connection several times, and there is still one
> printer which refuses a connection from some wkstns, so if you have a
> workaround could you let me know as well please.

OK. Here's a quick and dirty fix. The NT box needs to be coaxed to back down from the MSRPC calls to use the LanMan calls. Add the printer locally but connect it to the LanMan port which you have created (rather than LPT1:).

To create the LanMan port, modify the following registry script for your site and import it...
-------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services]
"Name"="win32spl.dll"
"DisplayName"="LanMan Print Services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Monitors]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Monitors\LanMan Print Services Port]
"Driver"="win32spl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\PortNames]
"\\\\lab1\\kryptonite"="win32spl.dll"
"\\\\LAB1\\rainbow"="win32spl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\lab1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\lab1\Printers]
"DefaultSpoolDirectory"="D:\\WINNT\\System32\\spool\\PRINTERS"
---------------------------------------

You may have to reboot the NT machine to get these ports to show up. I have tried this and it seems to work. Let me know how it goes. If it is an acceptable solution, then I will add it to the FAQ for now.

Hope this helps,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From BRuddy at LEHIGHCEMENT.COM Mon Jun 15 13:09:20 1998
From: BRuddy at LEHIGHCEMENT.COM (Ruddy, Bob)
Date: Tue Dec 2 02:24:16 2003
Subject: WINS Database
Message-ID:

In NT you can view the currently registered computers in the WINS database; you can also see when those entries expire. Is there any way that I can view the WINS database of a samba machine? Thanks for your help. I am testing samba on a small scale 1 hub setup right now. I am hoping that by the end of July I can replace 3 old NT servers with 2 samba servers. Thanks again for your help.

Bob

From aperrin at demog.Berkeley.EDU Mon Jun 15 15:38:42 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:16 2003
Subject: WINS Database
In-Reply-To:
Message-ID:

Don't know if it's kosher but

  cat /usr/LOCAL/samba/var/locks/wins.dat

works for me.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Mon, 15 Jun 1998, Ruddy, Bob wrote:

> In NT you can view the currently registered computers in the wins
> database, you can also see when those entries expire. Is there any way
> that I can view the WINS database of a samba machine? Thanks for your
> help. I am testing samba on a small scale 1 hub setup right now. I am
> hoping that by the end of July I can replace 3 old NT servers with 2
> samba servers. Thanks again for your help.
>
> Bob
>

From aperrin at demog.Berkeley.EDU Mon Jun 15 16:19:10 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:16 2003
Subject: Does NTDOM break browsing by non-NTDOM Samba?
Message-ID:

Hi folks - recently our non-NTDOM (1.9.18p7) workgroup has stopped browsing correctly -- specifically, the Samba machine that's supposed to be the browse master keeps losing elections to one of the NT machines on the workgroup. This is odd since:

1.) It's worked fine for over a year until recently; and
2.) The server is set for os level = 200 and preferred master = yes.

Is it possible that having a 1.9.19-prealpha NTDOM going on the same subnet is causing the problem?

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From cartegw at Eng.Auburn.EDU Mon Jun 15 17:25:09 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Does NTDOM break browsing by non-NTDOM Samba?
References:
Message-ID: <358558F5.3AB7F641@eng.auburn.edu>

Andrew Perrin - Demography wrote:
>
> Hi folks - recently our non-NTDOM (1.9.18p7) workgroup has stopped
> browsing correctly -- specifically, the Samba machine that's supposed
> to be the browse master keeps losing elections to one of the NT
> machines on the workgroup. This is odd since:
>
> 1.) It's worked fine for over a year until recently; and
> 2.) The server is set for os level = 200 and preferred master = yes.
>
> Is it possible that having a 1.9.19-prealpha NTDOM going on the same
> subnet is causing the problem?

I am experiencing similar things and have seen posts about this on the main samba list. Haven't had time to really work through it though. I don't think that it is caused by 1.9.19pre-alpha servers.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From evanc at synapse.net Mon Jun 15 18:53:06 1998
From: evanc at synapse.net (Evan Champion)
Date: Tue Dec 2 02:24:16 2003
Subject: Odd domain authentication problem
Message-ID:

Hi all,

Hopefully this isn't a FAQ. I checked the archives and nothing jumped out at me :-)

I cvs'd the latest code this morning and am trying to get a samba server up that is able to authenticate users against an NT PDC.

We've managed to get it so that if I try to login to the samba server from NT, then authentication succeeds. However, I can't manage to get it to authenticate with smbclient; the error is invalid password.

The command line I am using is:

  smbclient -L sambaserver -W domain

The only thing I am seeing logged is:

  cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD
  domain_client_validate: unable to validate password for user evanc in domain MYDOMAIN to Domain controller CONTROLLER. Error was NT_STATUS_WRONG_PASSWORD.

If I leave off -W domain from the smbclient command line, it seems to try to login to domain WORKGROUP instead (bug? Shouldn't it pick the default out of smb.conf?)

I have encryption enabled, security = domain and password server set to the domain controller. I was able to smbpasswd -j successfully.

Any help would be much appreciated. Thanks.

Evan

From harper at scar.utoronto.ca Mon Jun 15 20:37:54 1998
From: harper at scar.utoronto.ca (John Harper)
Date: Tue Dec 2 02:24:16 2003
Subject: logging connections (and dead time parameter)
Message-ID: <19980615163754.50824@scar.utoronto.ca>

Gerald Carter wrote:
>
>What you are referring to really has no clean solution. However, I will
>say this. The [homes] and [netlogon] shares have an inconsistent lifetime,
>you are correct. What I have done is to perform the logging on a generic
>application share that everyone mounts during the login script. Preexec
>and postexec scripts are used to log to /var/adm/wtmpx. Shares other than
>[homes] and [netlogon] behave more predictably. At least this has been my
>experience.

This would work except you'd have to set dead time to never disconnect that share, and since it's a global parameter, none of the other shares would either, which rather ruins the point of having a dead time parameter. In our labs we could have lots of connections and I think I will need the idle ones to go away. It would help if dead time was a per-share parameter, so it could be tuned for the expected likelihood of use of each share.

Paul Ashton wrote:
>
>An NT client does call a "logout" RPC. You should see it in your
>logs at the right level. You could stuff in a syslog in the
>NetLogonSamLogon/Logout if that is what you want.
>

I've found the relevant sections of the code and hacked it to add the global parameters "login exec" and "logout exec", which are run the same way root execs are. The login exec seems to be ok, but I'm having a problem with the logout - at the point in the code where the api NET_SAMLOGOFF is serviced by the call to api_net_sam_logoff() I can't seem to identify the user - it looks as though the user is "nobody". I'd like the username so I can write the proper wtmp entry; but it mostly works - I have a log file that accurately shows when the machine is being used and by whom. If anyone cares I can produce the diffs for the mods.
I wrote:
> But since netlogon is a fixed name, it may not disconnect at all and
>you can't work around it - and I need the client to connect to it
>each time to trigger the root preexec I use to generate a login.bat
>file on the fly (since I have 6000 users, I don't want to store
>everyone's batch files).

I was running with dead time = 1 to minimize this problem, but in the end I also had to change the code trivially to allow dead time to be set to 0 so that Samba drops shares asap after all files are closed. On my PDC this applies to the profile and specifically to the NETLOGON share. If I don't do this, then in a busy lab there will be many times when a person leaves, and the next tries to login when less than a minute has elapsed; they will not get any drive or printer mappings.

John Harper
------------------------------------
Academic Computing Coordinator
University of Toronto at Scarborough
harper@scar.utoronto.ca

From jallison at whistle.com Mon Jun 15 22:01:10 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:16 2003
Subject: Odd domain authentication problem
References:
Message-ID: <358599A6.A6A3263E@whistle.com>

Evan Champion wrote:

> We've managed to get it so that if I try to login to the samba server from
> NT, then authentication succeeds. However, I can't manage to get it to
> authenticate with smbclient; the error is invalid password.
>
> The command line I am using is:
>
> smbclient -L sambaserver -W domain
>
> The only thing I am seeing logged is:
>
> cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD
> domain_client_validate: unable to validate password for user evanc in
> domain MYDOMAIN to Domain controller CONTROLLER. Error was
> NT_STATUS_WRONG_PASSWORD.

I just checked in changes to the head branch that fix these problems. The two problems were that smbclient wasn't doing the NT password hashing (it is now) and also wasn't correctly looking at the 'workgroup=' parameter in smb.conf (it does now :-).

cvs update & it should work (it does here).

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Mon Jun 15 23:26:21 1998
From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:16 2003 Subject: Username map issue with 1.9.18p8 Message-ID: <3585AD9D.C44D776E@whistle.com> Hi All, Sorry to be posting this :-(, but if you're using the 'username map' parameter with Samba 1.9.18p8, here's a small patch you may need. Without it the username map will work once per smbd and then refuse to map subsequent names. This isn't a big problem as normally, on a single user NT or 95 system, username map will only be called once per session (in the sessionsetup_and_X SMB call). Sorry our testing didn't catch this (it's one of those multi-user things). It's already fixed in the master sources. I wasn't sure how many people are using the username map parameter but I thought I'd be on the safe side and broadcast the fix anyway, in case people run into it. Apologies, Jeremy Allison. Samba Team. -------------------cut here---------------------------- --- /home/jallison/tmp/samba-1.9.18p8/source/username.c Fri Jun 12 18:44:21 1998 +++ username.c Mon Jun 15 14:51:32 1998 @@ -46,7 +46,6 @@ ********************************************************************/ BOOL map_username(char *user) { - static int depth=0; static BOOL initialised=False; static fstring last_from,last_to; FILE *f; @@ -54,7 +53,7 @@ pstring buf; char *mapfile = lp_username_map(); - if (!*mapfile || depth) + if (!*mapfile) return False; if (!*user) @@ -82,8 +81,6 @@ DEBUG(4,("Scanning username map %s\n",mapfile)); - depth++; - while((s=fgets_slash(buf,sizeof(buf),f))!=NULL) { char *unixname = s; char *dosname = strchr(unixname,'='); 
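Review bot: removing the static depth counter outright is the right cure for the once-per-smbd symptom described in the message, but the reason should be stated with the patch: in the hunks above, `depth++` runs just before the `while((s=fgets_slash(buf,sizeof(buf),f))!=NULL)` loop and the only `depth--` (in the final hunk) sits immediately before the closing `return False;`, so any return taken from inside the loop leaves `depth` at 1 for the life of the process and every later call bails out at `if (!*mapfile || depth)`. If `depth` was intended as a re-entrancy guard, the alternative would have been a decrement on each early return path; as the patch keeps no other guard, it is worth confirming that nothing reached from inside the loop calls map_username() again. The hunk headers (7 to 6, 7 to 7, 8 to 6) are consistent with the pure deletions shown, and the `last_from`/`last_to` cache is untouched.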
@@ -132,8 +129,6 @@ */ fstrcpy(last_from,user); fstrcpy(last_to,user); - - depth--; return False; } -------------------end patch--------------------------- -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From evanc at synapse.net Tue Jun 16 13:19:42 1998 From: evanc at synapse.net (Evan Champion) Date: Tue Dec 2 02:24:16 2003 Subject: Odd domain authentication problem In-Reply-To: <358599A6.A6A3263E@whistle.com> Message-ID: On Tue, 16 Jun 1998, Jeremy Allison wrote: > I just checked in changes to the head brach that fixes > these problems. Yup, works great. Thanks! Evan From lens at elv.enic.fr Tue Jun 16 14:52:11 1998 
From: lens at elv.enic.fr (Frederic LENS)
Date: Tue Dec 2 02:24:16 2003
Subject: Authentication of NT users on a LINUX Workstation
Message-ID: <3586869A.823D53B4@elv.enic.fr>

Hello all !

Basically, here is what our school wants to do : we want to be able to use NT Authentication services on LINUX Workstations.

Ok, great, here is what we've done so far :

* I've installed REDHAT 5.1 on two Linux Workstations
* Downloaded, compiled, and configured the latest SAMBA release,
* Downloaded, compiled, and configured the PAM_NTDOM authentication module (adding a line for it to /etc/pam.d/login file)

The trouble is, it won't work ! I double checked the config file, and it won't work. Basically, we've got to authenticate against one well known NT Domain. The Linux Workstation has been added to it, yet it refuses to work..

One thing I didn't quite understand : I read in a doc somewhere that I had to use smbpasswd to add my workstation to the domain (to create the SID and UID numbers). The command was : smbpasswd -j , yet smbpasswd tells me that the -j parameter is unknown... After a second download of the samba source code (using CVS, asking for the BRANCH_NTDOM release), and a successful compilation, it **still** didn't work..

What am I doing wrong ??

Some help would be really appreciated !

Thanks in advance,

<< Frédéric LENS >>
Student engineer in Telecommunications
http://www.enic.fr

From cartegw at Eng.Auburn.EDU Tue Jun 16 15:43:37 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Authentication of NT users on a LINUX Workstation
References: <3586869A.823D53B4@elv.enic.fr>
Message-ID: <358692A9.2BF681F0@eng.auburn.edu>

Frederic LENS wrote:
>
> One thing I didn't quite understand : I read in a doc somewhere that
> I had to use smbpasswd to add my workstation to the domain (to create
> the SID and UID numbers). The command was : smbpasswd -j ,
> yet smbpasswd tells me that the -j parameter is unknown... After a
> second download of the samba source code (using CVS, asking for the
> BRANCH_NTDOM release), and a successful compilation, it **still**
> didn't work..

You should ask for the main ( head ) branch source code. BRANCH_NTDOM is dead. See question 2.1 in the FAQ.

[Question 6.1] Also the smbpasswd -j is used in conjunction with the new "security = domain" option not yet available in the main distribution. It's in testing stages. See the NT Domain FAQ for more information. It's linked off the main samba site.

Someone else will have to respond to the PAM questions.

Hope this helps,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From william at hae.com Tue Jun 16 15:58:58 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:16 2003
Subject: Authentication of NT users on a LINUX Workstation
In-Reply-To: <358692A9.2BF681F0@eng.auburn.edu>
Message-ID:

Is there a way in CVS to deny anonymous connections on the branch level to prevent unfortunate situations like this?

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."

On Wed, 17 Jun 1998, Gerald Carter wrote:

> Date: Wed, 17 Jun 1998 01:49:18 +1000
> From: Gerald Carter
> To: Multiple recipients of list
> Subject: Re: Authentication of NT users on a LINUX Workstation
>
> Frederic LENS wrote:
> >
> > One thing I didn't quite understand : I read in a doc somehere that
> > I had to use smbpasswd to add my workstation to the domain (to create
> > the SID and UID numbers). The command was : smbpasswd -j ,
> > yet smbpasswd tells me that the -j parameter is unknown... After a
> > second download of the samba source code (using CVS, asking for the
> > BRANCH_NTDOM release), and a successfull compilation, it **still**
> > didn't work..
>
> You should ask for the main ( head ) branch source code. BRANCH_NTDOM
> is dead. See question 2.1 in the FAQ.
>
> [Question 6.1] Also the smbpasswd -j is used in conjunction
> with th new "security = domain" option not yet available in the main
> distribution. It's in testing stages. See the NT Domain FAQ for more
> information. It's linked off the main samba site.
>
> Someone else will have to respond to the PAM questions.
>
> Hope this helps,
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services                        Auburn University
> jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
>                                 - Sting "Message in a Bottle" ( 1979 )
>

From bausch at faw.uni-ulm.de Wed Jun 17 08:40:19 1998
From: bausch at faw.uni-ulm.de (Lars Oliver Bausch)
Date: Tue Dec 2 02:24:16 2003
Subject: Samba and NT DC'S
Message-ID: <358780F3.A2C93A5@faw.uni-ulm.de>

Hi !

I've installed a Samba DC. I want to configure the Samba machine as the PDC, and want to have my old NT-machines as BDCs.

The samba-machine works as PDC. And two NT-machines are BDC.

But if I can't set up the samba-machine as a PDC from the usermanager of the NT-machine, the sync from the samba-DC to the NT-BDC doesn't work. Usermanager prints the error "RPC doesn't run".

Can anyone help me ?

THX
Lars

From cartegw at Eng.Auburn.EDU Wed Jun 17 12:49:26 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Samba and NT DC'S
References: <358780F3.A2C93A5@faw.uni-ulm.de>
Message-ID: <3587BB56.B189F4BF@eng.auburn.edu>

Lars Oliver Bausch wrote:
>
> I've installed a Samba DC. I want to configure the Samba machine as
> the PDC, and want to have my old NT-machines as BDCs.
>
> The samba-machine works as PDC. And two NT-machines are BDC.
>
> But if I can't set up the samba-machine as a PDC from the usermanager
> of the NT-machine, the sync from the samba-DC to the NT-BDC doesn't
> work. Usermanager prints the error "RPC doesn't run".
>
> Can anyone help me ?

Domain Control replication ( read as PDC <-> BDC relationships ) is not currently implemented. See question 1.1 of the NTDOM FAQ for information on what is and is not currently working.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Wed Jun 17 15:09:59 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:16 2003
Subject: Solaris 2.6 and latest NTDOM code
Message-ID: <3587DC47.15E9B9A1@eng.auburn.edu>

Greetings again...

Hopefully I can draw on everyone's experience for this one.

I recently upgraded one of our servers from Solaris 2.5.1 to 2.6. For some insane reason ( actually it was the only time I could ) I decided to update the head branch source as well. That was because I knew the samba update would break all profiles and this was actually the only time I could do it.

So now I am experiencing stability problems on samba. Most seem to be categorized as the second nmbd process dying ( the one that performs the gethostbyname() stuff ). Obviously the Samba PDC is also acting as a WINS server.

Some symptoms on the clients include dropping connections to the server and complaining about an invalid password when trying to reconnect. Let me clarify that I am logged into the NT box, the connection gets dropped and without logging out I try...

  C:\> net use
  Disconnected   H:   \\server\homes

  C:\> net use h: /d
  C:\> net use h: \\server\homes

  ***Incorrect passwd***

You can replace the share in the above example with any valid one you wish. My question is this.

Has anyone experienced similar problems on Solaris 2.6 or is it the current state of the NTDOM code?

Thanks in advance,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From aperrin at demog.Berkeley.EDU Wed Jun 17 15:34:34 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
In-Reply-To: <3587DC47.15E9B9A1@eng.auburn.edu>
Message-ID:

We use it under Solaris 2.6 and have had no problems -- however, our last update from the main branch is ~2 or 3 weeks old. Take from this what you will :).

Andy

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Thu, 18 Jun 1998, Gerald Carter wrote:

> Greetings again...
>
> Hopefully I can draw on everyone's experience for this one.
>
> I recently upgraded one of our servers from Solaris 2.5.1 to 2.6. For
> some insane reason ( actually it was the only time I could ) I decided to
> update the head branch source as well. That was because I knew the samba
> update would break all profiles and this was actually the only time I
> could do it.
>
> So now I am experiencing stability problems on samba. Most seem to be
> categorized as the second nmbd process dying ( the one that performs
> the gethostbyname() stuff ). Obviously the Samba PDC is also acting as a
> WINS server.
>
> Some symptoms on the clients include dropping connections to the server
> and complaining about an invalid password when trying to reconnect. Let
> me clarify that I am logged into the NT box, the connection gets dropped
> and without logging out I try...
>
> C:\> net use
> Disconnected   H:   \\server\homes
>
> C:\> net use h: /d
> C:\> net use h: \\server\homes
>
> ***Incorrect passwd***
>
> You can replace the share in the above example with any valid one you
> wish. My question is this.
>
> Has anyone experienced similar problems on Solaris 2.6 or is it the
> current state of the NTDOM code?
>
> Thanks in advance,
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services                        Auburn University
> jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
>                                 - Sting "Message in a Bottle" ( 1979 )
>

From Dan.Galloway at turner.com Wed Jun 17 16:36:01 1998
From: Dan.Galloway at turner.com (Galloway, Dan)
Date: Tue Dec 2 02:24:17 2003
Subject: problem with joining domain
Message-ID:

I've been trying to set up a samba server to authenticate passwords to an NT domain, specifically to the PDC. I've tried using security=server, and now I'm trying security=domain.

The error I keep getting for security=server is:

  Connecting to 157.166.87.190 at port 139
  connected to password server 157.166.87.190
  write_socket(7,76)
  write_socket(7,76) wrote 76
  Sent session request
  got smb length of 1
  157.166.87.190 rejected the session

This happens on two different domains. The samba server is on a different network subnet than the PDC. The other error I get in the security=server mode is: password server is not connected.

Using security=domain, I get a different error:

  Connecting to 157.166.87.252 at port 139
  write_socket(5,76)
  write_socket(5,76) wrote 76
  Sent session request
  got smb length of 1
  modify_trust_password: machine 157.166.87.252 rejected the session setup. Error was : code 131.
  1998/06/17 11:52:50 : change_trust_account_password: Failed to change password for domain CNN_INTERACTIVE.
  ./smbpasswd: Unable to join domain CNN_INTERACTIVE.

When I use the smb-enabled tcpdump, I get this:

10:00:26.928639 xanadu.33097 > cnnitech1.turner.com.netbios-ssn: S 92202168:92202168(0) win 8760 (DF)
                         4500 002c 95a1 4000 ff06 00c3 9da6 521e
                         9da6 57fc 8149 008b 057e e4b8 0000 0000
                         6002 2238 247c 0000 0204 05b4
10:00:26.930442 cnnitech1.turner.com.netbios-ssn > xanadu.33097: S 276304538:276304538(0) ack 92202169 win 8760 (DF)
                         4500 002c 9a1d 4000 7f06 7c47 9da6 57fc
                         9da6 521e 008b 8149 1078 129a 057e e4b9
                         6012 2238 0159 0000 0204 05b4 0000
10:00:26.930581 xanadu.33097 > cnnitech1.turner.com.netbios-ssn: . ack 1 win 8760 (DF)
                         4500 0028 95a2 4000 ff06 00c6 9da6 521e
                         9da6 57fc 8149 008b 057e e4b9 1078 129b
                         5010 2238 1916 0000
10:00:27.182806 xanadu.33097 > cnnitech1.turner.com.netbios-ssn: P 1:77(76) ack 1 win 8760
>>> NBT Packet
NBT Session Request
Flags=0x81000048
Destination=157 NameType=0x20 (Server)
Source=XAN NameType=0x00 (Workstation)
Data: (4 bytes)
[000] 20 7A 0D 1E   z..
 (DF)
                         4500 0074 95a3 4000 ff06 0079 9da6 521e
                         9da6 57fc 8149 008b 057e e4b9 1078 129b
                         5018 2238 0102 0000 8100 0048 2044 4244
                         4644 4843 4143 4143 4143 4143 4143 4143
                         4143 4143 4143 4143 4143 4143 4100 2046
                         4945 4245 4f45
10:00:27.208402 cnnitech1.turner.com.netbios-ssn > xanadu.33097: FP 1:6(5) ack 77 win 8684
>>> NBT Packet
NBT SessionReject
Flags=0x83000001
Reason=0x82 Called name not present
 (DF)
                         4500 002d 9b1d 4000 7f06 7b46 9da6 57fc
                         9da6 521e 008b 8149 1078 129b 057e e505
                         5019 21ec 1406 0000 8300 0001 8200
10:00:27.208622 xanadu.33097 > cnnitech1.turner.com.netbios-ssn: . ack 7 win 8760 (DF)
                         4500 0028 95a4 4000 ff06 00c4 9da6 521e
                         9da6 57fc 8149 008b 057e e505 1078 12a1
                         5010 2238 18c4 0000
10:00:27.220934 xanadu.33097 > cnnitech1.turner.com.netbios-ssn: F 77:77(0) ack 7 win 8760 (DF)
                         4500 0028 95a5 4000 ff06 00c3 9da6 521e
                         9da6 57fc 8149 008b 057e e505 1078 12a1
                         5011 2238 18c3 0000
10:00:27.222416 cnnitech1.turner.com.netbios-ssn > xanadu.33097: . ack 78 win 8684 (DF)
                         4500 0028 9c1d 4000 7f06 7a4b 9da6 57fc
                         9da6 521e 008b 8149 1078 12a1 057e e506
                         5010 21ec 190f 0000 0000 0000 0000

The part that really gets me is that I can't find a table of NBT errors to look up that 0x82 anywhere. I did get on the PDC and do a nbtstat -a to verify that it knows about the samba server and that it thinks it is a part of the domain.

I'm running samba on a Sparc5, Solaris 2.6.

Thanks in advance for any help.

Dan

From abs at maunsell.co.uk Wed Jun 17 17:06:07 1998
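The table Dan is looking for is the NEGATIVE SESSION RESPONSE error-code list in RFC 1002 section 4.3.4. The decoder below is an added example (not Samba code and not from the thread) that parses NBT session-service packets, including the exact reject bytes in the capture above (83 00 00 01 82); the session request it builds is constructed to match the capture's called name "157" with type 0x20, while the calling name XANADU/0x00 is an assumption since the capture is cut off after "XAN".

```python
"""Decode NetBIOS-over-TCP session-service packets (RFC 1002 section 4.3)."""
import struct

SESSION_MESSAGE = 0x00
SESSION_REQUEST = 0x81
POSITIVE_SESSION_RESPONSE = 0x82
NEGATIVE_SESSION_RESPONSE = 0x83
RETARGET_SESSION_RESPONSE = 0x84
SESSION_KEEP_ALIVE = 0x85

# ERROR_CODE values carried by a NEGATIVE SESSION RESPONSE (RFC 1002 4.3.4).
NEGATIVE_REASONS = {
    0x80: "Not listening on called name",
    0x81: "Not listening for calling name",
    0x82: "Called name not present",
    0x83: "Called name present, but insufficient resources",
    0x8F: "Unspecified error",
}


def encode_nb_name(name, suffix):
    """First-level encode a NetBIOS name: the name is upper-cased and space
    padded to 15 bytes, the 16th byte is the suffix (0x20 server, 0x00
    workstation), and every byte is split into two nibbles written as
    'A' + nibble.  Returned as one 32-byte label with no scope."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(0x41 + (b >> 4))
        label.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"


def decode_nb_name(data, offset=0):
    """Inverse of encode_nb_name.  Returns (name, suffix, offset after the
    name); any scope labels following the 32-byte label are skipped."""
    if data[offset] != 32:
        raise ValueError("expected a 32-byte first-level encoded label")
    label = data[offset + 1:offset + 33]
    raw = bytes((((hi - 0x41) << 4) | (lo - 0x41))
                for hi, lo in zip(label[::2], label[1::2]))
    pos = offset + 33
    while data[pos] != 0:            # length-prefixed scope labels
        pos += 1 + data[pos]
    name = raw[:15].rstrip(b" ").decode("ascii")
    return name, raw[15], pos + 1


def build_session_request(called, called_suffix, calling, calling_suffix):
    """Session request: 4-byte header (type, flags, 16-bit length) followed
    by the encoded called and calling names."""
    body = (encode_nb_name(called, called_suffix)
            + encode_nb_name(calling, calling_suffix))
    return struct.pack(">BBH", SESSION_REQUEST, 0, len(body)) + body


def parse_session_packet(data):
    """Parse one session-service packet into a dict describing it."""
    if len(data) < 4:
        raise ValueError("short session header")
    ptype, flags, length = struct.unpack(">BBH", data[:4])
    length |= (flags & 0x01) << 16     # flags bit 0 is bit 16 of the length
    body = data[4:4 + length]
    if len(body) < length:
        raise ValueError("packet truncated: header claims %d body bytes" % length)
    if ptype == SESSION_REQUEST:
        called, called_sfx, pos = decode_nb_name(body, 0)
        calling, calling_sfx, _ = decode_nb_name(body, pos)
        return {"type": "SESSION REQUEST",
                "called": called, "called_suffix": called_sfx,
                "calling": calling, "calling_suffix": calling_sfx}
    if ptype == NEGATIVE_SESSION_RESPONSE:
        code = body[0]
        return {"type": "NEGATIVE SESSION RESPONSE", "error_code": code,
                "reason": NEGATIVE_REASONS.get(code, "reserved/unknown code")}
    if ptype == POSITIVE_SESSION_RESPONSE:
        return {"type": "POSITIVE SESSION RESPONSE"}
    if ptype == RETARGET_SESSION_RESPONSE:
        ip, port = struct.unpack(">4sH", body[:6])
        return {"type": "RETARGET SESSION RESPONSE",
                "ip": ".".join(str(b) for b in ip), "port": port}
    if ptype == SESSION_MESSAGE:
        return {"type": "SESSION MESSAGE", "length": length}
    if ptype == SESSION_KEEP_ALIVE:
        return {"type": "SESSION KEEP ALIVE"}
    raise ValueError("unknown session packet type 0x%02x" % ptype)


# The reject exactly as captured in the tcpdump output above: 83 00 00 01 82.
CAPTURED_REJECT = bytes.fromhex("8300000182")

# Constructed request modelled on the capture: the called name "157"/0x20 is
# what the dump shows (the first label of the dotted IP given as password
# server, not a name the PDC registered, hence 0x82); the calling name
# XANADU/0x00 is assumed, the capture being cut off after "XAN".
CONSTRUCTED_REQUEST = build_session_request("157", 0x20, "XANADU", 0x00)

if __name__ == "__main__":
    for pkt in (CONSTRUCTED_REQUEST, CAPTURED_REJECT):
        print(parse_session_packet(pkt))
```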
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
In-Reply-To: <3587DC47.15E9B9A1@eng.auburn.edu>; from Gerald Carter on Thu, Jun 18, 1998 at 01:17:16AM +1000
References: <3587DC47.15E9B9A1@eng.auburn.edu>
Message-ID: <19980617180607.53954@maunsell.co.uk>

On Thu, Jun 18, 1998 at 01:17:16AM +1000, Gerald Carter wrote:
>
> Has anyone experienced similar problems on Solaris 2.6 or is it the
> current state of the NTDOM code?

Since you mentioned it, sorry to say I am experiencing stability probs as well, cvs main branch Jun 11 21:33 GMT, hardware/OS unchanged, SS20/Solaris 2.5.1. The PDC stops responding completely most mornings and has to be restarted once or twice to get everyone logged in. Printers are also being dropped I am told, but I haven't had time to investigate any of this yet.

--
Maunsell Ltd, IT Unit, 160 Croydon Road, Beckenham, Kent BR3 4DE, England.
Tel : 0181-663-6565   Fax : 0181-663-6723
Email: abs@maunsell.co.uk -or- abs@maunsl00.demon.co.uk

From cartegw at Eng.Auburn.EDU Wed Jun 17 18:05:31 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
References:
Message-ID: <3588056B.892F004A@eng.auburn.edu>

Andrew Perrin - Demography wrote:
>
> We use it under Solaris 2.6 and have had no problems -- however, our
> last update from the main branch is ~2 or 3 weeks old. Take from this
> what you will :).

What about people running code checked out from 6/13 or later? Any platform...Are there any stability issues with it?

Thanks,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                        Auburn University
jerry@eng.auburn.edu                 http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Wed Jun 17 18:50:04 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:17 2003 Subject: Solaris 2.6 and latest NTDOM code In-Reply-To: <3588056B.892F004A@eng.auburn.edu> Message-ID: On Thu, 18 Jun 1998, Gerald Carter wrote: > Andrew Perrin - Demography wrote: > > > > We use it under Solaris 2.6 and have had no problems -- however, our > > last update from the main branch is ~2 or 3 weeks old. Take from this > > what you will :). > > What about people running code checked out from 6/13 or later? Any > platform...Are there any stability issues with it? > Sorry to respond to my own messages. I have a core dump file and am going to try and track down what's going on. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From abs at maunsell.co.uk Thu Jun 18 16:19:45 1998
From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:17 2003 Subject: Cannot add a printer (NT4SP3 + latest cvs samba) In-Reply-To: ; from Gerald W. Carter on Sun, Jun 14, 1998 at 05:03:25PM -0500 References: <19980614095945.14303@maunsell.co.uk> Message-ID: <19980618171945.63638@maunsell.co.uk> On Sun, Jun 14, 1998 at 05:03:25PM -0500, Gerald W. Carter wrote: > > OK. Here's a quick and dirty fix. The NT box needs to be coaxed to back > down from the MSRPC calls to use the LanMan calls. Add the printer > locally but connect it to the LanMan port which you have created ( rather > than LPT1: ) > > To create the LanMan port, modify the following registry script for your > site and import it... > > [script snipped] > > You may have to reboot the NT machine to get these ports to show up. I > have tried this and it seems to work. Let me know how it goes. If it is > an acceptable solution, then I will add it to the FAQ for now. Yup, that cracked it. I do have to reboot, but that is trivial compared to the time this will save me in the coming weeks, thanks. -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk From caesmb at lab2.cc.wmich.edu Thu Jun 18 20:18:14 1998
From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin) Date: Tue Dec 2 02:24:17 2003 Subject: Trust relationships, sort of Message-ID: Hello, Slowly, very slowly, we're finding ways to get samba to fit our needs around here, but we are constantly running into problems where I as a lab manager would like to be able to administer things like machine accounts and shares and such. This cannot be done easily because we are using the campus account database for logins, and as such (understandably) the administrators of that system don't want me to be able to edit the smb.conf file (because of that little root preexec thing). NT has a solution to things like this called trust relationships. Now, I know you don't have trust relationships functioning yet, but as a stepping stone, how hard would it be to code in pseudo trust relationships between samba servers? Maybe using something like a combo of PDC functionality with a "password server" style command. Basically, if a user isn't a member of the domain, try against another domain (more or less just forward the request as a domain member similar to if you were using security = domain). I'm just curious if this would be easy to implement or not, because I know true trust relationships are too far off to start begging for just yet... :) Kevin From joseph at cheek.com Thu Jun 18 20:44:19 1998
From: joseph at cheek.com (Joseph Cheek) Date: Tue Dec 2 02:24:17 2003 Subject: Trust relationships, sort of Message-ID: <000f01bd9af9$dea74400$2f151fac@ntdev.microsoft.com> trust relationships are such a hassle with a large number of domains. is there any type of multi-domain relationship model we can implement that's better than trust relationships? i get the feeling that ms just made trust relationships as a bandaid to the entire single-signon/single point of authentication problem. there have got to be better solutions. any ideas? joe -- Joseph Cheek, Director, Cheek Consulting Computer Network Solutions -- NetWare, Linux, and Internet consulting Novell and Caldera partners, supporter of Linux in business joseph@cheek.com, http://www.cheek.com/, (206) 282-2892 -----Original Message----- 
From: CAE Samba Admin To: Multiple recipients of list Date: Thursday, June 18, 1998 1:26 PM Subject: Trust relationships, sort of > >Hello, > > Slowly, very slowly, we're finding ways to get samba to fit our >needs around here, but we are constantly running into problems where I as >a lab manager would like to be able to administer things like machine >accounts and shares and such. This cannot be done easily because we >are using the campus account database for logins, and as such >(understandably) the administrators of that system don't want me to be >able to edit the smb.conf file (because of that little root preexec thing). > NT has a solution to things like this called trust relationships. >Now, I know you don't have trust relationships functioning yet, but as a >stepping stone, how hard would it be to code in pseudo trust relationships >between samba servers? Maybe using something like a combo of PDC >functionality with a "password server" style command. Basically, if a >user isn't a member of the domain, try against another domain (more or >less just forward the request as a domain member similar to if you were >using security = domain). > I'm just curious if this would be easy to implement or not, >because I know true trust relationships are too far off to start begging >for just yet... :) > >Kevin > > > From Jean-Francois.Micouleau at utc.fr Thu Jun 18 21:04:03 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:17 2003 Subject: Trust relationships, sort of In-Reply-To: <000f01bd9af9$dea74400$2f151fac@ntdev.microsoft.com> Message-ID: On Fri, 19 Jun 1998, Joseph Cheek wrote: > trust relationships are such a hassle with a large number of domains. is > there any type of multi-domain relationship model we can implement that's > better than trust relationships? i get the feeling that ms just made trust > relationships as a bandaid to the entire single-signon/single point of > authentication problem. there have got to be better solutions. any ideas? take a look at NT 5.0: www.microsoft.com/NTServer/Basics/TechPapers/default.asp They will do hierarchy relationships using Active Directory. Now guess why samba will support LDAP ? Active Directory is using an ldap server as backend. J.F. ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" ----------------------------------------------------------- From william at hae.com Thu Jun 18 21:15:38 1998 From: william at hae.com (William Stuart) Date: Tue Dec 2 02:24:17 2003 Subject: Trust relationships, sort of In-Reply-To: Message-ID: Gee, Wouldn't it be great if SAMBA could implement ActiveDirectory and release it before NT 5.0? --- William Stuart (william@hae.com) "If Netscape is giving their software away, how do they make money?" "Volume." On Fri, 19 Jun 1998, Jean-Francois Micouleau wrote: > Date: Fri, 19 Jun 1998 07:05:42 +1000 
> From: Jean-Francois Micouleau > To: Multiple recipients of list > Subject: Re: Trust relationships, sort of > > On Fri, 19 Jun 1998, Joseph Cheek wrote: > > > trust relationships are such a hassle with a large number of domains. is > > there any type of multi-domain relationship model we can implement that's > > better than trust relationships? i get the feeling that ms just made trust > > relationships as a bandaid to the entire single-signon/single point of > > authentication problem. there have got to be better solutions. any ideas? > > take a look at NT 5.0: www.microsoft.com/NTServer/Basics/TechPapers/default.asp > > They will do hierarchy relationships using Active Directory. Now guess why > samba will support LDAP ? Active Directory is using an ldap server as > backend. > > J.F. > > ----------------------------------------------------------- > Pinky: "What are we going to do tonight, Brain?" > Brain: "The same thing we do every night, Pinky : > try to install Windows NT !" > ----------------------------------------------------------- > > From tavis at mahler.econ.columbia.edu Thu Jun 18 22:52:46 1998 
From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:24:17 2003 Subject: Combining passwd programs In-Reply-To: <000f01bd9af9$dea74400$2f151fac@ntdev.microsoft.com> Message-ID: A couple of us have been talking about writing a passwd binary that would basically take the smbpasswd.c program and add a routine to change the Unix password right after the one that changes the smbpasswd file. The only trouble is, in order to change the Unix password, as far as I know the program has to be run setuid root. I remember that smbpasswd was changed recently so that it didn't have to be run this way (in fact it couldn't but that's easy enough to comment out of the code). My question for ye wise ones: Are there any particular security holes created by running the smb password-changing routine as setuid root that aren't created by running other programs (e.g., Unix passwd) as setuid root? Thanks for your help, Tavis From Jean-Francois.Micouleau at utc.fr Thu Jun 18 23:56:12 1998 
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:17 2003 Subject: Combining passwd programs In-Reply-To: Message-ID: On Fri, 19 Jun 1998, Tavis Barr wrote: > A couple of us have been talking about writing a passwd binary that would > basically take the smbpasswd.c program and add a routine to change the > Unix password right after the one that changes the smbpasswd file. That's already done. It's not smbclient which changes the Unix password but smbd itself. Take a look at the 'unix password sync' option > > The only trouble is, in order to change the Unix password, as far as I know > the program has to be run setuid root. Because usually root doesn't have to type the old password in clear-text form when changing a user's password > I remember that smbpasswd was > changed recently so that it didn't have to be run this way (in fact it > couldn't but that's easy enough to comment out of the code). My question > for ye wise ones: Are there any particular security holes created by running > the smb password-changing routine as setuid root that aren't created by > running other programs (e.g., Unix passwd) as setuid root? > J.F. ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" ----------------------------------------------------------- From Monscheuer at t-online.de Thu Jun 18 22:50:51 1998
From: Monscheuer at t-online.de (Monscheuer@t-online.de) Date: Tue Dec 2 02:24:17 2003 Subject: Does NT4.0 recognize SAMBA domain controllers ? Message-ID: <898210251.250000.MONSCHEUER@T-Online.de> Hello ! I need some help to get rid of NT4.0 saying "unable to locate domain controller" when attempting to change a PC from a workgroup's member to a domain's member. I've been trying to setup Samba 1.8.19p8 (?, well, the latest one dated as of June, 13th) as a NT primary domain controller on a SUN Sparc5 running Solaris 2.5.1 during the last days and basically Samba behaves excellent as for mounting drives and similar. But now I also need its PDC functionality to serve the PCs running NT4.0 At this point I perhaps should mention that I'm an alien from a galaxy called DEC, planet VAX, where the people do speak VMS. Foreign language taught at school there was *nix. And they never told us about Samba ... Say I'm really new to this. So please forgive me in case I'll make some unintelligible assumptions or unintentionally will give incomplete descriptions of the problems I'm experiencing. Please tell me what you need to know to point me at a solution. Ah yes, and please be aware that I have to retranslate all these (horrible) German NT messages and the German NT GUI terms... So don't be surprised if "my" NT messages/terms don't exactly match what you are probably used to. Back to the original topic: The PCs running NT4.0 can't be changed to become a member of an existing domain. "Cannot find the domain controller" is what NT4.0 always is coming up with. Nevertheless, I think I have setup Samba and the SUN box as well as the PCs almost correctly - for a simple reason: The related logfiles (tried loglevels from 4 to 20) in /var/smb on the SUN show the negotiations between the PCs and the SUN (or more precisely between NT and Samba) when I'm trying to make a PC a member of a domain (network setup -> identification card -> change -> domain -> enter name -> OK).
The logfile shows someone/some process logging in to the SUN (or the Samba server ?), changing dirs and the like. All of this seems to work like a charm when the PC attempts to contact the domain controller. But then, it fails. For no reason which is obvious to me (ok, that's why I'm asking here ;-). At a particular point in the negotiations for making a NTws a domain's member a list of machines is showing up in /var/smb/log.pc_name Unfortunately, I'm not in the position to rate this list and whether there's anything wrong with the machines' setups. The machine in question running SAMBA appears twice in this list (if memory serves [no pun intended ;-)], I'm at home now and can't access the boxes at work): s: dom mismatch S066223 80001000 S066223 TEC223 **SV** S066223 59b09 Samba 1.8.19p8 TEC223 ... ... I'm not sure that 59b09 in the 3rd column on the line beginning with **SV** is correct, but at least it looks similar to this value. It's the only value in the 3rd column which is different to all the other lines (about 25) which are 80001000 in this place. What exactly does each single column mean ? What exactly does **SV** mean ? Why does the same machine (NT is trying to identify as the PDC) appear twice ? What's the exact difference between these two lines ? Am I right guessing that "dom mismatch" means "domain mismatch" ? Is anything wrong with this list or with the machines' setup respectively ? You see, I'm pretty clueless and I'm trying to find a point to start from to track down the problem. If a complete logfile of such an attempt to turn a NT box into a domain's member is of any interest, just drop me a line.
There is yet another "interesting" behaviour with NT4.0 (at least here): - Fire up your NT explorer - Click on "network environment", then "complete network" - Choose one of the domains being displayed (might need to choose M$ network before, too) - Move your pointer to a machine in the domain you just selected and press the right mouse button, then select "properties" (may need to "connect" to this machine first). What does the card coming up on your NT box say regarding the computer's domain ? Is the domain's name correct ? Here it is not. Only the first three characters of the domain name are being displayed when asking NT to display the properties of a machine (having remote control enabled) running Samba (configured to be a PDC). A domain called GENERIC is displayed to have the name GEN or a domain called ALLG025 is displayed to have the name ALL... Is there anything I can do to find the reason for this behaviour ? Is this just a minor "NT display bug" or is this perhaps the culprit why trying to turn a NT4.0 box into a domain member does miserably fail ? It's somewhat strange that all names are truncated to 3 chars here. Again, I'm pretty clueless and so any insights are most welcome. TIA and best regards ! Michael Monscheuer Voice +49 4122 8083 Monscheuer@t-online.de Stadtkoppelweg 1 +49 171 5107677 Monscheuer@decus.decus.de D-25436 Moorrege Fax +49 4122 82637 monscheu@tc-wedel.de -------------------------------------------------------------------------- This message brought to you from an entirely Micro$oft free system From BARTH at cck.uni-kl.de Fri Jun 19 09:53:55 1998
From: BARTH at cck.uni-kl.de (Christian Barth) Date: Tue Dec 2 02:24:17 2003 Subject: Which Linux? or Solaris 2.6 x86 ? Message-ID: <13319D2D72@novell-fbk1.mv.uni-kl.de> Hello! Currently we are planning the new server for our lab. It will be a PC-based system serving files, printers, mail, .. to two workstations (sparc clones with SunOS 4.1.3 and Solaris 2.4) and about 20 PC's mainly with NT4SP3, but there are also some DOS / WfW3.11 PC's left. We are planning to set up a Samba PDC. (Thanks for your good work!) Now there is the question of the OS for our new server. Basically we have to choose between Linux and Solaris 2.6 x86. If we decide for Linux we have to choose a distribution, ... (Currently we are using Slackware-Linux to get cheap X-Terminals) What would you prefer? What things have to be taken care of? What has to be avoided? Any comments? (Maybe this is not the right list for this question, but I enjoy reading this list) Thanks Christian _____________________________________________________________________ Christian Barth University of Kaiserslautern, Germany Institute for manufacturing and production engineering Postfach 3049, 67655 Kaiserslautern, Germany Phone ..49/631/205-2872, Fax ..49/631/205-3238, email barth@cck.uni-kl.de From daniel at med.up.pt Fri Jun 19 10:36:55 1998
From: daniel at med.up.pt (Daniel Fonseca) Date: Tue Dec 2 02:24:17 2003 Subject: Which Linux? or Solaris 2.6 x86 ? In-Reply-To: <13319D2D72@novell-fbk1.mv.uni-kl.de> Message-ID: On Fri, 19 Jun 1998, Christian Barth wrote: > What would you prefer? I prefer Slackware (3.5 is out) for Servers and the lot and RedHat (5.1 out too) for personal use. > What things have to be taken care of? If you're familiar with Unix families and SysV plus BSD stuff you won't have any problems, I think. > What has to be avoided? Drinking and eating while working in front of your screen over the keyboard :-) > (May be this is not the right list for this question, but I enjoy > reading this list) You're right, I just took some time while waiting for a compile, to answer you and maybe spare someone else. Hope to help, Daniel Fonseca - SysAdmin for Oporto Med School http://www.med.up.pt From heinig at hdz-ima.rwth-aachen.de Fri Jun 19 15:18:56 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig) Date: Tue Dec 2 02:24:17 2003 Subject: Which Linux? or Solaris 2.6 x86 ? References: <13319D2D72@novell-fbk1.mv.uni-kl.de> Message-ID: <358A815F.5E76B463@hdz-ima.rwth-aachen.de> Christian Barth wrote: > Hello! > > Currently we are planning the new server for our lab. It will be a > PC-based system serving files, printers, mail, .. to two workstations > (sparc clones with SunOS 4.1.3 and Solaris 2.4) and about 20 PC's > mainly with NT4SP3, but there are also some DOS / WfW3.11 PC's left. > We are planning to set up a Samba PDC. (Thanks for your good work!) > > Now there is the question of the OS for our new server. Basically we > have to choose between Linux and Solaris 2.6 x86. If we decide for > Linux we have to choose a distribution, ... > (Currently we are using Slackware-Linux to get cheap X-Terminals) Why don't you use one of the SPARC clones as a server? Those sort of machines are usually rather well built and generally have fewer hardware problems than a PC system (at least in our experience...). As far as I'm concerned, using a SPARC clone as server would be the only major argument for Solaris, and since you're not planning on doing that, I'd use either Linux or FreeBSD. > What would you prefer? *Personally*, FreeBSD. This is a purely religious point, however, so please, no flames. I'd be just as happy with Linux...The reason for this choice lies in my hitherto *excellent* experience of Linux/FreeBSD technical support: if you ever have a problem with the system itself, there's ALWAYS someone who knows what's wrong. The Linux hacker/guru community is enormous and expanding by the day and is unconstrained by issues of time, company policy and license terms. In other words, someone will always help you, and very often it will be the best help you can get: from the developer himself (as is the case with Samba). > What things have to be taken care of?
One issue that springs to mind is disk space: we use disk quotas for our system, to prevent one user overflowing the filesystem. That is incidentally one point that speaks for Solaris: I *know* disk quotas work under Solaris. If you're planning on using quotas, check whether they're reliable under Linux. > What has to be avoided? Putting the coffee machine next to the keyboard. Computers don't like coffee.... :-) :-) > Any comments? As long as you don't go out and buy NT server, I'll stay polite. :-) :-) Good luck & have fun. Gerald From allan at rm117-2.aste.usu.edu Fri Jun 19 09:38:47 1998 From: allan at rm117-2.aste.usu.edu (Allan K. Neal) Date: Tue Dec 2 02:24:17 2003 Subject: subscribe Message-ID: subscribe From epp at clrtech.bc.ca Sat Jun 20 00:05:40 1998
From: epp at clrtech.bc.ca (Paul Epp) Date: Tue Dec 2 02:24:17 2003 Subject: Win95 Not Using Encrypted Passwords Message-ID: I'm currently working on setting up a samba based cdrom tower. I am using domain based authentication. Note this cdrom server isn't running as a domain controller, it's simply a member of the NT domain. My problem is I cannot get windows 95 machines to access the shares on my cdrom tower because all authentication with the password server is failing with a NT_STATUS_WRONG_PASSWORD. I think one of the main problems is that the windows 95 machine isn't sending the passwords to the samba machine as encrypted passwords (hence the domain_client_validate: User passwords not in encrypted format.) while the NT clients are sending the passwords in encrypted format. From the quick look at the code around that error message it looks like the samba server is then encrypting the password before it tries to compare it using the password server. If I hack smbclient to not use encrypted passwords I get the same results. Does anybody have domain level authentication working browsing from both NT and Win95?? Thanks, hope somebody can help me out. Paul Epp ----------------------------- Here's a log output: 1998/06/19 13:52:26 Transaction 3 of length 169 switch message SMBsesssetupX (pid 6174) Domain=[CSC-PAC-SCC] NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] sesssetupX:name=[PAC_TEST] Trying username pac_tesT Trying username pac_tesT domain_client_validate: User passwords not in encrypted format. resolve_name: Attempting lmhosts lookup for name S80102ABOTSFORD startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts.
Error was No such file or directory resolve_name: Attempting host lookup for name S80102ABOTSFORD resolve_name: Attempting wins lookup for name S80102ABOTSFORD<0x20> bind succeeded on port 0 Got a positive name query response from 172.22.5.19 ( 172.22.5.19 ) Connecting to 172.22.5.19 at port 139 cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD domain_client_validate: unable to validate password for user pac_test in domain CSC-PAC-SCC to Domain controller S80102ABOTSFORD. Error was NT_STATUS_WRONG_PASSWORD. Trying username pac_tesT Trying username pac_tesT Couldn't find user pac_test 1998/06/19 13:52:28 error packet at line 685 cmd=115 (SMBsesssetupX) eclass=2 ecode=2 error string = Connection refused end of file from client Closing connections 1998/06/19 13:52:29 Server exit (normal exit) From jallison at whistle.com Sat Jun 20 07:57:52 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:17 2003 Subject: Solaris 2.6 and latest NTDOM code References: <3587DC47.15E9B9A1@eng.auburn.edu> Message-ID: <358B6B80.64657BB3@whistle.com> Gerald Carter wrote: > > So now I am experiencing stability problems on samba. Most seems to be > categorized as the second nmbd process dying ( the one that performs > the gethostbyname() stuff ). Obviously the Samba PDC is also acting as a > WINS server. > Core dumps anywhere ? Log traces ? It seems to work fine for me but I don't stress it as much as you. I won't be able to reply to this properly until next Thursday when I'm (officially) back at work, rather than just answering email, sorry. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From lkcl at switchboard.net Mon Jun 22 15:11:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:17 2003 Subject: pam_smb_passwd-0.1 . . . In-Reply-To: <13709.49724.594248.226589@canterbury.cps.msu.edu> Message-ID: message forwarded to samba-technical and samba-ntdom. > It isn't really ready for production yet, but, in the hopes it might > save someone else from having to duplicate my work (and considering > what little time I'll have in the coming weeks to work on it :-) ... [cathedral/bazaar] thanks, john, for mentioning this. i hate it when several people write identical code. > I've written a PAM passwd module (based on pam_ntdom, pam_smbpass, and > samba) to change users passwords on SMB servers (over the network). exactly how is this achieved? > I've only tested it against a samba server, and it currently only > works on Redhat 5.x (if you're interested, it does compile under > Solaris 2.6, but pam_get_item doesn't return PAM_OLDAUTHTOK to me > correctly after the PRELIM) but pam_smb_passwd-0.1 is available from: > > http://www.cse.msu.edu/~lanejohn/en/hacks/pam_smb_passwd-0.1.tar.gz > > Being that 90+% of it is GPL'd code, it is GPL'd itself, and I, of > course, take no responsibility for what damage it does to you or your > systems, etc. > > jrl. > > System Manager > Department of Computer Science > Michigan State University From lanejohn at cps.msu.edu Mon Jun 22 19:51:36 1998
From: lanejohn at cps.msu.edu (John R Lane) Date: Tue Dec 2 02:24:17 2003 Subject: pam_smb_passwd-0.1 . . . In-Reply-To: References: <13709.49724.594248.226589@canterbury.cps.msu.edu> Message-ID: <13710.45304.314881.309350@canterbury.cps.msu.edu> >> I've written a PAM passwd module (based on pam_ntdom, >> pam_smbpass, and samba) to change users passwords on SMB >> servers (over the network). Luke> exactly how is this achieved? Since samba release 1.9.17 (?), samba has included support for password changes on SMB servers -- specifically via the cli_oem_change_password() function. I simply took the necessary stuff out of samba to make this function (and this one only) work, took code from pam_smbpass to change passwords and essentially altered it to work around this samba function. My intention was to have it bundled with Luke's pam_ntdom, but it isn't DCE/RPC -based (correct me if I'm wrong) as the rest of the pam_ntdom stuff is (or so I believe), and the current pam_ntdom code base doesn't support the cli_oem_change_password() function (though it is supposed to soon), so this had to wait. jrl. From gemelli at sssup.it Tue Jun 23 08:29:14 1998
From: gemelli at sssup.it (Paolo Bizzarri) Date: Tue Dec 2 02:24:17 2003 Subject: Article on PPTP protocol cryptoanalysis Message-ID: <358F675A.73A6E980@sssup.it> Hi everyone, it seems that no one has pointed out the recent paper by Bruce Schneier and Peter Mudge "Cryptanalysis of Microsoft Point to Point Tunneling Protocol" it is quite interesting, as it describes in detail the problems related to NT authentication. However, it doesn't seem to cite any of the work of Samba team (however, L0phtcrack is cited). Moreover, I don't fully understand the relationship between the protocols described there and the protocols used inside SAMBA. For anyone interested, the address for the paper is http://www.counterpane.com/pptp-paper.html Paolo -- Paolo Bizzarri Retis Lab. Scuola Superiore S. Anna 56100 Pisa, Italy Tel: +39 50 883 450 E-Mail: gemelli@sssup.it From mhaigh at village.vut.edu.au Wed Jun 24 12:56:12 1998 From: mhaigh at village.vut.edu.au (Mick Haigh) Date: Tue Dec 2 02:24:17 2003 Subject: Internal error with domain login Message-ID: <3590F76C.E9A02FA8@village.vut.edu.au> Hiya everyone. I guess this isn't something that causes much concern, since it doesn't happen very often. When I try to log in to a domain as a user that has an invalidated password (32 Xs) Samba gets an internal error. I haven't really had a hard look at why it might be doing that as yet, but I thought I'd make you aware of the problem and ask if anyone has had similar problems. I am using an NT4.0 SP3 workstation and Samba code checked out of the main branch on July 17 (and as many versions as I can remember before that). If anyone wants a look at some log files, let me know. Have fun. Mick From louis.botha at cs.up.ac.za Wed Jun 24 13:24:32 1998
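The threads above on combining passwd programs (why smbpasswd needs privilege), on Win95 clients sending passwords "not in encrypted format", on the Schneier/Mudge PPTP paper, and on the crash with an invalidated password (32 Xs) all turn on one object: the NT hash that Samba keeps in the smbpasswd file. The block below is an added example written for this archive page; it is not Samba source and none of the posters wrote it. It computes the NT hash (MD4 over the UTF-16LE password, no salt) with a pure-Python MD4, because hashlib's md4 is often missing, formats and parses the smbpasswd line layout (user:uid:LMHASH:NTHASH:[flags]:LCT-time:), and shows a check routine that refuses an X-filled or disabled entry instead of comparing against it. The LM hash field is left as 32 X's throughout since the example only computes the NT hash; the user names and uids are made up.

```python
"""NT hash and Samba smbpasswd entries, with a pure-Python MD4.

Added example for this archive page; not Samba source. The NT hash is MD4 over
the UTF-16LE password with no salt, so two users with the same password share a
hash and the hash alone is enough to authenticate. The smbpasswd file is
therefore as sensitive as a plaintext password list: only root may read it, and
the program that rewrites it must be privileged.
"""
from __future__ import annotations

import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is frequently unavailable."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rotl(a + func(b, c, d) + x[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate roles: next step updates old d
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it: uppercase hex of MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex().upper()


INVALID_HASH = "X" * 32   # Samba's marker for a hash field that holds no usable hash


def make_smbpasswd_entry(user: str, uid: int, password: str | None, lct: int = 0) -> str:
    """Format one smbpasswd line: user:uid:LMHASH:NTHASH:[flags]:LCT-<hex time>:

    The LM field is left invalid (this example computes only the NT hash). A None
    password writes 32 X's into the NT field and marks the account disabled [UD]."""
    nt = INVALID_HASH if password is None else nt_hash(password)
    flags = "UD" if password is None else "U"
    return f"{user}:{uid}:{INVALID_HASH}:{nt}:[{flags:<11}]:LCT-{lct:08X}:"


def parse_smbpasswd_entry(line: str) -> dict:
    """Split a line into its fields and reject hash fields of the wrong shape."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("smbpasswd line needs at least 5 colon-separated fields")
    user, uid, lm, nt = fields[0], int(fields[1]), fields[2].upper(), fields[3].upper()
    flags = fields[4].strip("[] ") if fields[4].startswith("[") else ""
    for label, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32 or any(ch not in "0123456789ABCDEFX" for ch in value):
            raise ValueError(f"{label} hash field is not 32 hex digits or X's")
    return {"user": user, "uid": uid, "lm_hash": lm, "nt_hash": nt, "flags": flags}


def check_password(entry: dict, password: str) -> bool:
    """Accept only when the account is enabled, holds a real NT hash, and the hash
    of the offered password matches. An X-filled or '*' field never matches and is
    never hashed against, so an invalidated account cannot be opened by guessing."""
    if "D" in entry["flags"] or entry["nt_hash"].startswith(("X", "*")):
        return False
    return nt_hash(password) == entry["nt_hash"]


if __name__ == "__main__":
    # Constructed sample accounts; names and uids are made up for the example.
    for line in (make_smbpasswd_entry("tavis", 1001, "password"),
                 make_smbpasswd_entry("mick", 1002, None)):
        print(line)
```

Two things fall out of the code. The NT hash of "password" is always 8846F7EAEE8FB117AD06BDD830B7586C, on every server and for every user, which is why a readable smbpasswd file (or a setuid helper that can be tricked into writing one) is equivalent to a plaintext password list. And unlike the LM hash, the NT hash is case sensitive, so "Password" and "password" do not collide.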
From: louis.botha at cs.up.ac.za (louis.botha@cs.up.ac.za) Date: Tue Dec 2 02:24:17 2003 Subject: Samba PDC & NT domain logons Message-ID: <199806241324.PAA29450@pobox.cs.up.ac.za> Hi all, When I try to log in to a Samba PDC from an NT4SP3 workstation with a valid username but an invalid password, I get logged into the machine (but obviously not the shares). I compiled in the ARCFOUR code from ssh-1.2.22 (ie. used the -DUSE_ARCFOUR_FROM_SSH_SOURCE define and arcfour.o from the ssh source). Surely once I have compiled in the ARCFOUR encryption I should not be logged in to the workstation if I provide an incorrect password? Or did I misunderstand the docs? My source tree is the current CVS tree (23 June). The same behavior occurs both on Solaris 2.6 with gcc 2.7.2.3 and Linux 2.0.33 with gcc 2.7.2.1. Attached is my modified Makefile, showing my modified bits. I suppose what I need to know is whether my reasoning is correct, before I start spending hours debugging the SMB code :-) Louis -- ----------------------------------------------------------------------- Louis Botha Computer Science Department louis.botha@cs.up.ac.za University of Pretoria Tel: +27-12-420-3617 Pretoria Cell: +27-82-924-4616 South Africa http://www.cs.up.ac.za/~lbotha -----------------------------------------------------------------------
-------------- next part --------------
# This is for SUNOS5.4 and later (also known as Solaris 2.4 and later)
# contributed by Andrew.Tridgell@anu.edu.au
CC=gcc
FLAGSM = -DSUNOS5 -DSHADOW_PWD -DNETGROUP -DFAST_SHARE_MODES -DUSE_ARCFOUR_FROM_SSH_SOURCE
LIBSM = -lsocket -lnsl -L"./ssh-1.2.22/"
AWK = nawk
# ARCFOUR_OBJ = ./ssh-1.2.22/arcfour.o
From lkcl at switchboard.net Wed Jun 24 18:06:41 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:17 2003
Subject: SPAM: Important Legislative Alert (fwd)
Message-ID:

this has serious ramifications for the "nt domains for unix" project.

luke.

---------- Forwarded message ----------
Date: Tue, 23 Jun 1998 13:25:57 -0500
From: Simple Nomad
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: SPAM: Important Legislative Alert

June 23rd, 1998 - The World Intellectual Property Organization treaty has already passed the US Senate and is close to passing in the House. The treaty would make it illegal, with extremely stiff penalties, to break security schemes without the permission of the company that makes the product.

Programs like Pandora would be made illegal. People could not publish vulnerabilities in products and encryption schemes, as done by NMRC in the Hack FAQs. We would go back to the days of security vulnerabilities only circulating in the underground as mailing lists like Bugtraq, NTBugtraq, and Netware Hack are made illegal.

Even products such as Net Nanny and CyberPatrol, which "bypass technology" by reverse engineering how various products work, would become illegal. Technically you could not refuse a cookie from a web site, so web sites would be allowed to write files directly to your hard drive and you couldn't do a damn thing about it.

This is plain and simple security through obscurity. Intellectual property owners are using the legal system to protect their products instead of the tried and true method of open systems and public review.

How will we know if anything is secure if all the "white papers" and reports on a system's security are paid for by the manufacturers only? Unbiased, "Consumer Reports-like" groups will be outlawed. Say goodbye to NMRC, L0pht, Counterpane, and any consulting firm that does security assessment of commercial software.

In addition, you will not be able to "quote" information from the Internet without written permission. For example, I lifted the bulk of this text from www.l0pht.com and re-edited it -- and under this proposed legislation this would be illegal without getting written permission. Reporters would be unable to "lift" quotes, students would be unable to "lift" research material, and you would be unable to "lift" security info for detailed reports without gaining the author's permission. This is NOT the way the print media operates -- this could impact everyone you know. Imagine pulling CD-ROMs from libraries and computers from elementary schools. H.R. 2281 passes and you have started down this path running.

The Nomad Mobile Research Centre is vehemently opposed to this proposed treaty. It has serious freedom of speech implications. It also gives companies a license to produce shoddy, inadequate systems without fear of exposure. Call your House Representative today and voice your concerns.

         .o.
Simple Nomad          .oOo.  Data warrior, knowledge hunter/gatherer
www.nmrc.org          .oOo.  thegnome@nmrc.org
         .o.

From scrappy at hub.org Wed Jun 24 18:23:55 1998
From: scrappy at hub.org (The Hermit Hacker)
Date: Tue Dec 2 02:24:17 2003
Subject: SPAM: Important Legislative Alert (fwd)
In-Reply-To:
Message-ID:

On Thu, 25 Jun 1998, Luke Kenneth Casson Leighton wrote:

> this has serious ramifications for the "nt domains for unix" project.
> luke.
>
> ---------- Forwarded message ----------
> Date: Tue, 23 Jun 1998 13:25:57 -0500
> From: Simple Nomad
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: SPAM: Important Legislative Alert
>
> June 23rd, 1998 - The World Intellectual Property Organization treaty has
> already passed the US Senate and is close to passing in the House. The
> treaty would make it illegal, with extremely stiff penalties, to break
> security schemes without the permission of the company that makes the
> product.

How would this affect products written and maintained outside of the US? It's a US law, but what are its international ramifications?

From cartegw at Eng.Auburn.EDU Wed Jun 24 18:25:53 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:17 2003
Subject: Samba PDC & NT domain logons
References: <199806241324.PAA29450@pobox.cs.up.ac.za>
Message-ID: <359144B1.47AACA1F@eng.auburn.edu>

louis.botha@cs.up.ac.za wrote:
>
> Hi all,
>
> When I try to log in to a Samba PDC from an NT4SP3 workstation with a
> valid username but an invalid password, I get logged into the machine
> (but obviously not the shares). I compiled in the ARCFOUR code from
> ssh-1.2.22 (ie. used the -DUSE_ARCFOUR_FROM_SSH_SOURCE define and
> arcfour.o from the ssh source).

This is unnecessary in the main branch code which you should be using. Sounds like you grabbed BRANCH_NTDOM. See the NTDOM FAQ for current instructions.

> Surely once I have compiled in the ARCFOUR encryption I should not be
> logged in to the workstation if I provide an incorrect password? Or
> did I misunderstand the docs?
>
> My source tree is the current CVS tree (23 June). The same behavior
> occurs both on Solaris 2.6 with gcc 2.7.2.3 and Linux 2.0.33 with gcc
> 2.7.2.1. Attached is my modified Makefile, showing my modified bits.
>
> I suppose what I need to know is whether my reasoning is correct,
> before I start spending hours debugging the SMB code :-)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                          Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Wed Jun 24 18:47:40 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:17 2003
Subject: SPAM: Important Legislative Alert (fwd)
In-Reply-To:
Message-ID:

On Wed, 24 Jun 1998, The Hermit Hacker wrote:

> On Thu, 25 Jun 1998, Luke Kenneth Casson Leighton wrote:
>
> > this has serious ramifications for the "nt domains for unix" project.
> > luke.
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 23 Jun 1998 13:25:57 -0500
> > From: Simple Nomad
> > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> > Subject: SPAM: Important Legislative Alert
> >
> > June 23rd, 1998 - The World Intellectual Property Organization treaty has
> > already passed the US Senate and is close to passing in the House. The
> > treaty would make it illegal, with extremely stiff penalties, to break
> > security schemes without the permission of the company that makes the
> > product.
>
> How would this affect products written and maintained outside of the US?
> Its a US law, but what are its international remifaications?

i imagine that a number of things may potentially occur, which means that we are ahead of the game and can deal with them (or get this law stopped).

1) people in the u.s who want to use samba won't, because despite a possible misunderstanding of this law and its implications, the fact that there's anything at all going "wrong" may discourage them from using samba. "dang, one of the people that wrote samba is a law-breaker: i'm not having anything to do with it".

2) mirror sites inside the u.s may be requested to remove their copies of samba, as it contains "illegal" code. this is not insurmountable: a separate library, like the libdes one, could be stored on a server which does not have this law.

3) people wishing to work on samba (e.g me) will not be able to go to the states, for fear of being arrested if i set foot inside the u.s. anyone wishing to improve samba will not be able to either work from or live in the u.s.

hm.

luke

From mblack at csihq.com Wed Jun 24 18:51:36 1998
From: mblack at csihq.com (Mike Black)
Date: Tue Dec 2 02:24:17 2003
Subject: SPAM: Important Legislative Alert (fwd)
Message-ID: <020401bd9fa1$1df4dea0$32de11cc@mblack.csihq.com>

Sounds a little paranoid to me...and I quote from H.R. 2281:

Re: http://thomas.loc.gov/cgi-bin/query/D?c105:1:./temp/~c105ALwm9K:e9304:

    Sec. 1201. Circumvention of copyright protection systems

    `(a) VIOLATIONS REGARDING CIRCUMVENTION OF TECHNOLOGICAL PROTECTION
    MEASURES- (1) No person shall circumvent a technological protection
    measure that effectively controls access to a work protected under
    this title

This is talking about bypassing a copyright protection scheme with the sole purpose of doing so. So, things like:

#1 - Video copier that can copy protected tapes -- has no other real purpose.
#2 - Disk copier that can copy copy-protected disks -- has no other real purpose.

This has nothing to do with the general tools which reverse engineer things or to general encryption schemes which are not targeted at copyright protection. Basically, it extends copyright protection to disallowing tools explicitly aimed at violating copyrights.

The "copying of text" reference below has nothing to do with this bill. There's no mention made of anything other than copyright protection...So...if you aren't violating copyrights now this bill won't touch what you're doing.

Question I would have relative to this list is "is the NT Domain protocol copyrighted??" If so, then reverse engineering it in any way (other than clean room) would seem illegal.

-----Original Message-----
From: Luke Kenneth Casson Leighton
To: Multiple recipients of list
Date: Wednesday, June 24, 1998 2:07 PM
Subject: SPAM: Important Legislative Alert (fwd)

>this has serious ramifications for the "nt domains for unix" project.
>luke.
>
>---------- Forwarded message ----------
>Date: Tue, 23 Jun 1998 13:25:57 -0500
>From: Simple Nomad
>To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
>Subject: SPAM: Important Legislative Alert
>
>June 23rd, 1998 - The World Intellectual Property Organization treaty has
>already passed the US Senate and is close to passing in the House. The
>treaty would make it illegal, with extremely stiff penalties, to break
>security schemes without the permission of the company that makes the
>product.
>
>Programs like Pandora would be made illegal. People could not publish
>vulnerabilities in products and encryption schemes, as done by NMRC in the
>Hack FAQs. We would go back to the days of security vulnerabilities only
>circulating in the underground as mailing lists like Bugtraq, NTBugtraq,
>and Netware Hack are made illegal.
>
>Even products such as Net Nanny and CyberPatrol, which "bypass technology"
>by reverse engineering how various products work would become illegal.
>Technically you could not refuse a cookie from a web site, so web sites
>would be allowed to write files directly to your hard drive and you
>couldn't do a damn thing about it.
>
>This is plain and simple security through obscurity. Intellectual property
>owners are using the legal system to protect their products instead of the
>tried and true method of open systems and public review.
>
>How will we know if anything is secure if all the "white papers" and
>reports on a system's security are paid for by the manufacturers only?
>Unbiased, "Consumer Reports-like" groups will be outlawed. Say goodbye to
>NMRC, L0pht, Counterpane, and any consulting firm that does security
>assessment of commercial software.
>
>In addition, you will not be able to "quote" information from the Internet
>without written permission. For example, I lifted the bulk of this text
>from www.l0pht.com and re-edited it -- and under this proposed
>legislation this would be illegal without getting written permission.
>Reporters would be unable to "lift" quotes, students would be unable to
>"lift" research material, and you would be unable to "lift" security info
>for detailed reports without gaining the author's permission. This is NOT
>the way the print media operates -- this could impact everyone you know.
>Imagine pulling CD-ROMs from libraries and computers from elementary
>schools. H.R. 2281 passes and you have started down this path running.
>
>The Nomad Mobile Research Centre is vehemently opposed to this proposed
>treaty. It has serious freedom of speech implications. It also gives
>companies a license to produce shoddy, inadequate systems without fear of
>exposure. Call your House Representative today and voice your concerns.
>
>         .o.
>Simple Nomad          .oOo.  Data warrior, knowledge hunter/gatherer
>www.nmrc.org          .oOo.  thegnome@nmrc.org
>         .o.
>

From Michael.Hebenstreit at technikum.joanneum.ac.at Thu Jun 25 09:46:33 1998
From: Michael.Hebenstreit at technikum.joanneum.ac.at (Hebenstreit Michael)
Date: Tue Dec 2 02:24:17 2003
Subject: Help:problem with user privileges
Message-ID:

I've got an NT-Domain (NT Server 4.0, Service Pack 3). The Domain controller handles security - and everything works well as long as the user trying to connect to the Samba Server (Version 1.9.18p8, running on a 2.0.32 Kernel) also has an account on the Linux machine.

But I want to restrict access to certain users which are only known to the NT-Domain. I tried to set up the rights using "valid users=". Result: for instance the user "kou" can not access the share "kou" although she is a member of the "valid users" list.

I included my smb.conf file - any help appreciated.

regards
Michael Hebenstreit

TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ
Dipl.-Ing Michael Hebenstreit
Assistent Numerische Berechnungen
Fachhochschul-StG "Fahrzeugtechnik - Automotive Engineering"
Technikum Joanneum
Joanneum Institute of Technology
Alte Poststraße 149, A-8020 Graz, Austria
Tel.: +43 316 876 / 8413    Fax: +43 316 876 / 8855
e-mail: michael.hebenstreit@technikum.joanneum.ac.at
TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ-FZT-TJ

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 8695 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980625/57e1376f/smb.obj

From canfield at uindy.edu Thu Jun 25 16:25:48 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:17 2003
Subject: Update Encrypted?
Message-ID: <35927A0C.26FFCB09@uindy.edu>

I've been using the "standard" way of Samba PDC for a while now, but before we move this into the labs, I wanted to see if using the "update encrypted" option would work for us so we don't have to ask the students to change their passwords.

From a working PDC setup, what I did was run the registry file from the samba/doc directory, and changed the line Encrypted Passwords to read "no." When I do that, I can no longer join the domain.

Is there something I'm missing?

Thanks

From ptkatcho at portal.ca Thu Jun 25 18:12:50 1998
From: ptkatcho at portal.ca (Pavel Tkatchouk)
Date: Tue Dec 2 02:24:17 2003
Subject: smb_dont_catch_keepalive
Message-ID: <01BDA02A.318EBAB0@pavelnt3>

Hi, there!

Tried to ask comp.protocols.smb, comp.os.linux.networking, vger.rutgers.edu with no success. Volker Lendecke (both lendecke@namu01.gwdg.de and vl@SerNet.DE) seems to be unreachable. Want to try luck here.

OK, enough mumbling, Problem:

Server - Windows NT workstation 4.0, shares a few dirs.
Client - diskless Linux, kernel 2.0.30, mounts those dirs by smbmount.

Problem - one client mounts just fine. When two+ clients attempt to mount the same dirs at the same time only the first succeeds, others fail with the smb_dont_catch_keepalive:server->data_ready==NULL errmsg. The dir that fails mounting is usually different from time to time.

Ideas?

Thanks, Pavel

P.S. upgrade to 2.0.34 and smbfs-2.0.2 didn't help.

From jallison at whistle.com Thu Jun 25 19:51:21 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
References: <358F1BC2.F1A0EDD0@ecr.mu.oz.au>
Message-ID: <3592AA39.BA3324C7@whistle.com>

Bernie Kirby wrote:
> Same problem here.
> core dump in 'get_nb_flags' called from line
> 515 in nmbd_winsserver.c.
>
> That is the line
> nb_flags = get_nb_flags(nmb->additional->rdata);
> nmb->additional data is Null.
>
> Could this possibly be due to the preceding line
> memcpy((char *)&orig_reg_packet, userdata->data, sizeof(struct
> packet_struct *));
>
> Where it's only copying the size of a pointer and not the size of a
> packet_struct?
>

No that's actually correct. It is copying a pointer to a 'locked' packet (which is why it does a unlock and then free_packet at the end of the call).

> nmb->additional data is Null.

This looks like memory corruption problems. In the function wins_process_name_registration_request() the same pointer (p->packet.nmb->additional) is used heavily. It is the contents of the pointer p that are copied into the userdata pointer, after the packet has been locked (line 807) so that the contents of the original packet are still kept for the wins_register_query_fail() function to use. If the nmb->additional pointer is non-zero in the wins_process_name_registration_request() then it should be non-zero in wins_register_query_fail(). If not - then someone is scribbling on memory.

Now Chris has been adding some changes to the HEAD branch nmbd to make the transition to a sensible WINS back-end (gdbm) easier, and at SGI they've been running with the HEAD branch wins server code for a while, so I doubt that any of Chris's changes will have done this, but I'm CC:ing him just to be sure :-).

To track this down you could try purify (if you have a copy) or compile Samba with -DMEM_MAN to link in the (simple) malloc/free checker that Andrew wrote. With this compiled in you can hit nmbd with a SIGUSR1 to have it check all malloced areas for corruption.

Hope this helps,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Thu Jun 25 20:25:41 1998
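As an added illustration of the kind of malloc/free checker Jeremy refers to (this is not Samba's MEM_MAN code; the mm_* names, the guard pattern and the sample data are constructed here): every live allocation gets guard bytes on both sides, all blocks can be walked on demand, and a SIGUSR1 handler requests such a walk from the main loop, so an off-by-one "scribble" is reported with the allocation site instead of surfacing later as a NULL pointer somewhere else.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MM_GUARD_LEN 8
static const unsigned char MM_GUARD[MM_GUARD_LEN] =
    { 0xDE, 0xAD, 0xBE, 0xEF, 0xCA, 0xFE, 0xF0, 0x0D };

/* Bookkeeping kept in front of each user area; a second guard follows it. */
struct mm_hdr {
    struct mm_hdr *next, *prev;
    size_t size;                        /* bytes the caller asked for */
    const char *file;                   /* allocation site, for the report */
    int line;
    unsigned char guard[MM_GUARD_LEN];  /* front guard, right before user data */
};

static struct mm_hdr *mm_list = NULL;            /* all live blocks */
static volatile sig_atomic_t mm_check_requested; /* set by the signal handler */

void *mm_malloc(size_t size, const char *file, int line)
{
    struct mm_hdr *h = malloc(sizeof *h + size + MM_GUARD_LEN);
    if (h == NULL)
        return NULL;
    h->size = size;
    h->file = file;
    h->line = line;
    memcpy(h->guard, MM_GUARD, MM_GUARD_LEN);
    memcpy((unsigned char *)(h + 1) + size, MM_GUARD, MM_GUARD_LEN); /* rear guard */
    h->prev = NULL;
    h->next = mm_list;
    if (mm_list)
        mm_list->prev = h;
    mm_list = h;
    return h + 1;
}
#define MM_MALLOC(n) mm_malloc((n), __FILE__, __LINE__)

/* Returns the number of damaged guards on one block (0, 1 or 2). */
static int mm_check_block(const struct mm_hdr *h)
{
    const unsigned char *user = (const unsigned char *)(h + 1);
    int bad = 0;
    if (memcmp(h->guard, MM_GUARD, MM_GUARD_LEN) != 0) {
        fprintf(stderr, "mm: underrun, %lu-byte block from %s:%d\n",
                (unsigned long)h->size, h->file, h->line);
        bad++;
    }
    if (memcmp(user + h->size, MM_GUARD, MM_GUARD_LEN) != 0) {
        fprintf(stderr, "mm: overrun, %lu-byte block from %s:%d\n",
                (unsigned long)h->size, h->file, h->line);
        bad++;
    }
    return bad;
}

/* Walk every live block; returns how many have damaged guards. */
int mm_check_all(void)
{
    const struct mm_hdr *h;
    int corrupted = 0;
    for (h = mm_list; h != NULL; h = h->next)
        if (mm_check_block(h) > 0)
            corrupted++;
    return corrupted;
}

/* Check the block being released, unlink it, free it; returns damaged guards. */
int mm_free(void *p)
{
    struct mm_hdr *h;
    int bad;
    if (p == NULL)
        return 0;
    h = (struct mm_hdr *)p - 1;
    bad = mm_check_block(h);
    if (h->prev) h->prev->next = h->next; else mm_list = h->next;
    if (h->next) h->next->prev = h->prev;
    free(h);
    return bad;
}

/* The handler only raises a flag; a daemon's main loop would then call
 * mm_check_all(). That is the pattern behind "hit nmbd with SIGUSR1". */
static void mm_on_sigusr1(int sig) { (void)sig; mm_check_requested = 1; }
void mm_install_check_signal(void) { signal(SIGUSR1, mm_on_sigusr1); }

/* Demo on constructed data: a clean block and one with a one-byte overrun. */
int mm_demo(void)
{
    char *ok = MM_MALLOC(16), *bad = MM_MALLOC(16);
    int found;
    memset(ok, 'A', 16);
    memset(bad, 'B', 17);        /* off by one: scribbles on the rear guard */
    found = mm_check_all();      /* 1: only the second block is reported */
    mm_free(ok);
    mm_free(bad);
    return found;
}

int main(void)
{
    mm_install_check_signal();
    printf("corrupted blocks found: %d\n", mm_demo());
    return 0;
}
```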
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
In-Reply-To: <3592AA39.BA3324C7@whistle.com>
Message-ID:

On Fri, 26 Jun 1998, Jeremy Allison wrote:

> Bernie Kirby wrote:
>
> > Same problem here.
> > core dump in 'get_nb_flags' called from line
> > 515 in nmbd_winsserver.c.
> >
> > nmb->additional data is Null.
>
> This looks like memory corruption problems.
> In the function wins_process_name_registration_request()
> the same pointer (p->packet.nmb->additional) is used
> heavily. It is the contents of the pointer p that
> are copied into the userdata pointer, after the
> packet has been locked (line 807) so that the
> contents of the original packet are still kept
> for the wins_register_query_fail() function
> to use. If the nmb->additional pointer is non-zero
> in the wins_process_name_registration_request() then
> it should be non-zero in wins_register_query_fail().

This is where it showed up on me.

> If not - then someone is scribbling on memory.
>
> Now Chris has been adding some changes to the
> HEAD branch nmbd to make the transition to a
> sensible WINS back-end (gdbm) easier, and at
> SGI they've been running with the HEAD branch
> wins server code for a while, so I doubt that
> any of Chris's changes will have done this,
> but I'm CC:ing him just to be sure :-).
>
> To track this down you could try purify (if you
> have a copy) or compile Samba with -DMEM_MAN
> to link in the (simple) malloc/free checker
> that Andrew wrote. With this compiled in you
> can hit nmbd with a SIGUSR1 to have it check
> all malloced areas for corruption.
>

Will try the -DMEM_MAN compile and see what happens. Thanks Jeremy.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                          Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                - Sting "Message in a Bottle" ( 1979 )

From crh at NTS.Umn.EDU Thu Jun 25 20:44:02 1998
From: crh at NTS.Umn.EDU (Christopher R. Hertel)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
In-Reply-To: <3592AA39.BA3324C7@whistle.com> from "Jeremy Allison" at Jun 25, 98 12:51:21 pm
Message-ID: <199806252044.PAA20908@unet.unet.umn.edu>

> Now Chris has been adding some changes to the
> HEAD branch nmbd to make the transition to a
> sensible WINS back-end (gdbm) easier, and at
> SGI they've been running with the HEAD branch
> wins server code for a while, so I doubt that
> any of Chris's changes will have done this,
> but I'm CC:ing him just to be sure :-).

I've looked it over. I don't *see* anything but that doesn't mean much. The change I've made so far is to replace the linked list with a binary tree. As part of that, I did change the structure of the nmbd_record. Jeremy, is there any chance that someone has made assumptions about this structure in the NTDOM code?

Chris -)-----

--
Christopher R. Hertel -)-----                   University of Minnesota
crh@nts.umn.edu              Networking and Telecommunications Services

From jallison at whistle.com Thu Jun 25 20:54:32 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
References: <199806252044.PAA20908@unet.unet.umn.edu>
Message-ID: <3592B908.CAFC37E2@whistle.com>

Christopher R. Hertel wrote:
>
> I've looked it over. I don't *see* anything but that doesn't mean much.
> The change I've made so far is to replace the linked list with a binary
> tree. As part of that, I did change the structure of the nmbd_record.
> Jeremy, is there any chance that someone has made assumptions about this
> structure in the NTDOM code?
>

I don't think so. This may be some unfortunate memory corruption that we have had for a time.

Alternatively it could be a new one introduced to nmbd. Another check would be to test the HEAD branch smbd with the 1.9.18 branch nmbd to see if the problem doesn't occur there.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Thu Jun 25 21:17:14 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:17 2003
Subject: Solaris 2.6 and latest NTDOM code
References: <3592B908.CAFC37E2@whistle.com>
Message-ID: <3592BE5A.F47F9E34@eng.auburn.edu>

Jeremy Allison wrote:
>
> I don't think so. This may be some unfortunate memory corruption
> that we have had for a time.
>
> Alternatively it could be a new one introduced to nmbd.
> Another check would be to test the HEAD branch smbd with
> the 1.9.18 branch nmbd to see if the problem doesn't occur
> there.
>

Jeremy,

I've noticed similar behavior under 1.9.18p4 as of late. Samba is configured as a WINS server again. Have been a little too busy with the head branch to worry about it much. Happens about once every 24 hours during the last two weeks or so with no configuration changes.

Sorry to be so vague. Will try to gather more information later.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                          Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                - Sting "Message in a Bottle" ( 1979 )

From fschan at capgemini.com.sg Tue Jun 30 05:05:08 1998
From: fschan at capgemini.com.sg (Chan Fook Sheng)
Date: Tue Dec 2 02:24:17 2003
Subject: using samba with nt
Message-ID: <35987203.930C4AD8@hotmail.com>

Hello everybody,

I would appreciate it if anyone can help me with the below:

I have a FreeBSD 2.2.6 with samba 1.9.18.3. I wish to share out my hard disk on FreeBSD to Win95 users, and control access to directories on FreeBSD through the WinNT Domain Controller. Is this possible? Do I still need user accounts on the FreeBSD? If so, are they normal unix users created by adduser? Can I use user groups (from the NT domain controller) in samba to control directory access?

I tried to join my freebsd to the nt domain, but when I type

    smbpasswd -j domain

I got "./smbpasswd: Unable to get UNIX password entry for user." Does this mean I have to create an account for domain? If so, how to do that?

I have read the faq and mailing list on the samba site, but I just can't figure out what to do. I'm confused, please help me.

fook sheng

From mblack at csihq.com Tue Jun 30 13:32:14 1998
From: mblack at csihq.com (Mike Black)
Date: Tue Dec 2 02:24:17 2003
Subject: Administrator privileges
Message-ID: <027401bda42b$7e4a00d0$32de11cc@mblack.csihq.com>

I noticed map_gid_to_sid in the source but cannot figure out how to map Unix usernames or groups to NT RIDs (like Administrator).

Is the capability there yet? How do I put this in smb.conf so that I can get my NT administrators the proper authority (and other RIDs too)?

From mblack at csihq.com Tue Jun 30 13:40:01 1998
From: mblack at csihq.com (Mike Black)
Date: Tue Dec 2 02:24:17 2003
Subject: Guest printing
Message-ID: <027501bda42c$95037530$32de11cc@mblack.csihq.com>

How do I set up to allow guest printing? I've got one workstation that users log into with a user name/password that is not on my domain controller. I'd like them to be able to print (but nothing else).

Right now I've got an smb.conf printer entry like:

    [HPLJ5]
        printer name = HPLJ5
        comment = HP Laserjet 5Si/Mx PCL/Postscript
        browseable = yes
        path = /usr/spool/public
        printable = yes
        public = yes
        writable = yes
        create mode = 0660
        guest ok = yes
        printer driver = HP LaserJet 5Si/5Si MX PS

However, samba is trying to validate the username (which fails) rather than allowing guest access during the session setup.

    password server MBLACK rejected the password
    NT Password did not match ! Defaulting to Lanman

Is there another step involved here that we need to do?

From mk at quadstone.co.uk Tue Jun 30 14:12:12 1998
From: mk at quadstone.co.uk (Michael Keightley)
Date: Tue Dec 2 02:24:17 2003
Subject: Problems with Samba PDC and Citrix Winframe
Message-ID: <6207.199806301412@subnode.quadstone.co.uk>

We have a PC running Citrix Winframe Enterprise 1.7 SP5. It managed to join our domain ok after adding it to the hosts file and smbpasswd file. But when you try to login it fails. You get the following message in the event log:

    "The redirector received an SMB that was too short."

Has anyone managed to get Citrix to work with Samba PDC? We are using Samba 1.9.19-prealpha from 17th May.

Michael
_________
Michael Keightley                    Email: mk@quadstone.co.uk
Systems Manager                      Tel: +44 131 220 4491
Quadstone Ltd                        Fax: +44 131 220 4492
16 Chester Street
Edinburgh EH3 7RA, Scotland

From canfield at uindy.edu Tue Jun 30 15:23:11 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:17 2003
Subject: Has anyone made update encrypted work?
Message-ID: <359902DF.AAC2B0B6@uindy.edu>

Sorry to post on the same topic twice in a week, but I've been looking at the archives and I see a couple questions regarding this and no answers, so I'm wondering if anyone has gotten update encrypted to work.

As I understand it, the way the option should work is this:

You have an existing Unix password file with your users in it.
Set up Samba as a PDC with update encrypted on, and encrypted passwords off.
Run the mksmbpasswd script to create an smbpasswd file with "empty" passwords.
Use smbpasswd -a -m to add machine accounts to the smbpasswd file.
Run the NT4 Plain Password registry hack found in docs directory.
Run like this for a while, allowing your users to log into the Samba PDC, and it updates the encrypted smbpasswd file.
Eventually change the registry back and enable encrypted passwords.

Is this correct? It seems that I have to be missing something. When I add a user to the smbpasswd file using smbpasswd -a, creating an encrypted smbpasswd file entry, I'm OK. But trying to log into the PDC with a user who either doesn't have an smbpasswd entry, or has all X's as the password fails.

Can anyone help?

From cartegw at Eng.Auburn.EDU Tue Jun 30 15:59:10 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:17 2003
Subject: Has anyone made update encrypted work?
In-Reply-To: <359902DF.AAC2B0B6@uindy.edu>
Message-ID:

On Wed, 1 Jul 1998, Dana Canfield wrote:

> Sorry to post on the same topic twice in a week, but I've been looking
> at the archives and I see a couple questions regarding this and no
> answers, so I'm wondering if anyone has gotten update encrypted to work.

Yup. Worked fine. Migrated over about 30 users. Small need for them. They never even knew.

> As I understand it, the way the option should work is this:
>
> You have an existing Unix password file with your users in it.
> Set up Samba as a PDC with update encrypted on, and encrypted passwords
> off.
> Run the mksmbpasswd script to create an smbpasswd file with "empty"
> passwords.
> Use smbpasswd -a -m to add machine accounts to the smbpasswd file.
> Run the NT4 Plain Password registry hack found in docs directory.
> Run like this for a while, allowing your users to log into the Samba
> PDC, and it updates the encrypted smbpasswd file.
> Eventually change the registry back and enable encrypted passwords.

Nope. You won't be able to use this option on your Samba PDC.

> Is this correct? It seems that I have to be missing something. When I
> add a user to the smbpasswd file using smbpasswd -a, creating an
> encrypted smbpasswd file entry, I'm OK. But trying to log into the PDC
> with a user who either doesn't have an smbpasswd entry, or has all X's
> as the password fails.

NT logins use encrypted passwords only.

Here's how I used it.

Local accounts on a WinFrame 1.6 box. Used the samba 1.9.18p7 server as the [homes] server. Specified H: to connect to \\server\ in the profile on the NT box. This way the connection would be made by passing the plain text password to the server and thus updating the smbpasswd file.

After I had all the users, I merged the result of the new smbpasswd and the smbpasswd on the samba PDC, thus allowing users to mount the shares from SAMBA_PDC instead and also allowing me to add the WinFrame box to the domain when I wanted to without causing login problems for my users.

Make sense?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                          Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                - Sting "Message in a Bottle" ( 1979 )

From canfield at uindy.edu Tue Jun 30 16:47:16 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:18 2003
Subject: Has anyone made update encrypted work?
References:
Message-ID: <35991694.F6688BDB@uindy.edu>

I don't really know much about the WinFrame system. Is it a necessary item in this scheme? We are basically doing a new installation of NT (from Win '95), and I'm trying to avoid making the users jump through a bunch of hoops to get their usernames & passwords synchronized.

It's looking now like the only real way to do this is to have an "accounts" login so that if a student comes in to the lab and has never used NT before, he logs in as "accounts", gets a web page (php script) that asks him for his username/password, and then calls the smbpasswd/passwd programs to sync/add the passwords. Does anyone know a better way of doing this for a "new" installation of NT, with an existing installation of unix users?

On a similar note, is there any reason why a user can't just use smbpasswd to change their password all the time from the unix box, so that the passwords are kept in sync? If not, does anyone have a password chat section from smb.conf that works well with redhat?

Sorry for the number of questions (some are probably redundant). It's been working well for our test group, but now the chore of scaling it up is getting a bit tricky.

Thanks in advance.

Gerald W. Carter wrote:

> NT logins use encrypted passwords only.
>
> Here's how I used it.
>
> Local accounts on a WinFrame 1.6 box. Used the samba 1.9.18p7 server as
> the [homes] server. Specified H: to connect to \\server\ in the
> profile on the NT box. This way the connection would be made by passing
> the plain text password to the server and thus updating the smbpasswd
> file.
>
> After I had all the users, I merged the result of the new smbpasswd and
> the smbpasswd on the samba PDC thus allowing users to mount the shares
> from SAMBA_PDC instead and also allowing me to add the WinFrame box to the
> domain when I wanted to without causing login problems for my users.
>
> Make sense?
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services                          Auburn University
> jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
>                 - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Tue Jun 30 16:49:37 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:18 2003
Subject: Administrator privileges
References: <027401bda42b$7e4a00d0$32de11cc@mblack.csihq.com>
Message-ID: <35991721.910628F4@whistle.com>

Mike Black wrote:
>
> I noticed map_gid_to_sid in the source but cannot figure out how to map Unix
> usernames or groups to NT RIDs (like Administrator).
>
> Is the capability there yet? How do I put this in smb.conf so that I can get
> my NT administrators the proper authority (and other RIDs too)?

It's not there yet - it's still under development. When it's finished I will remove the 'domain admins' and 'domain users' parameters and the groupname map will allow these groups to be mapped to unix groups.

If you need to do this today look into the older parameters.

Cheers,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Tue Jun 30 16:52:11 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:18 2003
Subject: Problems with Samba PDC and Citrix Winframe
References: <6207.199806301412@subnode.quadstone.co.uk>
Message-ID: <359917BB.F872007C@whistle.com>

Michael Keightley wrote:
>
> We have a PC running Citrix Winframe Enterprise 1.7 SP5.
> It managed to join our domain ok after adding it to the hosts file and
> smbpasswd file. But when you try to login it fails. You get the following
> message in the event log:
>
> "The redirector received an SMB that was too short."
>
> Has anyone managed to get Citrix to work with Samba PDC? We are using Samba
> 1.9.19-prealpha from 17th May.
>

Can you do a level 100 log of the conversation. Also, running tcpdump or netmon between the two machines may help to debug this.

Thanks,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Tue Jun 30 17:58:06 1998
From cartegw at Eng.Auburn.EDU Tue Jun 30 17:58:06 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:18 2003
Subject: Has anyone made update encrypted work?
In-Reply-To: <35991694.F6688BDB@uindy.edu>
Message-ID:

On Tue, 30 Jun 1998, Dana Canfield wrote:

> I don't really know much about the WinFrame system. Is it a necessary item
> in this scheme?

WinFrame is basically Multi-user Windows NT 3.51 Server

> It's looking now like the only real way to do this is to have an "accounts"
> login so that if a student comes in to the lab and has never used NT before,
> he logs in as "accounts", gets a web page (php script) that asks him for his
> username/password, and then calls the smbpasswd/passwd programs to sync/add
> the passwords. Does anyone know a better way of doing this for a "new"
> installation of NT, with an existing installation of unix users?

That's basically the same thing we did.

> On a similar note, is there any reason why a user can't just use smbpasswd to
> change their password all the time from the unix box, so that the passwords
> are kept in sync? If not, does anyone have a password chat section from
> smb.conf that works well with redhat?
>

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                    Auburn University
jerry@eng.auburn.edu            http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                       - Sting "Message in a Bottle" ( 1979 )
From jallison at whistle.com Tue Jun 30 17:50:56 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:18 2003
Subject: smbpasswd (PR#8066)
References: <19980630100205Z12607216-5467+4839@samba.anu.edu.au>
Message-ID: <35992580.B602824B@whistle.com>

janet@bioss.sari.ac.uk wrote:
>
> Hi
> When I use smbpasswd to change a password consisting of all X's, (ie
> pressing return when asked for Old smbpasswd) it gives me an error of :
>
> /usr/solaris/samba/source/smbpasswd: machine 127.0.0.1 rejected the
> session setup. Error was : ERRSRV - ERRbadpw (Bad password -
> name/password pair in a Tree Connect or Session Setup are invalid.).
>
> It works OK if used to change an existing password entry.
>

Janet,

A password consisting of all 'X's is equivalent to a disabled account -
no old password will match. To allow smbpasswd to change it, the current
password must be either set locally via smbpasswd running as root, or be
set to "NO PASSWORDXXXXXX..." and then changed by the user.

Maybe this should be clarified in the docs (followups sent to the
samba-ntdom list).

Cheers,

Jeremy Allison.
Samba Team.
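The distinction Jeremy draws above (an all-X hash field is a disabled account, a "NO PASSWORD..." field is an empty password, and only the latter can be changed by the user because a non-root smbpasswd has to present a matching old password) is easy to check mechanically. The following is an added example, not code from this thread or from Samba; it assumes the colon-separated smbpasswd layout whose first four fields are username:uid:LANMAN_HASH:NT_HASH with 32-character hash fields, and the sample file it reads is constructed with placeholder hex values.

```python
"""Classify smbpasswd entries by the state of their password-hash fields.

Added example, not code from the thread or from Samba. Assumes the
colon-separated layout username:uid:LANMAN_HASH:NT_HASH:... with 32-character
hash fields; the sample below is constructed and its hex values are placeholders.
"""

HASH_LEN = 32
DISABLED = "X" * HASH_LEN                          # all X's: account disabled
NO_PASSWORD = "NO PASSWORD".ljust(HASH_LEN, "X")   # "NO PASSWORDXXX...": empty password
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample smbpasswd contents (hashes are placeholders, not real ones).
SAMPLE_SMBPASSWD = "\n".join([
    "alice:1001:" + "0123456789ABCDEF" * 2 + ":" + "FEDCBA9876543210" * 2
    + ":Alice:/home/alice:/bin/sh",
    "bob:1002:" + DISABLED + ":" + DISABLED + ":Bob:/home/bob:/bin/sh",
    "carol:1003:" + NO_PASSWORD + ":" + NO_PASSWORD + ":Carol:/home/carol:/bin/sh",
    "# comment lines and blank lines are skipped",
    "dave:1004:" + "0123456789ABCDEF" * 2 + ":short:Dave:/home/dave:/bin/sh",
])


def classify_hash(field):
    """'disabled', 'no-password', 'set' or 'malformed' for one hash field."""
    if len(field) != HASH_LEN:
        return "malformed"
    if field == DISABLED:
        return "disabled"
    if field == NO_PASSWORD:
        return "no-password"
    if all(c in HEX_DIGITS for c in field):
        return "set"
    return "malformed"


def classify_entry(line):
    """Parse one smbpasswd line into a dict, or None if it has too few fields."""
    fields = line.split(":")
    if len(fields) < 4:
        return None
    user, uid, lm_hash, nt_hash = fields[:4]
    lm_state, nt_state = classify_hash(lm_hash), classify_hash(nt_hash)
    if "malformed" in (lm_state, nt_state):
        state = "malformed"
    elif lm_state == nt_state:
        state = lm_state
    else:
        state = "mixed"          # e.g. LM hash set while the NT hash is all X's
    return {"user": user, "uid": uid, "lm": lm_state, "nt": nt_state, "state": state}


def audit_smbpasswd(text):
    """Map username -> classified entry for every non-comment line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = classify_entry(line)
        if entry is not None:
            entries[entry["user"]] = entry
    return entries


def user_can_change_password(entry):
    """A non-root smbpasswd run must present the old password, so only an entry
    with a real hash, or one marked NO PASSWORD, can be changed by the user;
    an all-X (disabled) entry has nothing the old password can match."""
    return entry["state"] in ("set", "no-password")


def accounts_needing_review(entries):
    """Usernames an administrator should look at: empty-password entries
    (the account currently has no password), plus mixed and malformed rows."""
    return sorted(u for u, e in entries.items()
                  if e["state"] in ("no-password", "mixed", "malformed"))


if __name__ == "__main__":
    found = audit_smbpasswd(SAMPLE_SMBPASSWD)
    for user, entry in found.items():
        print(f"{user:8} {entry['state']:12} user-changeable={user_can_change_password(entry)}")
    print("review:", accounts_needing_review(found))
```

Run against a real smbpasswd file, the "review" list is the set of accounts left in the "NO PASSWORD" state after the bootstrap Jeremy describes: they should either have been changed by their owner by now or be locked back to all X's by root.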
From evanc at synapse.net Tue Jun 30 18:32:41 1998
From: evanc at synapse.net (Evan Champion)
Date: Tue Dec 2 02:24:18 2003
Subject: Problems authenticating Win95 with ntdom server
Message-ID:

Sorry if this isn't really appropriate for the samba-ntdom list, but since
I'm running the latest CVS code (as of this morning) I thought I'd start
here.

I have a samba server set to authenticate against an NT domain controller
on the net. I have security = domain, encrypt passwords = yes.

NT machines love my samba server; 95 machines always fail the
authentication check. The samba server logs the NT_STATUS_WRONG_PASSWORD
with the correct user and domain.

These 95 machines are running OSR2, and I applied the VRDRUPD.EXE patch on
top, so they should be using authenticated passwords.

Does anyone have any suggestions as to what I could try to get this
working?

Thanks.

Evan
From xmj at cypress.com Tue Jun 30 19:54:08 1998
From: xmj at cypress.com (Matthew Jamison)
Date: Tue Dec 2 02:24:18 2003
Subject: I need some help.
Message-ID: <000001bda460$d86734e0$453d54c0@melchizedekmiss.cypress.com>

I have been using samba since January of 97. I recently decided to try the
cvs version with the NTDOMAIN code and get this up and running. Let me list
what I have done.

1. retrieved latest cvs samba code on 6/29/98
2. Compiled Samba with options for SUNOS5.4 with the -DNTDOMAIN flag.
3. Enabled Password encryption.
4. Tested password encryption with Windows98 system. It would let me see
   the shares on the samba server running encryption but not the samba
   server that was not running encryption.
5. Added "my computer's$" and the "Unix server's$" name in as a user in the
   /etc/passwd.
6. ran smbpasswd -a -m "my computer's"
7. ran smbpasswd -a -m "Unix server's"
8. I had already been using the old option for domain logins so
   domain logins = yes in my smb.conf.

Stop and mail me if I have done something wrong so far.

On the Windows98 side I did the following.

1. Changed to login to the domain called SAMBA.
2. Changed from password share mode to user share mode.
3. Changed my workgroup to SAMBA.
4. Rebooted the system for good measure.
5. I login to my system. It did have the DOMAIN set to SAMBA. This all
   works fine.
6. Tried to share a directory. I clicked on add to add a user and it came
   back with the error message stating "you can not view the list of user
   at this time. Please try again later".
7. I try to run the user manager for domains for Windows95 and get the
   error message "The RPC server is unavailable".

Some more history about my setup. I am running 2 samba servers on the same
subnet. One is the one everyone is using and the other is the one I have
been describing. I am running 2 workgroups. One is CSDC and the other is
SAMBA. The SAMBA workgroup is the one using the NTDOMAIN code. I am also
listing my smb.conf in case anyone needs it.
I have looked through the logs and can not find anything that tells me
where I am going wrong. I also have only one NT server Running WinDD
(WinNT 3.5). I do not have the availability to use this in testing.

[global]
   workgroup = SAMBA
   encrypt passwords = yes
   os level = 65
   domain master = yes
   local master = yes
   admin users = xmj
   security = user
   server string = NewYork
   netbios name = NEWYORK
   domain controller = yes
   domain logons = yes
   preferred master = yes
   wins support = yes
   dns proxy = yes
   deadtime = 15
   Time server = true
   printing = bsd
   printcap name = /opt/local/samba/lib/myprintcap
   print command = /usr/ucb/lpr -P%p %s ; rm %s
   lpq command = /usr/ucb/lpq -P%p
   lprm command = /usr/ucb/lprm -P%p %j
   load printers = yes
   guest account = nobody
   hosts allow = 192.84.61.
   log file = /opt/local/samba/var/logs/log.%m
   lock directory = /opt/local/samba/var/locks
   share modes = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mode = 0755

[printers]
   comment = All Printers
   path = /tmp
   browseable = yes
   printable = yes
   public = yes
   writable = no
   create mode = 0755

Thanks for the help in advance.

Matthew
--------------------------------------------
Matthew Jamison                 xmj@cypress.com
System Administrator            Cypress Semiconductor
601-324-4609 (CSDC)
--------------------------------------------
From jwf at platinum.com Tue Jun 30 20:52:35 1998
From: jwf at platinum.com (Jim Farrell)
Date: Tue Dec 2 02:24:18 2003
Subject: Guest printing
In-Reply-To: <027501bda42c$95037530$32de11cc@mblack.csihq.com>
Message-ID:

I asked this very same question about 5x on the regular samba list, and
never got an answer. All I wanted to do was to enable some of my printers
to accept any client connection for printing. I finally just set up
another samba instance on a different server, ran it in "security = share"
mode, and exported the printers only ... that ended up being good enough
for what I wanted (I'm using solaris, and so just set all the printers to
forward to the primary server). It worked out in the end because I've
since also set up anonymous disk shares for visiting people to use for
transferring data to/from the developers on our network.

-- jim

On Tue, 30 Jun 1998, Mike Black wrote:

> How do I set up to allow guest printing?
>
> I've got one workstation that users log into with a user name/password that
> is not on my domain controller. I'd like them to be able to print (but
> nothing else).
>
> Right now I've got an smb.conf printer entry like:
> [HPLJ5]
>         printer name = HPLJ5
>         comment = HP Laserjet 5Si/Mx PCL/Postscript
>         browseable = yes
>         path = /usr/spool/public
>         printable = yes
>         public = yes
>         writable = yes
>         create mode = 0660
>         guest ok = yes
>         printer driver = HP LaserJet 5Si/5Si MX PS
>
> However, samba is trying to validate the username (which fails) rather than
> allowing guest access during the session setup.
>
> password server MBLACK rejected the password
> NT Password did not match ! Defaulting to Lanman
>
>
> Is there another step involved here that we need to do?
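Matthew's full smb.conf above and Mike's [HPLJ5] entry make a useful pair: Matthew's [printers] share is public but writable = no and sits behind hosts allow, while Mike's printer is public and writable = yes, and Mike's real problem is that guest ok on the share cannot help a client that fails the session setup under security = user, which is why Jim ended up with a separate security = share instance exporting printers only. The linter below is an added example, not code from this thread or from Samba: it is a small ini-style reader that folds Samba's parameter synonyms (public/guest ok, writable/writeable/write ok, read only) and flags the exposure patterns discussed here. The two sample configurations are constructed from the fragments quoted in the thread and are not complete files; Mike's [global] section was never posted, so it is left out.

```python
"""Flag guest, printer and network-exposure settings in an smb.conf.

Added example, not code from the thread or from Samba. The sample
configurations are constructed from fragments quoted in the thread.
"""

# Samba parameter synonyms, folded onto one canonical name.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}
TRUE_WORDS = {"yes", "true", "1"}
MESSAGES = {
    "security-unset": "security is not set; choose user or share explicitly",
    "no-encrypt": "encrypt passwords is not yes; NT-domain clients expect encrypted logons",
    "no-hosts-allow": "no hosts allow; any reachable address may attempt a session",
    "printer-writable": "printable share with writable = yes; spooling only needs printable = yes",
    "guest-writable": "guest-accessible and writable: anonymous clients can write to the path",
    "share-mode-disk": "non-printer share on a security = share server: no per-user authentication",
    "guest-needs-session": "guest ok does not bypass session-setup validation under security = user "
                           "(Mike's symptom); a separate share-mode instance was the workaround",
}


def to_bool(value):
    return value.strip().lower() in TRUE_WORDS


def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, synonym-folded keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both comment styles smb.conf allows
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf


def share_is_writable(share):
    if "read only" in share:                     # read only = no means writable
        return not to_bool(share["read only"])
    return to_bool(share.get("writable", "no"))


def lint(conf):
    """Return [(section, code), ...]; look each code up in MESSAGES."""
    findings = []
    g = conf.get("global", {})
    security = g.get("security", "").lower()
    if not security:
        findings.append(("global", "security-unset"))
    if not to_bool(g.get("encrypt passwords", "no")):
        findings.append(("global", "no-encrypt"))
    if "hosts allow" not in g:
        findings.append(("global", "no-hosts-allow"))
    for name, share in conf.items():
        if name == "global":
            continue
        printable = to_bool(share.get("printable", "no"))
        guest = to_bool(share.get("guest ok", "no"))
        writable = share_is_writable(share)
        if printable and writable:
            findings.append((name, "printer-writable"))
        if guest and writable:
            findings.append((name, "guest-writable"))
        if security == "share" and not printable:
            findings.append((name, "share-mode-disk"))
        if security == "user" and guest:
            findings.append((name, "guest-needs-session"))
    return findings


def report(text):
    return [f"[{s}] {MESSAGES[c]}" for s, c in lint(parse_smb_conf(text))]


# Constructed from Matthew's posted config, trimmed to the relevant parameters.
MATTHEW_CONF = """
[global]
   encrypt passwords = yes
   security = user
   hosts allow = 192.84.61.
[homes]
   browseable = no
   read only = no
[printers]
   path = /tmp
   printable = yes
   public = yes
   writable = no
"""
# Constructed from Mike's [HPLJ5] entry; his [global] section was not posted.
MIKE_CONF = """
[HPLJ5]
   printer name = HPLJ5
   path = /usr/spool/public
   printable = yes
   public = yes
   writable = yes
   create mode = 0660
   guest ok = yes
"""

if __name__ == "__main__":
    for label, text in (("matthew", MATTHEW_CONF), ("mike", MIKE_CONF)):
        print(label, *report(text), sep="\n  ")
```

Against Matthew's fragment the only finding is the informational guest-needs-session note on [printers]; against Mike's fragment it flags the writable printer twice (printable and guest-accessible) plus the missing global settings, which is where a review of his setup would start.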
From jallison at whistle.com Tue Jun 30 20:32:09 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:18 2003
Subject: Problems authenticating Win95 with ntdom server
References:
Message-ID: <35994B49.7B0BDF12@whistle.com>

Evan Champion wrote:
>
> Sorry if this isn't really appropriate for the samba-ntdom list, but since
> I'm running the latest CVS code (as of this morning) I thought I'd start
> here.
>
> I have a samba server set to authenticate against an NT domain controller
> on the net. I have security = domain, encrypt passwords = yes.
>
> NT machines love my samba server; 95 machines always fail the
> authentication check. The samba server logs the NT_STATUS_WRONG_PASSWORD
> with the correct user and domain.
>

Can you send a debug level 10 log - my guess is that the Win95 machines
are only passing the lanman password hash response, not the NT one. This
will cause the code that does the domain authentication in password.c to
screw up. The log will confirm/deny this.

Thanks,

Jeremy.

From frank at engineer.com Tue Jun 30 20:47:44 1998
From: frank at engineer.com (Frank Berger)
Date: Tue Dec 2 02:24:18 2003
Subject: Get me off that list !!!
Message-ID: <01bda468$54c088a0$6664a8c0@192.168.100.102.wonderland.wg>

PLEASE !!! I DON'T WANT ANY MORE MAIL !

Thanks!
Frank
From mg at plum.de Sat Jun 6 22:15:34 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:27 2003
Subject: Integrating "locate" ?
Message-ID: <3579BF86.F13E7FA8@plum.de>

Hi,

I just had a crazy idea. Are there some function calls in SMB to look for
a file on the server? And if yes, is it possible to use locate to return
the filenames? People here ask me way too often where they can find file
xyz ... and a find via network takes some time on 50 gb :)

regards,
Michael

--
Samba NT-Domain howto (in german)
http://www.connection-net.de/linux/samba/
From mg at plum.de Sun Jun 7 09:43:10 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:27 2003
Subject: NT4 server & Samba logons..totally confused
References:
Message-ID: <357A60AE.5E298DB8@plum.de>

Lanny Baron wrote:
>
> Hello Samba users,
>
> note*** I am not subscribed to this list and if you answer it, please mail
> me back directly at lnb@cybertouch.org..thanks
>
> I am really confused. I have read quite a few of the docs with
> Samba-2.0.4b, with respect to having an NT server and Samba. With NT
> running do you have domain logons = yes ? If so, what about [profiles] and
> [homes]?

Samba 2.0.4b can only act as a Domain Member, not as a controller. So you
need an NT Server or a Samba CVS HEAD machine for the Domain logons.
[profiles] and [homes] can be on the 2.0.4 server with no problems, if
told so. (i.e. on your HEAD machine add:
   logon home=\\<2.0.4 machine>\%U
   logon path=\\<2.0.4 machine>\profiles\%U\ )

> Maybe the question should be asked, if I have Samba running what do I need
> NT for? I had win98 running before and everything was fine. I killed the
> win98 box and installed NT4. I can't transfer (either by a windows ftp
> client or via Network Neighborhood) my directories on the NT box so I can
> go back to win98.

2.0.4b is still no good PDC ... :( The CVS head branch has however some
quirks when it comes to File-Serving (wait until they merge the branches)
so .. if you got a 2nd linux machine in spare go and install samba CVS
HEAD.

> My setup (topography) is one NT box, 2 FreeBSD/Samba boxes. You might ask
> what the F--K am i trying to accomplish. Well, I want people to be able to
> dialin via RAS (setting up PPP dialup is no easy task), then to be able to
> logon to their /home/user on the FreeBSD/Samba box. Be able to use shares
> set on the FreeBSD/Samba boxes. Again I ask, other than using NT for
> dialup (RAS) and seeing the problems I now face, what is the purpose of NT
> in a Samba run domain?
>
> It's quite apparent to me that I don't understand netlogon's, and could
> really use some help by someone that understands what it is I am trying to
> do. If it turns out that what I am doing is completely nuts, please let me
> know. I have been at this since last Monday. Unable to upload from my NT
> box to my FreeBSD/Samba boxes my directories that I crucially need so that

tcpip working on NT correctly ??

> I can kill this NT box and put back Win98 and setup the smb.conf the way
> it was. Working perfect.
>
> It's that old story coming to haunt me. Why fix that which is not broken?

regards,
Michael

--
Samba NTDOM Howto (still in german)
http://www.connection-net.de/linux/samba/

From mg at plum.de Tue Jun 9 08:50:55 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:28 2003
Subject:
References: <99060909411201.08998@tcpgate>
Message-ID: <357CF76F.66C9415@plum.de>

Joao Carvalho wrote:
>
> A question: I have been using in samba the dfree command, but since some
> time now this option does not work. Any changes to this argument?
> I have quota working on the system which does not appear to the users, so I
> wrote a dfree script that does that but now samba doesn't run it.
> thanx guys.
>

You should compile samba with --enable-quotas if you want to use quotas.
Then you should not need to play with the dfree command to get the
disk-space reported correctly.

regards,
Michael

--
Samba NT-Domain howto (in german)
http://www.connection-net.de/linux/samba/