From mark at psych.adelaide.edu.au Mon Mar 2 07:07:55 1998
From: mark at psych.adelaide.edu.au (Mark Brown)
Date: Tue Dec 2 02:23:50 2003
Subject: NT DOM with linux RH5 on an Alpha
Message-ID: <34FA5ACB.74087206@psychology.adelaide.edu.au>

Can someone tell which combination of FLAGSM/LIBSM work for RH5 on a
DEC Alpha? The one with the RH5 'label' doesn't seem to work properly.
It compiles (with numerous warnings) but nmbd gives errors and dies.
I have tried various other combos with and without -DAXPROC but no great
success (The good thing is it only takes about 2 mins to do a complete
make on the Alpha :-) )

Mark Brown.

From webber at sj.univali.rct-sc.br Mon Mar 2 15:09:15 1998
From: webber at sj.univali.rct-sc.br (Celso Kopp Webber)
Date: Tue Dec 2 02:23:50 2003
Subject: Login Failures
Message-ID: <34FACB9B.5C4CB85A@sj.univali.rct-sc.br>

Hi all,

I'm trying samba-1.9.18p3 with NTDOMAIN support, and I could
make NT Workstation 4.0 say "Welcome to SAMBA domain!". In the
NTDOMAIN.txt doc, Luke says that in an alpha version of 1.9.18 he
added the feature to automatically create an account for a computer
in the domain. Well, I could only make it work adding the computer
account in /etc/smbpasswd by hand.

After that, I could make NT 4.0 join the domain. When
rebooted, when I tried to login as a regular user present in
/etc/smbpasswd, NT showed a message that it could not login the user
because the computer account in the PDC was not OK.

Anyone could know anything about this?

Thanks in advance,

Celso.

From cartegw at Eng.Auburn.EDU Mon Mar 2 17:44:35 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: Login Failures
References: <34FACB9B.5C4CB85A@sj.univali.rct-sc.br>
Message-ID: <34FAF003.CFF14178@eng.auburn.edu>

Celso Kopp Webber wrote:
>
> Hi all,
>
> I'm trying samba-1.9.18p3 with NTDOMAIN support, and I could
> make NT Workstation 4.0 say "Welcome to SAMBA domain!". In the
> NTDOMAIN.txt doc, Luke says that in an alpha version of 1.9.18 he
> added the feature to automatically create an account for a computer
> in the domain. Well, I could only make it work adding the computer
> account in /etc/smbpasswd by hand.
>
> After that, I could make NT 4.0 join the domain. When
> rebooted, when I tried to login as a regular user present in
> /etc/smbpasswd, NT showed a message that it could not login the user
> because the computer account in the PDC was not OK.
>

1. How do I download the latest Samba NT Domain Controller code?

For general information on accessing the samba source code via CVS,
see http://samba.anu.edu.au/cvs.html

To download the latest Samba Domain Controller source code

- Obtain a recent copy of the cvs client binary. The cvs source
  code is available from ftp://download.cyclic.com/pub/

- Now run the following command

    cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login

  when you are prompted for a password, enter 'cvs' without the quotes.

- Now run the command

    cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba

- To update your source code run the following command

    cvs update -d -P

  If you want to update the entire archive of the BRANCH_NTDOM code
  make sure that you are located in the top directory of the samba
  tree ( ie. the samba directory )

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From Jean-Francois.Micouleau at utc.fr Mon Mar 2 18:20:45 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To: <199802101702.SAA13259@bordeaux.nijenrode.nl>
Message-ID:

What's the status of the todo list paul posted 3 weeks ago ?
Does anybody started to work on some topics ?

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From lkcl at switchboard.net Mon Mar 2 19:32:12 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Jean-Francois Micouleau wrote:

>
>
> What's the status of the todo list paul posted 3 weeks ago ?

oo, good question. who have we got. jerry, you expressed an interest in
doing the FAQ, i believe. jf wants to do \PIPE\spoolss. i want to be a
brain surgeon. anyone else?

luke

From lkcl at switchboard.net Mon Mar 2 19:39:52 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID:

cross-reference to "To Do" thread:

http://samba.anu.edu.au/listproc/samba-ntdom/0047.html

>
> > What's the status of the todo list paul posted 3 weeks ago ?
> > Does anybody started to work on some topics ?

i want to clear up the SMB / DCE/RPC abstraction a bit more. i'd also
like to do some more of the \PIPE\samr stuff. also, to explore some of
the DFS calls. and the trust domains and BDC stuff.

in order of priority:

- debug dce/rpc and abstraction of same
- inter-domain / bdc trust relationships (big task: mixed in with others)
- \PIPE\samr
- DFS calls

anyone want to volunteer for any of these or any of the tasks on the
ToDo list?

luke (samba team)

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From paul at argo.demon.co.uk Mon Mar 2 19:15:04 1998
From: paul at argo.demon.co.uk (Paul Ashton)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID: <888866238.0127806.0@no-dns-yet.demon.co.uk>

At 04:25 03/03/98 +1000, Jean-Francois Micouleau wrote:
>What's the status of the todo list paul posted 3 weeks ago ?
>Does anybody started to work on some topics ?

Well, Gerald has got to at least question 1 of the FAQ, and may
even be working on question 2 as we speak :-)

I've figured out the password change protocol and can decrypt
the new password as passed over the wire.
I just haven't had time to write the RPC yet.
Luke's done all the glue for it though.

err... any status reports?

Cheers,
Paul

From cartegw at Eng.Auburn.EDU Mon Mar 2 19:50:32 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
References:
Message-ID: <34FB0D88.FAE5F095@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> On Tue, 3 Mar 1998, Jean-Francois Micouleau wrote:
>
> >
> >
> > What's the status of the todo list paul posted 3 weeks ago ?
>
> oo, good question. who have we got. jerry, you expressed an interest in
> doing the FAQ, i believe. jf wants to do \PIPE\spoolss. i want to be a
> brain surgeon. anyone else?
>
> luke

Yes. I am working on an FAQ. Have some very pressing deadlines
( real paying work this time ) but hope to get a rough draft by
next week. Once I do, I will post it for critique.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From AXEL.HELLMIG.AH at bayer-ag.de Mon Mar 2 20:18:55 1998
From: AXEL.HELLMIG.AH at bayer-ag.de (AXEL.HELLMIG.AH@bayer-ag.de)
Date: Tue Dec 2 02:23:50 2003
Subject: subscribe
Message-ID: <0006800001946447000002L072*@MHS>

subscribe

From lkcl at switchboard.net Mon Mar 2 21:20:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To: <888866238.0127806.0@no-dns-yet.demon.co.uk>
Message-ID:

On Tue, 3 Mar 1998, Paul Ashton wrote:

> At 04:25 03/03/98 +1000, Jean-Francois Micouleau wrote:
> >What's the status of the todo list paul posted 3 weeks ago ?
>
> >Does anybody started to work on some topics ?
>
> Well, Gerald has got to at least question 1 of the FAQ, and may
> even be working on question 2 as we speak :-)
>
> I've figured out the password change protocol and can decrypt
> the new password as passed over the wire.

totally rad!

> I just haven't had time to write the RPC yet.

which one? samr 0x38 or 0x37? i think i've done those, but haven't put
them into use.

> Luke's done all the glue for it though.

yup. think so.

> err... any status reports?

oo, well.

- my house is taking priority / time / money, so i'm kind-of
  off-development again for a bit (computers are under polythene, but
  actually plugged in and everything. for now). however, if there's
  anything urgent or anything i can get a real kick out of, i'll find
  time immediately :-)

- i'm just doing an update merge (and having a ball doing it) creating a
  patch of appx 1.9.18p2 to appx 1.9.18p3, to keep BRANCH_NTDOM up to
  date. it will be committed in a few minutes. it compiles, but i can't
  test it - sorry. i'll have to rely on reports from you (samba ntdom
  subscribers) and from unsuspecting people.

lukes

From lkcl at switchboard.net Mon Mar 2 21:43:44 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To: <888866238.0127806.0@no-dns-yet.demon.co.uk>
Message-ID:

On Tue, 3 Mar 1998, Paul Ashton wrote:

> err... any status reports?

ok, i've just done the merge on BRANCH_NTDOM, from appx 1.9.18p2 to appx
1.9.18p3. it was messy, but not as laborious as last time (hand-editing
of patch files to reflect the directory structure).

it would be nice if BRANCH_NTDOM goes to the main branch, soon.

lukes

From mark at psych.adelaide.edu.au Tue Mar 3 05:43:00 1998
From: mark at psych.adelaide.edu.au (Mark Brown)
Date: Tue Dec 2 02:23:50 2003
Subject: Using Policies and Profiles??
Message-ID: <34FB9864.9C9E5BD9@psychology.adelaide.edu.au>

Hi,

I have abandoned the Alpha for the moment and built Samba NT DOM
on a pentium/linux. It works and I can have NT workstations join
the domain - I am just trying to get a samba domain running and
serving profiles and policies in order to register this years
student accounts else I will be stuck with the existing mix of
NT domain controller for authorization and samba for file/print
serving for another year. So any pointers would be greatly
appreciated. I think I am very close, but just about out of time.

Can anyone point me at some words or give me a brief summary on the
process of associating profiles/policies with a login. At the moment
(with a real NT domain controller) we have for example mandatory
profiles for honours students, third years etc and roaming profiles
for staff as well as assorted policies.
Is it just a matter of putting profiles etc in a netlogon dir and
running some sort of logon script to substitute the NT User Manager
associations? (and if so what sort of script :-) )

Thanks in advance,

Mark Brown

From danny at cs.huji.ac.il Tue Mar 3 08:11:41 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:50 2003
Subject: your mail
In-Reply-To: Your message of Mon, 2 Mar 1998 21:11:57 +0000 (GMT) .
Message-ID: <199803030811.IAA01923@peetoo.cs.huji.ac.il>

In message you write:
}On Mon, 2 Mar 1998, Danny Braniss wrote:
}
}> In message you write:
}> }On Mon, 2 Mar 1998, Danny Braniss wrote:
}> }
}> }> In message you write:
}> }
}> }read NTDOMAIN.txt - you have the wrong domain password.
}> }
}>
}> nothing like RTFM, i missed the part 'password must be lowercase', :-(,
}> btw, when you say 'domain password' you mean:
}>
}> my_workstation's_name$:LM_XXX:NT_XXX:0080:other_fields_are_ignored:
}
}i meant the "workstation trust account password", and yes.
}
}> i'll have to wait till the morning to test it.
}
}cool.

IT WORKS!
thanks 10^6

danny

From Jean-Francois.Micouleau at utc.fr Tue Mar 3 13:03:17 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Luke Kenneth Casson Leighton wrote:

> ok, i've just done the merge on BRANCH_NTDOM, from appx 1.9.18p2 to appx
> 1.9.18p3. it was messy, but not as laborious as last time (hand-editing
> of patch files to reflect the directory structure).
>
> it would be nice if BRANCH_NTDOM goes to the main branch, soon.

I agree but I would prefer to have a FAQ on ntdom and the last known bugs
corrected before a merge. It will reduce both the questions from users and
our time to answer.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From danny at cs.huji.ac.il Tue Mar 3 16:16:31 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:50 2003
Subject: arcfour.c
Message-ID: <199803031616.QAA02598@peetoo.cs.huji.ac.il>

hi,
where can i get it?

danny

From canfield at uindy.edu Tue Mar 3 17:03:52 1998
From: canfield at uindy.edu (dana canfield)
Date: Tue Dec 2 02:23:50 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID:

Why isn't it in the main branch now? Just because it's not fully
complete?

On Tue, 3 Mar 1998, Luke Kenneth Casson Leighton wrote:

> it would be nice if BRANCH_NTDOM goes to the main branch, soon.
>

From canfield at uindy.edu Tue Mar 3 17:12:29 1998
From: canfield at uindy.edu (dana canfield)
Date: Tue Dec 2 02:23:51 2003
Subject: Multiple Subnet PDC
In-Reply-To:
Message-ID:

I know this is explained in the documents, but I can't figure out which
setup applies to me exactly, and nothing I've tried seems to work.

We have a switched-ethernet backbone, with about 8 Class C networks sent
over the same hardware (in other words, we aren't routing internally, you
can have an xxx.xxx.100.xxx machine on the same hub as an xxx.xxx.101.xxx
machine, as long as you point to the right router address).

If I put machines on the same subnet as my Samba PDC, everything works
fine. They can see each other, they can see the Samba machine, etc. If
they are on a different subnet, they see nothing. I have samba running as
a WINS server, and I have the NT workstations pointing to it as the WINS
server, but nothing appears in the network neighborhood, and the
workstations can't find the samba PDC.

Is there something more I need to be doing? Would it be beneficial to put
aliases on the ethernet port so that the Samba machine has an address on
every subnet?

I've read some things implying that our method of switching/unrouted may
not be such a good idea, but no real facts about it. If anyone can tell me
if this is a bad way of doing things, I'd be interested in forwarding the
info to our net admin.

Thanks!

From eilhard at warstein.owl.de Tue Mar 3 14:35:53 1998
From: eilhard at warstein.owl.de (Holger Eilhard)
Date: Tue Dec 2 02:23:51 2003
Subject: Beginner Question: How to set up a Samba PDC
Message-ID: <01BD46BA.0D9F0A70.eilhard@warstein.owl.de>

Hello everybody,

I'm trying to connect my NT Workstation to a Samba PC (that is running on
a P90 and DLD-Linux 5.3, Samba is 1.9.18p3).

Now my questions:

1. Can Samba act as a PDC? I've read it can, but do not know how!? I also
   read the docs, but I didn't find anything that could help me...

2. If it's true that it can be a PDC, what software do I need? I already
   got some packages via cvs, but haven't found anything that could help
   me!? There was some documentation in it, but that wasn't very
   up-to-date...

3. Can someone send me the settings that I need for the smb.conf?

Thanks for your help

Holger
--
Holger Eilhard - eilhard@warstein.owl.de
I will not yell "She's dead" during roll call. - B. Simpson

From lkcl at switchboard.net Tue Mar 3 18:29:28 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: Status of the todo list
In-Reply-To:
Message-ID:

On Wed, 4 Mar 1998, dana canfield wrote:

>
>
> Why isn't it in the main branch now? Just because it's not fully
> complete?

because its impact and my style of development was considered too much of
a risk: the alpha series, because of the large number of people that
download it and the desire to keep them as stable as possible, can often
be considered to be a beta series not an alpha.

regards,
luke

> On Tue, 3 Mar 1998, Luke Kenneth Casson Leighton wrote:
>
> > it would be nice if BRANCH_NTDOM goes to the main branch, soon.
> >
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From cartegw at Eng.Auburn.EDU Tue Mar 3 17:45:21 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: arcfour.c
References: <199803031616.QAA02598@peetoo.cs.huji.ac.il>
Message-ID: <34FC41B1.D9C9E552@eng.auburn.edu>

Danny Braniss wrote:
>
> hi,
> where can i get it?
>
> danny

See the list archives at http://samba.anu.edu.au/listproc/samba-ntdom

Don't remember the exact message at the moment.

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Tue Mar 3 18:34:32 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: Using Policies and Profiles??
In-Reply-To: <34FB9864.9C9E5BD9@psychology.adelaide.edu.au>
Message-ID:

hi mark,

if you have configured NT servers to download policies and/or profiles,
then you are in a very good position to understand what to do here, using
samba PDC instead of NT PDC....

On Tue, 3 Mar 1998, Mark Brown wrote:

> Hi,
>
> I have abandoned the Alpha for the moment and built Samba NT DOM
> on a pentium/linux. It works and I can have NT workstations join
> the domain - I am just trying to get a samba domain running and
> serving profiles and policies in order to register this years
> student accounts else I will be stuck with the existing mix of
> NT domain controller for authorization and samba for file/print
> serving for another year. So any pointers would be greatly
> appreciated. I think I am very close, but just about out of time.
>
> Can anyone point me at some words or give me a brief summary on the
> process of associating profiles/policies with a login. At the moment
> (with a real NT domain controller) we have for example mandatory
> profiles for honours students, third years etc and roaming profiles
> for staff as well as assorted policies.
> Is it just a matter of putting profiles etc in a netlogon dir and
> running some sort of logon script to substitute the NT User Manager
> associations? (and if so what sort of script :-) )

look up "logon script" and "profile path" and "home dir": these are the
parameters you will need. also, the existing docs DOMAINS.txt etc etc:
it's all there: [netlogon] share etc.

should be easy to do. someone else from an aus. uni posted that they had
got profiles set up, too: check the samba-ntdom archives, ok?

good luck!

luke

From cmwirun at comcept.com Tue Mar 3 18:29:08 1998
From: cmwirun at comcept.com (Corey M. Wirun)
Date: Tue Dec 2 02:23:51 2003
Subject: domain user as local machine admin?
Message-ID: <01BD4697.97FF7830@PIHOME>

Hello All,

Small problem:

I've compiled and am running the NTDOM branch of the samba code
(downloaded a couple of weeks ago).

My question is: when I do a domain login to my samba server, I don't
have admin access to my local machine. e.g. can't edit network
settings, etc. Is it possible to set up this domain id to be part of
the local machine's admin group?

I can't seem to do it in User Manager. I had thought that you could do it
if you specified the id to be: DOMAIN/userid.

Is this functionality not yet available in the samba NT DOM branch?

Thanks in advance.
Corey.

From lkcl at switchboard.net Tue Mar 3 20:16:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: domain user as local machine admin?
In-Reply-To: <01BD4697.97FF7830@PIHOME>
Message-ID:

> My question is: when I do a domain login to my samba server, I don't
> have admin access to my local machine. e.g. can't edit network
> settings, etc. Is it possible to set up this domain id to be part of
> the local machine's admin group?

domain admin users =
domain guest users =

etc.

>
> I can't seem to do it in User Manager.

no, you can't.

> Is this functionality not yet available in the samba NT DOM branch?

it is.

From twinders at SPC.cc.tx.us Tue Mar 3 19:39:38 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: SUMMARY:Encrypt Passwords with no user entry
Message-ID:

I had asked last week what would happen if I enabled the 'encrypt
passwords = yes' option but didn't have a user entry in the smbpasswd
file.

The general consensus would be that the user would not be connected. Luke
said he THOUGHT it might depend on the GUEST_SESSETUP value in the local.h
include file, but he wasn't sure.

It looks like Luke was correct. I had already changed that value to 2 for
other reasons and it looks like this will let people not having an entry
in the smbpasswd database logon to the machine as guest.

So, there you have it...

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us             |
| Network Administrator | Phone: 806-894-9611 x 2369               |
| South Plains College  | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From danny at cs.huji.ac.il Tue Mar 3 19:54:03 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:51 2003
Subject: arcfour.c
In-Reply-To: Your message of "Tue, 03 Mar 1998 19:49:33 GMT."
Message-ID:

In message you write:
}check the archives.
}
}luke

i was doing that but the link was so slow that it was taking ages,
anyway, i just got it, thanks.

btw, once I got the logon working, it took less than 20 minutes to
junk our old Gina and use Samba all the way! just days before the
beginning of the next semester!

Now for some more RTFM & SDk hunting to figure out how to use
one-time-password cards :-(

danny

From cartegw at Eng.Auburn.EDU Tue Mar 3 20:10:33 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: new option to smbpasswd
Message-ID: <34FC63B9.9F42B3BE@eng.auburn.edu>

I was working on the NTDOM FAQ a little was working on the part about
adding machines to the smbpasswd file. Had a quick thought...

Would it be beneficial to add a switch to smbpasswd so that machine
accounts could be added directly? For example, something like

    smbpasswd -add -machine mymachine

which would generate the entry

    MYMACHINE$::0080:

rather than the standard user entry which would then have to be
modified.

I realize that the plans are to be able to create these accounts
automatically but in the meantime, this could be a quick hack.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Tue Mar 3 21:16:50 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: new option to smbpasswd
In-Reply-To: <34FC63B9.9F42B3BE@eng.auburn.edu>
Message-ID:

yes, this is a good idea, as it could be automated from a script.

luke

On Wed, 4 Mar 1998, Gerald W. Carter wrote:

> I was working on the NTDOM FAQ a little was working on the part about
> adding machines to the smbpasswd file. Had a quick thought...
>
> Would it be beneficial to add a switch to smbpasswd so that machine
> accounts could be added directly? For example, something like
>
>     smbpasswd -add -machine mymachine
>
> which would generate the entry
>
>     MYMACHINE$::0080:
>
> rather than the standard user entry which would then have to be
> modified.
>
> I realize that the plans are to be able to create these accounts
> automatically but in the meantime, this could be a quick hack.
>
>
>
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services           Auburn University
> jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw
>
>        "...a hundred billion castaways looking for a home."
>                                - Sting "Message in a Bottle" ( 1979 )
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Tue Mar 3 21:14:23 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: arcfour.c
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Danny Braniss wrote:

> In message you write:
> }check the archives.
> }
> }luke
>
> i was doing that but the link was so slow that it was taking ages,

bleuh.

> anyway, i just got it, thanks.

rad.

> btw, once I got the logon working, it took less than 20 minutes to
> junk our old Gina and use Samba all the way! just days before the
> beginning of the next semester!

totally rad. urr... you're using this in a production environment? holy
cow. please tell me how things go, ok? we've got one person using this
in production already, and it would be nice to know what kinds of numbers
(users/machines) people are up to.

luke

From twinders at SPC.cc.tx.us Wed Mar 4 00:59:16 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
Message-ID:

I have compiled and installed the BRANCH_NTDOM which I downloaded last
night. Going through the NTDOMAIN.txt file, I don't understand how to
accomplish the adding of the workstation account.

Specifically, I have a machine named OPT which I would like to add. So, I
need an entry like:

    opt$:"16 byte hash of opt":"16 byte hash of opt":0080:anything else

So, how do I generate the hash of opt?

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us             |
| Network Administrator | Phone: 806-894-9611 x 2369               |
| South Plains College  | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From cartegw at Eng.Auburn.EDU Wed Mar 4 02:26:13 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

On Wed, 4 Mar 1998, Tim Winders wrote:

> Specifically, I have a machine named OPT which I would like to add. So, I
> need an entry like:
>
> opt$:"16 byte hash of opt":"16 byte hash of opt":0080:anything else
>
> So, how do I generate the hash of opt?
>

    smbpasswd -add nobody opt

This will create the entry and you can then edit the username and replace
it with opt$ as well as inserting the :0080: field following the password
hash.

PS : I am planning to look at possibly adding a -machine option to
smbpasswd to generate these accounts tomorrow...unless someone else had
their heart set on doing it ;)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From twinders at SPC.cc.tx.us Wed Mar 4 02:35:38 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Gerald W. Carter wrote:

> smbpasswd -add nobody opt
>
> This will create the entry and you can then edit the username and replace
> it with opt$ as well as inserting the :0080: field following the password
> hash.

Great. This created the account for nobody, I changed the name to opt$.
So far, so good. It put in the nobody group number, but the NTDOMAIN.txt
file doesn't list that. Does the group number need to be removed? What
password did the above command put in the smbpasswd file? Does it matter?
Thanks!

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us             |
| Network Administrator | Phone: 806-894-9611 x 2369               |
| South Plains College  | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From tridge at samba.anu.edu.au Wed Mar 4 03:10:19 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:23:51 2003
Subject: Status of the todo list
References:
Message-ID: <19980304031032Z12615535-21312+7877@samba.anu.edu.au>

> it would be nice if BRANCH_NTDOM goes to the main branch, soon.

Jeremy and I discussed this the other day. We are trying to work out a
way to do this cleanly and without losing all the cvs history info in
the main branch. I think I know how to do this but Jeremy has asked me
to hold off for a week or two until he has done some stuff.

Cheers, Andrew

From cartegw at Eng.Auburn.EDU Wed Mar 4 03:42:54 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Tim Winders wrote:

> On Tue, 3 Mar 1998, Gerald W. Carter wrote:
>
> > smbpasswd -add nobody opt
> >
> > This will create the entry and you can then edit the username and replace
> > it with opt$ as well as inserting the :0080: field following the password
> > hash.
>
> Great. This created the account for nobody, I changed the name to opt$.
> So far, so good. It put in the nobody group number, but the NTDOMAIN.txt
> file doesn't list that. Does the group number need to be removed? What
> password did the above command put in the smbpasswd file? Does it matter?
> Thanks!

the password was set to the third parameter ( "opt" ). The only things
that matter in the machine account entry are

    MACHINE$:uid:XXXXXXXXX......:......XXXXXXXX:0080:

where uid is whatever ( i have been using the nobody account uid and am
not sure what part this integer actually plays in the logon process ).
Note that the last ':' is necessary

Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu           http://www.eng.auburn.edu/users/cartegw

       "...a hundred billion castaways looking for a home."
                               - Sting "Message in a Bottle" ( 1979 )

From twinders at SPC.cc.tx.us Wed Mar 4 04:06:38 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

On Tue, 3 Mar 1998, Gerald W. Carter wrote:

> On Tue, 3 Mar 1998, Tim Winders wrote:
>
> > On Tue, 3 Mar 1998, Gerald W. Carter wrote:
> >
> > > smbpasswd -add nobody opt
> > >
> > > This will create the entry and you can then edit the username and replace
> > > it with opt$ as well as inserting the :0080: field following the password
> > > hash.
> >
> > Great. This created the account for nobody, I changed the name to opt$.
> > So far, so good. It put in the nobody group number, but the NTDOMAIN.txt
> > file doesn't list that. Does the group number need to be removed? What
> > password did the above command put in the smbpasswd file? Does it matter?
> > Thanks!
>
> the password was set to the third parameter ( "opt" ). The only things
> that matter in the machine account entry are
>
> MACHINE$:uid:XXXXXXXXX......:......XXXXXXXX:0080:
>
> where uid is whatever ( i have been using the nobody account uid and am
> not sure what part this integer actually plays in the logon process ).
> Note that the last ':' is necessary

Yes, I figured the last parameter was the password AFTER I sent the
message. Doh!

Luke - will you (or whoever is doing the NTDOMAIN.txt DOC) update the
information to reflect the above uid and final : for the machine$ record?
The "smbpasswd -add nobody password" might also be a good trick to list.

Thanks!

---------------------------------------------------------------------
| Tim Winders, CNE      | Email: twinders@SPC.cc.tx.us             |
| Network Administrator | Phone: 806-894-9611 x 2369               |
| South Plains College  | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From twinders at SPC.cc.tx.us Wed Mar 4 04:12:43 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: smbclient failing
Message-ID:

On my Alpha system running Digital Unix 4.0D, smbclient from the
BRANCH_NTDOM stuff does not work. If I run it pointing to the local host,
it shows me the shares, but no workgroup or other machine listing and if I
try to point to another machine I get this:

twinders> smbclient -L conan
Added interface ip=206.76.17.2 bcast=206.76.17.255 nmask=255.255.255.0
Added interface ip=206.76.20.2 bcast=206.76.20.255 nmask=255.255.255.0
Added interface ip=206.76.21.2 bcast=206.76.21.255 nmask=255.255.255.0
Added interface ip=206.76.22.2 bcast=206.76.22.255 nmask=255.255.255.0
failed session setup
client_init: connection failed
warning: connection could not be established to conan<20>
this version of smbclient may crash if you proceed

Although, the SAME command from the smbclient from 1.9.18p3 gives the
share list etc just fine.

I have compiled with the default OSF stuff.

---------------------------------------------------------------------
| Tim Winders, CNE       | Email: twinders@SPC.cc.tx.us             |
| Network Administrator  | Phone: 806-894-9611 x 2369               |
| South Plains College   | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From btenison at dibbs.net Wed Mar 4 12:40:11 1998
From: btenison at dibbs.net (Bruce Tenison)
Date: Tue Dec 2 02:23:51 2003
Subject: New user question.
Message-ID: <003301bd476a$af7619a0$0105a8c0@tenison.rstc.cc.al.us>

Just recently subscribed to the mailing list, and am interested in testing
and possibly contributing to the effort. Basically, I'm interested in
trusted and trusting functionality in the samba server (BRANCH_NTDOM).
Is it already there? Or is it part of the todo list?

Thanks!
Bruce

From cartegw at Eng.Auburn.EDU Wed Mar 4 15:08:02 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: NT-DOM FAQ draft #1
Message-ID: <34FD6E52.207945A6@eng.auburn.edu>

A rough draft of the NTDOM FAQ is online at

    http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

Comments, additions, corrections, etc... welcome.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From jgarber at eng.utoledo.edu Wed Mar 4 16:23:39 1998
From: jgarber at eng.utoledo.edu (jeremy garber)
Date: Tue Dec 2 02:23:51 2003
Subject: [NTDOM] NISGINA revisited
Message-ID: <199803041623.LAA13390@bacchus.eng.utoledo.edu.eng.utoledo.edu>

I'm looking for some advice before I do some needless work...

We are currently using NISGINA in production.

I currently have the NTDOM code functional on a test basis.
I also have NISGINA configured to automatically create and update the
smbpasswd entries on a test basis when logging into a samba domain. Of
course the NT policies (something we must have functional) that are
stored on the samba server are not being pulled down when using the
current NISGINA.

What is wrong with my thinking that I can just rip the code out of
NISGINA that creates a local account so that I am actually logging in
under a domain account in the samba domain? There must be more to it
than this.

Will I have to add code to NISGINA so that it understands it is using a
domain account rather than a local one?

I understand that this would not be an option for everyone (not wanting
to install software on the client side or not using NIS), but it sounds
like it would work for us.

Jeremy

From cartegw at Eng.Auburn.EDU Wed Mar 4 16:44:38 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: [NTDOM] NISGINA revisited
References: <199803041623.LAA13390@bacchus.eng.utoledo.edu.eng.utoledo.edu>
Message-ID: <34FD84F6.A9E5D285@eng.auburn.edu>

jeremy garber wrote:
>
> I currently have the NTDOM code functional on a test basis.
> I also have NISGINA configured to automatically create and update the
> smbpasswd entries on a test basis when logging into a samba domain. Of
> course the NT policies (something we must have functional) that are
> stored on the samba server are not being pulled down when using the
> current NISGINA.

Couldn't you specify a manual remote update from a share on a samba
server which was configured using encrypted passwords?

> What is wrong with my thinking that I can just rip the code out of
> NISGINA that creates a local account so that I am actually logging in
> under a domain account in the samba domain? There must be more to it
> than this.

There are two ways I could understand what you are saying. One is that
the domain account already exists. In this case you would be
authenticating twice. Don't see a need for that.

If you are validating against the PDC why not just keep the default
msgina.dll unless you have some secret way of synchronizing the
passwords. ;)

The second way would be that the domain account does not exist and you
want NISgina to create it rather than a local account. This will not
work since only certain accounts are authorized to add accounts to a
domain. It has been tried ( check the NISgina mailing list archives )
by replacing the NULL parameter in NetUserAdd() with the name of the
PDC.

> Will I have to add code to NISGINA so that it understands it is using a
> domain account rather than a local one?

Gernot Bauer has added support to allow NISgina to login to a PDC or a
NIS master.

    http://www.eikon.e-technik.tu-muenchen.de/nisgina/

You may already know about this

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From andre at lme.usp.br Wed Mar 4 17:02:12 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:51 2003
Subject: NT-DOM FAQ draft #1
In-Reply-To: <34FD6E52.207945A6@eng.auburn.edu>
Message-ID: <3.0.1.32.19980304140212.00936450@ws10.lme.usp.br>

At 01:12 AM 3/5/98 +1000, you wrote:
>A rough draft of the NTDOM FAQ is online at
>
> http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
>
>Comments, additions, corrections, etc... welcome.
>
>

Well ...

- Things you can do to debug problems ... Like, debug levels (-d option),
  compiler directives (MEM_MAN, DEBUG_PASSWD). A procedure on how to do
  this debugging. Luke wrote something about this in his messages to the
  list.

>For tracing things on the Microsoft Windows NT, Network Monitor (aka.
>netmon) is available on the Microsoft
> Developer Network CD's, the Windows NT Server install CD and the
>SMS CD's.

The SMS version can be used to monitor the net. communications between two
computers from a third machine. With the version included in the Windows NT
Server install CD this is not possible.

Sincerely,

Andre Gerhard
Systems/Network Administrator
Universidade de Sao Paulo - SP - Brazil

From cartegw at Eng.Auburn.EDU Wed Mar 4 17:08:01 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
Message-ID: <34FD8A71.2447B0E0@eng.auburn.edu>

Greetings once again...

I have a question regarding lookups in smbpasswd. From the code, the
smbpasswd utility does these line by line and I am assuming that the
other code does the same thing.

Preparing for deploying NT / Samba PDC in a public lab in a couple of
months, I am cautious as to the limits on the number of entries without
taking a performance hit. We currently have about 6,000 active accounts
and while not all of them would be used in the lab, they would need to be
accessible. Also would have to consider all the machine accounts as
well.

Could someone send me information on the largest number of entries they
have been able to support?

If this is a limitation, a possible solution would be to keep the
standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
files ) similar to NIS maps. Smbpasswd could be modified to interface
directly with the DBM files. Also add an option to dump the map to a
flat ASCII file.

Thoughts / comments?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Wed Mar 4 17:31:33 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
References: <34FD8A71.2447B0E0@eng.auburn.edu>
Message-ID: <34FD8FF5.6201DD56@whistle.com>

Gerald W. Carter wrote:
>
> If this is a limitation, a possible solution would be to keep the
> standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> files ) similar to NIS maps. Smbpasswd could be modified to interface
> directly with the DBM files. Also add an option to dump the map to a
> flat ASCII file.
>

That's a very good idea, and one I've been wanting
to do for a while. Issues you will need to consider :

1). Concurrent updates - as I recall, most dbm hash
libraries don't allow record locking for concurrent
updates. smbpasswd will need this I think.

2). Transaction security - losing your password
file due to a smbd/smbpasswd crash won't be popular.
This may be solvable by keeping an ascii snapshot also
but we should have some method of dealing with this.

3). Setuid security. smbpasswd is a setuid root
program - adding dbm libraries to it means that
the dbm libraries must also pass the strict
security requirements for such a program. Do they ?

These problems are why I haven't done the code
work yet, I don't have good answers to them.

Just my 2 cents worth....

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Wed Mar 4 17:33:43 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:51 2003
Subject: NTDOM cutover to main branch.
References: <34FD8A71.2447B0E0@eng.auburn.edu>
Message-ID: <34FD9077.62319AC4@whistle.com>

Hi all,

With Luke's permission, we are hoping to cut over main Samba
development to the code represented in the NTDOM branch.

Our current timeline is for me to make sure that the changes in the
current head cvs branch are propagated into the NTDOM branch, and then
Andrew will do the cvs magic to discontinue the NTDOM branch - as it
will become the main Samba development branch.

We envisage this taking a couple of weeks as there are some changes in
the head branch that aren't yet in NTDOM, plus I'd like to do a security
review of the new code to make sure we don't get bitten again by buffer
overrun problems.

Once NTDOM is the main branch then everyone will need to change the
method for checking out the code (not by much, it'll mainly be just
changing the cvs checkout) but we'll let everyone know well in advance.

Things I'm hoping to add once it's the main branch are :

1). Moving the machine accounts out of the main smbpasswd file (they
don't really belong there) into a separate machine account file.

2). Addition of the NT specific SMB calls (adding NT ACL support &
change notify to Samba).

3). Keep developing the NTDOM functionality to the level where we can
ship a Samba-PDC as a standard release (just as a gut feeling I think
the PDC-BDC replication may take a bit longer and not be in the main
release, but hey, I've been severely pessimistic about our development
cycles before :-).

Just wanted to give everyone a heads-up of what we're hoping to do.

Cheers,

Jeremy Allison,
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Wed Mar 4 17:43:10 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
References: <34FD8A71.2447B0E0@eng.auburn.edu> <34FD8FF5.6201DD56@whistle.com>
Message-ID: <34FD92AE.CF0089F4@eng.auburn.edu>

Jeremy Allison wrote:
>
> Gerald W. Carter wrote:
> >
> > If this is a limitation, a possible solution would be to keep the
> > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > directly with the DBM files. Also add an option to dump the map to a
> > flat ASCII file.
> >
>
> That's a very good idea, and one I've been wanting
> to do for a while. Issues you will need to consider :
>

So in the meantime, what is a manageable smbpasswd. 500 entries?
1,000? 100? Any ideas? Or does this really just depend on the hardware
of the samba server?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Wed Mar 4 17:53:22 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
References: <34FD8A71.2447B0E0@eng.auburn.edu> <34FD8FF5.6201DD56@whistle.com> <34FD92AE.CF0089F4@eng.auburn.edu>
Message-ID: <34FD9512.63DECDAD@whistle.com>

Gerald W. Carter wrote:
>
> So in the meantime, what is a manageable smbpasswd. 500 entries?
> 1,000? 100? Any ideas? Or does this really just depend on the hardware
> of the samba server?
>

I don't have a good answer for that I'm afraid. I know
people are running with over 1000 concurrent users (so
that at least works) - but as you say this will depend
on the hardware of the server. Using the smbpasswd
file isn't much worse than the standard UNIX /etc/passwd
or /etc/shadow (although I agree with you, I don't like
it much either :-) - how far do these scale (without using
dbm technology like NIS or NIS+) ?

Jeremy.

--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Wed Mar 4 18:03:31 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: New user question.
References: <003301bd476a$af7619a0$0105a8c0@tenison.rstc.cc.al.us>
Message-ID: <34FD9773.3405BEA1@eng.auburn.edu>

Bruce Tenison wrote:
>
> Just recently subscribed to the mailing list, and am interested in testing
> and possibly contributing to the effort. Basically, I'm interested in
> trusted and trusting functionality in the samba server (BRANCH_NTDOM).
> Is it already there? Or is it part of the todo list?
>
> Thanks!
> Bruce

It's on the TODO list. Not sure if anyone is currently working on this
part. Check the list archives. There was a thread about this at the
same time as WINS replication.

Archives are at http://samba.anu.edu.au/listproc/samba-ntdom

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Wed Mar 4 18:06:48 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
References: <34FD8A71.2447B0E0@eng.auburn.edu> <34FD8FF5.6201DD56@whistle.com> <34FD92AE.CF0089F4@eng.auburn.edu> <34FD9512.63DECDAD@whistle.com>
Message-ID: <34FD9838.B274C785@eng.auburn.edu>

Jeremy Allison wrote:
>
> Gerald W. Carter wrote:
> > So in the meantime, what is a manageable smbpasswd. 500 entries?
> > 1,000? 100? Any ideas? Or does this really just depend on the
> > hardware of the samba server?
>
> I don't have a good answer for that I'm afraid. I know
> people are running with over 1000 concurrent users (so
> that at least works) - but as you say this will depend
> on the hardware of the server. Using the smbpasswd
> file isn't much worse than the standard UNIX /etc/passwd
> or /etc/shadow (although I agree with you, I don't like
> it much either :-)

True. but most large sites do use NIS / NIS+ rather than propagating
copies /etc/passwd :)

> how far do these scale (without using
> dbm technology like NIS or NIS+) ?

I have no idea. Anyone?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From twinders at SPC.cc.tx.us Wed Mar 4 18:11:54 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:51 2003
Subject: NTDOM cutover to main branch.
In-Reply-To: <34FD9077.62319AC4@whistle.com>
Message-ID:

On Thu, 5 Mar 1998, Jeremy Allison wrote:

> 3). Keep developing the NTDOM functionality to the level
> where we can ship a Samba-PDC as a standard release (just
> as a gut feeling I think the PDC-BDC replication may take
> a bit longer and not be in the main release, but hey, I've
> been severely pessimistic about our development cycles
> before :-).

What are the plans for multiple domain trusts? ie - WinNT PDC trusting a
Samba-PDC?

---------------------------------------------------------------------
| Tim Winders, CNE       | Email: twinders@SPC.cc.tx.us             |
| Network Administrator  | Phone: 806-894-9611 x 2369               |
| South Plains College   | Fax: 806-897-4711                        |
---------------------------------------------------------------------

From jallison at whistle.com Wed Mar 4 18:18:42 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:51 2003
Subject: NTDOM cutover to main branch.
References:
Message-ID: <34FD9B02.13728473@whistle.com>

Tim Winders wrote:
>
>
> What are the plans for multiple domain trusts? ie - WinNT PDC trusting a
> Samba-PDC?
>

Luke & Paul know much more about the difficulty of this so I'll leave
it to them to answer authoritatively. I can't imagine that'd be too
hard though, given that it's just a forwarding of the normal
server -> PDC authentication request over another rpc (that has to be
reverse engineered, of course).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From he at warstein.owl.de Wed Mar 4 18:41:27 1998
From: he at warstein.owl.de (Holger Eilhard)
Date: Tue Dec 2 02:23:51 2003
Subject: Can't logon into domain Samba
Message-ID: <199803041841.TAA01311@burns.homenet.de>

Hi there,

after a time and by the help of your (helpful!) FAQ I got my Samba PDC. But
my NT Workstation says that a connection to the Domain-Controller isn't
possible. In my log.nmb the following entries repeat while trying to connect
to the PDC:

send_backup_list_response: sending backup list for workgroup SAMBA to BART<00> IP 192.168.0.2
process_get_backup_list_request: request from BART<00> IP 192.168.0.2 to SAMBA<1b>.
process_get_backup_list_request: Cannot find workgroup SAMBA on subnet UNICAST_SUBNET.
process_logon_packet: Logon from 192.168.0.2: code = 7
process_logon_packet: GETDC request from BART at IP 192.168.0.2, reporting ???x? domain SAMBA ntversion=1 lm_nt=ffff lm_20=ffff

My smb.conf looks like the following:

[global]
; substitute your workgroup here
workgroup = SAMBA
; a description of domain sids can be found elsewhere.
; you **MUST** begin the domain SID with S-1-5-21.
; the rest is up to you.
domain sid = S-1-5-21-123-456-789-123
; tells workstations to use SAMBA as its Primary Domain Controller.
domain logons = yes
domain controller = yes
domain master = yes

I also have an entry for my Workstation (bart$) in the smbpasswd file:

bart$:generated by smbpasswd:generated by smbpasswd:0080:anything_else:

What could be wrong?! I suppose it is something with the:

process_get_backup_list_request: Cannot find workgroup SAMBA on subnet UNICAST_SUBNET.

What does this mean? Is it normal?

Any ideas would be welcome...

Holger

From cartegw at Eng.Auburn.EDU Wed Mar 4 18:56:00 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:51 2003
Subject: Can't logon into domain Samba
References: <199803041841.TAA01311@burns.homenet.de>
Message-ID: <34FDA3C0.F793865E@eng.auburn.edu>

Holger Eilhard wrote:
>
> Hi there,
>
> after a time and by the help of your (helpful!) FAQ I got my Samba PDC. But
> my NT Workstation says that a connection to the Domain-Controller isn't
> possible. In my log.nmb the following entries repeat while trying to connect
> to the PDC:
> send_backup_list_response: sending backup list for workgroup SAMBA to BART<00> IP 192.168.0.2
> process_get_backup_list_request: request from BART<00> IP 192.168.0.2 to SAMBA<1b>.
> process_get_backup_list_request: Cannot find workgroup SAMBA on subnet UNICAST_SUBNET.
> process_logon_packet: Logon from 192.168.0.2: code = 7

Unless you set it the OS level defaults to 0 meaning that it most likely
not will the browsemaster election requests. Include 'os level = 64' in
the global section of your smb.conf and see if that helps.

One more question. What is the machine name of your Samba server? Do
not name the server SAMBA and the workgroup SAMBA.

Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter    Engineering Network Services    Auburn University
jerry@eng.auburn.edu    http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From jgarber at eng.utoledo.edu Wed Mar 4 19:03:57 1998
From: jgarber at eng.utoledo.edu (jeremy garber)
Date: Tue Dec 2 02:23:51 2003
Subject: [NTDOM] NISGINA revisited
Message-ID: <199803041903.OAA13403@bacchus.eng.utoledo.edu.eng.utoledo.edu>

Sorry, I was afraid that I wasn't clear enough in my original post and
it appears I was correct. I'll try to help here:

Gerald W. Carter wrote:
>
> jeremy garber wrote:
> >
> > I currently have the NTDOM code functional on a test basis.
> > I also have NISGINA configured to automatically create and update the
> > smbpasswd entries on a test basis when logging into a samba domain. Of
> > course the NT policies (something we must have functional) that are
> > stored on the samba server are not being pulled down when using the
> > current NISGINA.
>
> Couldn't you specify a manual remote update from a share on a samba
> server which was configured using encrypted passwords?
>

To do what? Load the policies? Sorry, I don't think I'm following you
here.

> > What is wrong with my thinking that I can just rip the code out of
> > NISGINA that creates a local account so that I am actually logging in
> > under a domain account in the samba domain? There must be more to it
> > than this.
>
> There are two ways I could understand what you are saying. One is that
> the domain account already exists. In this case you would be
> authenticating twice. Don't see a need for that.
>

Yes, the domain account will already exist (in smbpasswd) because
NISGINA put it there after the initial NIS authentication. Yes, it is a
kludge that will probably end up authenticating twice: once to NIS and
once to the samba PDC (on the same machine).

> If you are validating against the PDC why not just keep the default
> msgina.dll unless you have some secret way of synchronizing the
> passwords. ;)
>

The secret password sync is to have NISGINA always keep smbpasswd
current. NISGINA is also nice for being able to customize which buttons
are active on the ctrl-alt-delete screens (e.g. lock, Shut Down, Task
Manager).

> The second way would be that the domain account does not exist and you
> want NISgina to create it rather than a local account. This will not
> work since only certain accounts are authorized to add accounts to a
> domain. It has been tried ( check the NISgina mailing list archives )
> by replacing the NULL parameter in NetUserAdd() with the name of the
> PDC.
>

Basically, that is what keeping smbpasswd current will do (i.e. create a
domain account -- at least as much info as samba needs). Right?

> > Will I have to add code to NISGINA so that it understands it is using a
> > domain account rather than a local one?
>
> Gernot Bauer has added support to allow NISgina to login to a PDC or a
> NIS master.
>
> http://www.eikon.e-technik.tu-muenchen.de/nisgina/
>
> You may already know about this
>

Yes, I knew about this, but I had forgotten it. We have been using
Gernot's version with a few changes. Thanks for reminding me... The
code should already be there for the samba PDC login. I just have to
get it to do both types (NIS first, then PDC) without creating a local
account... right?

Jeremy

From jwf at platinum.com Wed Mar 4 18:22:08 1998
From: jwf at platinum.com (Jim Farrell)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To: <34FD8FF5.6201DD56@whistle.com>
Message-ID:

On Thu, 5 Mar 1998, Jeremy Allison wrote:

> Gerald W. Carter wrote:
> >
> > If this is a limitation, a possible solution would be to keep the
> > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > directly with the DBM files. Also add an option to dump the map to a
> > flat ASCII file.
> >
>
> That's a very good idea, and one I've been wanting
> to do for a while. Issues you will need to consider :
>
> 1). Concurrent updates - as I recall, most dbm hash
> libraries don't allow record locking for concurrent
> updates. smbpasswd will need this I think.

I think sendmail solves this by using some scheme of locking the data file
(flock()/lockf()/fcntl()) and inserting some internal record/token to
inform other sendmails that the data base is being written to.

The locking could really turn out to be a nightmare ... especially if
someone were crazy enough to run samba with a smbpasswd file on NFS ...
and then of course converting smbpasswd to a data base format has some
obvious ramifications on porting to NT/VMS/Novell, etc. so this would
probably have to be a compile-time option of some sort.

Something like NIS lookups would be nice ... however plain old NIS has no
protections, so those smb passwords would be easily accessible. NIS+
might work out better, but could turn out to be just as bad if NIS
compatibility were on and ill configured.

> 2). Transaction security - losing your password
> file due to a smbd/smbpasswd crash won't be popular.
> This may be solvable by keeping an ascii snapshot also
> but we should have some method of dealing with this.

Once you go to a data base format, there will need to be some utility to
write new entries .... that would either be smbpasswd or a utility like
sendmail's makemap. If smbpasswd is used, that program could just
automatically dump before/after snapshots for ease of mind. If makemap is
used, then the flat file is already available.

> 3). Setuid security. smbpasswd is a setuid root
> program - adding dbm libraries to it means that
> the dbm libraries must also pass the strict
> security requirements for such a program. Do they ?

Well, sendmail uses ndbm and such ;) I don't think that it in itself
creates any additional security issues. Sendmail, Perl, NIS, and some
BSD/auth all use ndbm in setuid executables. Someone might want to look
at GNU's dbm or the new BSD DB package.

Hope that helps ....

--
jim

From lkcl at switchboard.net Wed Mar 4 20:06:35 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

> PS : I am planning to look at possibly adding a -machine option to
> smbpasswd to generate these accounts tomorrow...unless someone else had
> their heart set on doing it ;)

-m and -machine. go for it, gerry.

From lkcl at switchboard.net Wed Mar 4 20:11:11 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: Machine account
In-Reply-To:
Message-ID:

> The "smbpasswd -add nobody password" might also be a good trick to list.

done.

From todd at edge.cis.mcmaster.ca Wed Mar 4 18:57:06 1998
From: todd at edge.cis.mcmaster.ca (Todd Pfaff)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To: <34FD8FF5.6201DD56@whistle.com>
Message-ID:

On Thu, 5 Mar 1998, Jeremy Allison wrote:

> Gerald W. Carter wrote:
> >
> > If this is a limitation, a possible solution would be to keep the
> > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > directly with the DBM files. Also add an option to dump the map to a
> > flat ASCII file.
> >
>
> That's a very good idea, and one I've been wanting
> to do for a while. Issues you will need to consider :
>
> 1). Concurrent updates - as I recall, most dbm hash
> libraries don't allow record locking for concurrent
> updates. smbpasswd will need this I think.
>
> 2). Transaction security - losing your password
> file due to a smbd/smbpasswd crash won't be popular.
> This may be solvable by keeping an ascii snapshot also
> but we should have some method of dealing with this.
>
> 3). Setuid security. smbpasswd is a setuid root
> program - adding dbm libraries to it means that
> the dbm libraries must also pass the strict
> security requirements for such a program. Do they ?
>
> These problems are why I haven't done the code
> work yet, I don't have good answers to them.
>
> Just my 2 cents worth....
>
> Jeremy Allison,
> Samba Team.

a quick solution that bypasses some or all of these concerns...

just use the dbm file for lookups. the only code that has to be modified
is function get_smbpwd_entry() in smbpass.c. it could even be conditional
on whether or not smbpasswd.dir exists.

continue applying changes to the text file and rebuild the dbm files
whenever a change occurs. this can be accomplished with (under sunos
anyway): system("makedbm smbpasswd smbpasswd").

this is similar to how the nis yppasswdd stuff works in sunos. yppasswd
receives updates, applies them to passwd file, and then runs a yp make to
rebuild the passwd map. mind you, this makedbm can take a long time for
large passwd files. but at least it improves the lookup time.

--
Todd Pfaff                          \ Email: pfaff@mcmaster.ca
Computing and Information Services  \ Voice: (905) 525-9140 x22920
ABB 132                             \ FAX: (905) 528-3773
McMaster University                 \
Hamilton, Ontario, Canada L8S 4M1   \

From benny at HGS.SE Wed Mar 4 20:58:48 1998
From: benny at HGS.SE (Benny Holmgren)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To:
Message-ID:

On Thu, 5 Mar 1998, Jim Farrell wrote:

> On Thu, 5 Mar 1998, Jeremy Allison wrote:
>
> > Gerald W. Carter wrote:
> > >
> > > If this is a limitation, a possible solution would be to keep the
> > > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > > directly with the DBM files. Also add an option to dump the map to a
> > > flat ASCII file.
> >
> > That's a very good idea, and one I've been wanting
> > to do for a while. Issues you will need to consider :
> >
> > 1). Concurrent updates - as I recall, most dbm hash
> > libraries don't allow record locking for concurrent
> > updates. smbpasswd will need this I think.

I'm not sure about other implementations but GNU dbm locks the whole file
during read-write access which is probably enough. A few retries with
random delay would probably make it reasonably solid.

> Something like NIS lookups would be nice ... however plain old NIS has no
> protections, so those smb passwords would be easily accessible. NIS+
> might work out better, but could turn out to be just as bad if NIS
> compatibility were on and ill configured.

Even in compat mode the access rights of a NIS+ table is in use. This means
that you can have the hashed password fields non-readable for
unauthenticated principals. The result when doing a plain NISv2 lookup
would be *NP* in the password fields. So it all comes down to setting the
access bits strict enough which is no different from having it in a plain
file.

Cheers,
Benny

--
Benny Holmgren                            email: benny@hgs.se
University College of Gavle/Sandviken.    phone: +46-(0)26-648887
Sweden                                    mobile: +46-(0)70-6338298

From lkcl at switchboard.net Wed Mar 4 21:43:46 1998
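The concerns raised in this thread (concurrent updates, not losing the file if an update crashes, care inside a setuid program) and the whole-file lock with retries that Jim and Benny mention apply to the flat smbpasswd file too. The following is an added example, not code from the thread or from Samba: one entry is replaced under a lock and the file is swapped atomically. The .lock and .tmp suffixes, the function names and the sample data are assumptions of the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Constructed sample data: placeholder hashes and a demo path under /tmp. */
#define DEMO_PATH "/tmp/smbpasswd.demo"
#define H_OLD "0123456789ABCDEF0123456789ABCDEF"
#define H_NEW "FEDCBA9876543210FEDCBA9876543210"
#define NOBODY "nobody:65534:" H_OLD ":" H_OLD ":\n"
#define SAMPLE NOBODY "opt$:65534:" H_OLD ":" H_OLD ":0080:\n"
#define NEW_ENTRY "opt$:65534:" H_NEW ":" H_NEW ":0080:"
#define EXPECTED NOBODY NEW_ENTRY "\n"

/* Exclusive whole-file lock, retried after a jittered delay. 0 = lock held. */
static int lock_with_retry(int fd, int tries)
{
    struct flock fl;
    struct timespec ts = { 0, 0 };
    memset(&fl, 0, sizeof fl);           /* whence/start/len 0: whole file */
    fl.l_type = F_WRLCK;
    for (; tries > 0; tries--) {
        if (fcntl(fd, F_SETLK, &fl) == 0) return 0;
        /* 50-249 ms, varied by pid so competing writers do not retry in step */
        ts.tv_nsec = (long)(50 + (getpid() + 31 * tries) % 200) * 1000000L;
        nanosleep(&ts, NULL);
    }
    return -1;
}

/* Replace user's line. 1 = replaced, 0 = no such user, -1 = error. */
int replace_entry(const char *path, const char *user, const char *entry)
{
    char lockpath[512], tmppath[512], line[1024];
    size_t ulen = strlen(user);
    int lockfd, tmpfd, found = 0, ok = 0;
    FILE *in, *out = NULL;
    snprintf(lockpath, sizeof lockpath, "%s.lock", path);
    snprintf(tmppath, sizeof tmppath, "%s.tmp", path);
    /* Lock a separate file: rename() below gives `path` a new inode, so a
     * lock on the data file itself would not exclude the next writer. */
    lockfd = open(lockpath, O_RDWR | O_CREAT, 0600);
    if (lockfd < 0) return -1;
    if (lock_with_retry(lockfd, 10) != 0) { close(lockfd); return -1; }
    in = fopen(path, "r");
    /* O_NOFOLLOW: never write through a symlink left at the temp name. */
    tmpfd = open(tmppath, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (tmpfd >= 0) out = fdopen(tmpfd, "w");
    if (in != NULL && out != NULL) {
        ok = 1;
        while (fgets(line, sizeof line, in) != NULL) {
            int hit = strncmp(line, user, ulen) == 0 && line[ulen] == ':';
            if (hit) found = 1;          /* the entry begins with "user:" */
            if ((hit ? fprintf(out, "%s\n", entry) : fputs(line, out)) < 0) ok = 0;
        }
        /* Data must reach the disk before rename() makes it the live file. */
        if (fflush(out) != 0 || fsync(tmpfd) != 0) ok = 0;
    }
    if (in != NULL) fclose(in);
    if (out != NULL) fclose(out); else if (tmpfd >= 0) close(tmpfd);
    if (ok && found && rename(tmppath, path) != 0) ok = 0;
    if (!ok || !found) unlink(tmppath);
    close(lockfd);                       /* closing releases the fcntl lock */
    return ok ? found : -1;
}

/* 1 if the file's whole content equals `expected` (demo check only). */
int file_equals(const char *path, const char *expected)
{
    char buf[1024];
    size_t n;
    FILE *in = fopen(path, "r");
    if (in == NULL) return 0;
    n = fread(buf, 1, sizeof buf - 1, in);
    fclose(in);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Write `text` to `path`, creating the constructed demo file. 0 = ok. */
int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs(text, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    if (write_text(DEMO_PATH, SAMPLE) != 0) return 1;
    printf("replace opt$: %d\n", replace_entry(DEMO_PATH, "opt$", NEW_ENTRY));
    printf("file as expected: %d\n", file_equals(DEMO_PATH, EXPECTED));
    return 0;
}
```

A reader that opens the file while an update runs sees either the complete old copy or the complete new one, which is the property a dbm rebuild step would also need.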
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To:
Message-ID:

as per designs currently sitting in my head, and as per at least one request already, i'd like password accounts to be abstracted, such that different systems can be switched in/out.

_one_ system will be the current private/smbpasswd system; another will be a privately used system by the above-mentioned requestor; another could be a dbm or other database system; another NIS+; another LDAP etc etc.

luke

On Thu, 5 Mar 1998, Todd Pfaff wrote:

> On Thu, 5 Mar 1998, Jeremy Allison wrote:
>
> > Gerald W. Carter wrote:
> > >
> > > If this is a limitation, a possible solution would be to keep the
> > > standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
> > > files ) similar to NIS maps. Smbpasswd could be modified to interface
> > > directly with the DBM files. Also add an option to dump the map to a
> > > flat ASCII file.
> > >
> >
> > That's a very good idea, and one I've been wanting
> > to do for a while. Issues you will need to consider :
> >
> > 1). Concurrent updates - as I recall, most dbm hash
> > libraries don't allow record locking for concurrent
> > updates. smbpasswd will need this I think.
> >
> > 2). Transaction security - losing your password
> > file due to a smbd/smbpasswd crash won't be popular.
> > This may be solvable by keeping a ascii snapshot also
> > but we should have some method of dealing with this.
> >
> > 3). Setuid security. smbpasswd is a setuid root
> > program - adding dbm libraries to it means that
> > the dbm libraries must also pass the strict
> > security requirements for such a program. Do they ?
> >
> > These problems are why I haven't done the code
> > work yet, I don't have good answers to them.
> >
> > Just my 2 cents worth....
> >
> > Jeremy Allison,
> > Samba Team.
>
> a quick solution that bypasses some or all of these concerns...
>
> just use the dbm file for lookups. the only code that has to be modified
> is function get_smbpwd_entry() in smbpass.c. it could even be conditional
> on whether or not smbpasswd.dir exists.
>
> continue applying changes to the text file and rebuild the dbm files
> whenever a change occurs. this can be accomplished with (under sunos
> anyway): system("makedbm smbpasswd smbpasswd").
>
> this is similar to how the nis yppasswdd stuff works in sunos. yppasswd
> receives updates, applies them to passwd file, and then runs a yp make to
> rebuild the passwd map. mind you, this makedbm can take a long time for
> large passwd files. but at least it improves the lookup time.
>
> --
> Todd Pfaff                         \ Email: pfaff@mcmaster.ca
> Computing and Information Services \ Voice: (905) 525-9140 x22920
> ABB 132                            \ FAX: (905) 528-3773
> McMaster University                \
> Hamilton, Ontario, Canada L8S 4M1  \
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From danny at cs.huji.ac.il Wed Mar 4 19:39:15 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To: Your message of "Thu, 05 Mar 1998 03:11:30 +1000." <34FD8A71.2447B0E0@eng.auburn.edu>
Message-ID:

In message <34FD8A71.2447B0E0@eng.auburn.edu>you write:
}Greetings once again...
}

firstly, thanks to everybody who helped me out!

for the last 2 weeks or so, I have been trying out the PDC and finally, today it's all bells & whistles. The last hurdle (well almost :-) was getting the logon to work (using arcfour).

In the process I got familiar with the code, and I had to patch several versions, making samba work with my password server - which of course had to be modified to accommodate NT/LanMan and finally arcfour hashed passwords.

While doing this, I'm still trying to come up with a simple way to include my mods in future samba releases. Since the mods are 'particular' to our site I see no point in including them in the distribution, but it would be nice to define some way a 'standard api' for authentication and so guys like me could add them locally.

These are the routines that I had to modify:

    get_smbpwd_entry
    get_smbpwd_entries
    smb_passwords_check
    net_login_interactive

In any case, I have only a few days to do some more testing, and if all goes well, next week, with the beginning of the semester it will go into production.

thanks again to the samba team,

danny

From lkcl at switchboard.net Wed Mar 4 21:55:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: lookups in smbpasswd file
In-Reply-To:
Message-ID:

On Thu, 5 Mar 1998, Danny Braniss wrote:

> In message <34FD8A71.2447B0E0@eng.auburn.edu>you write:
> }Greetings once again...
> }
> firstly, thanks to everybody who helped me out!
>
> for the last 2 weeks or so, I have been trying out the PDC and finally,
> today it's all bells & whistles. The last hurdle (well almost :-) was
> getting the logon to work (using arcfour).
>
> In the process I got familiar with the code, and I had to patch
> several versions, making samba work with my password server - which of
> course had to be modified to accommodate NT/LanMan and finally arcfour
> hashed passwords.
>
> While doing this, I'm still trying to come up with a simple way to
> include my mods in future samba releases. Since the mods are
> 'particular' to our site I see no point in including them in the
> distribution, but it would be nice to define some way a 'standard api'
> for authentication and so guys like me could add them locally.

this is *exactly* what i want to see happen.

luke

From lkcl at switchboard.net Wed Mar 4 21:58:31 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:51 2003
Subject: new option to smbpasswd
Message-ID:

jf's written the "-machine" option.

(if you want to know what's happening on the cvs stuff, it's a standard listproc mailing list: see http://samba.anu.edu.au/listproc, list is samba-cvs@samba.anu.edu.au).

luke

---------- Forwarded message ----------
Date: Thu, 5 Mar 1998 07:10:23 +1000
From: Luke Leighton
To: Multiple recipients of list
Subject: CVS update: samba/source/utils/smbpasswd

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

Date: Thursday March 5, 1998 @ 7:08
Author: lkcl

Update of /data/cvs/samba/source/utils/smbpasswd
In directory samba:/tmp/cvs-serv4537

Modified Files:
    Tag: BRANCH_NTDOM
    smbpasswd.c
Log Message:
jean francois's patch to allow "smbpasswd -m machine_name"

From dugan at libwais.sonoma.edu Wed Mar 4 23:30:49 1998
From: dugan at libwais.sonoma.edu (Michael Egan)
Date: Tue Dec 2 02:23:51 2003
Subject: smbpasswd file(s)
In-Reply-To: <34FD92AE.CF0089F4@eng.auburn.edu>
Message-ID:

Here people,

There was a discussion earlier about merging the Samba passwords into the UNIX passwords and adding a field... I hope this does not mean that the option to have two separate password files with separate passwords (one for SMB shares and one for shell access) will be replaced...

Could anyone confirm that the admins will be afforded both options, or at least be able to keep a separate SMB user/password file? (Separate files are good for security, and allow segmentation of access to the system.)

Thanks,
-M

From danny at cs.huji.ac.il Thu Mar 5 07:38:47 1998
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:23:51 2003
Subject: PDC
Message-ID: <199803050738.HAA06377@peetoo.cs.huji.ac.il>

One thing that keeps bothering me, how does Samba - or MS - ensure that only one PDC for a given domain exists?

danny

From tomassoni at crisato.intra.oftalm.unisi.it Thu Mar 5 10:44:23 1998
From: tomassoni at crisato.intra.oftalm.unisi.it (Caldera OpenLinux User)
Date: Tue Dec 2 02:23:52 2003
Subject: Annoying smbclient bug
Message-ID: <199803051044.LAA11159@crisato.intra.oftalm.unisi.it>

Hi all,

by the first stages of the samba-ntdom development, I experienced a tiny-but-annoying bug afflicting the utils/smbclient/client.c source, which resulted in the smbclient prompt not being shown properly.

I fixed my local sources by adding a:

    fflush(out_hnd);

right below the existing

    fflush(bdf);

I don't know if I am entitled to commit changes to the cvs repository, nor do I really know which side-effects I could introduce in smbclient applying this fix. Better to let you, guys, know of the problem and the possible fix, isn't it?

Take care,

Giampaolo Tomassoni
tomassoni@crisato.oftalm.unisi.it

From nanik95 at indosat.net.id Thu Mar 5 15:12:50 1998
From: nanik95 at indosat.net.id (Nanik)
Date: Tue Dec 2 02:23:52 2003
Subject: Help me to unsuubscribe
Message-ID: <0612c4008150538MAIL1@indosat.net.id>

Please kindly unsubscribe me from the list

Thanks a lot

Regards
Nanik

From pmorgan at nhnashville.com Thu Mar 5 15:37:20 1998
From: pmorgan at nhnashville.com (Philip Morgan)
Date: Tue Dec 2 02:23:52 2003
Subject: PDC
Message-ID: <19980305153957Z12600709-14660+9377@samba.anu.edu.au>

Following is an excerpt from a Microsoft article entitled "Inside LAN Manager." While this was clearly not written with NT in mind, there are many LanMan holdovers in SMB and NT domain functions in general. Thus, this information may be relevant. I have not verified this with NT4.0, however... I hope this helps (and is not a waste of bandwidth)!

When the Netlogon service is started on a server, the server sends out a NetGETDC00 request on \\mailslot\net\netlogon. All of the other servers in the domain that are running the netlogon service will be listening on this mailslot. If there is a primary domain controller in the domain, it will respond. If there is no primary domain controller in the domain, the server will check if it was a primary domain controller or if it knows of another primary domain controller that may not be available on the network at this time. The netlogon service can start even when there is no primary domain controller currently on the network, as long as the server has knowledge of any previously existing Primary domain controller. In such a case, the server will start the netlogon service in Deferred authentication mode.

If the server itself is the primary domain controller, it announces its presence as a primary domain controller on \\mailslot\net\netlogon. All other servers running netlogon will be listening on the mailslot. The opcode in this mailslot is LOGON_START_PRIMARY. This opcode is not visible in the sniffer trace or the SMBtrace. At this time, if the primary domain controller name registered with the other server is different than this server, they will request a UAS synchronization through.

At Netlogon startup time, the server will also send out a LOGON_CENTRAL_QUERY opcode in \\mailslot\net\netlogon to find out if there are any downlevel (LM1.0) servers on the network.
All of this communication takes place using \\mailslot\net\netlogon with different opcodes. The sniffer traces and smbtrace will not show the opcodes.

--
Philip Morgan, MCSE/MCT (and big Linux fan!).

----------
> From: Danny Braniss
> To: Multiple recipients of list
> Subject: PDC
> Date: Thursday, March 05, 1998 1:42 AM
>
>
> One thing that keeps bothering me, how does Samba - or MS - ensure that
> only one PDC for a given domain exists?
>
> danny
>

From cartegw at Eng.Auburn.EDU Thu Mar 5 15:52:20 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:52 2003
Subject: Samba NTDOM FAQ Draft #2
Message-ID: <34FECA34.3E80834E@eng.auburn.edu>

On-line at

    http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

Thanks for all the comments on the first draft.

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From peter at NewCentury.NET Thu Mar 5 17:48:36 1998
From: peter at NewCentury.NET (Peter C. Norton)
Date: Tue Dec 2 02:23:52 2003
Subject: Help me to unsuubscribe
In-Reply-To: <0612c4008150538MAIL1@indosat.net.id>
Message-ID:

Additionally, I am finding that my unsubscription requests to this list are being ignored. What's the secret?

-Peter

On Fri, 6 Mar 1998, Nanik wrote:

> Please kindly unsubscribe me from the list
>
> Thanks a lot
>
> Regards
> Nanik
>
>

--
A tribute to modern technology (DON'T DO THIS)
char hang[] = { 0xf0, 0x0f, 0xc7, 0xc8 };
int main() { void (*k)() = hang; k(); }
/* As an exercise left to the reader, embed this in a ActiveX app */
Disclaimer: I do not speak for my employer.

From lkcl at switchboard.net Thu Mar 5 21:23:19 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: Annoying smbclient bug
In-Reply-To: <199803051044.LAA11159@crisato.intra.oftalm.unisi.it>
Message-ID:

On Thu, 5 Mar 1998, Caldera OpenLinux User wrote:

> Hi all,
>
> by the first stages of the samba-ntdom development, I experienced a tiny-but-annoying bug afflicting the utils/smbclient/client.c source, which resulted in the smbclient prompt not being shown properly.

oh, so _that's_ why it didn't show!

ta!

From lkcl at switchboard.net Thu Mar 5 21:41:19 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: Annoying smbclient bug
In-Reply-To:
Message-ID:

done.

On Fri, 6 Mar 1998, Luke Kenneth Casson Leighton wrote:

> On Thu, 5 Mar 1998, Caldera OpenLinux User wrote:
>
> > Hi all,
> >
> > by the first stages of the samba-ntdom development, I experienced a tiny-but-annoying bug afflicting the utils/smbclient/client.c source, which resulted in the smbclient prompt not being shown properly.
>
> oh, so _that's_ why it didn't show!
>
> ta!
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From silvajk at mylex.com Thu Mar 5 21:14:00 1998
From: silvajk at mylex.com (Silva JK)
Date: Tue Dec 2 02:23:52 2003
Subject: Problems with messages from list server
Message-ID: <34FF1598.19BD799@mylex.com>

I am sorry to be posting this here, but we are experiencing problems with messages coming from this list server and I was wondering if anyone else has seen the problem.

What happens is that the 1st line of the body is removed and where it should be there is a noop. If I retrieve the message in Yahoo mail, the body is intact with no problems. It happens consistently. Other messages coming from other list servers do not have this problem.

Has anyone seen this problem, or know what we need to do to correct it. We have seen the problem using Netscape Messaging Server 3.5 and 3.0. Netscape Tech Support is looking into the problem for us, but I am curious if anyone on another mail platform may be seeing this type of problem.

Thanks for your help,
Jo Ann Silva

From Jean-Francois.Micouleau at utc.fr Thu Mar 5 21:36:58 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:52 2003
Subject: Status of the todo list
In-Reply-To: <888866238.0127806.0@no-dns-yet.demon.co.uk>
Message-ID:

On Tue, 3 Mar 1998, Paul Ashton wrote:

> err... any status reports?
>

I have done some work on the spoolss pipe. A lot of functions need to be implemented (around 60), but I hope that in 2 weeks I'll be able to print with the pipe.

I want to implement a maximum of the api, some of them are really cool like creating a printer on the samba server from the administrator workstation, or moving priorities of the jobs.

Stay tuned !

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From tomassoni at crisato.oftalm.unisi.it Fri Mar 6 03:01:07 1998
From: tomassoni at crisato.oftalm.unisi.it (Giampaolo Tomassoni)
Date: Tue Dec 2 02:23:52 2003
Subject: R: Samba NTDOM FAQ Draft #2
Message-ID: <002f01bd48ac$1f892ba0$2a936397@famiglio>

>On-line at
>
>    http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
>
>
>Thanks for all the comments on the first draft.

Hi Gerald,

I have a couple of questions regarding the section <<2. How do I get my NT Workstation / Server to login to the Samba controlled Domain?>> of the FAQ Draft:

According to it, seems that a workstation entry shall be of the form:

    my_workstation's_name$:LM_XXX:NT_XXX:0080:other_fields_are_ignored:

I actually have declared my trusted workstations with lines like:

    my_workstation's_name$:65534:LM_XXX:NT_XXX:0080::
                           ^
                           nobody's uid

and they seem to work pretty well... Is it an alternate form?

Later in the same section the FAQ states that a domain sid is of the form:

    domain sid = S-1-5-21-XXX-XXX-XXX-XXX

while I am actually using a S-1-5-21-XXX-XXX-XXX sid. Is the sid variable-length? If this is the case, I believe it is better to explicitly state that.

Finally, I would like to read a deeper explanation of how to create roaming accounts, apart the ControlPanel->System->Profiles stuff which, at least for me, didn't work at all. Also what a NTUSER.DAT, ntuser.dat.LOG and ntlogin.pol files are and contains (at least roughly). This would help me a lot, so I believe it could help somebody else as well.

Thanks,

------------------------------------------------------
Giampaolo Tomassoni     Information Systems Consultant
P.za 8 Aprile 1948, 4   Tel/Fax:  +39 (578) 21100
I-53044 Chiusi (SI)     e-mail:   tomassoni@geocities.com
ITALY                   homepage: http://www.geocities.com/Eureka/Park/2209/

From mark at psych.adelaide.edu.au Fri Mar 6 05:09:46 1998
From: mark at psych.adelaide.edu.au (Mark Brown)
Date: Tue Dec 2 02:23:52 2003
Subject: Setting smb passwords?
Message-ID: <34FF851A.F86A4D40@psychology.adelaide.edu.au>

Is there a way to set passwords in the smbpasswd file other than entering them one by one with bin/smbpasswd.

ie how can I set passwords en masse for a list of new or existing users?

Mark Brown.

From shiying at uclink4.berkeley.edu Fri Mar 6 05:22:33 1998
From: shiying at uclink4.berkeley.edu (Shiying Ling)
Date: Tue Dec 2 02:23:52 2003
Subject: Join into your list
Message-ID: <199803060522.VAA30207@uclink4.berkeley.edu>

Please list me in, thanks.

Shiying

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
x                                                                       x
x   Siwei Zhang                                                         x
x   903 Riley Dr.                                                       x
x   Albany, CA 94706                                                    x
x   Phone/Fax: 510-525-8951                                             x
x                                                                       x
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

From venere at dc.ufscar.br Fri Mar 6 05:37:09 1998
From: venere at dc.ufscar.br (Guilherme Venere)
Date: Tue Dec 2 02:23:52 2003
Subject: I need help desesperatelly !
Message-ID:

Hi folks,

First of all, i'm sorry for sending another question about windows 95 and samba. But i can't find any information about my questions, and i thought that you guys can at least point me to the right direction.

If someone can help me, this is my problem:

I have a network with 50 win95 clients, one AIX 4.1 acting as a samba server, and one Solaris 2.5.1 with NIS, authenticating user accounts.

- The windows 95 clients connect to samba, which in this case has to authenticate the users in NIS domain. I've read the documentation and i understand that this is perfectly possible.

- The problem is that Samba isn't authenticating any NIS domain user. It's authenticating only a local AIX user, like root or some other local user.

- I have taken a look at log.smb, and i saw that when a user tries to connect from a win95 client, Samba is denying access because the WORKGROUP is wrong. BUT the workgroup is right ! when i try to connect using an account like root, win95 sends the correct WORKGROUP name !

- the log files are attached to this e-mail, as the Makefile and smb.conf too.

Please, if someone can help me, either by giving an answer or pointing me to some place with info on this, i'll be very grateful. I'm desperately looking for this, because the semester has begun here and the labs are closed !

TIA

Guilherme Venere
System Administrator
Federal University of Sao Carlos - Brasil

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 8747 bytes
Desc:
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980306/a48a4253/attachment.obj

From D.Bannon at latrobe.edu.au Fri Mar 6 07:44:49 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:23:52 2003
Subject: Setting smb passwords?
In-Reply-To: <34FF851A.F86A4D40@psychology.adelaide.edu.au>
Message-ID: <3.0.3.32.19980306174449.00822560@bioserve.biochem.latrobe.edu.au>

At 15:04 06/03/1998 +1000, Mark Brown wrote:

>ie how can I set passwords en masse for a list of new or existing
>users?
>

I have replaced my 'passwd' programme with one that keeps the smbpasswd up to date at the same time. It's pretty crude but seems to work for me. I am happy to make it available to anyone who wants it.

Note : I do NOT use shadow passwords and it has directory info 'hard wired' in, so you will need to have a little play. It's written in C and is only a couple of pages long.

David.

------------------------------------------------------------
David Bannon                    D.Bannon@latrobe.edu.au
School of Biochemistry          Phone 61 03 9479 2197
La Trobe University, Plenty Rd, Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083  http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From rmeyer at mhsc.com Fri Mar 6 08:51:06 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:52 2003
Subject: new option to smbpasswd
In-Reply-To:
Message-ID: <3.0.3.32.19980306005106.009a7630@pop.mhsc.com>

Damn! Does this mean I have to toss my Expect scripts?

It would also be nice, in the longer run, to teach PERL how to generate these encrypted passwords, kind of like the way PERL's crypt() function works now. Maybe a smb_crypt() How about it?

I got RDBMS triggers calling perl scripts to modify passwd file directly and calling smbpasswd from Expect scripts to modify smbpasswd file. Way far from clean solution. I'm doing JavaScript, SQL, perl, bash script, expect script, and Java, simultaneously here. Not fun! I'm about to rename this place to "New Hack City".

At 06:38 04-03-98 +1000, Luke Kenneth Casson Leighton wrote:

>yes, this is a good idea, as it could be automated from a script.
>
>luke
>
>On Wed, 4 Mar 1998, Gerald W. Carter wrote:
>
>> I was working on the NTDOM FAQ a little was working on the part about
>> adding machines to the smbpasswd file. Had a quick thought...
>>
>> Would it be beneficial to add a switch to smbpasswd so that machine
>> accounts could be added directly? For example, something like
>>
>>     smbpasswd -add -machine mymachine
>>
>> which would generate the entry
>>
>>     MYMACHINE$::0080:
>>
>> rather than the standard user entry which would then have to be
>> modified.
>>
>> I realize that the plans are to be able to create these accounts
>> automatically but in the meantime, this could be a quick hack.
>>
>>
>>
>>
>> j-
>> ________________________________________________________________________
>> Gerald ( Jerry ) Carter
>> Engineering Network Services Auburn University
>> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>>
>> "...a hundred billion castaways looking for a home."
>> - Sting "Message in a Bottle" ( 1979 )
>>
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba and Network Consultancy
>
>

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
The web-server is finally fixed!

From rmeyer at mhsc.com Fri Mar 6 09:07:53 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:52 2003
Subject: lookups in smbpasswd file
In-Reply-To: <34FD8FF5.6201DD56@whistle.com>
Message-ID: <3.0.3.32.19980306010753.00a937d0@pop.mhsc.com>

At 03:38 05-03-98 +1000, Jeremy Allison wrote:

>Gerald W. Carter wrote:
>>
>> If this is a limitation, a possible solution would be to keep the
>> standard smbpasswd file but translate it to a DBM hash ( *.dir & *.pag
>> files ) similar to NIS maps. Smbpasswd could be modified to interface
>> directly with the DBM files. Also add an option to dump the map to a
>> flat ASCII file.
>>
>
>That's a very good idea, and one I've been wanting
>to do for a while. Issues you will need to consider :
>
>1). Concurrent updates - as I recall, most dbm hash
>libraries don't allow record locking for concurrent
>updates. smbpasswd will need this I think.

Take a lesson from sendmail and the way it handles alias files. Update the ASCII and have Samba detect the change and call the makemap program internally. That way Samba can force any passwd look-up to wait while its building the new files. I'd also declare the hash-type in the smb.conf file, as well as, the location/name. Some like 'hash' and some like 'dbm'. But 'dbm' isn't universally supported by all Unices. This is also the way sendmail does things. sendmail is a 'pile' but it has some good ideas in there.

>2). Transaction security - losing your password
>file due to a smbd/smbpasswd crash won't be popular.
>This may be solvable by keeping a ascii snapshot also
>but we should have some method of dealing with this.

With the method I outline (see above), you'll have both ASCII and DBM types, and they'll be in sync.

>3). Setuid security. smbpasswd is a setuid root
>program - adding dbm libraries to it means that
>the dbm libraries must also pass the strict
>security requirements for such a program. Do they ?

sendmail v8.8.8 uses them and it also runs setuid root.
I have the gdbm libraries here. Other setuid programs use them as well.

>These problems are why I haven't done the code
>work yet, I don't have good answers to them.
>
>Just my 2 cents worth....

I'll raise you a wooden nickel

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
The web-server is finally fixed!

From cartegw at Eng.Auburn.EDU Fri Mar 6 14:16:03 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:52 2003
Subject: Samba NTDOM FAQ Draft #2
References:
Message-ID: <35000523.4AF32877@eng.auburn.edu>

Svante Sormark wrote:

>
> A mention of "pwdump" might be good. I found it very useful for
> migrating users from nt to samba.
>

It would be good to have an entire document outlining some sort of migration strategy from NT Server to BRANCH_NTDOM. I don't use NT Server so I don't have to migrate :)

Anybody got a plan of action that they could share?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From koenigse at umw.cube.net Fri Mar 6 16:18:09 1998
From: koenigse at umw.cube.net (Christian Koenigseder)
Date: Tue Dec 2 02:23:52 2003
Subject: How is the cvs-command syntax to get smbpasswd.c
Message-ID: <350021C1.7DE1@umw.cube.net>

Hi,

I compiled cvs-1.9 then I did

    cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login

    Password is: cvs

Now I don't know the command to get smbpasswd.c with this kind of information:

--------------------------------------------------------
Date: Friday March 6, 1998 @ 6:56
Author: lkcl

Update of /data/cvs/samba/source/utils/smbpasswd
In directory samba:/tmp/cvs-serv6133

Modified Files:
    Tag: BRANCH_NTDOM
    smbpasswd.c
Log Message:
----------------------------------------------------------

could someone please answer it with the correct "cvs" command syntax.

Thanks,
Christian

--
Christian Koenigseder
e-mail: koenigse@umw.cube.net
Tel/Fax: +49 89 233-23619/-23442

From andre at lme.usp.br Fri Mar 6 16:32:54 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:52 2003
Subject: How is the cvs-command syntax to get smbpasswd.c
In-Reply-To: <350021C1.7DE1@umw.cube.net>
Message-ID: <3.0.1.32.19980306133254.00924410@ws10.lme.usp.br>

At 02:19 AM 3/7/98 +1000, Christian Koenigseder wrote:

>Hi,
>
>I compiled cvs-1.9 then I did
>
>
> cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login
>
> Password is: cvs
>

To actually get the Samba NTDOM distribution (after your command above):

    cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba

Will create a directory named samba with the current (updated) distribution.

>Now I don't know the command to get smbpasswd.c with this kind of
>information:
>
>--------------------------------------------------------
>Date: Friday March 6, 1998 @ 6:56
>Author: lkcl
>
>Update of /data/cvs/samba/source/utils/smbpasswd
>In directory samba:/tmp/cvs-serv6133
>

To update your current Samba distribution: cd to the directory samba created when you downloaded it, and

    cvs update -d -P

You don't need to repeat the login process.

From gemelli at sssup1.sssup.it Fri Mar 6 17:40:15 1998
From: gemelli at sssup1.sssup.it (Paolo & Marco Bizzarri)
Date: Tue Dec 2 02:23:52 2003
Subject: Samba Linux Networking Guide
Message-ID: <009C2CAF.630647E1.25@sssup1.sssup.it>

Hi everybody,

I have uploaded the version 0.1 of the Samba Linux Networking Guide. I would really like to include something about the NTDOM stuff.

Anyone interested in this effort ?

Paolo

From gemelli at sssup1.sssup.it Fri Mar 6 17:52:15 1998
From: gemelli at sssup1.sssup.it (Paolo & Marco Bizzarri)
Date: Tue Dec 2 02:23:52 2003
Subject: Address for Samba Linux Networking Guide
Message-ID: <009C2CB1.0FC5EBFB.18@sssup1.sssup.it>

Hi again,

I am a bit confused, so I forgot the address for downloading the guide. The address is:

    camelot.sssup.it/pibizza/index.html

The Guide is available in Tex, dvi and PS.

Enjoy the reading

Paolo

From cartegw at Eng.Auburn.EDU Fri Mar 6 16:57:00 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:52 2003
Subject: How is the cvs-command syntax to get smbpasswd.c
References: <3.0.1.32.19980306133254.00924410@ws10.lme.usp.br>
Message-ID: <35002ADC.6D4D85D3@eng.auburn.edu>

Andre Gerhard wrote:

>
> At 02:19 AM 3/7/98 +1000, Christian Koenigseder wrote:
> >Hi,
> >
> >I compiled cvs-1.9 then I did
> >
> >
> > cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login
> >
> > Password is: cvs
> >
>
> To actually get the Samba NTDOM distribution (after your command
> above):
>
> cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba
>
> Will create a directory named samba with the current (updated)
> distribution.

Should be

    cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co -r BRANCH_NTDOM samba

to get BRANCH_NTDOM

--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From Steve.Gadol at Eng.Sun.COM Fri Mar 6 18:01:28 1998
From: Steve.Gadol at Eng.Sun.COM (Steve Gadol)
Date: Tue Dec 2 02:23:52 2003
Subject: SAMBA NTDOM FAQ
Message-ID: <002201bd4929$e3f653a0$a9569281@flyer.eng.sun.com>

http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

From lkcl at switchboard.net Fri Mar 6 19:07:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: R: Samba NTDOM FAQ Draft #2
In-Reply-To: <002f01bd48ac$1f892ba0$2a936397@famiglio>
Message-ID:

On Fri, 6 Mar 1998, Giampaolo Tomassoni wrote:

> >On-line at
> >
> > http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
> >
> >
> >Thanks for all the comments on the first draft.
>
>
> Hi Gerald,
>
> I have a couple of questions regarding the section <<2. How do I get my NT
> Workstation / Server to login to the Samba controlled Domain?>> of the FAQ
> Draft:
>
> According to it, seems that a workstation entry shall be of the form:
>
> my_workstation's_name$:LM_XXX:NT_XXX:0080:other_fields_are_ignored:

incorrect. lines should be exactly same format as user accounts, except that the :0080: should be added. :0010: can be added to user accounts, but that's another story.

this is only temporary anyway.

> I actually have declared my trusted workstations with lines like:
>
> my_workstation's_name$:65534:LM_XXX:NT_XXX:0080::
>                        ^
>                        nobody's uid
>
> and they seem to work pretty well... Is it an alternate form?

no.

> Later in the same section the FAQ states that a domain sid is of the form:
>
> domain sid = S-1-5-21-XXX-XXX-XXX-XXX

this is wrong, as far as i know.

> while I am actually using a S-1-5-21-XXX-XXX-XXX sid. Is the sid

this is correct.

> Finally, I would like to read a deeper explanation of how to create roaming
> accounts, apart the ControlPanel->System->Profiles stuff which, at least for
> me, didn't work at all. Also what a NTUSER.DAT, ntuser.dat.LOG and
> ntlogin.pol files are and contains (at least roughly). This would help me a
> lot, so I believe it could help somebody else as well.

this kind of info is available from microsoft docs. this is not to say that we don't need equivalents, and to explicitly point out the previous sentence as a source.

From lkcl at switchboard.net Fri Mar 6 19:10:11 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: I need help desesperatelly !
In-Reply-To:
Message-ID:

hi guilherme,

On Fri, 6 Mar 1998, Guilherme Venere wrote:

>
> Hi folks,
>
> First of all, i'm sorry for sending another question about windows 95 and
> samba. But i can't find any information about my questions, and i thought
> that you guys can at least point me to the right direction.

your first sentence gives you the clue: this list is for the discussion of
windows NT and samba, exclusively. may i recommend that you subscribe to
samba@samba.anu.edu.au and post the same question there.

good luck!

luke

From lkcl at switchboard.net Fri Mar 6 19:24:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: Address for Samba Linux Networking Guide
In-Reply-To: <009C2CB1.0FC5EBFB.18@sssup1.sssup.it>
Message-ID:

hi people,

paulo has been writing up some docs, and i would like to encourage him in
his efforts to do this, but haven't had time to go over them. could
someone with more resources kindly review them?

thanks very much,

luke

On Sat, 7 Mar 1998, Paolo & Marco Bizzarri wrote:

> camelot.sssup.it/pibizza/index.html
>
> The Guide is available in Tex, dvi and PS.
>
> Enjoy the reading
>
>
> Paolo
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From cartegw at Eng.Auburn.EDU Fri Mar 6 18:41:58 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:52 2003
Subject: R: Samba NTDOM FAQ Draft #2
References:
Message-ID: <35004376.CC4BB302@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> incorrect. lines should be exactly same format as user accounts, except
> that the :0080: should be added. :0010: can be added to user accounts,
> but that's another story.

This was copied from NTDOMAIN.txt. Probably need to correct it there as
well.

> > domain sid = S-1-5-21-XXX-XXX-XXX-XXX
>
> this is wrong, as far as i know.

Same thing here. Copied directly from NTDOMAIN.txt. Should update it
as well. ( Unless it's decided to replace it with the FAQ )

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                       - Sting "Message in a Bottle" ( 1979 )

From crh at NTS.Umn.EDU Fri Mar 6 18:48:11 1998
From: crh at NTS.Umn.EDU (Christopher R. Hertel)
Date: Tue Dec 2 02:23:52 2003
Subject: Address for Samba Linux Networking Guide
In-Reply-To: from "Luke Kenneth Casson Leighton" at Mar 7, 98 04:45:03 am
Message-ID: <199803061848.MAA07378@unet.unet.umn.edu>

No promises (resources are thin), but I've already printed them out. I'll
try to read through.

Chris -)-----

>
> hi people,
>
> paulo has been writing up some docs, and i would like to encourage him in
> his efforts to do this, but haven't had time to go over them. could
> someone with more resources kindly review them?
>
> thanks very much,
>
> luke
>
> On Sat, 7 Mar 1998, Paolo & Marco Bizzarri wrote:
>
> > camelot.sssup.it/pibizza/index.html
> >
> > The Guide is available in Tex, dvi and PS.
> >
> > Enjoy the reading
> >
> >
> > Paolo
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba and Network Consultancy
>

--
Christopher R. Hertel -)-----          University of Minnesota
crh@nts.umn.edu                        Networking and Telecommunications Services

From lkcl at switchboard.net Fri Mar 6 19:46:53 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: R: Samba NTDOM FAQ Draft #2
In-Reply-To: <35004376.CC4BB302@eng.auburn.edu>
Message-ID:

On Fri, 6 Mar 1998, Gerald W. Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > incorrect. lines should be exactly same format as user accounts, except
> > that the :0080: should be added. :0010: can be added to user accounts,
> > but that's another story.
>
> This was copied from NTDOMAIN.txt. Probably need to correct it there as
> well.

ah ha.

> > > domain sid = S-1-5-21-XXX-XXX-XXX-XXX
> >
> > this is wrong, as far as i know.
>
> Same thing here. Copied directly from NTDOMAIN.txt. Should update it
> as well. ( Unless it's decided to replace it with the FAQ )

hm. i did. probably lost along the way...

From edw at detel.com Fri Mar 6 20:51:05 1998
From: edw at detel.com (Ed Weinberg)
Date: Tue Dec 2 02:23:52 2003
Subject: Why can't I print?
Message-ID: <19980306205110Z12587994-21312+9274@samba.anu.edu.au>

Greetings all!

I am trying to get smb printing working on a RH 5 Linux System.
I hope that any win95 machine can print to the network printer which the
linux system is configured to print through.

You can see my smb.conf at http://www.qletter.com/smb.txt (anything wrong?).

The printer is a network printer on a DPI box.

The guest user (nosam) can print to the printer when logged on from the
Linux console. I hope I have it set so that users who print are "guest".

I can see the printer on the linux machine from win95 explorer. I set it up
as a printer from that win95 machine by browsing to the linux machine, so I
know that the printer and host are spelled correctly.

When I try to print, it says that it cannot find the name on the network.
I am not sure if it is talking about the host or the printer.

I have set up the Print Command to print to a file, and I get the same error.

I have read the docs. Does anyone have any ideas?

Thank you.

--
Ed Weinberg
edw@detel.com

From Jean-Francois.Micouleau at utc.fr Fri Mar 6 21:24:36 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:52 2003
Subject: Why can't I print?
In-Reply-To: <19980306205110Z12587994-21312+9274@samba.anu.edu.au>
Message-ID:

On Sat, 7 Mar 1998, Ed Weinberg wrote:

> Greetings all!
>

Please repost your question on samba@samba.anu.edu.au where it will be
more appropriate

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From tomassoni at crisato.oftalm.unisi.it Sat Mar 7 02:37:51 1998
From: tomassoni at crisato.oftalm.unisi.it (Giampaolo Tomassoni)
Date: Tue Dec 2 02:23:52 2003
Subject: NTDOM and sharing in Win95
Message-ID: <000d01bd4972$08993680$31936397@famiglio>

Hi all,

I tried to share a resource on a Win95 box under a samba-controlled NT
domain. Well, I couldn't complete the task since SAMBA was not sending any
list of domain users, so I couldn't select which user had which access mode.

Is it supposed to be implemented in NTDOM?

Thanks,

------------------------------------------------------
Giampaolo Tomassoni     Information Systems Consultant
P.za 8 Aprile 1948, 4   Tel/Fax: +39 (578) 21100
I-53044 Chiusi (SI)     e-mail: tomassoni@crisato.oftalm.unisi.it
ITALY                   homepage: http://www.geocities.com/Eureka/Park/2209/

From cartegw at Eng.Auburn.EDU Sat Mar 7 03:07:40 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:52 2003
Subject: NTDOM and sharing in Win95
In-Reply-To: <000d01bd4972$08993680$31936397@famiglio>
Message-ID:

On Sat, 7 Mar 1998, Giampaolo Tomassoni wrote:

> Hi all,
>
> I tried to share a resource on a Win95 box under a samba-controlled NT
> domain. Well, I couldn't complete the task since SAMBA was not sending any
> list of domain users, so I couldn't select which user had which access mode.
>
> Is it supposed to be implemented in NTDOM?

from http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html

0. How do I know if I need Samba Primary Domain Controller (PDC)
   support and how much of its functionality is currently implemented?

   The ability to act as a PDC for Windows NT 3.51 and 4.0 clients.
   This includes adding NT machines to the domain and authenticating
   users logging into the domain.

   Domain account can be viewed using the "User Manager for Domains"
   for a small number ( ~4-8) of accounts.

   Viewing resources on the Samba PDC via the "Server Manager for
   Domains" from the NT client.

   Windows 95 clients will allow "user level" security to be set but
   will not currently allow browsing of accounts.

   [snip]

Things tend to change very quickly though.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                       - Sting "Message in a Bottle" ( 1979 )

From tomassoni at crisato.oftalm.unisi.it Sat Mar 7 12:58:30 1998
From: tomassoni at crisato.oftalm.unisi.it (Giampaolo Tomassoni)
Date: Tue Dec 2 02:23:52 2003
Subject: R: NTDOM and sharing in Win95
Message-ID: <001d01bd49c8$d5cfe3a0$2c936397@famiglio>

On Sat, 7 Mar 1998, Gerald W. Carter wrote:

>
> Windows 95 clients will allow "user level" security
> to be set but will not currently allow browsing of accounts.
> [snip]
>
>
> Things tend to change very quickly though.

Hi Gerald,

it is a matter of fact that NT domains are often a compound of NT and 95
workstations, so I believe that a more complete implementation of the user
level security for Win95 in samba boxes would be really appreciated by most.
Not even to mention that many installations miss a BackOffice server at all,
so that they need a Win95 machine to send and receive faxes...

After all, NTDOMAIN code actually supports a user list (smbpasswd) and
maybe groups (domain groups setting?). Now, is it so complex to reply to
domain users enumeration requests issued by Win95?

I would like to contribute to the NTDOMAIN efforts, so I'm tempted to
say "I'll do that!". Nevertheless, I don't have a so deep knowledge
about SMB/RPC or even Samba structure, and I feel I have to drop this
challenge: the deadline is probably too close.

Do you think it is so complex? How can I get documented about this matter?

Take care,

------------------------------------------------------
Giampaolo Tomassoni     Information Systems Consultant
P.za 8 Aprile 1948, 4   Tel/Fax: +39 (578) 21100
I-53044 Chiusi (SI)     e-mail: tomassoni@crisato.oftalm.unisi.it
ITALY                   homepage: http://www.geocities.com/Eureka/Park/2209/

From Jean-Francois.Micouleau at utc.fr Sat Mar 7 16:24:06 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:52 2003
Subject: R: NTDOM and sharing in Win95
In-Reply-To: <001d01bd49c8$d5cfe3a0$2c936397@famiglio>
Message-ID:

On Sat, 7 Mar 1998, Giampaolo Tomassoni wrote:

> After all, NTDOMAIN code actually supports a user list (smbpasswd) and
> maybe groups (domain groups setting?). Now, is it so complex to reply to
> domain users enumeration requests issued by Win95?

I think it's not so complex to implement it. I think it's implemented
on the lanman pipe and some SMB transact functions.
(if i'm wrong luke will correct me :) )

I don't have anymore a win95 pc to check.

> I would like to contribute to the NTDOMAIN efforts, so I'm tempted to
> say "I'll do that!". Nevertheless, I don't have a so deep knowledge
> about SMB/RPC or even Samba structure, and I feel I have to drop this
> challenge: the deadline is probably too close.

Before starting the implementation, the first job is to know how much
work it will require.

So setup a NT4 PDC, and a WIN 95 station pointing to it. While you
enumerate the users from the WIN95 pc, run netmon (from a sms distrib,
it's better) on the PDC and grab the frames. Switch your NT4 PDC for a
ntdom-samba server, and do the same. Compare the traces you captured,
you will know how much work is necessary.

Try also the KB and the MSDN articles, Visual C 5 contains a lot of info
too.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From lkcl at switchboard.net Sat Mar 7 17:18:24 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: Why can't I print?
In-Reply-To: <19980306205110Z12587994-21312+9274@samba.anu.edu.au>
Message-ID:

On Sat, 7 Mar 1998, Ed Weinberg wrote:

> Greetings all!
>
> I am trying to get smb printing working on a RH 5 Linux System.
> I hope that any win95 machine can print to the network printer which the
> linux system is configured to print through.

hi ed,

unless you intend to print to an NT machine, this question is best asked
on the samba@samba.anu.edu.au list.

regards,

luke

From lkcl at switchboard.net Sat Mar 7 17:20:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: NTDOM and sharing in Win95
In-Reply-To: <000d01bd4972$08993680$31936397@famiglio>
Message-ID:

On Sat, 7 Mar 1998, Giampaolo Tomassoni wrote:

> Hi all,
>
> I tried to share a resource on a Win95 box under a samba-controlled NT
> domain. Well, I couldn't complete the task since SAMBA was not sending any
> list of domain users, so I couldn't select which user had which access mode.
>
> Is it supposed to be implemented in NTDOM?

not yet.

luke

From lkcl at switchboard.net Sat Mar 7 17:27:40 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: R: NTDOM and sharing in Win95
In-Reply-To:
Message-ID:

On Sun, 8 Mar 1998, Jean-Francois Micouleau wrote:

> On Sat, 7 Mar 1998, Giampaolo Tomassoni wrote:
>
> > After all, NTDOMAIN code actually supports a user list (smbpasswd) and
> > maybe groups (domain groups setting?). Now, is it so complex to reply to
> > domain users enumeration requests issued by Win95?
>
> I think it's not so complex to implement it.

agreed, probably not.

> I think it's implemented
> on the lanman pipe and some SMB transact functions.
> (if i'm wrong luke will correct me :) )

ok, i'll say what i suspect is the case, without (like you) having win95
to check. that this is one of the rare instances where win95 has dce/rpc
client-side code in it. namely, that it may be possible to tell a win95
machine "sorry, the request doesn't fit into an SMBtrans2 lanman packet"
and it then makes a dce/rpc request.

if we get the format of the response right in ipc.c, we can force win95
machines to make dce/rpc calls.

either NetMonitor or paul leach might be able to help clarify things,
here.

luke

From edw at detel.com Sat Mar 7 18:39:51 1998
From: edw at detel.com (Ed Weinberg)
Date: Tue Dec 2 02:23:52 2003
Subject: Why can't I print?
In-Reply-To:
References:
Message-ID: <35039466.7084256@mail.detel.com>

On Sun, 8 Mar 1998 02:37:00 +1000, Luke Kenneth Casson Leighton wrote:

>unless you intend to print to an NT machine, this question is best asked
>on the samba@samba.anu.edu.au list.
>
>regards,
>
>luke
>

Thanks. did that.

--
Ed Weinberg, Detel, Inc., An Internet Presence Provider
edw@detel.com
www.detel.com/ www.serverking.com
www.q5.com/ <-- find someone to CoolTalk or chat with here

From tomassoni at crisato.oftalm.unisi.it Sun Mar 8 04:16:01 1998
From: tomassoni at crisato.oftalm.unisi.it (Giampaolo Tomassoni)
Date: Tue Dec 2 02:23:52 2003
Subject: Obsolete settings, still around
Message-ID: <009e01bd4a48$eeb9d9e0$2c936397@famiglio>

Dear all,

I was looking for the actual code of the 'domain controller' setting and, unsurprisingly, I discovered it to be declared in loadparm.c, but never used elsewhere.

Being curious, I made a small script to discover other samba settings declared but never used, by which I got the following list:

    announce as (lp_announce_as)
    announce version (lp_announce_version)
    preload, auto services (lp_auto_services)
    character set (lp_character_set)
    domain controller (lp_domain_controller)
    getwd cache (lp_getwdcache)
    keepalive (lp_keepalive)
    load printers (lp_load_printers)
    max packet, packet size (lp_maxpacket)
    time server (lp_time_server)
    volume (lp_volume)

I don't know if any of them became obsolete with NTDOMAIN, if they are used by other means than their lp_ function (so not really being obsolete), nor if this is the right list to which report this stuff.

Anyway, since you are going to merge the NTDOMAIN code to the main branch, I think it may be a good idea to update the docs and mans removing the obsolete settings, as well as remove their references from loadparm.c (to have them reported by testparm).

By the way, some of the missings are quite a surprise (like "load printers", still reported on tons of docs and examples).

Do you agree these settings are obsolete?

Take care,

------------------------------------------------------
Giampaolo Tomassoni     Information Systems Consultant
P.za 8 Aprile 1948, 4   Tel/Fax: +39 (578) 21100
I-53044 Chiusi (SI)     e-mail: tomassoni@crisato.oftalm.unisi.it
ITALY                   homepage: http://www.geocities.com/Eureka/Park/2209/

From jjm at iname.com Sun Mar 8 10:51:33 1998
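[Added example, not part of the original message and not Giampaolo's script: one way to list lp_ accessors that are declared in loadparm.c but never called, which is how a setting can be accepted by the parser while having no effect on the server. It assumes the accessors are declared with FN_GLOBAL_*/FN_LOCAL_* macro lines; the two source excerpts, their variable names and the function names below are constructed for the illustration.]

```python
import re
import tempfile
from pathlib import Path

# Accessor declarations, e.g. FN_GLOBAL_STRING(lp_workgroup,&Globals.szWorkGroup).
# Assumption: every lp_ accessor is generated by an FN_GLOBAL_*/FN_LOCAL_* line.
ACCESSOR_RE = re.compile(
    r"^[ \t]*FN_(?:GLOBAL|LOCAL)_[A-Z]+[ \t]*\([ \t]*(lp_\w+)[ \t]*,.*$", re.M)

# Comments, string literals and char literals, matched in one pass so that a
# quote inside a comment (or "/*" inside a string) cannot derail the scan.
NON_CODE_RE = re.compile(
    r"""/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])+'""", re.S)


def code_only(text):
    """Blank out comments and literals so only real code is searched."""
    return NON_CODE_RE.sub(lambda m: " " if m.group(0)[0] == "/" else "0", text)


def unused_accessors(tree, loadparm="param/loadparm.c"):
    """Return the sorted lp_ accessors that no .c file in `tree` ever calls."""
    tree = Path(tree)
    lp_path = (tree / loadparm).resolve()
    lp_src = code_only(lp_path.read_text(errors="replace"))
    declared = sorted(set(ACCESSOR_RE.findall(lp_src)))

    # Declaring an accessor is not a use, so drop the declaration lines, but
    # keep the rest of loadparm.c: a call made there is still a real use.
    corpus = [ACCESSOR_RE.sub("", lp_src)]
    for path in sorted(tree.rglob("*.c")):
        if path.resolve() != lp_path:
            corpus.append(code_only(path.read_text(errors="replace")))
    haystack = "\n".join(corpus)

    # Only a call counts: the name followed by "(". Headers are skipped on
    # purpose, because a generated prototype would make every name look used.
    return [name for name in declared
            if not re.search(r"\b" + re.escape(name) + r"\s*\(", haystack)]


# Constructed excerpt in the style of loadparm.c (not real Samba source).
SAMPLE_LOADPARM = r'''
/* accessor declarations */
FN_GLOBAL_STRING(lp_workgroup,&Globals.szWorkGroup)
FN_GLOBAL_STRING(lp_domain_controller,&Globals.szDomainController)
FN_GLOBAL_BOOL(lp_load_printers,&Globals.bLoadPrinters)
FN_GLOBAL_INTEGER(lp_keepalive,&Globals.keepalive)
FN_LOCAL_STRING(lp_pathname,szPath)
FN_LOCAL_BOOL(lp_readonly,bRead_only)

static int ro_count;
static void note_ro(int i) { if (lp_readonly(i)) ro_count++; }
'''

# Constructed caller: two real calls, one mention in a comment and one in a
# string literal. The last two must not count as uses.
SAMPLE_SERVER = r'''
/* TODO: honour lp_keepalive() here */
void serve(int snum)
{
    DEBUG(3, ("lp_load_printers() says %d\n", 0));
    become_service(lp_workgroup(), lp_pathname (snum));
}
'''


def demo():
    """Build the constructed two-file tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "param").mkdir()
        (root / "smbd").mkdir()
        (root / "param" / "loadparm.c").write_text(SAMPLE_LOADPARM)
        (root / "smbd" / "server.c").write_text(SAMPLE_SERVER)
        return unused_accessors(root)


if __name__ == "__main__":
    for name in demo():
        print("declared but never called:", name)
```

A name reported here may still be reached some other way than through its lp_ function, which is the caveat raised in the message itself, so each hit needs a manual look before the setting is called obsolete.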
From: jjm at iname.com (Johan Meiring)
Date: Tue Dec 2 02:23:52 2003
Subject: Possible solution to arcfour
Message-ID: <199803081043.KAA19940@gpo.tsnxt.co.uk>

Hi all,

Arcfour seems to be a major stumbling block to samba-ntdom because of
stupid US export laws.

Unfortunately I don't know enough about C or Encryption, but the following
may be a solution.

I read in a recent copy of Computer Consultant Magazine, that a company by
the name of TIS http://www.tis.com/ released a library of C encryption
routines that were approved for export by US Government. It sounds like if
Samba could get a license for this product, then it may be freely
distributed with the required encryption included. It also sounds like the
product includes the correct routines needed by Samba.

The product is described at
http://www.tis.com/prodserv/recoverkey/rktoolkit.html

Maybe somebody could contact the company and ask them whether they are
prepared to give samba a licence for free, as samba does not charge any
money to end users.

Johan Meiring

From tjh at cryptsoft.com Sun Mar 8 11:12:21 1998
From: tjh at cryptsoft.com (Tim Hudson)
Date: Tue Dec 2 02:23:52 2003
Subject: Possible solution to arcfour
In-Reply-To: <199803081043.KAA19940@gpo.tsnxt.co.uk> from "Johan Meiring" at Mar 8, 98 08:57:16 pm
Message-ID: <199803081112.VAA20648@pandora.cryptsoft.com>

According to Johan Meiring:
> Arcfour seems to be a major stumbling block to samba-ntdom because of
> stupid US export laws.

ARCFOUR and RC4 compatible implementations are *widely* available outside
the USA. In this respect the US export laws are not relevant given that
the code is produced and available entirely outside the USA.

SSLeay includes all the required routines ... as do most other freely
available encryption packages.

For more information see details in the FAQ at
http://www.psy.uq.oz.au/~ftp/Crypto/ ... however SSLeay includes a lot
more than what you are looking for.

You could just simply pick up draft-kaukonen-cipher-arcfour-01.txt and use
the code provided in it. It describes the algorithm in detail and has test
vectors and a sample implementation. Grab it from your local ietf mirror
site.

Tim.

From lkcl at switchboard.net Sun Mar 8 13:02:15 1998
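[Added example, not part of the original message and not the code from the draft cited above: the ARCFOUR key schedule and output generator written out in full, checked against three widely published RC4 test vectors. The vectors are not claimed to be the draft's own, and the function names are this example's.]

```python
"""ARCFOUR (RC4-compatible) stream cipher, written out for study."""


def _key_schedule(key):
    """Key-scheduling pass: permute 0..255 under control of the key bytes."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % len(key)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    return state


def keystream(key):
    """Yield keystream bytes forever; the caller takes as many as it needs."""
    state = _key_schedule(key)
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        yield state[(state[i] + state[j]) & 0xFF]


def arcfour(key, data):
    """Encrypt or decrypt: both are the same XOR with the keystream."""
    return bytes(b ^ k for b, k in zip(data, keystream(key)))


# Widely published RC4 test vectors: (key, plaintext, ciphertext as hex).
TEST_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def failed_vectors():
    """Return the vectors that do not reproduce, in either direction."""
    bad = []
    for key, plain, cipher_hex in TEST_VECTORS:
        cipher = bytes.fromhex(cipher_hex)
        if arcfour(key, plain) != cipher or arcfour(key, cipher) != plain:
            bad.append((key, plain, cipher_hex))
    return bad


if __name__ == "__main__":
    for key, plain, cipher_hex in TEST_VECTORS:
        print(key, plain, arcfour(key, plain).hex())
    print("failed vectors:", failed_vectors())
```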
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: Obsolete settings, still around
In-Reply-To: <009e01bd4a48$eeb9d9e0$2c936397@famiglio>
Message-ID:

On Sun, 8 Mar 1998, Giampaolo Tomassoni wrote:

> Dear all,
>
> I was looking for the actual code of the 'domain controller' setting and, unsurprisingly, I discovered it to be declared in loadparm.c, but never used elsewhere.
>
> Being curious, I made a small script to discover other samba settings declared but never used, by which I got the following list:
>
> announce as (lp_announce_as)
> announce version (lp_announce_version)
> preload, auto services (lp_auto_services)
> character set (lp_character_set)
> domain controller (lp_domain_controller)
> getwd cache (lp_getwdcache)
> keepalive (lp_keepalive)
> load printers (lp_load_printers)
> max packet, packet size (lp_maxpacket)
> time server (lp_time_server)
> volume (lp_volume)

thanks, thomas.

> I don't know if any of them became obsolete with NTDOMAIN, if they are used by other means than their lp_ function (so not really being obsolete), nor if this is the right list to which report this stuff.

well, it may not exactly be the best place to report this (samba-bugs with
subject line starting with BUG?: probably, but at least i can say that
this list is cultivating some very helpful people.

regards,

luke

From lkcl at switchboard.net Sun Mar 8 16:29:55 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: technical list ?
In-Reply-To:
Message-ID:

On Mon, 9 Mar 1998, Jean-Francois Micouleau wrote:

>
> What is the goal of this list ?

[samba-technical@samba.anu.edu.au]

to discuss technical issues related to the development, implementation and
deployment of samba. [a lot of such issues are currently being discussed
on samba-ntdom, although by not specifying the exact purpose of the list
[samba-ntdom] in its joining message, we are getting some useful questions
from which a FAQ can be generated, specifically related to nt domains for
UNIX].

the original purpose of samba@samba.anu.edu.au was for the development of
samba: it soon turned into a help / admin list. samba-technical i believe
is intended to re-address this.

luke

From lkcl at switchboard.net Sun Mar 8 19:21:29 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: technical list ?
In-Reply-To:
Message-ID:

> > [samba-technical@samba.anu.edu.au]
> >
> > to discuss technical issues related to the development, implementation and
> > deployment of samba. [a lot of such issues are currently being discussed

[good example question regarding wins etc deleted]

> Should I ask someone direct,

unless you're paying them $$$, probably not.

> ask the samba list

yes, most definitely.

> or the samba-technical
> list?

no, most definitely not.

good luck in finding an answer,

luke

From rmeyer at mhsc.com Sun Mar 8 22:17:15 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:52 2003
Subject: Possible solution to arcfour
In-Reply-To: <199803081043.KAA19940@gpo.tsnxt.co.uk>
Message-ID: <3.0.3.32.19980308141715.00c251d0@pop.mhsc.com>

At 20:56 08-03-98 +1000, Johan Meiring wrote:
>Hi all,
>
>Arcfour seems to be a major stumbling block to samba-ntdom because of
>stupid US export laws.

What the dolts in the USG seem to fail at realizing is that ALL of the
encryption routines are available off-shore. In the event that it isn't, a
hard-copy printout can be made and it is legal to take that off-shore and
have a data-entry type re-enter the code listing. Voila, you have now
brought it out of the US(dumb)A(ss) and not broken ANY laws, according to
ITAR.

>I read in a recent copy of Computer Consultant Magazine, that a company by
>the name of TIS http://www.tis.com/ released a library of C encryption
>routines that were approved for export by US Government. It sounds like if
>Samba could get a license for this product, then it may be freely
>distributed with the required encryption included. It also sounds like the
>product includes the correct routines needed by Samba.
>
>The product is described at
>http://www.tis.com/prodserv/recoverkey/rktoolkit.html

The problem is that it *is* a product. I can't speak for the Samba-team, but
thus far there are no commercially-bound codes therein. I would like for
that pristine state to continue as long as possible.

>Maybe somebody could contact the company and ask them whether they are
>prepared to give samba a licence for free, as samba does not charge any
>money to end users.

Being a commercial software house ourselves, I would think that there are
exactly two chances, "slim" and "none".

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
SecureMail from MHSC.NET is coming soon!

From rmeyer at mhsc.com Sun Mar 8 23:16:37 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:52 2003
Subject: Possible solution to arcfour
In-Reply-To: <199803081043.KAA19940@gpo.tsnxt.co.uk>
Message-ID: <3.0.3.32.19980308151637.00c115d0@pop.mhsc.com>

At 20:56 08-03-98 +1000, Johan Meiring wrote:
>The product is described at
>http://www.tis.com/prodserv/recoverkey/rktoolkit.html

Besides, it is key-recovery technology. We don't want to encourage the
children.

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
SecureMail from MHSC.NET is coming soon!

From nuno at lwp.ualg.pt Mon Mar 9 02:19:48 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:52 2003
Subject: 2 servers and routers between them..
Message-ID:

Hi!!

The lab (Lab1), I always talk about, with 25 computers and a linux as a
PDC (Linux1) for them, and another lab (Lab2) about 7Km far away have to be
"connected".

The users of one lab are the users of the other lab...

To connect the 2 Labs there's an ATM link and about 3 or 4 routers
between them (in 2 university campus)... (I don't control this)

The 2 labs are identical.. 1 linux as a NTDOM controller and NT4 wrkts
on each.

Well, I would like the users of (Lab2) to use (Linux1) as their PDC, or
(Linux1) and (Linux2) to do replication.

I want the users on both labs to have the same smbpassword..
Homedirs of (lab1) will be on (linux1) and homedirs of (lab2) will be
on (linux2)..

What's the best way to do this, or is this possible with samba?

Thanks in Advance,

Nuno Loureiro

-----
Nuno Andre Henriques Loureiro
http://lwp.ualg.pt/~nuno
PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
Finger nuno@lwp.ualg.pt for more info

From lkcl at switchboard.net Mon Mar 9 14:31:11 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:52 2003
Subject: 2 servers and routers between them..
In-Reply-To:
Message-ID:

hi nuno,

there are a couple of ways to do this (one in the future, with
inter-domain trust relationships worked out).

which leaves this as an ordinary administration exercise to get round the
lack of thingy. domain trust relationships.

ok, your network is subdivided, yes? you can either use a %substitution
macro which subdivides by netgroup (@lab1_pcs or @lab2_pcs) or by network
address.

then, you can do [global] include = /usr/local/samba/lib/smb.conf.%X where
%X is the macro substitution for the netgroup or the network address.

then, you create /usr/local/samba/lib/smb.conf.lab1 or .lab2 or
.194.159.24. or .194.159.25. - whatever.

smb.conf.lab1 contains:

home dir = \\linux1\homes
logon path = \\linux1\profiles\%U

etc... you get the idea.

luke

On Mon, 9 Mar 1998, Nuno Loureiro wrote:

> Hi!!
>
> The lab (Lab1), I always talk about, with 25 computers and a linux as a
> PDC (Linux1) for them, and another lab (Lab2) about 7Km far away have to be
> "connected".
>
> The users of one lab are the users of the other lab...
>
> To connect the 2 Labs there's an ATM link and about 3 or 4 routers
> between them (in 2 university campus)... (I don't control this)
>
> The 2 labs are identical.. 1 linux as a NTDOM controller and NT4 wrkts
> on each.
>
> Well, I would like the users of (Lab2) to use (Linux1) as their PDC, or
> (Linux1) and (Linux2) to do replication.
>
> I want the users on both labs to have the same smbpassword..
> Homedirs of (lab1) will be on (linux1) and homedirs of (lab2) will be
> on (linux2)..
>
> What's the best way to do this, or is this possible with samba?
>
> Thanks in Advance,
>
> Nuno Loureiro
>
>
>
> -----
> Nuno Andre Henriques Loureiro
> http://lwp.ualg.pt/~nuno
> PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
> Finger nuno@lwp.ualg.pt for more info
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From brianb at atc.ll.mit.edu Mon Mar 9 18:20:53 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839 )
Date: Tue Dec 2 02:23:53 2003
Subject: Printing to Samba served printer
Message-ID: <199803091820.NAA21308@wilbur.ll.g41g42>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 433 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980309/67c7560f/attachment.bat

From lkcl at switchboard.net Mon Mar 9 19:51:34 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: Printing to Samba served printer
In-Reply-To: <199803091820.NAA21308@wilbur.ll.g41g42>
Message-ID:

ok.

which version of samba (or which cvs date did you last check out); which
version of NT; which service pack; what unix server.

luke

On Tue, 10 Mar 1998, Brian Burke x0839 wrote:

> When reading the NTDOM FAQ it seems that I should be having
> problems printing to unix printers through Samba. I am not
> having this problem. Is there something wrong with my config
> which is lowering security or something? Or has this been
> resolved, which I don't think is the case. On my NT workstations
> I am able to browse the printers through network neighborhood in
> the normal way.
>
> Just wondering whats going on here.
> -Brian
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From brianb at atc.ll.mit.edu Mon Mar 9 19:19:42 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839)
Date: Tue Dec 2 02:23:53 2003
Subject: Printing to Samba served printer
Message-ID: <199803091919.OAA21346@wilbur.ll.g41g42>

>
> which version of samba (or which cvs date did you last check out); which
> version of NT; which service pack; what unix server.

Using code checked out with cvs last Friday (checked for updates today
also.) Using NT Workstation 4.0 Service Pack 3. Samba running
on Solaris 2.6

I haven't compiled in the ARCFOUR code so I don't know if it might
be related to that.

> On Tue, 10 Mar 1998, Brian Burke x0839 wrote:
>
> > When reading the NTDOM FAQ it seems that I should be having
> > problems printing to unix printers through Samba. I am not
> > having this problem. Is there something wrong with my config
> > which is lowering security or something? Or has this been
> > resolved, which I don't think is the case. On my NT workstations
> > I am able to browse the printers through network neighborhood in
> > the normal way.

From andre at lme.usp.br Mon Mar 9 19:50:07 1998
From: andre at lme.usp.br (Andre Gerhard)
Date: Tue Dec 2 02:23:53 2003
Subject: Printing to Samba served printer
In-Reply-To: <199803091919.OAA21346@wilbur.ll.g41g42>
Message-ID: <3.0.1.32.19980309165007.0093fd80@ws10.lme.usp.br>

At 06:22 AM 3/10/98 +1100, Brian Burke x0839 wrote:
>>
>> which version of samba (or which cvs date did you last check out); which
>> version of NT; which service pack; what unix server.
>
>Using code checked out with cvs last Friday (checked for updates today
>also.) Using NT Workstation 4.0 Service Pack 3. Samba running
>on Solaris 2.6
>
>I haven't compiled in the ARCFOUR code so I don't know if it might
>be related to that.
>
>> On Tue, 10 Mar 1998, Brian Burke x0839 wrote:
>>
>> > When reading the NTDOM FAQ it seems that I should be having
>> > problems printing to unix printers through Samba. I am not
>> > having this problem. Is there something wrong with my config
>> > which is lowering security or something? Or has this been
>> > resolved, which I don't think is the case. On my NT workstations
>> > I am able to browse the printers through network neighborhood in
>> > the normal way.
>
>

If you do, in the NT Workstation:

Start -> Settings -> Printers -> Add Printer ->
select Network Printer Server -> Next -> select the printer -> OK,

what happens?

From Jean-Francois.Micouleau at utc.fr Mon Mar 9 23:11:27 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:53 2003
Subject: Printing to Samba served printer
In-Reply-To: <3.0.1.32.19980309165007.0093fd80@ws10.lme.usp.br>
Message-ID:

On Tue, 10 Mar 1998, Andre Gerhard wrote:

> If you do, in the NT Workstation:
>
> Start -> Settings -> Printers -> Add Printer ->
> select Network Printer Server -> Next -> select the printer -> OK,
>
> what happens?

Humm, let's see, it opens the spoolss pipe and does an enumprinters.

I'll add it to my todo list, this one is easy.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr :
: Universite de : Tel : 03 44 23 47 78 :
: Technologie de : Service Informatique :
: Compiegne France : Division IRNM :
-----------------------------------------------------------

From nuno at lwp.ualg.pt Tue Mar 10 14:57:39 1998
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:53 2003
Subject: 2 servers and routers between them..
Message-ID:

luke said:

>hi nuno,
>
>there are a couple of ways to do this (one in the future, with
>inter-domain trust relationships worked out).

will it be in the near future?

>which leaves this as an ordinary administration exercise to get round the
>lack of thingy. domain trust relationships.
>
>ok, your network is subdivided, yes? you can either use a %substitution
>macro which subdivides by netgroup (@lab1_pcs or @lab2_pcs) or by network
>address.
>
>then, you can do [global] include = /usr/local/samba/lib/smb.conf.%X where
>%X is the macro substitution for the netgroup or the network address.
>
>then, you create /usr/local/samba/lib/smb.conf.lab1 or .lab2 or
>.194.159.24. or .194.159.25. - whatever.
>
>smb.conf.lab1 contains:
>
>home dir = \\linux1\homes
>logon path = \\linux1\profiles\%U
>
>etc... you get the idea.

From what I've understood, you say to use one PDC for the 2 labs (linux1)
and 2 smb.conf (1 per each lab), and use the same smbpasswd, right?
If it works, fine for me :)

My doubt is : will lab2 see the PDC (linux1) knowing there are at least
3 or 4 routers between them?? I have no control on those routers, so I
dunno how they are configured.. I know NT4 can use Netbeui encapsulated
on tcp/ip, but I'm not sure if it will see the domain... will it?

-----
Nuno Andre Henriques Loureiro
http://lwp.ualg.pt/~nuno
PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
Finger nuno@lwp.ualg.pt for more info

From lkcl at switchboard.net Tue Mar 10 15:57:48 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: 2 servers and routers between them..
In-Reply-To:
Message-ID:

On Wed, 11 Mar 1998, Nuno Loureiro wrote:

>
> luke said:
>
> >hi nuno,
> >
> >there are a couple of ways to do this (one in the future, with
> >inter-domain trust relationships worked out).
>
> will it be in the near future?

the amount of work needed hasn't been assessed yet, although doing so
would be a trivial matter (creating or otherwise obtaining a netmon trace,
and examining it) - half a day max?

the rest of your message [deleted] is a standard samba admin issue: i
recommend that you pursue this on the samba digest or in archives etc etc.

luke

From twinders at SPC.cc.tx.us Wed Mar 11 17:22:41 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:53 2003
Subject: Problem with /home mapping
Message-ID:

With BRANCH_NTDOM I have the following lines in my [global] section for
smb.conf

logon path = \\%N\profiles\%U\profile
logon home = \\%N\%U
auto services = homes

If I understand correctly, this will emulate the roaming profiles and home
paths as done with NT Server. The docs also recommend NOT using the home
share for a roaming profile, thus the above configuration.

I also have a [homes] and [profiles] shares.

The problem is: When an NT or 95 user uses the syntax:

net use h: /home

It will map the h: drive to the PROFILES share.

Should it map to the HOMES share?

---------------------------------------------------------------------
| Tim Winders, CNE | Email: twinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From lkcl at switchboard.net Wed Mar 11 21:17:15 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: Problem with /home mapping
In-Reply-To:
Message-ID:

On Thu, 12 Mar 1998, Tim Winders wrote:

> With BRANCH_NTDOM I have the following lines in my [global] section for
> smb.conf
>
> logon path = \\%N\profiles\%U\profile
> logon home = \\%N\%U
> auto services = homes
>
> If I understand correctly, this will emulate the roaming profiles and home
> paths as done with NT Server. The docs also recommend NOT using the home
> share for a roaming profile,

yep.

> I also have a [homes] and [profiles] shares.
>
> The problem is: When an NT or 95 user uses the syntax:
>
> net use h: /home
>
> It will map the h: drive to the PROFILES share.

oops.

> Should it map to the HOMES share?

it should map to the "logon home" parameter, which you configure as the
HOMES share in this instance.

oops.

luke

From twinders at SPC.cc.tx.us Wed Mar 11 20:55:55 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:53 2003
Subject: Problem with /home mapping
In-Reply-To:
Message-ID:

Should I send this to samba-bugs,
or are YOU samba-bugs

On Wed, 11 Mar 1998, Luke Kenneth Casson Leighton wrote:

> On Thu, 12 Mar 1998, Tim Winders wrote:
>
> > With BRANCH_NTDOM I have the following lines in my [global] section for
> > smb.conf
> >
> > logon path = \\%N\profiles\%U\profile
> > logon home = \\%N\%U
> > auto services = homes
> >
> > If I understand correctly, this will emulate the roaming profiles and home
> > paths as done with NT Server. The docs also recommend NOT using the home
> > share for a roaming profile,
>
> yep.
>
> > I also have a [homes] and [profiles] shares.
> >
> > The problem is: When an NT or 95 user uses the syntax:
> >
> > net use h: /home
> >
> > It will map the h: drive to the PROFILES share.
>
> oops.
>
> > Should it map to the HOMES share?
>
> it should map to the "logon home" parameter, which you configure as the
> HOMES share in this instance.
>
> oops.
>
> luke
>

---------------------------------------------------------------------
| Tim Winders, CNE | Email: twinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From brianb at atc.ll.mit.edu Thu Mar 12 02:16:27 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839)
Date: Tue Dec 2 02:23:53 2003
Subject: RIDs and userid's and roaming profiles
Message-ID: <199803120216.VAA17580@wilbur.ll.g41g42>

I have NTDOM BRANCH samba (update checked today) running on a Solaris 2.6
host. I'm getting some strange behavior related to RIDs and the userid.
According to some documents written by Luke, the RID should be the
userid + 1000 (or at least that's the way it seems to be)

This isn't currently happening for my setup. When a user logs in they
seem to get a RID of 500. The problem this is causing relates to copying
the domain profile for the user to the local machine. All users are getting
a RID of 500, so the registry key used for profiles is

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Window NT/CurrentVersion/ProfileList/
S-1-5-21-XXX-XXX-XXX-500

which of course is now the same for every user. The key ProfileImagePath
gets set to the appropriate value only for the first user to log in... then
subsequent users have their profiles from samba overwrite that user's local
profile. This also means that I can't do things like have the profile not
get copied on each login and logout.

On one of my NT 4.0 workstations it used to work. I don't know when it
stopped working or why, but on that workstation there were entries for

S-1-5-21-XXX-XXX-XXX-11018 for a user with a uid of 10018 and
S-1-5-21-XXX-XXX-XXX-4002 for a user with a uid of 3002

so the uid+1000 took place at some point but now it isn't working that
way anymore.

If anyone has some insight on this problem I'd appreciate it. Where is
this 500 number coming from? Could something be going wrong with the
NT Domain logon so the uid isn't being set and NT then picks 500 for the
guest user or something like that?

Thanks,
-Brian

From cartegw at Eng.Auburn.EDU Thu Mar 12 03:11:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:53 2003
Subject: RIDs and userid's and roaming profiles
In-Reply-To: <199803120216.VAA17580@wilbur.ll.g41g42>
Message-ID:

On Thu, 12 Mar 1998, Brian Burke x0839 wrote:

> HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Window NT/CurrentVersion/ProfileList/
> S-1-5-21-XXX-XXX-XXX-500
>
> this 500 number coming from? Could something be going wrong with the
> NT Domain logon so the uid isn't being set and NT then picks 500 for the
> guest user or something like that?

I thought 500 was the RID for the Administrator account. Could be wrong
though. I'm sure it is one of the built-in accounts. Are the users
specified in the 'domain admins =' parameter in smb.conf by chance?

Interesting, though. I think one of my NT 4.0 boxes is having the same
problem. I haven't traced it to the user RID yet but the symptoms are
similar to the ones you describe.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From brianb at atc.ll.mit.edu Thu Mar 12 03:18:44 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839)
Date: Tue Dec 2 02:23:53 2003
Subject: RIDs and userid's and roaming profiles
Message-ID: <199803120318.WAA17638@wilbur.ll.g41g42>

> On Thu, 12 Mar 1998, Brian Burke x0839 wrote:
>
> > HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Window NT/CurrentVersion/ProfileList/
> > S-1-5-21-XXX-XXX-XXX-500
> >
> > this 500 number coming from? Could something be going wrong with the
> > NT Domain logon so the uid isn't being set and NT then picks 500 for the
> > guest user or something like that?
>
> I thought 500 was the RID for the Administrator account. Could be wrong
> though. I'm sure it is one of the built-in accounts. Are the users
> specified in the 'domain admins =' parameter in smb.conf by chance?
>
> Interesting, though. I think one of my NT 4.0 boxes is having the same
> problem. I haven't traced it to the user RID yet but the symptoms are
> similar to the ones you describe.
>
>
> j-

Your timing is amazing Jerry... as I was just walking back to my computer
to write my own response to this problem your message arrived!

Yes, the problem was the domain admin = param for some of the users.
Is this the way it is supposed to work? I thought that I should be
able to give certain users (such as myself), the ability to act as
Administrator on any machine through the normal user account. The user
that logged in to the Domain is brianb... not Administrator. I was
thinking that this situation is similar to doing an su command in UNIX...
having super-user access but still with username and uid of the calling
user.

-Brian

From lkcl at switchboard.net Thu Mar 12 20:54:21 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: Problem with /home mapping
In-Reply-To:
Message-ID:

On Wed, 11 Mar 1998, Tim Winders wrote:

> Should I send this to samba-bugs,

yep. subject "BUG: ..."

> or are YOU samba-bugs

every three to five weeks, i sometimes put that hat on...

From lkcl at switchboard.net Thu Mar 12 21:06:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: RIDs and userid's and roaming profiles
In-Reply-To:
Message-ID:

On Thu, 12 Mar 1998, Gerald W. Carter wrote:

> On Thu, 12 Mar 1998, Brian Burke x0839 wrote:
>
> > HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Window NT/CurrentVersion/ProfileList/
> > S-1-5-21-XXX-XXX-XXX-500
> >
> > this 500 number coming from? Could something be going wrong with the
> > NT Domain logon so the uid isn't being set and NT then picks 500 for the
> > guest user or something like that?
>
> I thought 500 was the RID for the Administrator account.

.. mmm... 0x201? 'ang about: check the header files: that will give you
the exact value. or see msvc's winnt.h file if you have msdn or msvc.

From lkcl at switchboard.net Thu Mar 12 21:11:58 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: RIDs and userid's and roaming profiles
In-Reply-To: <199803120318.WAA17638@wilbur.ll.g41g42>
Message-ID:

On Thu, 12 Mar 1998, Brian Burke x0839 wrote:

> >
> > On Thu, 12 Mar 1998, Brian Burke x0839 wrote:
> >
> > > HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Window NT/CurrentVersion/ProfileList/
> > > S-1-5-21-XXX-XXX-XXX-500
> > >
> > > this 500 number coming from? Could something be going wrong with the
> > > NT Domain logon so the uid isn't being set and NT then picks 500 for the
> > > guest user or something like that?
> >
> > I thought 500 was the RID for the Administrator account. Could be wrong
> > though. I'm sure it is one of the built-in accounts. Are the users
> > specified in the 'domain admins =' parameter in smb.conf by chance?
> >
> > Interesting, though. I think one of my NT 4.0 boxes is having the same
> > problem. I haven't traced it to the user RID yet but the symptoms are
> > similar to the ones you describe.
> >
> >
> > j-
>
> Your timing is amazing Jerry... as I was just walking back to my computer
> to write my own response to this problem your message arrived!
>
> Yes, the problem was the domain admin = param for some of the users.
> Is this the way it is supposed to work? I thought that I should be
> able to give certain users (such as myself), the ability to act as
> Administrator on any machine through the normal user account. The user
> that logged in to the Domain is brianb... not Administrator. I was
> thinking that this situation is similar to doing an su command in UNIX...
> having super-user access but still with username and uid of the calling
> user.

ok, this is where some assistance from microsoft would come in handy.

info: paul ashton informs me that you can specify a username / password /
domain in the LSA_SAMLOGON, and respond with a _different_ username and
(effectively) an arbitrary Primary Group RID and Primary User RID.

info: in the code, i append non-primary groups specified by "domain admin
users" and "domain guest users" onto the list of groups.

from what you are saying, this causes things to go awry. but maybe this
is a _feature_ of NT workstation: if you specify that some of your users
are administrators, they all share the same profile.

luke

From wes at markets.caltech.edu Sat Mar 14 03:48:36 1998
From: wes at markets.caltech.edu (Wes Boudville)
Date: Tue Dec 2 02:23:53 2003
Subject: NT 4 to Irix 6.2 samba 1.9.18p3 failure
Message-ID: <19980314035155Z12668641-14660+14397@samba.anu.edu.au>

I have an NT 4.0 cluster and a unix cluster on the same subnet. The unix
cluster uses NIS. On both clusters, I've defined the user "joe", with the
same password. I want joe to be able to login to NT and see his unix home
dir. [I've done this before under SunOS 4.1.3.]

"Mine" is a unix NIS client, with a local disk with joe's home dir. It is
an Indigo2 running irix 6.2. I compiled and installed samba 1.9.18p3 using
the native cc, and ran the smbd and nmbd. I then ran the samba tests in
DIAGNOSIS.txt. The first 7 tests worked. For test 8, I logged as joe on
NT 4, and did

net view \\mine

This failed. Got "System error 5. Access is denied".

Samba was compiled using the recommended flags

FLAGSM = -DSGI6 -DSHADOW_PWD -DHAVE_TIMEZONE -DFAST_SHARE_MODES

I recompiled with these

FLAGSM = -DSGI6 -DHAVE_TIMEZONE -DFAST_SHARE_MODES -DNETGROUP

After reinstalling, the test 8 above gives the same error.

I tried compiling using gcc 2.8.0. But it then fails the test
"smbclient -L mine".

For all of the above, I've used the default smb.conf file, with only the
following changes -

workgroup = A11
hosts allow = 201.110.14.0/255.255.255.0
[tmp]
comment = Temporary file space
path = /tmp
read only = no
; public = yes

where my NT cluster is called "A11", and the subnet is "201.110.14".
Actually, it's another IP range, which I don't wish to reveal. But the
IPs are correct. From the NT and "mine", I can ping each other.

From aperrin at demog.berkeley.edu Sat Mar 14 04:31:00 1998
From: aperrin at demog.berkeley.edu (Andrew Perrin)
Date: Tue Dec 2 02:23:53 2003
Subject: NT 4 to Irix 6.2 samba 1.9.18p3 failure
In-Reply-To: <19980314035155Z12668641-14660+14397@samba.anu.edu.au>
Message-ID:

Are you using encrypted passwords? If so, then your error sounds very
similar to our still-unsolved bug using Solaris and encryption.

Best,
Andy Perrin
UC Berkeley, Demography

From wes at markets.caltech.edu Sat Mar 14 17:47:12 1998
From: wes at markets.caltech.edu (Wes Boudville)
Date: Tue Dec 2 02:23:53 2003
Subject: NT 4 to Irix 6.2 samba 1.9.18p3 failure
In-Reply-To: ; from "Andrew Perrin" at Mar 13, 98 8:31 pm
Message-ID: <19980314020640Z12640917-391+2@samba.anu.edu.au>

> Are you using encrypted passwords? If so, then your error sounds very
> similar to our still-unsolved bug using Solaris and encryption.
>

Do you mean that on NT, when I do "net view \\mine", that my NT password
is being passed encrypted to "mine"? If so, then I'm not sure. [I'm a new
sysadmin on NT.] How does one check this?

From cartegw at Eng.Auburn.EDU Mon Mar 16 14:49:56 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:53 2003
Subject: ERROR Verify - under BRANCH_NTDOM
Message-ID: <350D3C14.817D9A11@eng.auburn.edu>

Greetings! :-)

Thought I would check here before posting to samba-bugs

I am running BRANCH_NTDOM on Solaris 2.5.1 ( Sparc Ultra 1 ).

Upon running the command on an NT 4.0 Wks

C:\> copy h:\filename.ext c:\temp\filename.ext /v

I get the following message

"ERROR Verify - h:\filename.ext"

Has anyone else experienced this?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Mon Mar 16 15:07:18 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:53 2003
Subject: ERROR Verify - under BRANCH_NTDOM
References: <350D3C14.817D9A11@eng.auburn.edu>
Message-ID: <350D4026.117DEE25@eng.auburn.edu>

Gerald W. Carter wrote:
>
> Upon running the command on an NT 4.0 Wks
>
> C:\> copy h:\filename.ext c:\temp\filename.ext /v
>
> I get the following message
>
> "ERROR Verify - h:\filename.ext"
>

I should have added that the file does not appear to be corrupted in
any way and that I do not experience this behavior on 1.9.18p3 or
1.9.17p4. The only difference being that the standard servers do not
use encrypted passwords.

Also when trying to copy a ~3Mb file from the local disk on the NT box
to the samba network drive using a command prompt, only 518 bytes are
copied! This seems to work fine using the explorer to drag-n-drop the
file.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From jengelha at gac.edu Mon Mar 16 17:48:35 1998
From: jengelha at gac.edu (Jeff S Engelhardt)
Date: Tue Dec 2 02:23:53 2003
Subject: designating domain users as administrators
Message-ID: <199803161748.LAA27590@kilpinen.it.gac.edu>

How do I get domain accounts to appear as administrators on the local machines?
Is this even an option? If this is not a current option are there plans to
make it so in the future? What I would like to have is a group to which
certain users could belong if we want them to have administrator privileges on
the local machine.

We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0 workstations.

Thank you
Jeff Engelhardt

================================================================
Jeff Engelhardt jengelha@gac.edu
UNIX Systems Administrator http://www.gac.edu/~jengelha
(507) 933 7042 FAX: 933 7041
Departments of Information Technology && Math/Computer Science
Gustavus Adolphus College
800 West College Avenue
St. Peter MN, 56082
================================================================

From cartegw at Eng.Auburn.EDU Mon Mar 16 17:55:57 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:53 2003
Subject: designating domain users as administrators
References: <199803161748.LAA27590@kilpinen.it.gac.edu>
Message-ID: <350D67AD.402608D8@eng.auburn.edu>

Jeff S Engelhardt wrote:
>
> How do I get domain accounts to appear as administrators on the local machines?
> Is this even an option? If this is not a current option are there plans to
> make it so in the future? What I would like to have is a group to which
> certain users could belong if we want them to have administrator privileges on
> the local machine.
>
> We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0 workstations.
>

see 'domain admins' parameter in smb.conf man page

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From brianb at atc.ll.mit.edu Mon Mar 16 18:11:24 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839)
Date: Tue Dec 2 02:23:53 2003
Subject: designating domain users as administrators
Message-ID: <199803161811.NAA06881@wilbur.ll.g41g42>

> >
> > How do I get domain accounts to appear as administrators on the local machines?
> > Is this even an option? If this is not a current option are there plans to
> > make it so in the future? What I would like to have is a group to which
> > certain users could belong if we want them to have administrator privileges on
> > the local machine.
> >
> > We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0 workstations.
> >
>
> see 'domain admins' parameter in smb.conf man page
>

Just thought I'd share some of my experiences on this issue...

Using the domain admins works, it allows you to have administrator
privileges on any of the domain workstations... but... the behavior
with regards to profiles is kinda strange (I'm assuming that you are
using roaming profiles)

When logging into the network with roaming profiles, the user's profile is
copied from the Samba server to the local machine, then used from the
local machine until logoff... if changes were made it gets copied back
to the Samba server. There are keys in the registry that specify where
the local copy is and where the network copy is. Each user should have
their own keys for these values. The keys are stored in

HKLM/Software/Microsoft/Windows NT/CurrentVersion/ProfileList

Each key there represents either a local user or a domain user. For the
domain users the key is S-1-5-21-XXX-XXX-XXX-YYYYY where the X's
represent the Domain SID and the Y's represent the user's RID (a mapping
of their UserID)

A problem arises when you specify domain users. Each of these users gets
assigned a RID of 500 which represents the Administrator account. So the
key values of where to store the local copy of the profile gets set to
the appropriate value for the first admin user who logs on, (let's say
user1).
Now when the second admin user logs on (user2) they get the right
profile from Samba, but it gets copied locally to .../WinNT/Profiles/user1

The net effect is that everything seems to be working correctly, but to
local copies of profiles are handled properly increasing login times and
cause other undesirable (for me at least) behavior.

My solution? Maintain administrator accounts on each machine separately.
I could set up one administrator account on the domain, but just haven't
done that yet.

Hope this gives you some useful info.

-Brian

Brian Burke
MIT Lincoln Laboratory
Air Traffic Surveillance

From lkcl at switchboard.net Mon Mar 16 19:55:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: designating domain users as administrators
In-Reply-To: <199803161748.LAA27590@kilpinen.it.gac.edu>
Message-ID:

hi jeff,

well there is a "domain admin users" and a "domain guest users" option,
but i'm not sure whether "domain admin users" actually grants local or
domain or local admin rights :-)

see smb.conf.

luke

On Tue, 17 Mar 1998, Jeff S Engelhardt wrote:

>
> How do I get domain accounts to appear as administrators on the local machines?
> Is this even an option? If this is not a current option are there plans to
> make it so in the future? What I would like to have is a group to which
> certain users could belong if we want them to have administrator privileges on
> the local machine.
>
> We are running samba-pdc on a Sun running Solaris 2.5 serving NT 4.0 workstations.

oo, wow. how many simultaneous users?

lukes

From gemelli at sssup.it Tue Mar 17 11:05:15 1998
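Added example, not part of any message in this archive: a Python check for the condition Brian Burke describes in the thread above, where several domain logons come back with the Administrator RID 500 and so share one ProfileList key and one local profile directory. The SID sub-authorities, user names, uids, the %SystemRoot%\Profiles paths and the tuple/dict input format are constructed for illustration; the uid + 1000 rule is the mapping the posters report, taken here as an assumption.

```python
"""Audit domain logons for shared or built-in RIDs (added example, constructed data)."""
import ntpath
from collections import defaultdict

# Well-known relative identifiers as defined in winnt.h.
WELL_KNOWN_RIDS = {
    500: "Administrator (user)",
    501: "Guest (user)",
    512: "Domain Admins (group)",
    513: "Domain Users (group)",
    514: "Domain Guests (group)",
}

RID_BASE = 1000  # assumption: RID = unix uid + 1000, as reported in the thread


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid)."""
    parts = sid.strip().split("-")
    if (len(parts) < 4 or parts[0].upper() != "S"
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def audit_logons(logons):
    """logons: iterable of (username, unix_uid, sid_returned_at_logon).

    Returns a list of (kind, subject, detail) findings:
      builtin-rid     the user was handed a well-known RID
      unexpected-rid  the RID is not uid + RID_BASE
      shared-sid      more than one user name maps to the same SID
      malformed-sid   the SID string could not be parsed
    """
    users_by_sid = defaultdict(set)
    findings = []
    for user, uid, sid in logons:
        try:
            _domain, rid = parse_sid(sid)
        except ValueError as exc:
            findings.append(("malformed-sid", user, str(exc)))
            continue
        users_by_sid[sid].add(user)
        if rid in WELL_KNOWN_RIDS:
            findings.append(("builtin-rid", user,
                             "RID %d is %s" % (rid, WELL_KNOWN_RIDS[rid])))
        elif rid != uid + RID_BASE:
            findings.append(("unexpected-rid", user,
                             "RID %d, expected %d" % (rid, uid + RID_BASE)))
    for sid, users in users_by_sid.items():
        if len(users) > 1:
            findings.append(("shared-sid", sid, ", ".join(sorted(users))))
    return findings


def profile_conflicts(logons, profile_list):
    """Users whose SID's ProfileImagePath points at someone else's directory.

    profile_list maps SID -> ProfileImagePath, i.e. the contents of the
    ProfileList key exported from one workstation.
    """
    conflicts = []
    for user, _uid, sid in logons:
        path = profile_list.get(sid)
        if path and ntpath.basename(path).lower() != user.lower():
            conflicts.append((user, sid, path))
    return conflicts


# Constructed sample: user1 and user2 are listed as domain admins,
# alice and bob are ordinary users with the uid/RID pairs from the thread.
SAMPLE_LOGONS = [
    ("user1", 2001, "S-1-5-21-1111-2222-3333-500"),
    ("user2", 2002, "S-1-5-21-1111-2222-3333-500"),
    ("alice", 10018, "S-1-5-21-1111-2222-3333-11018"),
    ("bob", 3002, "S-1-5-21-1111-2222-3333-4002"),
]
SAMPLE_PROFILE_LIST = {
    "S-1-5-21-1111-2222-3333-500": r"%SystemRoot%\Profiles\user1",
    "S-1-5-21-1111-2222-3333-11018": r"%SystemRoot%\Profiles\alice",
    "S-1-5-21-1111-2222-3333-4002": r"%SystemRoot%\Profiles\bob",
}

if __name__ == "__main__":
    for finding in audit_logons(SAMPLE_LOGONS):
        print("%-14s %-32s %s" % finding)
    for user, sid, path in profile_conflicts(SAMPLE_LOGONS, SAMPLE_PROFILE_LIST):
        print("profile-clash  %s uses %s (key %s)" % (user, path, sid))
```

Because every account that comes back with RID 500 presents the same SID, ACLs and audit entries on the workstation cannot tell those people apart, which is why the shared-sid finding matters beyond the profile overwrite.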
From: gemelli at sssup.it (Paolo Bizzarri)
Date: Tue Dec 2 02:23:53 2003
Subject: Next Monday SAMBA Linux Networkign Guide v0.2
Message-ID: <350E58EA.50EE3EA9@sssup.it>

Hi everybody,

I am going to release the next Monday the version 0.2 of the SAMBA Linux
Networking Guide. This version will include:

- English cleansing;
- updates to the glossary;
- a partial rewrite for the Domain Control documentation, in order to
  include NTDOM project.

Please send me any contribution you feel I should include. I can deal
with plain ASCII, Tex files or RTF files (no problem).

Version 0.3 will include a complete rewriting of the Domain Control
documentation, and will be probably generated using SGML tools.

Thanks everybody who has sent comments to the version 0.1

Ciao

Paolo
--
Paolo Bizzarri
Retis Lab. Scuola Superiore S. Anna
56100 Pisa, Italy
Tel: +39 50 883 450
E-Mail: gemelli@sssup.it

From D.Bannon at latrobe.edu.au Wed Mar 18 04:38:01 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:23:53 2003
Subject: Samba and Unix passwd sync
In-Reply-To: <350021C1.7DE1@umw.cube.net>
Message-ID: <3.0.3.32.19980318143801.00824e90@bioserve.biochem.latrobe.edu.au>

Hi, I have had a number of people ask for a copy of my (very crude)
programme that keeps the unix and samba password lists in sync. It is a
replacement for 'passwd'.

You will find it here http://bioserve.latrobe.edu.au/about/bannon.html
on my page.

Please let me say sorry to the person who sent a request for this a few
days ago, I have not answered because I lost your message !

(would you use software written by someone who cannot even manage his
own email ??)

David.
------------------------------------------------------------
David Bannon D.Bannon@latrobe.edu.au
School of Biochemistry Phone 61 03 9479 2197
La Trobe University, Plenty Rd, Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From Jean-Francois.Micouleau at utc.fr Wed Mar 18 14:25:06 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:53 2003
Subject: Status of the spoolss pipe
Message-ID:

Dear all samba-ntdom readers and users.

Here is a small report on printing support for samba-ntdom:

I have done some network analysis and coding on the spoolss pipe
implementation for samba ntdom this last 3 weeks.

Basically the spoolss pipe support is needed because that's the standard
way for a NT4 workstation to print to a printer ( !!! ) in a domain.
Well a solution was already given to print to a samba pdc server from a
workstation inside the domain, but I consider it more like a hack than a
definitive solution.

As of today, I have coded the enumeration of printers and enumeration of
jobs. So if you click on the printers folder on a samba pdc, you have the
list of printers, and the list of jobs. Also if you do Start -> Control
Panel -> Printers -> Add a network printer, you can see the list of
printers of the samba pdc.

Now the printing part. I have decoded most of the info, and I should be
able to print sooner or later.

As I can't work full time on samba, don't expect to see the spoolss pipe
support in the next samba version.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr :
: Universite de : Tel : 03 44 23 47 78 :
: Technologie de : Service Informatique :
: Compiegne France : Division IRNM :
-----------------------------------------------------------

From lkcl at switchboard.net Wed Mar 18 20:49:53 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: Weird problem with Windows NT 4 Workstation and Samba PDC
Message-ID:

hi allan,

i saw your posting regarding people getting annoyed with samba not
working, and the clue to what you are doing is that you report the
machine saying it is an NT 5.4 Primary Domain Controller.

i then looked further down, and you are using 1.9.18p3 with -DNTDOMAIN
compiled.

this will *not* work. it is *vital* that you do not use -DNTDOMAIN in a
production environment with the main branch: you *will* get the kinds of
problems that you describe, as development of this code stopped at
1.9.18p12 and i went onto a separate cvs branch - BRANCH_NTDOM.

if you absolutely must have NT Primary Domain Controller functionality in
a production environment, then use the cvs tag of BRANCH_NTDOM and see
http://samba.anu.edu.au/cvs.html.

if you do not need PDC functionality, then recompile 1.9.18p3 _without_
-DNTDOMAIN and the experimental (and plain wrong, in places) code will be
totally removed.

otherwise, i recommend that you watch for developments on the various
samba lists (samba, samba-ntdom, samba-technical, samba-announce) for
information on when production quality PDC support and documentation is
available.

best regards,

luke (samba team)

p.s i'm still not on the samba digest: i'm on samba-technical, samba-cvs,
samba-ntdom though. hope everyone's having fun on samba@samba.anu.edu.au!

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From tom at netvision.be Wed Mar 18 20:29:34 1998
From: tom at netvision.be (Tom Vandepoel)
Date: Tue Dec 2 02:23:53 2003
Subject: accessing other workgroups
Message-ID: <35102EAE.7C6EB815@netvision.be>

Hi,

I've successfully setup a test samba PDC here (with the latest
BRANCH-NTDOM cvs source). Logins and share access to this PDC work fine,
but when I try to browse shares in other domains/workgroups I get
'access denied', even though I can mount these manually through NET USE.
Anyone know if this is normal behaviour, or is it yet something to be
smoothed out?

Tom.

--

| Tom Vandepoel
| Sr.Network Engineer
|
NetVision nv
tom@netvision.be
http://www.netvision.be
|
| T. 32-16-31.00.15
| F. 32-16-31.00.12

From lkcl at switchboard.net Wed Mar 18 21:55:53 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: accessing other workgroups
In-Reply-To: <35102EAE.7C6EB815@netvision.be>
Message-ID:

hi tom,

we probably haven't implemented the RPC calls necessary to do this: these
are probably the "domain trust relationship" calls.

sorry.

luke

On Thu, 19 Mar 1998, Tom Vandepoel wrote:

> Hi,
>
> I've successfully setup a test samba PDC here (with the latest
> BRANCH-NTDOM cvs source). Logins and share access to this PDC work fine,
> but when I try to browse shares in other domains/workgroups I get
> 'access denied', even though I can mount these manually through NET USE.
> Anyone know if this is normal behaviour, or is it yet something to be
> smoothed out?
>
> Tom.
>
>
> --
>
> | Tom Vandepoel
> | Sr.Network Engineer
> |
> NetVision nv
> tom@netvision.be
> http://www.netvision.be
> |
> | T. 32-16-31.00.15
> | F. 32-16-31.00.12
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Thu Mar 19 14:14:34 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: dfs function calls
Message-ID:

info copyright microsoft. this info will be useful in creating the dce/rpc calls which i believe to be on \PIPE\srvsvc, if you install DFS on your Build 1381 SP3 NT 4.0 server.

luke

Appendix I: Dfs Programming Interfaces

Public Interfaces

The file \public\sdk\inc\lmdfs.h is the final definition of these interfaces. There are flag and structure definitions in this file as well. However, they are reprinted here to provide a better idea of what they are. This interface applies to both the Windows NT 4.0 and Directory Service versions of Dfs.

NetDfsAdd

The NetDfsAdd function either creates a new junction point, that is, a link to a server share, or adds shares to an existing junction point in a distributed file system (Dfs) tree structure.

    NET_API_STATUS NET_API_FUNCTION NetDfsAdd(
        LPWSTR DfsEntryPath,  // Dfs entry path for this added volume or storage
        LPWSTR ServerName,    // Name of server exporting the storage
        LPWSTR ShareName,     // Existing share name for the storage
        LPWSTR Comment,       // Optional comment for this volume or storage
        DWORD  Flags          // Zero for no flags
    );

Parameters

DfsEntryPath
    [in] Points to a null-terminated Unicode character string that specifies the Universal Naming Convention (UNC) path name of a junction point in a Dfs tree structure. The string must be of the form:
        Dfsname\sharename\path-to-junction-point
    where Dfsname is the name of a Windows NT server that hosts the Dfs root volume; sharename is the name of a share that is published on the Dfs host server; and path-to-junction-point specifies the UNC network path name to a physical shared volume.

ServerName
    [in] Points to a null-terminated Unicode character string that specifies the name of the storage server that the junction point references.

ShareName
    [in] Points to a null-terminated Unicode character string that specifies the name of the share on the storage server that the junction point references.

Comment
    [in] Points to a null-terminated Unicode character string that contains an optional comment associated with the junction point.

Flags
    [in] Specifies a flag value. If you set this parameter to the value DFS_ADD_VOLUME the NetDfsAdd function will fail if the junction point already exists. If you set this parameter to zero, the function either creates a new junction point if one does not exist, or it adds a new share to an existing junction point.

Return Values

If the function succeeds, the return value is NERR_Success. If the function fails, the return value is a Win32 API error code. See Error Codes in the Appendix for a list of error codes.

See Also: NetDfsEnum, NetDfsRemove

NetDfsRemove

The NetDfsRemove function removes a server share from a junction point in a distributed file system (Dfs) tree structure. If the specified share is the last share associated with the junction point, then the NetDfsRemove function also removes the junction point.

    NET_API_STATUS NET_API_FUNCTION NetDfsRemove(
        LPWSTR DfsEntryPath,  // Dfs entry path for this volume or storage
        LPWSTR ServerName,    // Name of server exporting the storage
        LPWSTR ShareName      // Name of share exporting the storage
    );

Parameters

DfsEntryPath
    [in] Points to a null-terminated Unicode character string that specifies the Universal Naming Convention (UNC) path name of a junction point in a Dfs tree structure. The string must be of the form:
        Dfsname\sharename\path-to-junction-point
    where Dfsname is the name of a Windows NT server that hosts the Dfs root volume; sharename is the name of a share that is published on the Dfs host server; and path-to-junction-point specifies the UNC network path name to a physical shared volume.

ServerName
    [in] Points to a null-terminated Unicode character string that specifies the name of the storage server that the junction point references.

ShareName
    [in] Points to a null-terminated Unicode character string that specifies the name of the share on the storage server that the junction point references.

Return Values

If the function succeeds, the return value is NERR_Success. If the function fails, the return value is a Win32 API error code. See Error Codes in the Appendix for a list of error codes.

See Also: NetDfsAdd, NetDfsEnum

NetDfsEnum

The NetDfsEnum function enumerates all the junction points in the named distributed file system (Dfs) tree structure. The function returns information about the junction points based on the level of information specified by the Level parameter.

    NET_API_STATUS NET_API_FUNCTION NetDfsEnum(
        LPWSTR  DfsName,      // Name of the Dfs for enumeration
        DWORD   Level,        // Level of information requested
        DWORD   PrefMaxLen,   // Advisory, but -1 means "get it all"
        LPBYTE* Buffer,       // API allocates and returns buffer with requested info
        LPDWORD EntriesRead,  // Number of entries returned
        LPDWORD ResumeHandle  // Must be 0 on first call, reused on subsequent calls
    );

Parameters

DfsName
    [in] Points to a null-terminated Unicode character string that specifies the name of a Windows NT server that hosts the Dfs root volume.

Level
    [in] Specifies the information level of the request. This parameter can be one of the following values:

    Value  Meaning
    1      Return Dfs volume names. The Buffer parameter will contain an array of DFS_INFO_1 structures.
    2      Return Dfs volume names and volume information. The Buffer parameter will contain an array of DFS_INFO_2 structures.
    3      Return Dfs names, volume information, and network path information. The Buffer parameter will contain an array of DFS_INFO_3 structures.

PrefMaxLen
    [in] Specifies the preferred maximum number of bytes, in units of 8-bit bytes, that should be returned by this enumeration function call.

Buffer
    [out] Points to the address of a buffer that contains the requested information structures.

EntriesRead
    [out] Points to a DWORD that contains the actual enumerated junction point count.

ResumeHandle
    [in/out] Points to a DWORD that contains a handle that is used to continue the enumeration. The handle should be zero on the first call and left unchanged for subsequent calls.

Return Values

If the function succeeds, the return value is NERR_Success. If the function fails, the return value is a Win32 API error code. See Error Codes in the Appendix for a list of error codes.

Remarks

Call the NetDfsEnum function with the ResumeHandle parameter set to zero to begin the enumeration. To retrieve information about additional junction points, call the function with the ResumeHandle returned by the previous call to NetDfsEnum. The NetDfsEnum function allocates the memory required for the information structure buffer. The size of the memory can be greater than the amount specified by the PrefMaxLen parameter.

See Also: DFS_INFO_1, DFS_INFO_2, DFS_INFO_3, DFS_STORAGE_INFO, NetDfsAdd, NetDfsRemove

NetDfsGetInfo

The NetDfsGetInfo function retrieves information about a junction point in the named distributed file system (Dfs) tree structure. The function can return information specific to a server and share, or information specific to an entire junction point.

    NET_API_STATUS NET_API_FUNCTION NetDfsGetInfo(
        LPWSTR  DfsEntryPath,         // Dfs entry path for the volume
        LPWSTR  ServerName OPTIONAL,  // Name of server exporting the storage
        LPWSTR  ShareName OPTIONAL,   // Name of share exporting the storage
        DWORD   Level,                // Level of information requested
        LPBYTE* Buffer                // API allocates and returns buffer with requested info
    );

Parameters

DfsEntryPath
    [in] Points to a null-terminated Unicode character string that specifies the Universal Naming Convention (UNC) path name of a junction point in a Dfs tree structure. The string must be of the form:
        Dfsname\sharename\path-to-junction-point
    where Dfsname is the name of a Windows NT server that hosts the Dfs root volume; sharename is the name of a share that is published on the Dfs host server; and path-to-junction-point specifies the UNC network path name to a physical shared volume.

ServerName
    [in] Points to a null-terminated Unicode character string that specifies the name of the storage server that the junction point references. This parameter is optional. See the Remarks section for additional information.

ShareName
    [in] Points to a null-terminated Unicode character string that specifies the name of the share on the storage server that the junction point references. This parameter is optional. See the Remarks section for additional information.

Level
    [in] Specifies the information level of the request. This parameter can be one of the following values:

    Value  Meaning
    1      Return Dfs volume names. The Buffer parameter will contain an array of DFS_INFO_1 structures.
    2      Return Dfs volume names and volume information. The Buffer parameter will contain an array of DFS_INFO_2 structures.
    3      Return Dfs names, volume information, and network path information. The Buffer parameter will contain an array of DFS_INFO_3 structures.
    100    Return a comment about this Dfs volume or server. The Buffer parameter will contain a DFS_INFO_100 structure.

Buffer
    [out] Points to the address of a buffer that contains the requested information structures.

Return Values

If the function succeeds, the return value is NERR_Success. If the function fails, the return value is a Win32 API error code. See Error Codes in the Appendix for a list of error codes.

Remarks

If you specify both the ServerName and ShareName parameters, the NetDfsGetInfo function returns information specific to that server and share. If the parameters are not specified, the function returns information that is specific to the entire junction point.

See Also: DFS_INFO_1, DFS_INFO_2, DFS_INFO_3, DFS_INFO_100, DFS_STORAGE_INFO, NetDfsEnum

NetDfsSetInfo

The NetDfsSetInfo function associates information with a junction point in the named distributed file system (Dfs) tree structure. The function can set information relevant to a specific server and share, or information specific to an entire junction point.

    NET_API_STATUS NET_API_FUNCTION NetDfsSetInfo(
        LPWSTR DfsEntryPath,         // Dfs entry path for the volume
        LPWSTR ServerName OPTIONAL,  // Name of server exporting the storage
        LPWSTR ShareName OPTIONAL,   // Name of share exporting the storage
        DWORD  Level,                // Level of information to be set
        LPBYTE Buffer                // Buffer holding information
    );

Parameters

DfsEntryPath
    [in] Points to a null-terminated Unicode character string that specifies the Universal Naming Convention (UNC) path name of a junction point in a Dfs tree structure. The string must be of the form:
        Dfsname\sharename\path-to-junction-point
    where Dfsname is the name of a Windows NT server that hosts the Dfs root volume; sharename is the name of a share that is published on the Dfs host server; and path-to-junction-point specifies the UNC network path name to a physical shared volume.

ServerName
    [in] Points to a null-terminated Unicode character string that specifies the name of the storage server that the junction point references. This parameter is optional. See the Remarks section for additional information.

ShareName
    [in] Points to a null-terminated Unicode character string that specifies the name of the share on the storage server that the junction point references. This parameter is optional. See the Remarks section for additional information.

Level
    [in] Specifies the information level of the set request. This parameter can only be the following value:

    Value  Meaning
    100    Return a comment about this Dfs volume or server. The Buffer parameter contains a DFS_INFO_100 structure.

Buffer
    [in] Points to a buffer that contains the information structure.

Return Values

If the function succeeds, the return value is NERR_Success. If the function fails, the return value is a Win32 API error code. See Error Codes in the Appendix for a list of error codes.

Remarks

If you specify both the ServerName and ShareName parameters, the NetDfsSetInfo function returns information specific to that server and share. If the parameters are not specified, the function returns information that is specific to the entire junction point.

See Also: DFS_INFO_100, NetDfsEnum

Dfs API Error Codes

    Value                                             Meaning
    NERR_DfsInternalCorruption (NERR_BASE+560)        The internal database that the Dfs Service maintains is corrupt.
    NERR_DfsVolumeDataCorrupt (NERR_BASE+561)         One of the records in the internal database that the Dfs Service maintains is corrupt.
    NERR_DfsNoSuchVolume (NERR_BASE+562)              There is no volume that matches the DfsEntryPath parameter.
    NERR_DfsVolumeAlreadyExists (NERR_BASE+563)       A Dfs volume with the specified name already exists.
    NERR_DfsAlreadyShared (NERR_BASE+564)             The server share specified is already shared.
    NERR_DfsNoSuchShare (NERR_BASE+565)               The indicated server share does not support the indicated volume.
    NERR_DfsNotALeafVolume (NERR_BASE+566)            The operation is not valid on a non-leaf Dfs volume.
    NERR_DfsLeafVolume (NERR_BASE+567)                The operation is not valid on a Dfs leaf volume.
    NERR_DfsVolumeHasMultipleServers (NERR_BASE+568)  The Dfs Service is unable to complete this operation because the volume has multiple servers.
    NERR_DfsCantCreateJunctionPoint (NERR_BASE+569)   The Dfs Service is unable to create this junction point.
    NERR_DfsServerNotDfsAware (NERR_BASE+570)         The server is not Dfs-aware either because Dfs server software has not been installed or because the Distributed File Service has been terminated manually.
    NERR_DfsBadRenamePath (NERR_BASE+571)             The specified rename target path is invalid.
    NERR_DfsVolumeIsOffline (NERR_BASE+572)           The specified Dfs volume is offline.
    NERR_DfsNoSuchServer (NERR_BASE+573)              The specified server is not a server for this Dfs volume.
    NERR_DfsCyclicalName (NERR_BASE+574)              A cycle in the Dfs name was detected.
    NERR_DfsNotSupportedInServerDfs (NERR_BASE+575)   This operation is not supported on a server-based Dfs; it is only supported on a domain-based Dfs.
    NERR_DfsInternalError (NERR_BASE+590)             A Dfs internal error has occurred.

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From Jean-Francois.Micouleau at utc.fr Fri Mar 20 14:46:43 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:53 2003
Subject: Printing from an NT4 Wks to a samba PDC, hack version 2
Message-ID:

You need to print to a samba PDC server and you can't wait for the spoolss support ?

There are 2 solutions:

Use Andre Gerhard's hack: http://samba.anu.edu.au/listproc/samba-ntdom/0039.html

or setup the printers doing the following:

Start Menu -> Parameters -> Printers -> Add a printer -> This Computer -> Add a port -> Local Port and type the UNC of the printer: \\server-name\printer-share.

You don't need to redirect lpt1. You can't see the spooled jobs in the queue, but you can print.

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From ink at inconnu.isu.edu Sat Mar 21 01:01:37 1998
From: ink at inconnu.isu.edu (Craig Kelley)
Date: Tue Dec 2 02:23:53 2003
Subject: Invalid password length 18255
Message-ID:

I've setup ntdomain passwords with samba before and it worked fine; today (March 20) I set it up again on a RedHat 4.2 box and I keep getting this message in the samba logs when I connect (after it chooses [NT LM 0.12] as the protocol):

[000] 00 00 52 58 4E 45 54 00 57 69 6E 64 6F 77 73 20 ..RXNET. Windows
[010] 4E 54 20 31 33 38 31 00 00 57 69 6E 64 6F 77 73 NT 1381. .Windows
[020] 20 4E 54 20 34 2E 30 00 00 NT 4.0. .
switch message SMBsesssetupX (pid 17232)
03/20/1998 17:51:39: ERROR: Invalid password length 18255
your machine may be under attack by a user exploiting an old bug
Attack was from IP=134.50.8.81
Closing connections

The machine used to belong to the "RXNET" domain (NTServer) and I was attempting to switch it over to my samba domain, but the server is misinterpreting the above message. (this was generated from attempting to browse the samba domain). The Windows message is "An unexpected network error occured".

---

When I attempt to change over to the new domain (INKD), it gets a bit further (again, this snip is after the security is set to [NT LM 0.12]):

smb_bcc=5
[000] 49 4E 4B 44 00 INKD.
write_socket(5,78)
write_socket(5,78) wrote 78
got smb length of 133
got message type 0x0 of len 0x85
03/20/1998 17:56:22 Transaction 2 of length 137
size=133
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=3
smb_tid=0
smb_pid=51966
smb_uid=0
smb_mid=0
smt_wct=13
smb_vwv[0]=117 (0x75)
smb_vwv[1]=102 (0x66)
smb_vwv[2]=61440 (0xF000)
smb_vwv[3]=50 (0x32)
smb_vwv[4]=0 (0x0)
smb_vwv[5]=17253 (0x4365)
smb_vwv[6]=0 (0x0)
smb_vwv[7]=1 (0x1)
smb_vwv[8]=18255 (0x474F)
smb_vwv[9]=0 (0x0)
smb_vwv[10]=0 (0x0)
smb_vwv[11]=212 (0xD4)
smb_vwv[12]=0 (0x0)
smb_bcc=41
[000] 00 00 52 58 4E 45 54 00 57 69 6E 64 6F 77 73 20 ..RXNET. Windows
[010] 4E 54 20 31 33 38 31 00 00 57 69 6E 64 6F 77 73 NT 1381. .Windows
[020] 20 4E 54 20 34 2E 30 00 00 NT 4.0. .
switch message SMBsesssetupX (pid 17253)
03/20/1998 17:56:22: ERROR: Invalid password length 18255
your machine may be under attack by a user exploiting an old bug
Attack was from IP=134.50.8.81

I am using arcfour.o from the ssh distribution, which is the only thing I've done differently since the last time I setup samba PDC.

Thanks,
Craig

Wheel is turning, but the hamster is dead.
Craig Kelley -- kellcrai@isu.edu
http://www.isu.edu/~kellcrai
finger ink@inconnu.isu.edu for PGP block

From cartegw at Eng.Auburn.EDU Sat Mar 21 13:02:38 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:53 2003
Subject: Invalid password length 18255
In-Reply-To:
Message-ID:

On Sat, 21 Mar 1998, Craig Kelley wrote:

> I am using arcfour.o from the ssh distribution, which is the only thing
> I've done differently since the last time I setup samba PDC.
>

Did you define USE_ARCFOUR_FROM_SSH rather than USE_ARCFOUR?

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From ink at inconnu.isu.edu Sat Mar 21 13:15:59 1998
From: ink at inconnu.isu.edu (Craig Kelley)
Date: Tue Dec 2 02:23:53 2003
Subject: Invalid password length 18255
In-Reply-To:
Message-ID:

On Sat, 21 Mar 1998, Gerald W. Carter wrote:

> On Sat, 21 Mar 1998, Craig Kelley wrote:
>
> > I am using arcfour.o from the ssh distribution, which is the only thing
> > I've done differently since the last time I setup samba PDC.
> >
>
> Did you define USE_ARCFOUR_FROM_SSH rather than USE_ARCFOUR?

Yes, it won't compile without that directive.

From lkcl at switchboard.net Sat Mar 21 15:19:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:53 2003
Subject: Invalid password length 18255
In-Reply-To:
Message-ID:

> > Did you define USE_ARCFOUR_FROM_SSH rather than USE_ARCFOUR?
>
> Yes, it won't compile without that directive.

yes it does, if you see: http://samba.anu.edu.au/listproc/samba-ntdom/0061.html

luke

From nuno at lwp.ualg.pt Mon Mar 23 19:23:32 1998
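The kind of bounds check that produces a log line like "Invalid password length 18255" in the thread above, as an added example (not Samba's code and not written by anyone in the thread). It assumes the 13-word SMB_COM_SESSION_SETUP_ANDX layout in which vwv[7] and vwv[8] carry the two password lengths; the function names, status codes and the 128-byte cap are hypothetical, and the sample words and data bytes are re-typed from Craig Kelley's log.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SESSSETUP_WCT 13   /* word count of the NT LM 0.12 request form */
#define VWV_OEM_PWLEN 7    /* assumed: case-insensitive password length */
#define VWV_UNI_PWLEN 8    /* assumed: case-sensitive password length */
#define MAX_PW_FIELD  128  /* hypothetical per-field cap, in bytes */

typedef enum {
    SS_OK,
    SS_SHORT_PACKET,     /* buffer ends before the declared contents */
    SS_BAD_WCT,          /* not the 13-word form */
    SS_PWLEN_TOO_BIG,    /* one length field exceeds MAX_PW_FIELD */
    SS_PWLEN_PAST_DATA   /* lengths claim more bytes than smb_bcc carries */
} ss_status;

typedef struct {
    uint16_t vwv[SESSSETUP_WCT];
    uint16_t bcc;
    uint16_t bad_len;    /* offending value, for the log line */
} sesssetup;

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* buf starts at the word-count byte: wct, wct words, smb_bcc, then data. */
ss_status parse_sesssetup(const uint8_t *buf, size_t len, sesssetup *out)
{
    const size_t hdr = 1 + 2 * SESSSETUP_WCT + 2;
    size_t i;

    memset(out, 0, sizeof *out);
    if (len < 1) return SS_SHORT_PACKET;
    if (buf[0] != SESSSETUP_WCT) return SS_BAD_WCT;
    if (len < hdr) return SS_SHORT_PACKET;
    for (i = 0; i < SESSSETUP_WCT; i++)
        out->vwv[i] = get_le16(buf + 1 + 2 * i);
    out->bcc = get_le16(buf + 1 + 2 * SESSSETUP_WCT);
    if (len - hdr < out->bcc) return SS_SHORT_PACKET;

    /* Check each length on its own before adding them, so the sum cannot wrap. */
    uint16_t oem = out->vwv[VWV_OEM_PWLEN], uni = out->vwv[VWV_UNI_PWLEN];
    if (oem > MAX_PW_FIELD) { out->bad_len = oem; return SS_PWLEN_TOO_BIG; }
    if (uni > MAX_PW_FIELD) { out->bad_len = uni; return SS_PWLEN_TOO_BIG; }
    if ((uint32_t)oem + uni > out->bcc) {
        out->bad_len = (uint16_t)(oem + uni);
        return SS_PWLEN_PAST_DATA;
    }
    return SS_OK;   /* only now is it safe to copy oem/uni bytes out of the data */
}

/* Constructed sample: the parameter words and the 41 data bytes from the log above. */
static const uint16_t LOGGED_VWV[SESSSETUP_WCT] =
    { 117, 102, 61440, 50, 0, 17253, 0, 1, 18255, 0, 0, 212, 0 };
static const uint8_t LOGGED_DATA[41] = {
    0x00,0x00,0x52,0x58,0x4E,0x45,0x54,0x00,0x57,0x69,0x6E,0x64,0x6F,0x77,0x73,0x20,
    0x4E,0x54,0x20,0x31,0x33,0x38,0x31,0x00,0x00,0x57,0x69,0x6E,0x64,0x6F,0x77,0x73,
    0x20,0x4E,0x54,0x20,0x34,0x2E,0x30,0x00,0x00
};

/* Rebuild the logged request with a chosen vwv[8], then run the check on it. */
ss_status check_logged(uint16_t uni_pwlen, uint16_t *bad_len)
{
    uint8_t buf[1 + 2 * SESSSETUP_WCT + 2 + sizeof LOGGED_DATA];
    sesssetup req;
    size_t off = 0, i;

    buf[off++] = SESSSETUP_WCT;
    for (i = 0; i < SESSSETUP_WCT; i++, off += 2)
        put_le16(buf + off, i == (size_t)VWV_UNI_PWLEN ? uni_pwlen : LOGGED_VWV[i]);
    put_le16(buf + off, (uint16_t)sizeof LOGGED_DATA);
    off += 2;
    memcpy(buf + off, LOGGED_DATA, sizeof LOGGED_DATA);
    off += sizeof LOGGED_DATA;

    ss_status st = parse_sesssetup(buf, off, &req);
    if (bad_len) *bad_len = req.bad_len;
    return st;
}

int main(void)
{
    uint16_t bad = 0;
    ss_status st = check_logged(LOGGED_VWV[VWV_UNI_PWLEN], &bad);
    if (st == SS_PWLEN_TOO_BIG)
        printf("rejected: invalid password length %u\n", (unsigned)bad);
    printf("vwv[8]=0   -> status %d\n", (int)check_logged(0, &bad));
    printf("vwv[8]=100 -> status %d\n", (int)check_logged(100, &bad));
    return 0;
}
```

With the logged words the request is rejected on vwv[8] alone; a length that passes the cap but claims more than the 41 bytes in smb_bcc is caught by the second check.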
From: nuno at lwp.ualg.pt (Nuno Loureiro)
Date: Tue Dec 2 02:23:53 2003
Subject: patch for smbstatus to log usage
Message-ID:

Hi there!! In attachment there's a patch to add a new option to smbstatus (-t). To apply this patch go to source/utils/smbstatus and do patch -p0

From johanh at fusion.kth.se Thu Mar 26 00:28:35 1998
From: johanh at fusion.kth.se (johanh@fusion.kth.se) Date: Tue Dec 2 02:23:53 2003 Subject: -DUSE_ARCFOUR_FROM_SSH_SOURCE still enables to login with wr Message-ID: <9803258908.AA890815245@mail.crc.com> Hi I just must start with saying that I think everyone has done a GREAT job with Samba and Samba NTDOMAIN. I compiled with -DUSE_ARCFOUR_FROM_SSH_SOURCE and arcfour.c from ssh-1.2.22, but logins are still possible with the wrong password. My source is up to date with the CVS tree, with the modifications in Appendix A to Makefile. We use Solaris 2.6 and Samba is compiled with WorkShop Compilers 4.2 30 Oct 1996 C 4.2. I did notice that the option USE_ARCFOUR is used in more files than USE_ARCFOUR_FROM_SSH_SOURCE tatooine>grep USE_ARCFOUR */*/* lib/util/smbencrypt.c:#ifdef USE_ARCFOUR_FROM_SSH_SOURCE lib/util/smbencrypt.c:#ifdef USE_ARCFOUR lib/util/smbencrypt.c:#ifdef USE_ARCFOUR lib/util/smbencrypt.c:#ifdef USE_ARCFOUR_FROM_SSH_SOURCE tatooine>grep USE_ARCFOUR */*/*/* lib/rpc/parse/parse_net.c:#ifdef USE_ARCFOUR lib/rpc/server/srv_netlog.c:#ifdef USE_ARCFOUR TIA Johan Hedin /---------------------------------------------------------------------\ | Johan Hedin | johanh@fusion.kth.se | | Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh | \---------------------------------------------------------------------/ --- Appendix A --- Index: Makefile =================================================================== RCS file: /cvsroot/samba/source/Makefile,v retrieving revision 1.106.2.30 diff -u -r1.106.2.30 Makefile --- Makefile 1998/03/02 20:46:23 1.106.2.30 +++ Makefile 1998/03/25 08:18:13 @@ -5,7 +5,7 @@ ########################################################################### # The base directory for all samba files -BASEDIR = /usr/local/samba +BASEDIR = /usr/local/samba-nt # The base manpages directory to put the man pages in # Note: $(MANDIR)/man1, $(MANDIR)/man5 and $(MANDIR)/man8 must exist. 
@@ -20,7 +20,7 @@ BINDIR = $(BASEDIR)/bin SBINDIR = $(BASEDIR)/bin LIBDIR = $(BASEDIR)/lib -VARDIR = $(BASEDIR)/var +VARDIR = /var/samba # The permissions to give the executables INSTALLPERMS = 0755 @@ -53,7 +53,7 @@ LMHOSTSFILE = $(LIBDIR)/lmhosts DRIVERFILE = $(LIBDIR)/printers.def SMB_PASSWD = $(BINDIR)/smbpasswd -SMB_PASSWD_FILE = $(BASEDIR)/private/smbpasswd +SMB_PASSWD_FILE = $(VARDIR)/private/smbpasswd WEB_ROOT = $(BASEDIR) # the directory where lock files go @@ -240,9 +240,9 @@ # This is for SUNOS5.4 and later (also known as Solaris 2.4 and later) # contributed by Andrew.Tridgell@anu.edu.au -# FLAGSM = -DSUNOS5 -DSHADOW_PWD -DNETGROUP -DFAST_SHARE_MODES -# LIBSM = -lsocket -lnsl -# AWK = nawk +FLAGSM = -DSUNOS5 -DSHADOW_PWD -DNETGROUP -DFAST_SHARE_MODES -DUSE_ARCFOUR_FROM_SSH_SOURCE -DQUOTAS +LIBSM = -lsocket -lnsl +AWK = nawk # This is for SUNOS 5.2 and 5.3 (also known as Solaris 2.2 and 2.3) # contributed by hdsi@newtech.net @@ -796,7 +796,7 @@ $(UTIL_SRC_DIR)time.o \ $(UTIL_SRC_DIR)membuffer.o \ $(UTIL_SRC_DIR)smbpass.o \ - $(UTIL_SRC_DIR)access.o \ + $(UTIL_SRC_DIR)access.o \ $(UTIL_SRC_DIR)credentials.o \ $(MM_SRC_DIR)mem_man.o # object code for smbd 
@@ -892,17 +892,19 @@ # object files for targets ###################################################################### +ARCFOUR_OBJ = from-ssh/arcfour.o + # object files for smbstatus -STATUS_OBJ = $(STATUSOBJ) $(ARCFOUR_OBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LOCKOBJ) +STATUS_OBJ = $(STATUSOBJ) $(ARCFOUR_OBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LOCKOBJ) $(UTIL_SRC_DIR)getsmbpass.o # object files for nmblookup -LOOKUP_OBJ = $(NMBLOOK_SRC_DIR)nmblookup.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(ARCFOUR_OBJ) $(NMBLIBOBJ) $(UTILOBJ) +LOOKUP_OBJ = $(NMBLOOK_SRC_DIR)nmblookup.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(ARCFOUR_OBJ) $(NMBLIBOBJ) $(UTILOBJ) $(UTIL_SRC_DIR)getsmbpass.o # object files for smbd -SMBD_OBJ = $(UTILOBJ) $(RPC_LIB_OBJ) $(RPC_SRV_OBJ) $(ARCFOUR_OBJ) $(SMBDOBJ) $(SMBLIBOBJ) $(UBIOBJ) $(RPC_OBJ) $(RPC_SERV_OBJ) $(VTP_OBJ) $(LOCKOBJ) +SMBD_OBJ = $(UTILOBJ) $(RPC_LIB_OBJ) $(RPC_SRV_OBJ) $(ARCFOUR_OBJ) $(SMBDOBJ) $(SMBLIBOBJ) $(UBIOBJ) $(RPC_OBJ) $(RPC_SERV_OBJ) $(VTP_OBJ) $(LOCKOBJ) $(UTIL_SRC_DIR)getsmbpass.o # object files for nmbd -NMBD_OBJ = $(NMBDOBJ) $(ARCFOUR_OBJ) $(SMBLIBOBJ) $(UTILOBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o +NMBD_OBJ = $(NMBDOBJ) $(ARCFOUR_OBJ) $(SMBLIBOBJ) $(UTILOBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTIL_SRC_DIR)getsmbpass.o # object files for smbclient CLIENT_OBJ = $(CLIENTOBJ) $(ARCFOUR_OBJ) $(SMBLIBOBJ) $(UTILOBJ) $(RPC_CLI_OBJ) $(RPC_LIB_OBJ) \ 
@@ -965,23 +967,23 @@ testparm: $(TSTPRM_SRC_DIR)testparm.o $(UTILOBJ) @echo Linking testparm - @$(CC) $(CFLAGS) -o testparm $(ARCFOUR_OBJ) $(TSTPRM_SRC_DIR)testparm.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) + @$(CC) $(CFLAGS) -o testparm $(ARCFOUR_OBJ) $(TSTPRM_SRC_DIR)testparm.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) $(UTIL_SRC_DIR)getsmbpass.o testprns: $(TSTPRN_SRC_DIR)testprns.o $(UTILOBJ) @echo Linking testprns - @$(CC) $(CFLAGS) -o testprns $(ARCFOUR_OBJ) $(TSTPRN_SRC_DIR)testprns.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) + @$(CC) $(CFLAGS) -o testprns $(ARCFOUR_OBJ) $(TSTPRN_SRC_DIR)testprns.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) $(UTIL_SRC_DIR)getsmbpass.o smbpasswd: $(SMBPWD_SRC_DIR)smbpasswd.o $(UTIL_SRC_DIR)getsmbpass.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) @echo Linking smbpasswd - @$(CC) $(CFLAGS) -o smbpasswd $(ARCFOUR_OBJ) $(SMBPWD_SRC_DIR)smbpasswd.o $(UTIL_SRC_DIR)getsmbpass.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) + @$(CC) $(CFLAGS) -o smbpasswd $(ARCFOUR_OBJ) $(SMBPWD_SRC_DIR)smbpasswd.o $(UTIL_SRC_DIR)getsmbpass.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) $(UTIL_SRC_DIR)getsmbpass.o make_smbcodepage: $(SMBCPG_SRC_DIR)make_smbcodepage.o $(UTILOBJ) @echo Linking make_smbcodepage - @$(CC) $(CFLAGS) -o make_smbcodepage $(ARCFOUR_OBJ) $(SMBCPG_SRC_DIR)make_smbcodepage.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) + @$(CC) $(CFLAGS) -o make_smbcodepage $(ARCFOUR_OBJ) $(SMBCPG_SRC_DIR)make_smbcodepage.o $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(UTILOBJ) $(LIBS) $(UTIL_SRC_DIR)getsmbpass.o make_printerdef: $(PRTDEF_SRC_DIR)make_printerdef.o $(UTILOBJ) @echo Linking make_printerdef - @$(CC) 
$(CFLAGS) -o make_printerdef $(ARCFOUR_OBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(PRTDEF_SRC_DIR)make_printerdef.o $(UTILOBJ) $(LIBS) + @$(CC) $(CFLAGS) -o make_printerdef $(ARCFOUR_OBJ) $(RPC_SRC_DIR)parse/parse_misc.o $(RPC_SRC_DIR)parse/parse_prs.o $(PRTDEF_SRC_DIR)make_printerdef.o $(UTILOBJ) $(LIBS) $(UTIL_SRC_DIR)getsmbpass.o wsmbstatus: wsmbstatus.o $(UTILOBJ) @echo Linking wsmbstatus @@ -1092,7 +1094,7 @@ old-links: @$(SHELL) $(SCRIPT_SRC_DIR)links.sh $(ALLSRC) $(INCLUDES) @$(SHELL) $(SCRIPT_SRC_DIR)nmblinks.sh $(NMBDSRC) - + old-update: @$(SHELL) $(SCRIPT_SRC_DIR)update.sh $(ALLSRC) $(INCLUDES) @@ -1102,3 +1104,5 @@ ctags: ctags `find . -name "*.[ch]"` +$(ARCFOUR_OBJ): from-ssh/arcfour.c + gcc $(CFLAGS) -c from-ssh/arcfour.c -o from-ssh/arcfour.o From andre at lme.usp.br Wed Mar 25 12:52:22 1998 From: andre at lme.usp.br (Andre Gerhard) Date: Tue Dec 2 02:23:53 2003 Subject: Using PAM with RedHat 5.0 + Samba PDC Message-ID: <3.0.1.32.19980325095222.0093f100@ws10.lme.usp.br> Hello, I want to recompile my Samba PDC sources to use PAM ... Is it necessary to define a configuration file for smbd, nmbd in /etc/pam.d ? If the answer is yes, what should be the contents of this file ? Thanks in advance, Andre Gerhard Systems/Network Administrator Universidade de Sao Paulo - SP - Brasil From johanh at fusion.kth.se Wed Mar 25 13:04:04 1998 
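Review bot: in the Makefile hunk at -965,23 the smbpasswd link line already names $(UTIL_SRC_DIR)getsmbpass.o right after smbpasswd.o, so appending it again after $(LIBS) hands the linker the same object twice; drop the addition on that target. For testparm, testprns, make_smbcodepage and make_printerdef the object is added to the link command only, not to the target's prerequisite list, so make is never told to build getsmbpass.o before linking them. Add it to each prerequisite list, as the smbpasswd rule does, and place it before $(LIBS) with the other objects.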
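Review bot: the new $(ARCFOUR_OBJ) rule in the Makefile hunk at -1102,3 calls gcc directly, while the link rules earlier in the same patch all go through $(CC), so the build mixes compilers or fails wherever CC is not gcc. The rule also hard-codes the output as from-ssh/arcfour.o, which only works while ARCFOUR_OBJ expands to exactly that path. Suggest "$(CC) $(CFLAGS) -c from-ssh/arcfour.c -o $@".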
From: johanh at fusion.kth.se (Johan Hedin) Date: Tue Dec 2 02:23:53 2003 Subject: -DUSE_ARCFOUR_FROM_SSH_SOURCE still enables to login with wr In-Reply-To: <9803258908.AA890815245@mail.crc.com> Message-ID: I figured out what was wrong with -DUSE_ARCFOUR_FROM_SSH_SOURCE and I have now made a patch to the current version of Samba NTDOMAIN for using with arcfour.c from ssh-1.2.22. The patch is included in Appendix A. It is tested and working with Solaris 2.6 and Win NT 4.0 Sp 3 (English version). Johan /---------------------------------------------------------------------\ | Johan Hedin | johanh@fusion.kth.se | | Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh | \---------------------------------------------------------------------/ --- Appendix A --- Index: lib/util/smbencrypt.c =================================================================== RCS file: /cvsroot/samba/source/lib/util/Attic/smbencrypt.c,v retrieving revision 1.1.2.3 diff -u -r1.1.2.3 smbencrypt.c --- smbencrypt.c 1998/01/31 11:47:56 1.1.2.3 +++ smbencrypt.c 1998/03/25 13:00:00 @@ -204,7 +204,7 @@ ArcfourContext ctx; arcfour_init(&ctx, sess_key, 16); - arcfour_encrypt(&ctx, pwd, pwd_c, 16); + arcfour_encrypt(&ctx, pwd_c, pwd, 16); #else return False; Index: lib/rpc/server/srv_netlog.c =================================================================== RCS file: /cvsroot/samba/source/lib/rpc/server/srv_netlog.c,v retrieving revision 1.1.2.3 diff -u -r1.1.2.3 srv_netlog.c --- srv_netlog.c 1998/02/05 06:33:12 1.1.2.3 +++ srv_netlog.c 1998/03/25 13:00:02 @@ -26,6 +26,10 @@ #include "includes.h" #include "nterr.h" +#ifdef USE_ARCFOUR_FROM_SSH_SOURCE +#include "arcfour.h" +#endif + extern int DEBUGLEVEL; extern BOOL sam_logon_in_ssb; 
@@ -485,16 +489,27 @@ { uint32 status = 0x0; -#ifdef USE_ARCFOUR - extern void arcfour(uint8 key[16], uint8 out[16], uint8 in[16]); +#if defined(USE_ARCFOUR) || defined(USE_ARCFOUR_FROM_SSH_SOURCE) char nt_pwd[16]; char lm_pwd[16]; unsigned char arc4_key[16]; +#ifdef USE_ARCFOUR + extern void arcfour(uint8 key[16], uint8 out[16], uint8 in[16]); memset(arc4_key, 0, 16); memcpy(arc4_key, vuser->dc.sess_key, 8); arcfour(arc4_key, lm_pwd, id1->arc4_lm_owf.data); arcfour(arc4_key, nt_pwd, id1->arc4_nt_owf.data); +#else + ArcfourContext ctx; + + memset(arc4_key, 0, 16); + memcpy(arc4_key, vuser->dc.sess_key, 8); + + arcfour_init(&ctx, arc4_key, 16); + arcfour_encrypt(&ctx, lm_pwd, id1->arc4_lm_owf.data, 16); + arcfour_encrypt(&ctx, nt_pwd, id1->arc4_nt_owf.data, 16); +#endif #ifdef DEBUG_PASSWORD DEBUG(100,("arcfour decrypt of lm owf password:")); Index: lib/rpc/parse/parse_net.c =================================================================== RCS file: /cvsroot/samba/source/lib/rpc/parse/parse_net.c,v retrieving revision 1.1.2.3 diff -u -r1.1.2.3 parse_net.c --- parse_net.c 1998/02/07 06:30:13 1.1.2.3 +++ parse_net.c 1998/03/25 13:00:04 @@ -24,6 +24,10 @@ #include "includes.h" #include "nterr.h" +#ifdef USE_ARCFOUR_FROM_SSH_SOURCE +#include "arcfour.h" +#endif + extern int DEBUGLEVEL; /******************************************************************* @@ -597,12 +601,16 @@ make_uni_hdr(&(id->hdr_user_name ), len_user_name , len_user_name , 4); make_uni_hdr(&(id->hdr_wksta_name ), len_wksta_name , len_wksta_name , 4); -#ifdef USE_ARCFOUR +#if defined(USE_ARCFOUR) || defined(USE_ARCFOUR_FROM_SSH_SOURCE) if (lm_cypher && nt_cypher) { +#ifdef USE_ARCFOUR void arcfour(uint8 key[16], uint8 out[16], uint8 in[16]); unsigned char arc4_key[16]; +#else + ArcfourContext ctx; +#endif #ifdef DEBUG_PASSWORD DEBUG(100,("lm cypher:")); dump_data(100, lm_cypher, 16); 
@@ -611,11 +619,17 @@ dump_data(100, nt_cypher, 16); #endif +#ifdef USE_ARCFOUR memset(arc4_key, 0, 16); memcpy(arc4_key, sess_key, 16); arcfour(arc4_key, arc4_lm_owf, lm_cypher); arcfour(arc4_key, arc4_nt_owf, nt_cypher); +#else + arcfour_init(&ctx, sess_key, 16); + arcfour_encrypt(&ctx, arc4_lm_owf, lm_cypher, 16); + arcfour_encrypt(&ctx, arc4_nt_owf, nt_cypher, 16); +#endif #ifdef DEBUG_PASSWORD DEBUG(100,("arcfour encrypt of lm owf password:")); From samba at aquasoft.com.au Wed Mar 25 13:28:37 1998 From: samba at aquasoft.com.au (Samba Bugs) Date: Tue Dec 2 02:23:54 2003 Subject: Using PAM with RedHat 5.0 + Samba PDC In-Reply-To: <3.0.1.32.19980325095222.0093f100@ws10.lme.usp.br> Message-ID: Andre, The answer to your question can be found by looking at the ~samba/packaging/redhat/RH50 directory. Look in particular at samba.spec, samba.pam, et al. cheers, John H Terpstra - Samba-Team (RPM producer) On Wed, 25 Mar 1998, Andre Gerhard wrote: > Hello, > > > I want to recompile my Samba PDC sources to use PAM ... > > Is it necessary to define a configuration file for smbd, nmbd in > /etc/pam.d ? > > If the answer is yes, what should be the contents of this file ? > > > Thanks in advance, > > Andre Gerhard > Systems/Network Administrator > Universidade de Sao Paulo - SP - Brasil > From nuno at lwp.ualg.pt Wed Mar 25 13:32:53 1998 
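Review bot: the one-line fix in smbencrypt.c (hunk -204,7) swaps the two buffer arguments of arcfour_encrypt, and nothing at the call site says which one is the destination, which is how the earlier ordering went wrong. The other calls added in this patch put the output buffer first (lm_pwd, arc4_lm_owf), matching the arcfour(key, out, in) prototype, so a short comment here stating "destination first, then source" would keep the order from being flipped again.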
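Review bot: in the new #else branch of srv_netlog.c (hunk -485,16) a single arcfour_init is followed by two arcfour_encrypt calls on the same ctx, so if ArcfourContext carries cipher state from one call to the next, nt_pwd is decrypted with the keystream that follows the 16 bytes already consumed for lm_pwd. The USE_ARCFOUR branch hands arc4_key to arcfour() separately for each buffer, which suggests each 16-byte value is meant to be keyed from the start. If that is the intent, call arcfour_init(&ctx, arc4_key, 16) again before the nt_pwd line. The memset/memcpy that builds arc4_key is now repeated in both branches and could sit once above the inner #ifdef.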
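Review bot: the #else branch in parse_net.c (hunk -611,11) keys the cipher straight from sess_key over 16 bytes, while the corresponding branch in srv_netlog.c keys it from arc4_key, which holds only the first 8 bytes of the session key followed by zeros. Unless sess_key is already zero past byte 8 when it reaches this function, the two sides derive different keystreams; building the key the same way in both files would remove the doubt. This branch also calls arcfour_init once ahead of two arcfour_encrypt calls, so arc4_nt_owf is produced from a later part of the keystream than in the USE_ARCFOUR branch if ctx keeps its state between calls.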
From: nuno at lwp.ualg.pt (Nuno Loureiro) Date: Tue Dec 2 02:23:54 2003 Subject: status.dif URL Message-ID: I had some feedback reporting problems reading the attachment of my last mail, so here's the URL for smbstatus patch: http://lwp.ualg.pt/~nuno/status.dif come on... luke, gerald, all the others? ----- Nuno Andre Henriques Loureiro http://lwp.ualg.pt/~nuno PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4 Finger nuno@lwp.ualg.pt for more info From lkcl at switchboard.net Wed Mar 25 15:23:18 1998 
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: status.dif URL
In-Reply-To:
Message-ID:

ah, a message that can be read!

hi nuno, send your patch to samba-bugs@samba.anu.edu.au, with a subject line starting with PATCH:

thank you!

On Thu, 26 Mar 1998, Nuno Loureiro wrote:

>
> I had some feedback reporting problems reading the attachment of my last mail,
> so here's the URL for smbstatus patch:
>
> http://lwp.ualg.pt/~nuno/status.dif
>
> come on... luke, gerald, all the others?
>
>
> -----
> Nuno Andre Henriques Loureiro
> http://lwp.ualg.pt/~nuno
> PGP FingerPrint: 85 B2 B7 DA 28 C0 D9 BC E8 4D DC 23 8E 2B 72 B4
> Finger nuno@lwp.ualg.pt for more info
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From x7currie at lab2.cc.wmich.edu Wed Mar 25 19:31:14 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:23:54 2003
Subject: PAM problems
Message-ID: <35195B82.7864AF03@unix.cc.wmich.edu>

Hello, I'm new to this list. I'm experimenting w/ the latest NTDOM version
of samba. I am having problems getting samba to authenticate through any
method other than the smbpasswd file (whether or not I have PDC support in
the conf file or not). I am running debian linux w/ PAM installed, I have
created the 'samba' file in my /etc/pam.d directory as per the redhat
specifications. Still, using smbclient I am unable to obtain a connection.
 I am also having trouble getting security = server to work with our local NT
server. The log file says it keeps rejecting the password. Do I need to
modify the server's registry to use plaintext passwords?

Thanks,
Kevin Currie

From shyde at poboxes.com Wed Mar 25 20:19:33 1998
From: shyde at poboxes.com (Simon Hyde)
Date: Tue Dec 2 02:23:54 2003
Subject: PAM problems
In-Reply-To: <35195B82.7864AF03@unix.cc.wmich.edu>
References: <35195B82.7864AF03@unix.cc.wmich.edu>
Message-ID: <351960a8.84084171@pp2.shef.ac.uk>

On Thu, 26 Mar 1998 06:34:41 +1100, you wrote:

>Hello, I'm new to this list. I'm experimenting w/ the latest NTDOM version
>of samba. I am having problems getting samba to authenticate through any
>method other than the smbpasswd file (whether or not I have PDC support in
>the conf file or not). I am running debian linux w/ PAM installed, I have
>created the 'samba' file in my /etc/pam.d directory as per the redhat
>specifications. Still, using smbclient I am unable to obtain a connection.

Samba will not use anything but smbpasswd if you've got 'encrypted passwords = yes' in your smb.conf. This is because there is no way to get MS Encrypted passwords <-> Unix crypted passwords (in either direction)

> I am also having trouble getting security = server to work with our local NT
>server. The log file says it keeps rejecting the password. Do I need to
>modify the server's registry to use plaintext passwords?

Nope, but you will want to follow up the following from the release notes of Samba 1.9.18p3:

In the [global] section of smb.conf :

networkstation user login

This code (submitted by Rob Nielsen) allows the code many people were having problems with that queries an NT password server to be turned off at runtime rather than compile time. Please see the documentation in the smb.conf manual page for details. This is a security option - it must only be turned off after checks have been made to ensure that your NT password server does not suffer from the bug this code was meant to protect against !

From awilliam at whitemice.org Wed Mar 25 23:36:39 1998
From: awilliam at whitemice.org (Adam Williams)
Date: Tue Dec 2 02:23:54 2003
Subject: smbpasswd & NIS
Message-ID: <9803252336.ZM15915@estate1.whitemice.org>

I've hacked a yppasswdd, yppasswd pair that updates both the NIS maps on the server and the smbpasswd file. I based it loosely on David Bannon's hack of the passwd program that does the same thing. I send a clear text new password to the server which encrypts it and writes it to /etc/passwd, and called smbpasswd {USERNAME} {PASSWORD} to set the SAMBA passwords. It would be best to do both encrypts at the client but I needed something quick. If you're interested send me e-mail.

My programs were built on Redhat 5.0 from the src.rpm of yppasswd, also built on Redhat 4.2 (non glibc), and the yppasswd client on AIX 4.x

From noguer at enserg.fr Thu Mar 26 06:55:35 1998
From: noguer at enserg.fr (NOGUER Laurent)
Date: Tue Dec 2 02:23:54 2003
Subject: Share files between W95 and samba as a PDC
References: <35195B82.7864AF03@unix.cc.wmich.edu>
Message-ID: <3519FBE7.918BAD33@enserg.fr>

HELLO

I have the 1.9.18p3 samba release on a Linux Server.

I want to Share some W95 files through my network.
In the network configuration card of my computer, I give ACCESS control
to the "users level".
Therefore, when I want to share a file, system want a list of available
users.
When I click on the ADD button, W95 respond "This list is not valid at
the moment, try later".

My question is : "How samba can generate this list ??" and Is it
possible to do it ?

Thanks

--
----------------------------------------------------------------------------
PFT-CEM
Laurent NOGUER
151, rue de la papeterie
38402 St Martin d'Heres
Email noguer@enserg.fr
Tel : 04-76-82-44-65
Fax : 04-76-82-44-57
---------------------------------------------------------------------------

From samba at aquasoft.com.au Thu Mar 26 07:49:26 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:54 2003
Subject: Share files between W95 and samba as a PDC
In-Reply-To: <3519FBE7.918BAD33@enserg.fr>
Message-ID:

Samba-1.9.18p3 does NOT support what you want. It may come in 1.9.19 but do NOT hold your breath on it. Just for now, use only SHARE level access control.

In short, we are still working on this but it is a lower priority than other NTDOM related issues.

Cheers,
John H Terpstra - Samba-Team

On Thu, 26 Mar 1998, NOGUER Laurent wrote:

> HELLO
>
> I have the 1.9.18p3 samba release on a Linux Server.
>
> I want to Share some W95 files through my network.
> In the network configuration card of my computer, I give ACCESS control
> to the "users level".
> Therefore, when I want to share a file, system want a list of available
> users.
> When I click on the ADD button, W95 respond "This list is not valid at
> the moment, try later".
>
> My question is : "How samba can generate this list ??" and Is it
> possible to do it ?
>
> Thanks
>
> --
> ----------------------------------------------------------------------------
> PFT-CEM
> Laurent NOGUER
> 151, rue de la papeterie
> 38402 St Martin d'Heres
> Email noguer@enserg.fr
> Tel : 04-76-82-44-65
> Fax : 04-76-82-44-57
> ---------------------------------------------------------------------------
>
>

From rmeyer at mhsc.com Thu Mar 26 08:07:35 1998
From: rmeyer at mhsc.com (Roeland M.J. Meyer)
Date: Tue Dec 2 02:23:54 2003
Subject: smbpasswd & NIS
In-Reply-To: <9803252336.ZM15915@estate1.whitemice.org>
Message-ID: <199803260807.AAA15542@condor.mhsc.com>

Part of what I've been working on the past few months is bringing up a SSH-based mail service (If you want more on that then check my URL). Because we are a Caldera VAR we naturally are running OpenLinux as servers. I believe this is based on RedHat, although we have *many* add-on packages (about 52 of them, I believe). Since one of them is NIS (multiple servers) the Caldera user management system does not work and LISA sucks.

We expect to handle up to 10K users per server plus corporate staff, in the same uuid space. With this type of load, manual user management, ala traditional Linux/BSD, is NOT an option. Especially, since normal users do not have shell access and Accountholders (customers) do not even get Samba access.

We looked at PAM and decided that dox were not in good enough shape. KerbNet was actually tried, until we ran into the same documentation problem, that cost us a week (24x12). Critical pieces were missing. We reluctantly, about 5 weeks ago, came to the conclusion that we'd better write it ourselves and quit working so hard trying to do it the easy way. We could work on our own kludges more effectively.

What we came up with was a four-tier user management system. Part of the user management is done on postgreSQL. However, it needed a bottom-end. This was a level layer of bash and mostly perl5 scripts. It is very generic, automates uuid assignments according to tier, creates $HOMEs, changes passwd and smbpasswd, adds and deletes users, moves users between tiers, different /home for each tier, etc. The system only adds one extra config file in /etc, it's flat text which could be dbm but it's small so why bother. Otherwise, there are about 20 scripts, three in bash and the rest in perl.

The smbpasswd file is shared via NFS because NIS doesn't gain you anything. A shell account has equal chance at getting to it and an RPC failure will kill access equally. If NIS won't work then NFS won't either; the converse is also true, for most failure-modes.

It's still not quite finished since I also have to manage groups. But, I have to write this up anyway and it would be only a small problem to put in a little extra for distro. The question is, does anyone want it?

In case anyone wants to know, being the CEO of this place does give me the authority to make this offer.

At 12:47 3/26/98 +1100, Adam Williams wrote:

> I've hacked a yppasswdd, yppasswd pair that updates both the NIS maps
>on the server and the smbpasswd file. I based it loosely on David Bannon's hack
>of the passwd program that does the same thing. I send a clear text new
>password to the server which encrypts it and writes it to /etc/passwd, and called
>smbpasswd {USERNAME} {PASSWORD} to set the SAMBA passwords. It would be best
>to do both encrypts at the client but I needed something quick. If you're
>interested send me e-mail.
>
> My programs were built on Redhat 5.0 from the src.rpm of yppasswd,
> also built on Redhat 4.2 (non glibc), and the yppasswd client on AIX 4.x
>

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: mailto:rmeyer@mhsc.com
Personalweb pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
SecureMail from MHSC.NET is coming soon!

From lkcl at switchboard.net Thu Mar 26 09:42:50 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: PAM problems
In-Reply-To: <35195B82.7864AF03@unix.cc.wmich.edu>
Message-ID:

On Thu, 26 Mar 1998, Kevin Currie wrote:

> Hello, I'm new to this list. I'm experimenting w/ the latest NTDOM version
> of samba. I am having problems getting samba to authenticate through any
> method other than the smbpasswd file (whether or not I have PDC support in
> the conf file or not). I am running debian linux w/ PAM installed, I have
> created the 'samba' file in my /etc/pam.d directory as per the redhat
> specifications. Still, using smbclient I am unable to obtain a connection.
> I am also having trouble getting security = server to work with our local NT
> server. The log file says it keeps rejecting the password. Do I need to
> modify the server's registry to use plaintext passwords?

hi kevin,

i don't think i added a "security = server" mode to the NT domain login code. sorry.

is anyone maintaining an on-line TODO list? would anyone _like_ to maintain an html TODO list? gerry? :-)

luke

From lkcl at switchboard.net Thu Mar 26 09:56:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: smbpasswd & NIS
In-Reply-To: <9803252336.ZM15915@estate1.whitemice.org>
Message-ID:

you know, there's some _really_ good utilities coming out of this. maybe we ought to collate them in one place?

luke

On Thu, 26 Mar 1998, Adam Williams wrote:

> I've hacked a yppasswdd, yppasswd pair that updates both the NIS maps
> on the server and the smbpasswd file. I based it loosely on David Bannon's hack
> of the passwd program that does the same thing. I send a clear text new
> password to the server which encrypts it and writes it to /etc/passwd, and called
> smbpasswd {USERNAME} {PASSWORD} to set the SAMBA passwords. It would be best
> to do both encrypts at the client but I needed something quick. If you're
> interested send me e-mail.
>
> My programs were built on Redhat 5.0 from the src.rpm of yppasswd,
> also built on Redhat 4.2 (non glibc), and the yppasswd client on AIX 4.x
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Thu Mar 26 10:45:35 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: Share files between W95 and samba as a PDC
In-Reply-To: <3519FBE7.918BAD33@enserg.fr>
Message-ID:

On Thu, 26 Mar 1998, NOGUER Laurent wrote:

> HELLO
>
> I have the 1.9.18p3 samba release on a Linux Server.
>
> I want to Share some W95 files through my network.
> In the network configuration card of my computer, I give ACCESS control
> to the "users level".
> Therefore, when I want to share a file, system want a list of available
> users.
> When I click on the ADD button, W95 respond "This list is not valid at
> the moment, try later".
>
> My question is : "How samba can generate this list ??" and Is it
> possible to do it ?

this is the _one_ known area where we _think_ Win95 can be coaxed to use DCE/RPC client code.

it's on the TODO list (at least, the one in my head :-)

luke

From lkcl at switchboard.net Thu Mar 26 10:47:14 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: Share files between W95 and samba as a PDC
In-Reply-To:
Message-ID:

On Thu, 26 Mar 1998, Samba Bugs wrote:

>
> Samba-1.9.18p3 does NOT support what you want.

ah, yes. thanks john: missed that. i automatically assume that people on this list are using the NT Domains version of samba...

> It may come in 1.9.19 but
> do NOT hold your breath on it. Just for now, use only SHARE level access
> control.

yep!

> In short, we are still working on this but it is a lower priority than
> other NTDOM related issues.

yep.

> Cheers,
> John H Terpstra - Samba-Team
>
> On Thu, 26 Mar 1998, NOGUER Laurent wrote:
>
> > HELLO
> >
> > I have the 1.9.18p3 samba release on a Linux Server.
> >
> > I want to Share some W95 files through my network.
> > In the network configuration card of my computer, I give ACCESS control
> > to the "users level".
> > Therefore, when I want to share a file, system want a list of available
> > users.
> > When I click on the ADD button, W95 respond "This list is not valid at
> > the moment, try later".
> >
> > My question is : "How samba can generate this list ??" and Is it
> > possible to do it ?

From Jean-Francois.Micouleau at utc.fr Thu Mar 26 10:42:59 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:23:54 2003
Subject: PAM problems
In-Reply-To:
Message-ID:

On Thu, 26 Mar 1998, Luke Kenneth Casson Leighton wrote:

> is anyone maintaining an on-line TODO list? would anyone _like_ to
> maintain an html TODO list? gerry? :-)

that would be very helpful.

What's the status of the samba wish list also ?

What about a page, with the user wish list, the todo list and the done list ?

Jean Francois

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr :
: Universite de : Tel : 03 44 23 47 78 :
: Technologie de : Service Informatique :
: Compiegne France : Division IRNM :
-----------------------------------------------------------

From bernard at zeus.rug.ac.be Thu Mar 26 11:32:36 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:23:54 2003
Subject: NT4(SP3) and corrupted SAM files.
Message-ID:

Hi,

I've encountered a very strange thing. I have installed the Samba Nt-domain, and everything works fine. The domain is there, I can log in, ...

But, when someone tries to log in on the domain controlled by samba, or the local machine, and types in the wrong password, no password, or even a wrong username, the local SAM file is corrupted. It gives as error a number (Cxxxxxxx) where the x-es are random (mostly zero). When this has happened, no one can log in (even not the administrator) on the local machine or on the Domain controlled by Samba. We have to attach the hard disk to another NT machine, and delete the SAM file.

The most strange thing is that when you reboot the computer with the corrupted SAM file, everybody can log on and the DOMAIN-box is gone.

Anyone with the same problem, or with a solution for this?

Thanks in advance

Bernard
Bernard@zeus.rug.ac.be
Student University of Ghent

From cartegw at Eng.Auburn.EDU Thu Mar 26 13:57:12 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: PAM problems
References:
Message-ID: <351A5EB8.D39FC35A@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:

>
> is anyone maintaining an on-line TODO list? would anyone _like_ to
> maintain an html TODO list? gerry? :-)
>

Sure. Could do a static one real quick. How 'bout a list of e-mail addresses for people currently working on the problems as well. I will start with the list posted by Paul a couple of months ago and work from there.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From frank at engineer.com Thu Mar 26 17:47:27 1998
From: frank at engineer.com (Frank Berger)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
Message-ID: <01bd58df$3e15a880$6664a8c0@pelle>

Hi there !

Is it possible, to have the Solaris server (Samba) do the authentication of users logging on to an NT-client ? We've so far only managed to log onto the server when the user was already known to the NT-machine (not too good if you want 50 computers in your network with 100 users ... :-(

Can samba do the authentication via NIS ? Or do we have to use an extra NT-Server just for this ? (And would an NT-_WORKSTATION_ then be enough ?)

If someone out there has a Unix-server (samba and NIS) with NT-clients, could he/she please send me his/her smb.conf and settings I have to take care of ?

And of course it is urgent :-(

Thanks in advance !

Regards, Frank

INet : frank@engineer.com
Homepage : http://home.pages.de/~pelle/

From cartegw at Eng.Auburn.EDU Thu Mar 26 18:04:42 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
References: <01bd58df$3e15a880$6664a8c0@pelle>
Message-ID: <351A98BA.B66CD85B@eng.auburn.edu>

Frank Berger wrote:

>
> Hi there !
>
> If someone out there has a Unix-server (samba and NIS) with NT-clients,
> could he/she please send me his/her smb.conf and settings I have to take
> care of ?

Are you using Samba BRANCH_NTDOM as the PDC? You have to set

encrypt passwords = yes

in smb.conf to get the PDC support. If you do not want the PDC support, then use the standard distribution ( 1.9.18p3 ) and set things up as normal.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From santiago at lci.ufrj.br Fri Mar 27 03:05:43 1998
From: santiago at lci.ufrj.br (=?UNKNOWN-8BIT?Q?Maur=EDcio?= Santiago)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
Message-ID: <351B1787.F50@lci.ufrj.br>

Trying to compile with -DNTDOMAIN in Linux I get error for smbpass.c (below), I don't know a lot about gcc or compiling can anybody help?

make
Using CFLAGS = -O -DSMBLOGFILE="/usr/local/samba/var/log.smb" -DNMBLOGFILE="/usr
/local/samba/var/log.nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf" -DLMHOSTS
FILE="/usr/local/samba/lib/lmhosts" -DLOCKDIR="/usr/local/samba/var/locks" -DSM
BRUN="/usr/local/samba/bin/smbrun" -DCODEPAGEDIR="/usr/local/samba/lib/codepages
" -DWORKGROUP="LCI" -DGUEST_ACCOUNT="nobody" -DDRIVERFILE="/usr/local/samba/lib/
printers.def" -O3 -m486 -DSHADOW_PWD -DLINUX -DNTDOMAIN -DQUOTAS -DFAST_SHARE_MO
DES -DSMB_PASSWD="/usr/local/samba/bin/smbpasswd" -DSMB_PASSWD_FILE="/usr/
local/samba/private/smbpasswd"
Using LIBS = -lshadow

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I always get stuck here, If this is too obvious, I'm sorry.

Compiling smbpass.c
gcc: Internal compiler error: program cc1 got fatal signal 6
make: *** [smbpass.o] Error 1

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks,
santiago@lci.ufrj.br

From samba at aquasoft.com.au Fri Mar 27 03:10:48 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
In-Reply-To: <351B1787.F50@lci.ufrj.br>
Message-ID:

You appear to have either a Slackware system or have installed an updated version of gcc that has a compiler bug.

Slackware ships with a version of the gcc compiler that is not broken (refer to the root directory of the install CD) or update gcc again to a later version, or turn off all compiler optimisations. This should get it to compile.

Let us know if this does not solve your problem.

Cheers,
John H Terpstra - Samba-Team

On Fri, 27 Mar 1998, [UNKNOWN-8BIT] Maurício Santiago wrote:

> Trying to compile with -DNTDOMAIN in Linux I get error for smbpass.c
> (below), I don't know a lot about gcc or compiling can anybody help?
>
>
> make
> Using CFLAGS = -O -DSMBLOGFILE="/usr/local/samba/var/log.smb"
> -DNMBLOGFILE="/usr
> /local/samba/var/log.nmb" -DCONFIGFILE="/usr/local/samba/lib/smb.conf"
> -DLMHOSTS
> FILE="/usr/local/samba/lib/lmhosts"
> -DLOCKDIR="/usr/local/samba/var/locks" -DSM
> BRUN="/usr/local/samba/bin/smbrun"
> -DCODEPAGEDIR="/usr/local/samba/lib/codepages
> " -DWORKGROUP="LCI" -DGUEST_ACCOUNT="nobody"
> -DDRIVERFILE="/usr/local/samba/lib/
> printers.def" -O3 -m486 -DSHADOW_PWD -DLINUX -DNTDOMAIN -DQUOTAS
> -DFAST_SHARE_MO
> DES -DSMB_PASSWD="/usr/local/samba/bin/smbpasswd"
> -DSMB_PASSWD_FILE="/usr/
> local/samba/private/smbpasswd"
> Using LIBS = -lshadow
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I always get stuck here, If this is too
> obvious, I'm sorry.
>
> Compiling smbpass.c
> gcc: Internal compiler error: program cc1 got fatal signal 6
> make: *** [smbpass.o] Error 1
>
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
> Thanks,
> santiago@lci.ufrj.br
>

From santiago at lci.ufrj.br Fri Mar 27 03:39:13 1998
From: santiago at lci.ufrj.br (=?UNKNOWN-8BIT?Q?Maur=EDcio?= Santiago)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
Message-ID: <351B1F61.23A4@lci.ufrj.br>

In fact I have Slackware installed and gcc version is 2.7.2.3, compiled now with FLAGSM = -DLINUX only and still:

Compiling smbpass.c
gcc: Internal compiler error: program cc1 got fatal signal 6
make: *** [smbpass.o] Error 1

Can't I get a ready binary compiled with -DNTDOMAIN?, I mean is there a way to get it like there is for the samba without the DOMAIN feature?

Thanks again, I love SAMBA, sorry to bother.

santiago@lci.ufrj.br

From johanh at fusion.kth.se Fri Mar 27 08:47:25 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
In-Reply-To: <351B1F61.23A4@lci.ufrj.br>
Message-ID:

Of course you have checked this, but just in case...
You can get the error you get if you're out of disk space.

/Johan Hedin

On Fri, 27 Mar 1998, [UNKNOWN-8BIT] Maurício Santiago wrote:

> In fact I have Slackware installed and gcc version is 2.7.2.3, compiled
> now with FLAGSM = -DLINUX only and still:
>
> Compiling smbpass.c
> gcc: Internal compiler error: program cc1 got fatal signal 6
> make: *** [smbpass.o] Error 1
>
> Can't I get a ready binary compiled with -DNTDOMAIN?, I mean is there a
> way to get it like there is for the samba without the DOMAIN feature?
>
> Thanks again, I love SAMBA, sorry to bother.
>
> santiago@lci.ufrj.br
>

From frank at engineer.com Fri Mar 27 10:41:04 1998
From: frank at engineer.com (Frank Berger)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
Message-ID: <01bd596c$d7da7440$6664a8c0@pelle>

>Are you using Samba BRANCH_NTDOM as the PDC? You have to set

Not yet. We tried the "normal" Samba so far, but it has not worked.

>in smb.conf to get the PDC support. If you do not want the PDC support,
>then use the standard distribution ( 1.9.18p3 ) and set things up as
>normal.

If I don't want PDC support, then the Sun doesn't authenticate, right ? I don't want that (no PDC) then :-)

Frank

From lkcl at switchboard.net Fri Mar 27 14:00:26 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: NT4(SP3) and corrupted SAM files.
In-Reply-To:
Message-ID:

On Thu, 26 Mar 1998, Bernard Grymonpon wrote:

>
> Hi,
>
> I've encountered a very strange thing. I have installed the Samba
> Nt-domain, and everything works fine. The domain is there, i can log in,
> ..

which version? where did you obtain it from? what system are you using? what compiler? which version of the compiler? please also attach your smb.conf file.

_then_ we can answer your question :-)

you might also want to look at the "lsa-fix" - the hotfix from microsoft that solves the problem on the client-side that the bug you outline below discovered in NT: your system is vulnerable to attack: but that depends on your security setup (internal / external access; firewall yes/no etc etc).

luke (samba team)

> But, when someone tries to log in on the domain controlled by samba, or
> the local machine, and types in the wrong password, no password, or even a
> wrong username, the local SAM file is corrupted. It gives as error a
> number (Cxxxxxxx) where the x-es are random (mostly zero). When this has
> happened, no one can log in (even not the administrator) on the local
> machine or on the Domain controlled by Samba. We have to attach the hard
> disk to another NT machine, and delete the SAM file.
> The most strange thing is that when you reboot the computer with the
> corrupted SAM file, everybody can log on and the DOMAIN-box is gone.
>
> Anyone with the same problem, or with a solution for this?
>
> Thanks in advance
> Bernard
>
> Bernard@zeus.rug.ac.be Student University of Ghent
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at switchboard.net Fri Mar 27 14:01:55 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: Samba Authentication (was PA (fwd)
Message-ID:

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

---------- Forwarded message ----------
Date: Thu, 26 Mar 1998 08:23:52 -0500 (EST)
From: CURRIE KEVIN
To: Luke Kenneth Casson Leighton
Subject: Samba Authentication (was PA

> i don't think i added a "security = server" mode to the NT domain login
> code. sorry.
>
> is anyone maintaining an on-line TODO list? would anyone _like_ to
> maintain an html TODO list? gerry? :-)

Well, let me lay out what I am trying to do so that if it can't be done maybe it'd be something easy to add (it seems like it from an outside standpoint, but then I'm not the one doing all the coding ). Maybe someone could even point out an alternative solution for me.

I am a (student) supervisor of the Engineering College's computer lab on campus here. Basically what that means is that I pull enough weight to affect significant changes in my labs, but when it comes to campus wide systems, I'm a peon. I want to find a way to authenticate users to the campus NIS+ database so that the second a user walks into the lab they have to have a valid Unix account to even log into NT. The biggest reason we want this is for security and logging purposes, but there would be many other benefits to authenticating to a Samba server.

Ideally what I would like to be able to do is have some computer somewhere off on campus (which I won't have access to) be running Samba, maybe not even w/ NTDOM support. This computer would have full access to the NIS+ database. I would then have another computer (probably a Linux box) sitting in my lab running the NTDOM version of Samba and having security = server pointing across campus. This would allow tight enough security to make all the admins happy, but still give individual domains the access they need to manage what computers get into their domain and how to manage them.

It seems like it wouldn't be too hard--but what do I really know-- to authenticate users (via a password server) and computers (via the smbpasswd file) separately. After all, Samba has to go through a computer check and a user check anyway, it is just that both are in the same file.

This is something that I can see as really helping Samba gain ground in large Unix networks. Unfortunately I have no experience at all in Unix programming (DOS is another story), or I'd dig around in the source myself and see if this were even possible; however I find myself rather confused the second a system call is made...

Add it to the wish list I guess. :)

Kevin Currie

From bernard at zeus.rug.ac.be Fri Mar 27 13:51:50 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:23:54 2003
Subject: NT4(SP3) and corrupted SAM files.
In-Reply-To:
Message-ID:

On Sat, 28 Mar 1998, Luke Kenneth Casson Leighton wrote:

> On Thu, 26 Mar 1998, Bernard Grymonpon wrote:
>
> > I've encountered a very strange thing. I have installed the Samba
> > Nt-domain, and everything works fine. The domain is there, i can log in,
> > ..
>
> which version? where did you obtain it from? what system are you using?
> what compiler? which version of the compiler? please also attach your
> smb.conf file.

samba version 1.2.18p3, (obtained as samba-latest from the samba.anu.edu.au ftp site) i am using debian (kernel version 2.0.33). I use the gcc compiler 2.7.2.1.

>
> _then_ we can answer your question :-)

that would be helpful... :-)

[snip snip]
to see the problem, look some messages back, the mail would become too long...
It is just that when i log in incorrect, the SAM-file on the NT machines are corrupted... (so the administrator can't log on locally...--> problem!)

Thanks
Bernard

Bernard@zeus.rug.ac.be Student University of Ghent

Here is my smb.conf file : (cut out the comment and the not used parameters, so those who are not mentioned are the default). The commented parameters are the ones i doubt about...

------start smb.conf------
# info: the server name (location of this smb.conf) is xxx.xxx.41.37
[global]
   workgroup = PDCZEUS
   server string = Samba Server (Einstein)
   hosts allow = xxx.xxx.41. 127.0.0.1
   load printers = no
   security = user
;  password server =
   encrypt passwords = yes
   socket options = TCP_NODELAY
   local master = yes
   os level = 33
   domain master = yes
   preferred master = yes
   domain controller = no
   domain logons = yes
;  logon path = \\%L\Profiles\%U
   wins support = yes
;  wins server = xxx.xxx.41.37
;  wins proxy = yes
   dns proxy = no

   domain sid = S-1-5-21-123-456-789-123
   domain hosts allow = xxx.xxx.41.32 xxx.xxx.41.38 xxx.xxx.41.34
   debuglevel=4
   domain admin users = bart bernard

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
   writable = no
   share modes = no

[Profiles]
   path = /usr/local/samba/profiles
   browseable = no
   guest ok = yes

-------end smb.conf--------

From bias at pobox.com Fri Mar 27 14:22:44 1998
From: bias at pobox.com (Liston Bias)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
In-Reply-To: <01bd58df$3e15a880$6664a8c0@pelle>
Message-ID:

On Fri, 27 Mar 1998, Frank Berger wrote:

> Is it possible, to have the Solaris server (Samba) do the authentification
> of users logging on to an NT-client ?

Please let me know if you get any replies to this query. We are looking to move to Samba authentication on Solaris Server, but have not had the time to really look into it.

We currently use NISGina to authenticate via NIS and then have perl scripts customize the default profile for current user. It works well for our purposes right now, but we are always looking to move forward.

It is my belief that to perform Samba Authentication and remote profiles, you have to invest in maintaining two password files (NIS and Samba). This is easy to maintain once it is setup, but setting it up for the first time seems like a pain since users will have to retype their password for us to create the Samba Password. There is no way to convert an NIS password to Samba as there should not be.

We have a couple hundred PC's here at the College of Engineering. We run NT on nearly all and have refused to get a NT Server.

Regards,
Liston

==============================================================================
Liston Bias
Systems Administrator              Office: COE 310
Computing & Multimedia Services    Phone: (850) 487-6478
FAMU-FSU College of Engineering    << EMAIL PREFERRED >>
2525 Pottsdamer St. Tallahassee, FL 32310
http://www.eng.fsu.edu/~bias       bias@pobox.com
==============================================================================

From cartegw at Eng.Auburn.EDU Fri Mar 27 14:49:25 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: NT4(SP3) and corrupted SAM files.
References:
Message-ID: <351BBC75.D2C1FF25@eng.auburn.edu>

Bernard Grymonpon wrote:
>
> samba version 1.2.18p3, (obtained as samba-latest from the
> samba.anu.edu.au ftp site) i am using debian (kernel version 2.0.33). I
> use the gcc compiler 2.7.2.1.

Perhaps you mean 1.9.18p3? :-)

Anyways, you should download the latest BRANCH_NTDOM code. See http://www.eng.auburn.edu/users/cartegw/samba__ntdom_faq.html for the latest draft of the NTDOM FAQ.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Fri Mar 27 14:56:27 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
References: <01bd596c$d7da7440$6664a8c0@pelle>
Message-ID: <351BBE1B.4B90D2EB@eng.auburn.edu>

Frank Berger wrote:
>
> If I don't want PDC support, then the Sun doesn't authenticate, right?
> I don't want that (no PDC) then :-)

You can have your NT clients connect to shares from a samba server using NIS or any /etc/passwd equivalent. If you have SP3 installed on the NT client and have not enabled PlainTextPasswords then you will not be able to connect to a non-encrypted samba server. See docs/NT4_*.reg for the exact setting.

For a samba server to validate the NT login ( not share connection ), you will have to enable the PDC support and use encrypted passwords. Or as Liston pointed out, you can use NISgina which replaces msgina.dll and does validate against NIS ( but you don't get login scripts, system policies, etc... ).

Hope this makes sense.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Fri Mar 27 14:58:54 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
References:
Message-ID: <351BBEAE.93FD4A49@eng.auburn.edu>

Liston Bias wrote:
>
> It is my belief that to perform Samba Authentication and remote
> profiles, you have to invest in maintaining two password files (NIS and
> Samba). This is easy to maintain once it is setup, but setting it up for
> the first time seems like a pain since users will have to retype their
> password for us to create the Samba Password. There is no way to
> convert an NIS password to Samba as there should not be.

You are correct. What we are doing is making the user change their password from a Sun which will propagate the clear text password to the NIS passwd files and smbpasswd.

>
> We have a couple hundred PC's here at the College of Engineering. We
> run NT on nearly all and have refused to get a NT Server.

Congratulations! :-)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From venere at dc.ufscar.br Fri Mar 27 19:56:48 1998
From: venere at dc.ufscar.br (Guilherme Venere)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
References:
Message-ID: <351C047F.ED29FBBA@dc.ufscar.br>

Johan Hedin wrote:

> Of course you have checked this, but just in case...
> You can get the error you get if you're out of disk space.
>
> > Compiling smbpass.c
> > gcc: Internal compiler error: program cc1 got fatal signal 6
> > make: *** [smbpass.o] Error 1
> >
>

Actually, I had the same problem compiling on my linux i386 box. I have a p166 with overclock to 200, the problem has been solved by downclocking it back to 166. Seems like linux doesn't like overclocked computers, and fails in big compilations.

Of course this can be your problem or not, I'm just sending my comment because I always get the same error here.

--
Guilherme Venere
----------------------------------------------------------------------------------------------
Federal University of Sao Carlos - SP - Brazil    http://www.dc.ufscar.br/~venere
Computer Science Bacharel                         mailto: venere@dc.ufscar.br
Project: Secure Network Administration            icq #: 1471812
----------------------------------------------------------------------------------------------

From daniel at cibercafe.pt Fri Mar 27 18:44:47 1998
From: daniel at cibercafe.pt (Daniel Fonseca)
Date: Tue Dec 2 02:23:54 2003
Subject: Problem compiling, any help will be very good.
In-Reply-To: <351B1F61.23A4@lci.ufrj.br>
Message-ID:

On Fri, 27 Mar 1998, [UNKNOWN-8BIT] Maurício Santiago wrote:

> In fact I have Slackware installed and gcc version is 2.7.2.3, compiled
> now with FLAGSM = -DLINUX only and still:

Please go into the Makefile and look for and strip all "-O?" occurrences, meaning that you should take off -O -O1 -O2 etc. not only in the FLAGSM, there are some more around there (obviously don't take them out in the commented sections! ;)

>
> Compiling smbpass.c
> gcc: Internal compiler error: program cc1 got fatal signal 6
> make: *** [smbpass.o] Error 1

I've had these exact same error messages and it worked for me (yes, at first I only took the -O's off in the FLAGSM part, and then I perused the Makefile some more, because I verbosely saw some -O's while doing "make")

> Can't I get a ready binary compiled with -DNTDOMAIN?, I mean is there a
> way to get it like there is for the samba without the DOMAIN feature?

It's complicated because we would have to have pre-compiled binaries with each and every little option compiled in (shadow, non-shadow, quota, PAM, etc).

> Thanks again, I love SAMBA, sorry to bother.

No bother at all. Keep loving it. I'm sure it loves you too! :)

Compliments to all the Samba Team for their extraordinary works and efforts into making NT Servers useless! I wish I could put KDE in all Workstations without the users asking what kind of Windows 95/NT that was... ;)

Daniel Fonseca - SysAdmin for Cibercafe
http://www.cibercafe.pt - Your Internet Cafe in Oporto

From jallison at whistle.com Sat Mar 28 02:10:47 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:54 2003
Subject: Samba 1.9.18p4 released.
References:
Message-ID: <351C5C27.7A79CB24@whistle.com>

Tim Winders wrote:
>
> Have the changes for p4 been incorporated into the NTDOM_BRANCH yet? What
> is the expected schedule for the two branches to be merged?
>

The NTDOM branch has been (is being) migrated into the Samba main (HEAD) branch. The remaining parts not yet merged are the new client functionality.

The p4 functionality is in the main branch code stream. Luke was going to test the main branch NT Domain functionality this week, but got called away to a contract in Vienna.

I will probably do the testing myself next week. Once we're sure the main branch has all the functionality that NTDOM had, in terms of serving NT clients, we'll put out an official announcement in the NTDOM list and ask people to move over to the main branch.

I hope you don't mind but I'm CC:ing the samba-ntdom list so people using the NTDOM branch know what's going on.

Hope this helps,

Jeremy Allison
Samba Team.

--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Sat Mar 28 16:27:31 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:23:54 2003
Subject: NT4(SP3) and corrupted SAM files.
In-Reply-To:
Message-ID:

On Fri, 27 Mar 1998, Bernard Grymonpon wrote:

> On Sat, 28 Mar 1998, Luke Kenneth Casson Leighton wrote:
>
> > On Thu, 26 Mar 1998, Bernard Grymonpon wrote:
> >
> > > I've encountered a very strange thing. I have installed the Samba
> > > Nt-domain, and everything works fine. The domain is there, i can log in,
> > > ..
> >
> > which version? where did you obtain it from? what system are you using?
> > what compiler? which version of the compiler? please also attach your
> > smb.conf file.
>
> samba version 1.2.18p3, (obtained as samba-latest from the
> samba.anu.edu.au ftp site) i am using debian (kernel version 2.0.33). I
> use the gcc compiler 2.7.2.1.

ta, bernard.

ok, you will need BRANCHNTDOM version: see http://samba.anu.edu.au/cvs.html.

also, you want "domain controller = yes" and "domain sid = S-1-5-21-123-456-789" - only three components after 21-

you _will_ get problems if you use 1.9.18p3, absolutely guaranteed.

luke

> >
> > _then_ we can answer your question :-)
> that would be helpful... :-)
>
> [snip snip]
> to see the problem, look some messages back, the mail would become too
> long...
> It is just that when i log in incorrect, the SAM-file on the NT machines
> are corrupted... (so the administrator can't log on locally...--> problem!)
>
> Thanks
> Bernard
>
> Bernard@zeus.rug.ac.be Student University of Ghent
>
>
> Here is my smb.conf file : (cut out the comment and the not used
> parameters, so those who are not mentioned are the default).
> The commented parameters are the ones i doubt about...
>
> ------start smb.conf------
> # info: the server name (location of this smb.conf) is xxx.xxx.41.37
> [global]
>    workgroup = PDCZEUS
>    server string = Samba Server (Einstein)
>    hosts allow = xxx.xxx.41. 127.0.0.1
>    load printers = no
>    security = user
> ;  password server =
>    encrypt passwords = yes
>    socket options = TCP_NODELAY
>    local master = yes
>    os level = 33
>    domain master = yes
>    preferred master = yes
>    domain controller = no
>    domain logons = yes
> ;  logon path = \\%L\Profiles\%U
>    wins support = yes
> ;  wins server = xxx.xxx.41.37
> ;  wins proxy = yes
>    dns proxy = no
>
>    domain sid = S-1-5-21-123-456-789-123
>    domain hosts allow = xxx.xxx.41.32 xxx.xxx.41.38 xxx.xxx.41.34
>    debuglevel=4
>    domain admin users = bart bernard
>
> [homes]
>    comment = Home Directories
>    browseable = no
>    writable = yes
>
> [netlogon]
>    comment = Network Logon Service
>    path = /usr/local/samba/lib/netlogon
>    guest ok = yes
>    writable = no
>    share modes = no
>
> [Profiles]
>    path = /usr/local/samba/profiles
>    browseable = no
>    guest ok = yes
>
> -------end smb.conf--------
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From winadmin at osd.fau.edu Sat Mar 28 21:34:38 1998
From: winadmin at osd.fau.edu (Workstation Maintenance)
Date: Tue Dec 2 02:23:54 2003
Subject: Samba PDC vs. NT Server and other clarifications.
Message-ID:

A non-text attachment was scrubbed...
Name: not available
Type: text/enriched
Size: 2302 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980328/36d3664b/attachment.bin

From steve at sjs.com Sat Mar 28 21:45:20 1998
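A lint for the three PDC settings called out in the "Solaris Samba-Server with NT-Clients" and "NT4(SP3) and corrupted SAM files" threads above: "encrypt passwords = yes" (Jerry), "domain controller = yes" and a "domain sid" with exactly three components after 21- (Luke), run over the [global] section Bernard posted. This is an added example, not part of any message in the archive and not Samba code; the function names are hypothetical, and the checks encode only the advice given in these threads for the BRANCH_NTDOM code of the time.

```python
"""Lint an smb.conf [global] section against the PDC advice in this thread."""
import re

# Constructed sample: a subset of the [global] settings from the smb.conf
# posted in the thread (addresses were already masked in the post).
POSTED_CONF = """\
# info: the server name (location of this smb.conf) is xxx.xxx.41.37
[global]
   workgroup = PDCZEUS
   security = user
;  password server =
   encrypt passwords = yes
   domain master = yes
   domain controller = no
   domain logons = yes
   domain sid = S-1-5-21-123-456-789-123
   debuglevel=4

[netlogon]
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
"""

TRUE_WORDS = {"yes", "true", "1"}
# "only three components after 21-", as the reply in the thread puts it.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(-\d+){3}")


def parse_smb_conf(text):
    """Return {section: {param: value}}.

    Section and parameter names are lower-cased and inner whitespace is
    collapsed; lines starting with '#' or ';' are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    """Interpret an smb.conf boolean; a missing parameter counts as false."""
    return value is not None and value.strip().lower() in TRUE_WORDS


def lint_pdc_settings(text):
    """Return a list of (parameter, message) findings for [global]."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if not is_true(g.get("domain logons")):
        return findings  # not set up as a logon server: nothing to check
    if not is_true(g.get("encrypt passwords")):
        findings.append(("encrypt passwords",
                         "must be yes to get the PDC support"))
    if not is_true(g.get("domain controller")):
        findings.append(("domain controller",
                         "expected yes on the server handling domain logons"))
    sid = g.get("domain sid")
    if sid is not None and not DOMAIN_SID_RE.fullmatch(sid):
        findings.append(("domain sid",
                         "expected S-1-5-21- followed by exactly three "
                         "numeric components, got %r" % sid))
    return findings


if __name__ == "__main__":
    for param, message in lint_pdc_settings(POSTED_CONF):
        print("%s: %s" % (param, message))
```
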
From: steve at sjs.com (Steve)
Date: Tue Dec 2 02:23:54 2003
Subject: NT Primary Controller problems.
Message-ID:

I have Samba running on a Linux platform and I used to have my NT V4.0 Primary Domain Controller successfully mounting Samba shares.

A couple of days ago, I installed NT V4.0 service Pak3 and I.E. V4.0 to my Primary Domain Controller. Every time I try to connect to a Samba share on my NT machine, I now get this error: "The Account is not authorized to login from this station" .

Has anyone seen these before? Does anyone know what I need to do to solve this?

Best Regards,
Steve Stuczynski

From cartegw at Eng.Auburn.EDU Sat Mar 28 22:05:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: NT Primary Controller problems.
References:
Message-ID: <351D743B.29506B0A@eng.auburn.edu>

Steve wrote:
>
> I have Samba running on a Linux platform and I used to have my NT
> V4.0 Primary Domain Controller successfully mounting Samba shares.
> A couple of days ago, I installed NT V4.0 service Pak3 and I.E.
> V4.0 to my Primary Domain Controller. Every time I try to connect to a
> Samba share on my NT machine, I now get this error: "The Account is not
> authorized to login from this station" .
> Has anyone seen these before? Does anyone know what I need to do
> to solve this?
>

Look at docs/NT4_EnablePlainTextPasswords.reg

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From heinig at hdz-ima.rwth-aachen.de Sat Mar 28 20:22:36 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:23:54 2003
Subject: Samba 1.9.18-NTDOM login failure - Domain not available
Message-ID: <351D5C0C.D50F17CB@hdz-ima.rwth-aachen.de>

Hi all,

I got the latest CVS version of Samba - NTDOM (I got it on Friday the 27th March - yesterday..), compiled it (with a few modifications to the Makefile) and got it up and running. I tried to do a NT domain logon from an NT box and at first got the message "Successful login", or words to that effect (we have the German version of NT). However, after an interval of maybe 5-10 seconds I got the message "Domain unavailable" or rather, the German equivalent.

It seems to me that one or two people have actually managed to log in, judging by the postings, or maybe I got something wrong...

Just so there's no mistake: I tried logging in to the NT workstation (v 4.0) with a user name that is NOT defined on the workstation, but defined on the UNIX (Solaris 2.6) server running Samba. (The user is in the smbpasswd file, with a valid password, the smb.conf has password encryption turned on, as has the NT box).

It seems to me that I'm *very* *nearly* there, since the workstation says "successful login" but then complains about the domain being unavailable.

Anyone have any ideas?

cheers
Gerald

From cartegw at Eng.Auburn.EDU Sat Mar 28 22:42:32 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:54 2003
Subject: Samba PDC vs. NT Server and other clarifications.
References:
Message-ID: <351D7CD8.52D22426@eng.auburn.edu>

Workstation Maintenance wrote:
>
> to the samba server. It may sound funny that I mention this, but I read
> something in either ntdomain.txt or domains.txt that suggested this was
> not possible (something about samba ignoring the password at logon, but
> _not_ when connecting to shares). It would be nice for user/group info
> from the samba server to work on the NT client as well (i.e. permissions
> on files on the local machine) but I also suspect this is not possible

See the link to the latest draft of the NTDOM FAQ off my page ( in my signature ). To validate logins you will need to define USE_ARCFOUR in the makefile.

> yet. Basically I am unclear on the difference between a "real" PDC and
> samba acting as one - I am a little late to these discussions and seem
> to be missing such basic info. I have re-read the documentation included
> with the samba source and found it a bit confusing and somewhat
> contradicting. Not to criticize at all, I understand this stuff is
> probably new to everyone and I think the documentation is terrific!

Differences are things like some various pipe functionality as well as TRUST relationships, etc.... Sorry to be vague but pretty much most of what you need to run a Samba PDC in a lab is there ( i'm doing the same thing )

> I attempted to use samba 1.9.18p3 (with -Dntdomain added to the flagsm
> line of the makefile) with out success. I (for lack of another way)
> finally used the username m option in smb.conf to map the machine
> username to another user, then I just changed that user's password to
> also be the machine name - This changes the error message on the NT
> client from "the domain server can not be accessed" to "the account
> either does not exist or can not be accessed." The smb logs reflect the
> following: s: do mismatch
> It is purely a guess that this has to do with domain sid (only because
> testparm says it is an unknown parameter)?

Get the BRANCH_NTDOM version via CVS instructions in the FAQ. PDC support in the main branch does not work. BRANCH_NTDOM branched from 1.9.18alpha11 but will be rejoining the MAIN branch soon i think.

> Any clarification on compiling samba with ntdomain support, and setting
> up the workstation accounts a bit easier, and what domain sids are.

smbpasswd ( in BRANCH_NTDOM ) has an option -m to add machine accounts. Again see the FAQ.

>
> Thanks again,
> Ivan Fetch

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From steve at sjs.com Sun Mar 29 20:22:19 1998
From: steve at sjs.com (Steve)
Date: Tue Dec 2 02:23:54 2003
Subject: NT Primary Controller problems.
In-Reply-To: <351D743B.29506B0A@eng.auburn.edu>
Message-ID:

Thanks to everyone who responded to my posting. I double clicked on NT4_PlainPassword.reg in the Samba docs directory, rebooted the NT server and everything is now working the way that it used to.

Best Regards,
Steve Stuczynski

From twinders at SPC.cc.tx.us Mon Mar 30 21:12:41 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:23:54 2003
Subject: PANIC ERROR in smb.log
Message-ID:

I was just browsing through my smb.log file and noticed a whole bunch of these errors:

oplock_break: global_oplocks_open < 0 (-1). PANIC ERROR

The (-1) number varies, I have seen -2 and -7 as well. What is going on? Is this a problem? I am using BRANCH_NTDOM last updated about 2 weeks ago on Digital UNIX 4.0D

---------------------------------------------------------------------
| Tim Winders, CNE, MCP | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369   |
| South Plains College  | Fax: 806-897-4711            |
---------------------------------------------------------------------

From brianb at atc.ll.mit.edu Mon Mar 30 21:53:35 1998
From: brianb at atc.ll.mit.edu (Brian Burke x0839)
Date: Tue Dec 2 02:23:54 2003
Subject: PANIC ERROR in smb.log
Message-ID: <199803302153.QAA00492@wilbur.ll.g41g42>

I used to get these too... it seems that oplocks code in the NTDOM branch is broken (fixed in the main code)

For me, this meant losing files on shares... particularly bad with Visual C++ saving its code/data to a unix share.

If you disable oplocks, these problems go away and all works well (although slightly slower). Disable by putting

    oplocks = False

in smb.conf

> I was just browsing through my smb.log file and noticed a whole bunch of
> these errors:
>
> oplock_break: global_oplocks_open < 0 (-1). PANIC ERROR
>
> The (-1) number varies, I have seen -2 and -7 as well. What is going on?
> Is this a problem? I am using BRANCH_NTDOM last updated about 2 weeks
> ago on Digital UNIX 4.0D
>

-Brian

Brian Burke
MIT Lincoln Laboratory
Air Traffic Surveillance

From frank at engineer.com Mon Mar 30 21:25:36 1998
From: frank at engineer.com (Frank Berger)
Date: Tue Dec 2 02:23:54 2003
Subject: Solaris Samba-Server with NT-Clients
Message-ID: <01bd5c22$6152c620$6664a8c0@pelle>

>For a samba server to validate the NT login ( not share connection ),
>you will have to enable the PDC support and use encrypted passwords. Or
>as Liston pointed out, you can use NISgina which replaces msgina.dll and
>does validate against NIS ( but you don't get login scripts, system
>policies, etc... ).
>
>Hope this makes sense.

It does, but it doesn't make me very happy :-(

Have you (or anybody else) ever tried to leave the authentication to an
NT-Server?
(And ONLY that - and ONLY for the time samba being developed!) ;-)

Thanx!

Mach's besser,
Frank

INet     : frank@engineer.com
Homepage : http://home.pages.de/~pelle/

From tridge at samba.anu.edu.au Tue Mar 31 02:10:23 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:23:54 2003
Subject: NTDOM support in main branch
Message-ID: <19980331021025Z12583384-24328+6628@samba.anu.edu.au>

Jeremy and I have both tested the main CVS branch and it now seems to
correctly support the NT domain stuff. Jeremy did the merge a couple
of weeks ago but we only found the last couple of merge bugs today.

I'd appreciate it if a few people who have successfully used the
domain controller support in BRANCH_NTDOM could test the main branch
and let us know if anything doesn't work that works in the NTDOM
branch. Please report back to this list.

Note that:

1) you don't need to compile with -DNTDOMAIN, that is now the default
2) you don't need any external code or libraries. All the necessary
   code is built in.

You still need to follow Luke's instructions on how to set this stuff
up, which is why I'm particularly interested in hearing from people
who have already successfully used the BRANCH_NTDOM code.

If no problems are found with the main branch then development can
stop in the BRANCH_NTDOM branch.

Note that to checkout the main branch you just leave out the "-r BRANCH_NTDOM"
option to cvs.

Cheers, Andrew

From jallison at whistle.com Tue Mar 31 02:29:50 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <19980331021025Z12583384-24328+6628@samba.anu.edu.au>
Message-ID: <3520551E.167EB0E7@whistle.com>

Andrew Tridgell wrote:
>
> Jeremy and I have both tested the main CVS branch and it now seems to
> correctly support the NT domain stuff. Jeremy did the merge a couple
> of weeks ago but we only found the last couple of merge bugs today.
>
> I'd appreciate it if a few people who have successfully used the
> domain controller support in BRANCH_NTDOM could test the main branch
> and let us know if anything doesn't work that works in the NTDOM
> branch. Please report back to this list.
>
> Note that:
>
> 1) you don't need to compile with -DNTDOMAIN, that is now the default
> 2) you don't need any external code or libraries. All the necessary
> code is built in.
>
> You still need to follow Luke's instructions on how to set this stuff
> up, which is why I'm particularly interested in hearing from people
> who have already successfully used the BRANCH_NTDOM code.
>
> If no problems are found with the main branch then development can
> stop in the BRANCH_NTDOM branch.
>
> Note that to checkout the main branch you just leave out the "-r BRANCH_NTDOM"
> option to cvs.
>

FYI: One thing that has changed is the definition of what
is a 'machine' account in smbpasswd. Luke's NTDOM branch
had a ':080:' field that encoded the account type, I have
now changed this in the main branch to be an ASCII encoded
:[W]: field (see the source for details, I haven't had time
to write everything up for the docs).

As any account ending in '$' is automatically treated as
a workstation account even if it doesn't have the magic
[W] field then old NTDOM smbpasswd files should still
work ok - but you might want to note the change for
future reference.
Also, I'm still working on a strange problem with getting
a 'machine account password incorrect' error message
when logging in as a user from my NT server machine, so
all may not be *quite* rosy yet :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Tue Mar 31 04:42:32 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: Solaris Samba-Server with NT-Clients
In-Reply-To: <01bd5c22$6152c620$6664a8c0@pelle>
Message-ID:

On Tue, 31 Mar 1998, Frank Berger wrote:

> Have you (or anybody else) ever tried to leave the authentication to an
> NT-Server ?
> (And ONLY that - and ONLY for the time samba being developed !) ;-)
>

We make our users change their passwd from a unix box which
propagates to changing the smbpasswd file. The password files are
therefore in sync with no real extra effort. For now changing your
passwd from an NT box is unsupported. This is still in the very
early stages though.

IMHO having the NT accounts and unix accounts all on the unix side
makes passwd sync somewhat of a non-issue ( I know I'll get some
comments on this one ;) ) Some of our users will never use an NT box
so there's no reason to give them another account to keep up with.
For those that need NT access though, they simply change their passwd
and voilà!

I will say that our process works in theory. Still very new and
working on some stability issues on the server process side.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Tue Mar 31 14:35:06 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <19980331021025Z12583384-24328+6628@samba.anu.edu.au>
Message-ID: <3520FF1A.7DEE3BA0@eng.auburn.edu>

Andrew Tridgell wrote:
>
> Jeremy and I have both tested the main CVS branch and it now seems to
> correctly support the NT domain stuff. Jeremy did the merge a couple
> of weeks ago but we only found the last couple of merge bugs today.
>
> I'd appreciate it if a few people who have successfully used the
> domain controller support in BRANCH_NTDOM could test the main branch
> and let us know if anything doesn't work that works in the NTDOM
> branch. Please report back to this list.
>
> Note that:
>
> 1) you don't need to compile with -DNTDOMAIN, that is now the default
> 2) you don't need any external code or libraries. All the necessary
> code is built in.
>
> You still need to follow Luke's instructions on how to set this stuff
> up, which is why I'm particularly interested in hearing from people
> who have already successfully used the BRANCH_NTDOM code.

I just replaced the BRANCH_NTDOM binaries with the latest main samba
cvs ones. All appears to be working fine. I have not had a chance to
add a machine to the domain but will do so this afternoon.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From johanh at fusion.kth.se Tue Mar 31 14:51:25 1998
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:23:55 2003
Subject: tested NTDOM support in main branch
Message-ID:

We have tested the NTDOM support in the main branch on Solaris 2.6 with
one NT 4 Sp3 workstation. Everything works fine, as in the old
BRANCH_NTDOM.

/Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

From cartegw at Eng.Auburn.EDU Tue Mar 31 18:26:02 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:23:55 2003
Subject: NTDOM support in main branch
References: <3520551E.167EB0E7@whistle.com>
Message-ID: <3521353A.F9D3E306@eng.auburn.edu>

As an interesting consequence of merging NTDOM into the main branch,
I no longer get the "ERROR verify : " when attempting to copy a file
from a network drive to the local disk via the command prompt.

C:\> copy x:\test.txt c:\temp /v

I posted something about this a couple of weeks ago but the point is
moot now I guess.

Thanks. :-)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From heinig at hdz-ima.rwth-aachen.de Tue Mar 31 18:26:00 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:23:55 2003
Subject: Samba 1.9.18-NTDOM login failure - Domain not available
References: <351D5C0C.D50F17CB@hdz-ima.rwth-aachen.de> <35213E12.F8E59FD5@eng.auburn.edu>
Message-ID: <35213537.895DEC15@hdz-ima.rwth-aachen.de>

Gerald W. Carter wrote:

> Gerald Heinig wrote:
> >
> > Hi all,
> >
> > I got the latest CVS version of Samba - NTDOM (I got it on Friday the
> > 27th March - yesterday..), compiled it (with a few modifications to the
> > Makefile) and got it up and running. I tried to do an NT domain logon
> > from an NT box and at first got the message "Successful login", or words
> > to that effect (we have the German version of NT). However, after an
> > interval of maybe 5-10 seconds I got the message "Domain unavailable" or
> > rather, the German equivalent. It seems to me that one or two people
> > have actually managed to log in, judging by the postings, or maybe I got
> > something wrong...
> > Just so there's no mistake: I tried logging in to the NT workstation (v
> > 4.0) with a user name that is NOT defined on the workstation, but
> > defined on the UNIX (Solaris 2.6) server running Samba. (The user is in
> > the smbpasswd file, with a valid password, the smb.conf has password
> > encryption turned on, as has the NT box).
> > It seems to me that I'm *very* *nearly* there, since the workstation
> > says "successful login" but then complains about the domain being
> > unavailable.
> >
> > Anyone have any ideas?
> >
> > cheers
> >
> > Gerald
>
> Did you ever get an answer on this?
>

Yes, I did ..... from myself :-) :-)
The problem was the netmask on the Solaris box: I had a netmask defined
for a B type net i.e. 255.255.0.0 and the NT box was (correctly) defined as
255.255.255.0 type C. In my experience this doesn't usually bother UNIX
systems, but NT is rather finicky here.
Before we all start cheering about the Microsoft TCP/IP implementation,
though, I might add that NT behaved *very* strangely. It sometimes
managed to see the Samba server first time, sometimes second time round,
occasionally never... etc...
The correct behaviour should be either it works fine ALL the time or it
doesn't work ALL the time.

....and the hack goes on....

Gerald

From heinig at hdz-ima.rwth-aachen.de Tue Mar 31 18:38:37 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:23:55 2003
Subject: NT: Cannot update internal security to add computer to domain
Message-ID: <3521382D.19931FCC@hdz-ima.rwth-aachen.de>

Hi all,

More fun whilst trying to add an NT 4.0 SP3 box to a Samba
1.9.18p4/Solaris 2.6 domain:
I added the obligatory machine$ and 0080 entries to the smbpasswd file
plus encrypted fields with machine name as password and tried to add a
machine to the domain. I got the error message:
"Could not update internal security to add computer to domain" or words
to that effect in German (we have the German NT version here).

Ideas, anyone?

Gerald

PS. I'm going to compile the latest 1.9.18p4 tarball tomorrow - I got
the above version from the cvs repository. I'll post any problems I
encounter with the merged version...

From william at hae.com Tue Mar 31 21:45:46 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:23:55 2003
Subject: Andrew Tridgell Sued by Microsoft!
Message-ID:

April Fools.

William
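
Added example, not part of any post in this thread and not Samba code: Jeremy Allison's note above says a machine account can be marked by the BRANCH_NTDOM ':080:' field, by the main-branch ':[W]:' field, or simply by a name ending in '$'. The sketch below audits smbpasswd-style lines against those three markers; the colon-separated layout with the account name first, the "review" category, and the sample entries are assumptions constructed for illustration.

```python
# Added example: audit smbpasswd-style lines for machine (workstation) accounts.
# ASSUMPTION: colon-separated fields with the account name first. The thread
# does not give the position of the type field, so every later field is checked
# (a uid written exactly as "080" would therefore be misread as the marker).

LEGACY_MARKER = "080"   # BRANCH_NTDOM account-type field, as quoted in the thread
MAIN_MARKER = "[W]"     # main-branch ASCII field, as quoted in the thread


def classify(line):
    """Return (name, kind, notes) for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    name, *fields = line.split(":")
    fields = [f.strip() for f in fields]
    has_legacy = LEGACY_MARKER in fields
    has_main = MAIN_MARKER in fields
    notes = []
    if name.endswith("$"):
        # Per the thread, a trailing '$' alone makes this a workstation account.
        kind = "machine"
        if has_legacy and not has_main:
            notes.append("legacy 080 field; note for migration to [W]")
        elif not (has_legacy or has_main):
            notes.append("machine only by '$' suffix; no type field")
    elif has_legacy or has_main:
        # Hypothetical audit category: the thread does not say how this is handled.
        kind = "review"
        notes.append("type field marks a machine but name lacks '$'")
    else:
        kind = "user"
    return name, kind, notes


def audit(text):
    """Classify every entry in a smbpasswd-style text blob."""
    return [r for r in map(classify, text.splitlines()) if r is not None]


# Constructed sample; the hash fields are placeholders, not real values.
H = "X" * 32
SAMPLE = f"""\
# constructed sample
ws01$:1001:{H}:{H}:080:
ws02$:1002:{H}:{H}:[W]:
ws03$:1003:{H}:{H}:
alice:1004:{H}:{H}:
bob:1005:{H}:{H}:[W]:
"""

if __name__ == "__main__":
    for name, kind, notes in audit(SAMPLE):
        print(f"{name:8} {kind:8} {'; '.join(notes)}")
```
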