From cartegw at Eng.Auburn.EDU Fri May 1 01:08:38 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To: <3.0.3.32.19980501094026.00832100@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Fri, 1 May 1998, David Bannon wrote:

> At 07:39 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:
> >> Dial in access over a modem.
>
> >right, then i need to know what the RID of the "modem group" is, from a
> >packet trace or some other lookup.
>
> Cool.
>
> I have checked the nt server, it has no intention of telling me what the
> MODEM_USERS RID is. (if I needed to know that, I would have been born with
> the information coded into my genes...., thanks Bill)
>
> Can you refer me to some instructions on how to do a packet trace ?
> Please !
>

Do you have the Nt Server resource kit? you can use the getsid.exe
utility. As well as checking out a recent thread on the NTBUGTRAQ
mailing list about the admin sid. I think a URL was posted for a
user2sid and sid2user utility. I'll try to dig it up if you want.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From mathewss at nutech.com Fri May 1 07:43:45 1998
From: mathewss at nutech.com (mathewss@nutech.com)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To:
Message-ID:

I finally had time to move from BRANCH_NTDOM to
the main branch and im now running 1.9.19-prealpha

I can get usermgr/server mgr to run now..
but inside of usermgr i get some strange data..

I end up with an unprintable character after
each user name?

also i just tested the
smbpasswd -a -m TEST
and it tells me this
User "TEST$" was not found in system password file.
anyway im sure i missed something but not sure
where to begin now :( i was doing ok with NTDOMAIN
CVS but now it seems i need to catch up on the
quirks of the main alpha branch..

Regards
Sean M.

From cartegw at Eng.Auburn.EDU Fri May 1 13:07:36 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
References:
Message-ID: <3549C918.AEDAE809@eng.auburn.edu>

mathewss@nutech.com wrote:
>
> I finally had time to move from BRANCH_NTDOM to
> the main branch and im now running 1.9.19-prealpha
>
> I can get usermgr/server mgr to run now..
> but inside of usermgr i get some strange data..
>
> I end up with an unprintable character after
> each user name?

No idea on this one. I've seen it before in earlier release
but have no answer.

> also i just tested the
> smbpasswd -a -m TEST
> and it tells me this
> User "TEST$" was not found in system password file.

Jeremy has made it necessary to add the machine name to the
passwd file in order for smbpasswd to add the machine. This is
for future use.

> anyway im sure i missed something but not sure
> where to begin now :( i was doing ok with NTDOMAIN
> CVS but now it seems i need to catch up on the
> quirks of the main alpha branch..

As fast as Luke, Jeremy and all the other guys are coding,
kind of hard for all of us :)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From lkcl at regent.push.net Fri May 1 14:31:59 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
In-Reply-To: <35488315.382F8F8F@uindy.edu>
Message-ID:

On Thu, 30 Apr 1998, Dana Canfield wrote:

> scheme.
> The only "tidy" solution I can think of that might keep overhead low is to
> create some kind of "pam_smbdb". This would work just like pam_pwdb, but would
> work with NT-style encryption, meaning you could yank out /etc/passwd and replace
> it with the contents of smbpasswd.

oo. that would do it.

From lkcl at regent.push.net Fri May 1 14:38:11 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: CVS update: samba/source/lib/rpc/server (fwd)
In-Reply-To: <3548AE76.45C3BC7E@uindy.edu>
Message-ID:

On Thu, 30 Apr 1998, Dana Canfield wrote:

> This is a great feature. It at least eliminates the lurking dilemma of
> getting the majority of users into the system. But, I do have two quick
> questions (sorry, I'm one of those that will jump, but wants to carry 6
> parachutes...):
>
> 1) Using this feature just requires changing a registry setting in NT4 SP3
> to use clear-text, right?

for the time-being, yes. once you have done the migration, you can switch
off the EnablePlainText.

> 2) If so, are there any known problems running cleartext on SP3 besides the
> "decreased security"?

nt will not store cleartext passwords. therefore when you disconnect from
a share (log out) when you reconnect you must type the password in again.
every time.

> Thanks all, it's getting exponentially better every day!
>
> Luke Kenneth Casson Leighton wrote:
>
> > fyi the way that this will be used is to have:
> >
> > encrypted passwords = no
> > update encrypted = yes
> >
> > for a few days, have everyone log in with their clear-text password, and
> > a private/smbpasswd file will automatically be generated.
> >
> > then switch to
> >
> > encrypted passwords = yes
> > update encrypted = no
> >
> > and voila.
> >
> > if you were feeling _really_ adventurous you could have:
> >
> > include = smb.conf.%M
> >
> > and have one file smb.conf.MACHINE_CT (clear-text for short)
> > with
> >
> > encrypted passwords = no
> > update encrypted = yes
> >
> > and another file smb.conf.MACHINE
> >
> > with the other stuff in...
> >
> > luke
> >
> > ---------- Forwarded message ----------
> > Date: Thu, 30 Apr 1998 11:44:18 +1000
> > From: Jeremy Allison
> > To: Multiple recipients of list
> > Subject: CVS update: samba/source/lib/rpc/server
> >
> > Date: Thursday April 30, 1998 @ 11:39
> > Author: jra
> >
> > Update of /data/cvs/samba/source/lib/rpc/server
> > In directory samba:/tmp/cvs-serv91/lib/rpc/server
> >
> > Modified Files:
> > srv_netlog.c
> > Log Message:
> > Added patch from Bruce Tenison to allow encrypted
> > passwords to be stored over time, allowing a smbpasswd file migration.
> > Adds new parameter "update encrypted".
> > Will also add to 1.9.18 branch.
> > Docs update to follow.
> > Jeremy.
> >
>

From lkcl at regent.push.net Fri May 1 14:48:31 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: PAM and NT'ed Linux ..
In-Reply-To: <199804301823.LAA09568@blighty.transmeta.com>
Message-ID:

> The pam notion of who is being authenticated is contained in the
> PAM_USER item. How this item is filled is something a module has a
> lot of control over. The default is for the application to supply
> this value when you call pam_start, or for a module to make use of the
> PAM_PROMPT item and call pam_get_user(). Alternatively, if your
> module wants to explicitly prompt for:
>
> login: me
> domain [default=here]: there

oo! excellent idea!

> password: XXXX
>
> and then translate the me/there combination into a local (UNIX)
> username with the appropriate credentials, it can. All it does is
> pam_set_item(..PAM_USER...) with the appropriate UNIX username. It

that's exactly what we needed to know.
> With "correctly" PAMified applications, this will likely "just work".
> You may have problems with things like ftpd and popd whose protocols
> are so restrictive that they don't support arbitrary user prompting...

then would the username format of \DOMAIN\user (or DOMAIN/user) suffice
in this instance? are you saying that arbitrary user prompting means
"give me a username and a password and nothing else"?

From lkcl at regent.push.net Fri May 1 14:51:37 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To: <3.0.3.32.19980501094026.00832100@bioserve.biochem.latrobe.edu.au>
Message-ID:

see archives: lots of references. basically, install Netmonitor from your
nt server cd or from SMS.

On Fri, 1 May 1998, David Bannon wrote:

> At 07:39 29/04/1998 +0000, Luke Kenneth Casson Leighton wrote:
> >> Dial in access over a modem.
>
> >right, then i need to know what the RID of the "modem group" is, from a
> >packet trace or some other lookup.
>
> Cool.
>
> I have checked the nt server, it has no intention of telling me what the
> MODEM_USERS RID is. (if I needed to know that, I would have been born with
> the information coded into my genes...., thanks Bill)
>
> Can you refer me to some instructions on how to do a packet trace ?
> Please !
>
> David.
> ------------------------------------------------------------
> David Bannon                      D.Bannon@latrobe.edu.au
> School of Biochemistry            Phone 61 03 9479 2197
> La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
> Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
> ------------------------------------------------------------
> ..... Humpty Dumpty was pushed !
>

From lkcl at regent.push.net Fri May 1 14:53:20 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: User Manager for Domains
In-Reply-To: <3549C918.AEDAE809@eng.auburn.edu>
Message-ID:

i need to do some more research into the SamrQueryDisplayInfo packet
format.

On Fri, 1 May 1998, Gerald Carter wrote:

> mathewss@nutech.com wrote:
> >
> > I finally had time to move from BRANCH_NTDOM to
> > the main branch and im now running 1.9.19-prealpha
> >
> > I can get usermgr/server mgr to run now..
> > but inside of usermgr i get some strange data..
> >
> > I end up with an unprintable character after
> > each user name?
>
> No idea on this one. I've seen it before in earlier release
> but have no answer.
>
> > also i just tested the
> > smbpasswd -a -m TEST
> > and it tells me this
> > User "TEST$" was not found in system password file.
>
> Jeremy has made it necessary to add the machine name to the
> passwd file in order for smbpasswd to add the machine. This is
> for future use.
>
> > anyway im sure i missed something but not sure
> > where to begin now :( i was doing ok with NTDOMAIN
> > CVS but now it seems i need to catch up on the
> > quirks of the main alpha branch..
>
> As fast as Luke, Jeremy and all the other guys are coding,
> kind of hard for all of us :)
>
>
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services
> Auburn University
> jerry@eng.auburn.edu
> http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

From wmperry at aventail.com Fri May 1 15:29:00 1998
From: wmperry at aventail.com (William M. Perry)
Date: Tue Dec 2 02:24:03 2003
Subject: PAM and NT'ed Linux ..
In-Reply-To: Luke Kenneth Casson Leighton's message of "Fri, 1 May 1998 14:48:31 +0000 (GMT)"
References:
Message-ID: <86pvhyj9hf.fsf@kramer.bp.aventail.com>

Luke Kenneth Casson Leighton writes:

> > The pam notion of who is being authenticated is contained in the
> > PAM_USER item. How this item is filled is something a module has a
> > lot of control over. The default is for the application to supply
> > this value when you call pam_start, or for a module to make use of the
> > PAM_PROMPT item and call pam_get_user(). Alternatively, if your
> > module wants to explicitly prompt for:
> >
> > login: me
> > domain [default=here]: there
>
> oo! excellent idea!
>
> > password: XXXX
> >
> > and then translate the me/there combination into a local (UNIX)
> > username with the appropriate credentials, it can. All it does is
> > pam_set_item(..PAM_USER...) with the appropriate UNIX username. It
>
> that's exactly what we needed to know.
>
> > With "correctly" PAMified applications, this will likely "just work".
> > You may have problems with things like ftpd and popd whose protocols
> > are so restrictive that they don't support arbitrary user prompting...
>
> then would the username format of \DOMAIN\user (or DOMAIN/user) suffice
> in this instance? are you saying that arbitrary user prompting means
> "give me a username and a password and nothing else"?

No - arbitrary user prompting is the case where you give separate prompts
for username, domain, and password, and potentially go through the
rigamarole of changing the user's password if it has expired.

This is why I have to have two different PAM modules for our server - one
that fits into the old username/password only module, and one which is
much more generic challenge/response and so can support any # of prompts
to the user.

The PAM apache module would suffer from the same drawbacks as pop and ftp
as well.

-Bill P.
From morgan at transmeta.com Fri May 1 18:37:32 1998
From: morgan at transmeta.com (Andrew Morgan)
Date: Tue Dec 2 02:24:03 2003
Subject: PAM and NT'ed Linux ..
In-Reply-To: <86pvhyj9hf.fsf@kramer.bp.aventail.com>
References: <86pvhyj9hf.fsf@kramer.bp.aventail.com>
Message-ID: <199805011837.LAA08076@blighty.transmeta.com>

William M. Perry writes:
> Luke Kenneth Casson Leighton writes:
> > then would the username format of \DOMAIN\user (or DOMAIN/user) suffice
> > in this instance? are you saying that arbitrary user prompting means
> > "give me a username and a password and nothing else"?
>
> No - arbitrary user prompting is the case where you give separate prompts
> for username, domain, and password, and potentially go through the
> rigamarole of changing the user's password if it has expired.

This does not quite say it fully. By "arbitrary" you should think "any
form of interaction with the user". Things like ftp and pop and apache
have a hard time being this flexible -- they were not written with PAM in
mind. What people have done is make the username+password available to
PAM -- it is mostly a hack but as good as you can get really.

In general, you might opt for "domain/username", perhaps having a module
argument that can flip between this and more elaborate authentication
"conversations" would be the best of both worlds..?

Cheers

Andrew

From vorlon at netexpress.net Sat May 2 17:17:13 1998
From: vorlon at netexpress.net (Stephen Langasek)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
In-Reply-To:
Message-ID:

On Fri, 1 May 1998, Luke Kenneth Casson Leighton wrote:

> On Thu, 30 Apr 1998, Dana Canfield wrote:
>
> > scheme. The only "tidy" solution I can think of that might keep
> > overhead low is to create some kind of "pam_smbdb". This would work
> > just like pam_pwdb, but would work with NT-style encryption, meaning
> > you could yank out /etc/passwd and replace it with the contents of
> > smbpasswd.

> oo. that would do it.
This sounds a bit like a module I've been (sporadically) working on,
called pam_smbpass. This module is intended to be usable for both
password changes and authentication against an /etc/smbpasswd-type
local database file. The password updates work fine, and I've been using
it for a while now to keep passwords synched between the unix & smb
databases, although I ran into a problem when I looked into stripping out
all other authentication code from samba in favor of a pure PAM interface:
since not even the version of the password as stored in the smbpasswd file
is available to the server in a network transaction, the module has to be
able to take the doubly-encrypted password and the original salt,
re-encrypt the password from the database, and spit back a yes or no at
the application. It's straightforward to fix, I just haven't gotten
around to doing it yet...

The current version is available at ftp://ftp.netexpress.net/pub/pam, for
those who are interested. Hopefully it'll save someone out there some
duplication of effort. :)

-Steve Langasek
-doink-

From canfield at uindy.edu Sat May 2 20:46:55 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
References:
Message-ID: <354B863F.38BA72E0@uindy.edu>

Another quick thought/question:

A couple of times either Luke or Jeremy (can't remember, sorry) has said
that in order to get group management and other things from User Manager
for Domains working properly would require the ability to write to the
smb.conf file. Why would you want to store that type of information in
the smb.conf? Wouldn't it make more sense to store this info, on a
per-user basis, in the smbpasswd file?

Sorry if my memory is failing and the answer was obvious or something.

Dana

From tavis at mahler.econ.columbia.edu Sun May 3 21:15:33 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:03 2003
Subject: Version Confusion
Message-ID:

I've been confused in reading the archives about what's supported in
different releases/branches and I'm wondering if somebody can help.

(1) There was a message a short while back that the BRANCH_NTDOM code
has been integrated into the main branch. I have 1.9.18.p4 running,
but this version does not recognize the "domain sid" parameter, and NT
workstations cannot find it as a domain controller, so I assume the
support is not included in this version. Is there a pre-alpha of the
main branch code that has this support built in, or will I still have
to download the BRANCH_NTDOM code?

(2) I extracted the NTDOM code using cvs and the instructions in the
file CVS_ACCESS.txt in the docs section of the 1.9.18p4 release (by
the way, these are different from the instructions in the faq at
http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
and the former seem to be the correct instructions; the latter seem to
describe how to update the main branch code). I found that it
wouldn't compile; when it was linking smbd, I got an error that the
symbol _getsmbpass wasn't defined:

...
Linking smbd
collect2: ld returned 2 exit status
ld: Undefined symbol
   _getsmbpass
   _strtoul
*** Error code 1
make: Fatal error: Command failed for target `smbd'
...

[by the way, I'm running a Sparc with SunOS414]

I then added getsmbpass.o to the libraries in my Makefile, as described
in a previous post, and it got past that hurdle. But then it stopped
(next line) because the symbol _strtoul wasn't defined. I couldn't find
any files in the source code with an even vaguely similar name, so I
have no idea what changes I need to the Makefile. Does anyone know how
I can correct it?

Why are these problems occurring? Is the code for the NTDOM branch older
and therefore previous to some bug fix?

I'd greatly appreciate any help.

Thanks,
Tavis

From D.Bannon at latrobe.edu.au Mon May 4 02:18:46 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:03 2003
Subject: group RIDs (Modem_Users)
In-Reply-To:
Message-ID: <3.0.3.32.19980504121846.00839600@bioserve.biochem.latrobe.edu.au>

At 22:58 30/04/1998 +1000, Luke Kenneth Casson Leighton wrote:
>On Wed, 29 Apr 1998, various people wrote:
>
>> If so, should someone post a list of some of the more popular group RID's
..
>> i already have the list from winnt.h,
>> but i was not aware that there are more: things like "modem users".
..
>> add "domain groups = the RID" in the smb.conf

getsid.exe tells me :

The SID for account BIO-LAB\Modem_Users is
S-1-5-21-871122656-1776954347-317593308-1004

Now, I have to ask, which RID (of the last four) should be mentioned in the
smb.conf file ?

I have checked winnt.h and Modem_Users are not mentioned, I don't
understand why there are four RIDs after the S-1-5-21- bit. The MS
Developer site does not seem to list anything, could it be that these
numbers are made up on the fly and therefore will be different on every
system ?

David.

------------------------------------------------------------
David Bannon                      D.Bannon@latrobe.edu.au
School of Biochemistry            Phone 61 03 9479 2197
La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From webber at sj.univali.rct-sc.br Mon May 4 06:00:16 1998
From: webber at sj.univali.rct-sc.br (Celso Kopp Webber)
Date: Tue Dec 2 02:24:03 2003
Subject: Security hole?
Message-ID: <354D596F.51A7B92E@sj.univali.rct-sc.br>

Hi all!

I'm currently running the last sources from the samba CVS tree, and it
works very well.

I've heard recently that NT had a weakness because it accepted
the so called 'null sessions', so that one machine could administer
another NT remotely, without providing a username and password. I
found a small program on Internet, named QTIP, that can query any NT
machine and get many useful information from it, such as a list of
users, list of shares, information about a user (for instance, user
cannot change password). I've tested this program against one NT4
server under my administration, across the Internet, and it worked!
The bad part is that it worked against SAMBA NTDOM too!

Am I mistaken? Does this really constitute a security hole that
samba is vulnerable? I've heard also that NT4 with SP3 can, if the
administrator knows, be setup on the registry to not accept 'null
sessions'. Wouldn't it be interesting to samba do the same?

Thanks in advance, and sorry if I'm saying any nonsense.

Sincerely,

Celso Kopp Webber.

From Frey at sdc.bno.cdrail.cz Mon May 4 06:23:12 1998
From: Frey at sdc.bno.cdrail.cz (Frey Tomáš)
Date: Tue Dec 2 02:24:03 2003
Subject: No subject
Message-ID:

> set samba-ntdom mail postpone

From tridge at samba.anu.edu.au Mon May 4 06:30:15 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:03 2003
Subject: Security hole?
In-Reply-To: <354D596F.51A7B92E@sj.univali.rct-sc.br> (message from Celso Kopp Webber on Mon, 4 May 1998 16:03:42 +1000)
References: <354D596F.51A7B92E@sj.univali.rct-sc.br>
Message-ID: <19980504063023Z12669373-28446+15@samba.anu.edu.au>

> I've heard recently that NT had a weakness because it accepted
> the so called 'null sessions', so that one machine could administer
> another NT remotely, without providing a username and password. I
> found a small program on Internet, named QTIP, that can query any NT
> machine and get many useful information from it, such as a list of
> users, list of shares, information about a user (for instance, user
> cannot change password).
> I've tested this program against one NT4
> server under my administration, across the Internet, and it worked!
> The bad part is that it worked against SAMBA NTDOM too!

null sessions are needed to allow for browse list propagation. Without
them two hosts can't synchronise their browse lists. (how would you
enter a password while synchronizing browse lists?)

You are right that null sessions can also be used to obtain
information. You can obtain a shares list and the name of the
workgroup etc. I never considered this to be a security hole.

What you should be doing is using the "hosts allow" and "hosts deny"
options to restrict access to your server to hosts that you want to be
able to get in. Hosts not listed won't be able to synch browse lists,
so you would normally set the list to include your organisation's local
subnets and loopback.

> Am I mistaken? Does this really constitute a security hole that
> samba is vulnerable? I've heard also that NT4 with SP3 can, if the
> administrator knows, be setup on the registry to not accept 'null
> sessions'. Wouldn't it be interesting to samba do the same?

hmmm, if you set this option in NT then how does browse list
propagation work? There is no way you could do inter-subnet browsing
without null sessions.

Cheers, Andrew

From Jean-Francois.Micouleau at utc.fr Mon May 4 09:39:38 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:24:03 2003
Subject: group RIDs (Modem_Users)
In-Reply-To: <3.0.3.32.19980504121846.00839600@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Mon, 4 May 1998, David Bannon wrote:

> getsid.exe tells me :
>
> The SID for account BIO-LAB\Modem_Users is
> S-1-5-21-871122656-1776954347-317593308-1004
>
> Now, I have to ask, which RID (of the last four) should be mentioned in the
> smb.conf file ?

the last one: 1004

-----------------------------------------------------------
: Jean Francois Micouleau : Email: jfm@utc.fr             :
: Universite de           : Tel : 03 44 23 47 78          :
: Technologie de          : Service Informatique          :
: Compiegne France        : Division IRNM                 :
-----------------------------------------------------------

From marc at reston.ans.net Mon May 4 13:41:03 1998
From: marc at reston.ans.net (Marc Sherman)
Date: Tue Dec 2 02:24:03 2003
Subject: group RIDs (Modem_Users)
In-Reply-To: <3.0.3.32.19980504121846.00839600@bioserve.biochem.latrobe.edu.au>
Message-ID: <199805041343.AA29801@interlock.reston.ans.net>

At 12:21 PM 5/4/98 +1000, David Bannon wrote:
>At 22:58 30/04/1998 +1000, Luke Kenneth Casson Leighton wrote:
>>On Wed, 29 Apr 1998, various people wrote:
>>
>>> If so, should someone post a list of some of the more popular group RID's
>.
>>> i already have the list from winnt.h,
>>> but i was not aware that there are more: things like "modem users".
>.
>>> add "domain groups = the RID" in the smb.conf
>
>getsid.exe tells me :
>
>The SID for account BIO-LAB\Modem_Users is
>S-1-5-21-871122656-1776954347-317593308-1004

I believe that "S-1-5-21-871122656-1776954347-317593308" is the domain SID
for BIO-LAB, and 1004 is the RID for "modem users". More generally, for
user and group SID's at least, I'll go out on a limb and state that
everything up to but *not* including the last 32 bits is the domain SID,
and the last 32 bits is always the RID. IOW, user and group SID's always
contain the domain SID.

>
>Now, I have to ask, which RID (of the last four) should be mentioned in the
>smb.conf file ?

Correct me if I'm wrong, but I believe there is *always* only 1 RID, which
is also counted as a subauthority, and there can be from 1 to 8
subauthorities in a SID. In this particular SID, we have 5 subauthorities
(21-871122656-1776954347-317593308-1004), and the last subauthority, 1004,
is the RID.

>I have checked winnt.h and Modem_Users are not mentioned, I don't
>understand why there are four RIDs after the S-1-5-21- bit. The MS
>Developer site does not seem to list anything, could it be that these
>numbers are made up on the fly and therefore will be different on every
>system ?

Yup, I've never found any detailed explanation about subauthorities. My
only guess is that MS needs the extra bytes in order to ensure that a
domain SID is unique across space and time. If they only had the 48 bit
identifier authority to work with, (which is the 5 in the above SID), they
probably wouldn't be able to make this claim. Having another 28 bytes
gives them more leeway.

..Marc

>
>David.
>
>
>
>
>------------------------------------------------------------
>David Bannon                      D.Bannon@latrobe.edu.au
>School of Biochemistry            Phone 61 03 9479 2197
>La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
>Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
>------------------------------------------------------------
>.... Humpty Dumpty was pushed !
>

From cartegw at Eng.Auburn.EDU Mon May 4 13:45:48 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: Version Confusion
References:
Message-ID: <354DC68C.BCA5B7B8@eng.auburn.edu>

Tavis Barr wrote:
>
> (1) There was a message a short while back that the BRANCH_NTDOM code
> has been integrated into the main branch. I have 1.9.18.p4 running,
> but this version does not recognize the "domain sid" parameter, and NT
> workstations cannot find it as a domain controller, so I assume the
> support is not included in this version. Is there a pre-alpha of the
> main branch code that has this support built in, or will I still have
> to download the BRANCH_NTDOM code?

Download the main branch via CVS. The current distributed version
( 1.9.18p4 ) does not have the PDC support.

> (2) I extracted the NTDOM code using cvs and the instructions in the
> file CVS_ACCESS.txt in the docs section of the 1.9.18p4 release (by
> the way, these are different from the instructions in the faq at
> http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
> and the former seem to be the correct instructions; the latter seem to
> describe how to update the main branch code).

The on-line FAQ is correct. Current and future development of the
NTDOM code will be in the main branch. BRANCH_NTDOM exists only for
experiments.

From the on-line FAQ....

**NOTE TO THOSE THAT PREVIOUSLY HAD BEEN USING BRANCH_NTDOM**

BRANCH_NTDOM is currently being merged into the main samba cvs
distribution. Development of the BRANCH_NTDOM code will be
discontinued shortly. This **does not** mean the development of
the Samba PDC code will be discontinued. Future development will
take place directly into the main samba branch.

Hope this helps,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Mon May 4 14:10:27 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: Couple of FAQ Admin questions / info
Message-ID: <354DCC53.F944A661@eng.auburn.edu>

Here's a couple of questions I have for you guys....

1. The On-line TODO list seems to have moved and I missed the
   bus. The address I have is
   http://peng1.uindy.edu/samba/todo.html
   but this comes up as **NOT FOUND**. Can someone point me
   to the current location.

2. I am going to put up a mirror site for the FAQ since I have had
   a couple of people indicate they experienced problems reaching
   the current location. Will post the location as soon as I get
   things settled in.

Thanks,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Mon May 4 14:18:13 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:03 2003
Subject: FAQ admin questions again
Message-ID: <354DCE25.698269FF@eng.auburn.edu>

Greetings,

I'm trying to work on some connectivity problems to the on-line FAQ.
If you've had timeouts occur trying to reach
http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html
Could you please let me know. Send e-mail directly to me. No need to
clutter the list with responses.

TA,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu          http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
    - Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Mon May 4 17:56:59 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:03 2003
Subject: SAMBA-NTDOM digest 149
References:
Message-ID: <354E016B.5656AEC7@whistle.com>

Craig Kelley wrote:

> After issuing this command, NT comes back with:
>
> -------
>
> D:\>net use * \\inconnu\cdrom /user:rxnet\ink *
> Type the password for \\inconnu\cdrom:
> System error 86 has occurred.
>
> The specified network password is not correct.
>
> -------
>
> The samba log complains that it couldn't logon to the PDC as the guest
> user:
>
> -------
>
> cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD
> domain_client_validate: unable to validate password for user guest in domain to
> Domain controller DURBY. Error was NT_STATUS_WRONG_PASSWORD.
>
> --------
>
> Am I missing something about setting up a guest account on our PDC?

Nope - I suppose I'm asking too much if I ask if the password
you're typing is correct for the domain user on the NT box
DURBY ?

Simply, everything is working correctly, except the NT box
is telling Samba this is not a valid password for the account.

Try changing that user's password to a known value and trying
again....

Let me know if you get it working,

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From canfield at uindy.edu Tue May 5 00:01:20 1998
From: canfield at uindy.edu (Dana Canfield)
Date: Tue Dec 2 02:24:03 2003
Subject: Couple of FAQ Admin questions / info
References: <354DCC53.F944A661@eng.auburn.edu>
Message-ID: <354E56D0.220D3F6D@uindy.edu>

Sorry about this. Our transition from Pentium to Alpha hasn't gone as
smoothly as I would have liked, and as a result the web server has been
up and down the past week or so. I should have everything restored
tomorrow.

Dana

Gerald Carter wrote:

> Here's a couple of questions I have for you guys....
>
> 1. The On-line TODO list seems to have moved and I missed the
>    bus. The address I have is
>        http://peng1.uindy.edu/samba/todo.html
>    but this comes up as **NOT FOUND**. Can someone point me
>    to the current location.
>
> 2. I am going to put up a mirror site for the FAQ since I have had
>    a couple of people indicate they experienced problems reaching
>    the current location. Will post the location as soon as I get
>    things settled in.
>
> Thanks,
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )

From lkcl at regent.push.net Tue May 5 09:58:16 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:03 2003
Subject: Samba PDC as a password server
In-Reply-To:
Message-ID:

On Sat, 2 May 1998, Stephen Langasek wrote:

> On Fri, 1 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > On Thu, 30 Apr 1998, Dana Canfield wrote:
> >
> > > scheme. The only "tidy" solution I can think of that might keep
> > > overhead low is to create some kind of "pam_smbdb". This would work
> > > just like pam_pwdb, but would work with NT-style encryption, meaning
> > > you could yank out /etc/passwd and replace it with the contents of
> > > smbpasswd.
>
> > oo. that would do it.
>
> This sounds a bit like a module I've been (sporadically) working on,
> called pam_smbpass. This module is intended to be usable for both
> password changes and authentication against an /etc/smbpasswd-type
> local database file. The password updates work fine, and I've been using
> it for a while now to keep passwords synched between the unix & smb
> databases, although I ran into a problem when I looked into stripping out
> all other authentication code from samba in favor of a pure PAM interface:
> since not even the version of the password as stored in the smbpasswd file
> is available to the server in a network transaction, the module has to be
> able to take the doubly-encrypted password and the original salt,
> re-encrypt the password from the database, and spit back a yes or no at
> the application. It's straightforward to fix, I just haven't gotten
> around to doing it yet...
>
> The current version is available at ftp://ftp.netexpress.net/pub/pam, for
> those who are interested. Hopefully it'll save someone out there some
> duplication of effort. :)

yes it surely will.

stephen, got a couple of things to say:

1) we've added some extra fields to the end of the smbpasswd file entries:
it might be worthwhile grabbing the latest samba smbpass.c code to make
sure that it reads in according to the latest format

2) we intend to put a read-only dbm cache into smbpasswd, where updates
from mod_smbpwd_entry re-generate the dbm files from the (just modified)
private/smbpasswd file. this will drastically improve performance for
large numbers of users. i hope.

3) we intend to add compile-time options to read different back-end
databases (e.g ldap, bruce's home-grown database system :-). therefore it
would be sensible for us all to use the same API.

4) can i check in the latest copy of your code into samba's cvs
repository? would you like to maintain it from there if i get permission
for you to do so?

luke (samba team)

From lkcl at regent.push.net Tue May 5 09:59:35 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Samba PDC as a password server
In-Reply-To: <354B863F.38BA72E0@uindy.edu>
Message-ID:

it was srvmgr.exe for which writing to smb.conf was required; usrmgr.exe
policies would require mods to smb.conf, but yes: usrmgr.exe would
definitely require writes to private/smbpasswd

On Sun, 3 May 1998, Dana Canfield wrote:

> Another quick thought/question:
>
> A couple of times either Luke or Jeremy (can't remember, sorry) has said that
> in order to get group management and other things from User Manager for
> Domains working properly would require the ability to write to the smb.conf
> file. Why would you want to store that type of information in the smb.conf?
> Wouldn't it make more sense to store this info, on a per-user basis, in the
> smbpasswd file?
>
> Sorry if my memory is failing and the answer was obvious or something.
>
> Dana
>

From lkcl at regent.push.net Tue May 5 10:03:47 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: group RIDs (Modem_Users)
In-Reply-To: <3.0.3.32.19980504121846.00839600@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Mon, 4 May 1998, David Bannon wrote:

> At 22:58 30/04/1998 +1000, Luke Kenneth Casson Leighton wrote:
> >On Wed, 29 Apr 1998, various people wrote:
> >
> >> If so, sould someone post a list of some of the more popular group RID's
> ..
> >> i already have the list from winnt.h,
> >> but i was not aware that there are more: things like "modem users".
> ..
> >> add "domain groups = the RID" in the smb.conf
>
> getsid.exe tells me :
>
> The SID for account BIO-LAB\Modem_Users is
> S-1-5-21-871122656-1776954347-317593308-1004
>
> Now, I have to ask, which RID (of the last four) should be mentioned in the
> smb.conf file ?

last one.

> I have checked winnt.h and Modem_Users are not mentioned,

i find this strange. you didn't create the group "Modem_Users" yourself,
did you?

> I don't
> understand why there are four RIDs after the S-1-5-21- bit. The MS
> Developer site does not seem to list anything, could it be that these
> numbers are made up on the fly and therefore will be different on every
> system ?

the S-1-5-21-87xxxxx-177xxxx-31xxxxx is the SID for the domain.
concatenate this with a RID and you have a worldwide unique method to
identify a user / group / entity.

luke

From lkcl at regent.push.net Tue May 5 10:25:46 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <354D596F.51A7B92E@sj.univali.rct-sc.br>
Message-ID:

On Mon, 4 May 1998, Celso Kopp Webber wrote:

> Hi all!
>
> I'm currently running the last sources from the samba CVS tree, and
> it works very well.
>
> I've heard recently that NT had a weakness because it accepted the
> so called 'null sessions', so that one machine could administer
> another NT remotely, without providing a username and password. I
> found a small program on Internet, named QTIP, that can query any NT
> machine and get many useful information from it, such as a list of
> users, list of shares, information about a user (for instance, user
> cannot change password). I've tested this program against one NT4
> server under my administration, across the Internet, and it worked!
> The bad part is that it worked against SAMBA NTDOM too!
>
> Am I mistaken? Does this really constitute a security hole that
> samba is vulnerable?

you are absolutely correct :-)

> I've heard also that NT4 with SP3 can, if the administrator knows,
> be setup on the registry to not accept 'null sessions'. Wouldn't it be
> interesting to samba do the same?

yes.

>
> Thanks in advance, and sorry if I'm saying any nonsense.

you are not speaking nonsense.

dana, can you add this one to the TODO list, at the top :-)

From lkcl at regent.push.net Tue May 5 10:28:04 1998
From: lkcl at regent.push.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <19980504063023Z12669373-28446+15@samba.anu.edu.au>
Message-ID:

On Mon, 4 May 1998, Andrew Tridgell wrote:

> > I've heard recently that NT had a weakness because it accepted
> > the so called 'null sessions', so that one machine could administer
> > another NT remotely, without providing a username and password. I
> > found a small program on Internet, named QTIP, that can query any NT
> > machine and get many useful information from it, such as a list of
> > users, list of shares, information about a user (for instance, user
> > cannot change password). I've tested this program against one NT4
> > server under my administration, across the Internet, and it worked!
> > The bad part is that it worked against SAMBA NTDOM too!
>
> null sessions are needed to allow for browse list propagation. Without
> them two hosts can't synchronise their browse lists. (how would you
> enter a password while synchronizing browse lists?)
>
> You are right that null sessions can also be used to obtain
> information. You can obtain a shares list and the name of the
> workgroup etc. I never considered this to be a security hole.
>
> What you should be doing is using the "hosts allow" and "hosts deny"
> options to restrict access to your server to hosts that you want to be
> able to get in. Hosts not listed won't be able to synch browse lists,
> so you would normally set the list to include your organisation's local
> subnets and loopback.
>
> > Am I mistaken? Does this really constitute a security hole that
> > samba is vulnerable? I've heard also that NT4 with SP3 can, if the
> > administrator knows, be setup on the registry to not accept 'null
> > sessions'. Wouldn't it be interesting to samba do the same?
>
> hmmm, if you set this option in NT then how does browse list
> propagation work? There is no way you could do inter-subnet browsing
> without null sessions.

the win95 and nt clients, if you reject null sessions on IPC$, reconnect
with the currently logged-in username and password. i have been
mentioning this since january.

it also solves the [homes] problem.

luke

From lkcl at switchboard.net Tue May 5 10:39:06 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Couple of FAQ Admin questions / info
In-Reply-To: <354DCC53.F944A661@eng.auburn.edu>
Message-ID:

gerald, should probably go onto the samba site... andrew, what you reckon?

On Tue, 5 May 1998, Gerald Carter wrote:

> Here's a couple of questions I have for you guys....
>
> 1. The On-line TODO list seems to have moved and I missed the
>    bus. The address I have is
>        http://peng1.uindy.edu/samba/todo.html
>    but this comes up as **NOT FOUND**. Can someone point me
>    to the current location.
>
> 2. I am going to put up a mirror site for the FAQ since I have had
>    a couple of people indicate they experienced problems reaching
>    the current location. Will post the location as soon as I get
>    things settled in.
>
>
> Thanks,
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

From tridge at samba.anu.edu.au Tue May 5 11:00:09 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: (message from Luke Kenneth Casson Leighton on Tue, 5 May 1998 10:28:04 +0000 (GMT))
References:
Message-ID: <19980505110011Z12663862-1176+2110@samba.anu.edu.au>

> > hmmm, if you set this option in NT then how does browse list
> > propagation work? There is no way you could do inter-subnet browsing
> > without null sessions.
>
> the win95 and nt clients, if you reject null sessions on IPC$, reconnect
> with the currently logged-in username and password. i have been
> mentioning this since january.

nope, that doesn't make sense. browse lists are maintained when there
isn't anyone logged in. Browse syncs are also done by NT servers
sitting in a corner without a keyboard attached.

> it also solves the [homes] problem.

nope, this is quite separate from the [homes] problem (if there is a
[homes] problem!)

Win95 and NT clients *only* generate null sessions when doing a browse
sync of machines names, not when "browsing" for a list of shares. A
Win95 or NT client cannot be made to do a null session connect when
using network neighborhood or any other user initiated
browse.

Remember that a null session is a session with a null username and
null password. Win95 and NT clients will generate attempted logins
with a null password but not with a null username.

browse synchronisation is a special case because there is no username
that can possibly be sent as it is a function of the underlying browse
protocol maintenance not of user actions.

Cheers, Andrew

From lkcl at switchboard.net Tue May 5 12:11:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <19980505110011Z12663862-1176+2110@samba.anu.edu.au>
Message-ID:

On Tue, 5 May 1998, Andrew Tridgell wrote:

> > > hmmm, if you set this option in NT then how does browse list
> > > propagation work? There is no way you could do inter-subnet browsing
> > > without null sessions.
> >
> > the win95 and nt clients, if you reject null sessions on IPC$, reconnect
> > with the currently logged-in username and password. i have been
> > mentioning this since january.
>
> nope, that doesn't make sense.

why not?

> browse lists are maintained when there isn't anyone logged in.

ah, good point. information interchanged between... ah, but if you have
two NT Domain Controllers, then they can interchange information using the
"trust" account system (not that i've fully investigated this...)

if your NT DC is contacting a non-NT-like machine, then it can use null
sessions.

> > it also solves the [homes] problem.
>
> nope, this is quite separate from the [homes] problem (if there is a
> [homes] problem!)

there is. the first (interactive) connection [by an nt or 95 client] is
subverted by a null session.

multiple tconXs are sent. if the first is to IPC$, then a null
SMBsessetupX is sent. subsequent tconXs do not have a username in
them, so samba does not have a substitution for its [homes]
connection, and hence the username share that is created by [homes] does
not appear: you get a share named after the guest account, instead.

the difference is between a share level connection and a user level
connection, and we currently still do not make the distinction correctly.

if the first connection [by an nt or 95 client] is to a share name, then
the SMBsessetupX _does_ contain a username.

> Win95 and NT clients *only* generate null sessions when doing a browse
> sync of machines names, not when "browsing" for a list of shares.

yes it does.

> A
> Win95 or NT client cannot be made to do a null session connect when
> using network neighborhood or any other user initiated
> browse.

i see this occur all the time. you have to deliberately disconnect the
win95 or nt client session (use SRVMGR.EXE) and then do view | refresh on
the "shares" window.

> browse synchronisation is a special case because there is no username
> that can possibly be sent as it is a function of the underlying browse
> protocol maintenance not of user actions.

this may be the case when talking to non-NT-like systems, which samba can
currently be considered to be one such system in the browse sync respect.
to solve this problem fully, we will need to investigate browsing between
NT Trusted Domain Controllers.

luke

From samba at aquasoft.com.au Tue May 5 12:28:07 1998
From: samba at aquasoft.com.au (Samba Bugs)
Date: Tue Dec 2 02:24:04 2003
Subject: PAM_NTDOM
Message-ID:

I am currently trying to help someone with implementation of pam_ntdom
and would appreciate some help.

The current source tree I downloaded by cvs from samba.anu.edu.au does
not have much documentation. I am happy to produce this if it will help
but would like some working examples and any documentation you may have.

Also, it appears that pam_ntdom uses the deprecated /etc/pam.conf while
Red Hat Linux systems use /etc/pam.d/"module_name". Are my observations
correct?

Your assistance is most appreciated.

Cheers,
John H Terpstra - Samba-Team

From tridge at samba.anu.edu.au Tue May 5 13:00:09 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: (message from Luke Kenneth Casson Leighton on Tue, 5 May 1998 12:11:09 +0000 (GMT))
References:
Message-ID: <19980505130020Z12583143-28446+2068@samba.anu.edu.au>

> ah, good point. information interchanged between... ah, but if you have
> two NT Domain Controllers, then they can interchange information using the
> "trust" account system (not that i've fully investigated this...)

They *could* use the trust account, but I don't think they do (not for
browse synchronisation anyway).

> if your NT DC is contacting a non-NT-like machine, then it can use null
> sessions.

again, what could be done and what is actually done by MS OSes are two
different things. I believe 95 and NT use null sessions for browse sync.

> there is. the first (interactive) connection [by an nt or 95 client] is
> subverted by a null session.

nope. Send me a sniff of a win95 box doing a null session connect for
a user initiated browse and then maybe I'll believe you.

win95 and NT always try a null password first, but that is not a null
session. As long as you haven't stuffed around with the
GUEST_SESSSETUP option at compile time in Samba then the null password
will fail when the server is in user level security. The client then
sends a proper session setup.

John tried to convince me that NT and 95 could do a null session
connect a few weeks back. We ran a sniff and found it didn't.

> multiple tconXs are sent. if the first is to IPC$, then a null
> SMBsessetupX is sent. subsequent tconXs do not have a username in
> them

tconXs never have usernames in them (unless you count the % hack).

I could believe that this could be a problem with NT domain logins.
It is just possible that a NT domain workstation will cache a null
session used for browse synchronisation and carry that over to an
attempted login. If you show me that this happens then I'm sure we can
find a workaround.

>, so samba does not have a substitution for its [homes]
> connection, and hence the username share that is created by [homes] does
> not appear: you get a share named after the guest account, instead.

what worries me here is that this is exactly the symptoms you will get
if you muck with the GUEST_SESSSETUP option (among other nasty side
effects). Are you _sure_ you didn't have GUEST_SESSSETUP set when you
saw this?

Also, are you sure it was a null session (ie. username was null in
sessionsetupX) and not just a null password? I'm very skeptical :-)

> the difference is between a share level connection and a user level
> connection, and we currently still do not make the distinction correctly.
> yes it does.
>
> > A
> > Win95 or NT client cannot be made to do a null session connect when
> > using network neighborhood or any other user initiated
> > browse.
>

I believe we do, but a sniff will convince me otherwise :-)

> i see this occur all the time. you have to deliberately disconnect the
> win95 or nt client session (use SRVMGR.EXE) and then do view | refresh on
> the "shares" window.

I just tried it and didn't see a null session in a sniffer. Everything
worked fine. This was with a NT4wks client doing a domain logon to a
Samba server (current CVS tree).

> this may be the case when talking to non-NT-like systems, which samba can
> currently be considered to be one such system in the browse sync respect.
> to solve this problem fully, we will need to investigate browsing between
> NT Trusted Domain Controllers.

as far as I know browse synchronisation works the same between NT as
between 95 and NT (as far as authentication goes at least). Browse
listing (ie. obtaining a list of shares) works differently, but that's
a different kettle of fish!

Cheers, Andrew

From lkcl at switchboard.net Tue May 5 13:01:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: PAM_NTDOM
In-Reply-To:
Message-ID:

hi john,

some docs would be extremely helpful. i need to do an update of the
libraries: they were last copied in january.

get http://www.cb1.com/~lkcl/arcfour.c;
add -DUSE_ARCFOUR from the Makefile;
get Linux-PAM-0.65 - see http://www.cb1.com/~lkcl reference www.kernel.org;
add pam_ntdom into modules/ directory;
include pam_ntdom in modules/Makefile;
do make install in PAM directory.

On Tue, 5 May 1998, Samba Bugs wrote:

> I am currently trying to help someone with implementation of pam_ntdom
> and would appreciate some help.
>
> The current source tree I downloaded by cvs from samba.anu.edu.au does
> not have much documentation. I am happy to produce this if it will help
> but would like some working examples and any documentation you may have.
>
> Also, it appears that pam_ntdom uses the deprecated /etc/pam.conf while
> Red Hat Linux systems use /etc/pam.d/"module_name". Are my observations
> correct?
>
> Your assistance is most appreciated.
>
> Cheers,
> John H Terpstra - Samba-Team
>

From lkcl at switchboard.net Tue May 5 13:19:36 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <19980505130020Z12583143-28446+2068@samba.anu.edu.au>
Message-ID:

On Tue, 5 May 1998, Andrew Tridgell wrote:

> They *could* use the trust account, but I don't think they do (not for
> browse synchronisation anyway).
>
> > if your NT DC is contacting a non-NT-like machine, then it can use null
> > sessions.
>
> again, what could be done and what is actually done by MS OSes are two
> different things. I believe 95 and NT use null sessions for browse sync.
>
> > there is. the first (interactive) connection [by an nt or 95 client] is
> > subverted by a null session.
>
> nope. Send me a sniff of a win95 box doing a null session connect for
> a user initiated browse and then maybe I'll believe you.

i don't use win95: i can do an nt wksta one, though.

> win95 and NT always try a null password first, but that is not a null
> session. As long as you haven't stuffed around with the
> GUEST_SESSSETUP option at compile time in Samba

i haven't.

> then the null password
> will fail when the server is in user level security. The client then
> sends a proper session setup.

no it doesn't :-) it converts the user to the guest account (extract from
reply.c):

  /* If no username is sent use the guest account */
  if (!*user)
    {
      strcpy(user,lp_guestaccount(-1));
      /* If no user and no password then set guest flag. */
      if( *smb_apasswd == 0)
        guest = True;
    }

  strlower(user);

  strcpy(sesssetup_user,user);

  reload_services(True);

  add_session_user(user);

  /* Check if the given username was the guest user with no password.
     We need to do this check after add_session_user() as that
     call can potentially change the username (via map_user).
   */

> John tried to convince me that NT and 95 could do a null session
> connect a few weeks back. We ran a sniff and found it didn't.
>
> > multiple tconXs are sent. if the first is to IPC$, then a null
> > SMBsessetupX is sent. subsequent tconXs do not have a username in
> > them
>
> tconXs never have usernames in them (unless you count the % hack).

exactly: therein lies the problem.

> I could believe that this could be a problem with NT domain logins. It
> is just possible that a NT domain workstation will cache a null
> session used for browse synchronisation and carry that over to an
> attempted login. If you show me that this happens then I'm sure we can
> find a workaround.

it does, and so does win95. i don't use win95 any more, but i can get you
an NT trace.

> >, so samba does not have a substitution for its [homes]
> > connection, and hence the username share that is created by [homes] does
> > not appear: you get a share named after the guest account, instead.
>
> what worries me here is that this is exactly the symptoms you will get
> if you muck with the GUEST_SESSSETUP option (among other nasty side
> effects). Are you _sure_ you didn't have GUEST_SESSSETUP set when you
> saw this?

i am sure: it was at the default. i've never recompiled with
GUEST_SESSETUP at anything other than the default: i don't like it.

> Also, are you sure it was a null session (ie. username was null in
> sessionsetupX) and not just a null password? I'm very skeptical :-)

username was NULL: password was "length 1". i wouldn't have had a share
named after "nobody" come up if it wasn't.

> > the difference is between a share level connection and a user level
> > connection, and we currently still do not make the distinction correctly.
> > yes it does.
> >
> > > A
> > > Win95 or NT client cannot be made to do a null session connect when
> > > using network neighborhood or any other user initiated
> > > browse.
> >
>
> I believe we do, but a sniff will convince me otherwise :-)
>
> > i see this occur all the time. you have to deliberately disconnect the
> > win95 or nt client session (use SRVMGR.EXE) and then do view | refresh on
> > the "shares" window.
>
> I just tried it and didn't see a null session in a sniffer. Everything
> worked fine. This was with a NT4wks client doing a domain logon to a
> Samba server (current CVS tree).
>
> > this may be the case when talking to non-NT-like systems, which samba can
> > currently be considered to be one such system in the browse sync respect.
> > to solve this problem fully, we will need to investigate browsing between
> > NT Trusted Domain Controllers.
>
> as far as I know browse synchronisation works the same between NT as
> between 95 and NT (as far as authentication goes at least). Browse
> listing (ie. obtaining a list of shares) works differently, but that's
> a different kettle of fish!
>
> Cheers, Andrew
>

From cartegw at Eng.Auburn.EDU Tue May 5 13:46:48 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:04 2003
Subject: Eventlog messages
Message-ID: <354F1847.FD52ABEE@eng.auburn.edu>

Greetings,

I have two eventlog entries I would like to run by everyone and see
if I am an isolated case. Here's the setup.

- 5 NT 4.0 Workstations on subnet xxx.xxx.AAA.xxx
- 1 Samba PDC running Solaris 2.5.1 on subnet xxx.xxx.BBB.xxx
- The Samba PDC is the primary WINS server for the NT boxes.
  There is no secondary WINS server.

The first eventlog entry seems to come in bursts

    EventID : 5719
    No Windows NT Domain Controller is available for domain LENORE.
    (This event is expected and can be ignored when booting with
    the 'No Net' Hardware Profile.) The following error occurred:
    There are currently no logon servers available to service the
    logon request.

The second one looks like this. It as well comes in bursts which
would make sense I guess in the case of a large file transfer.

    EventID : 3006
    The redirector received an SMB that was too short.

Is anyone else logging such events? Is there a timeout value that
I could set to reduce the occurrences of Event 5719? Is there a
configuration error that causes Event 3006?

Thanks for the information.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From tridge at samba.anu.edu.au Tue May 5 14:40:09 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: (message from Luke Kenneth Casson Leighton on Tue, 5 May 1998 13:19:36 +0000 (GMT))
References:
Message-ID: <19980505144018Z12619724-1176+2205@samba.anu.edu.au>

> i don't use win95: i can do an nt wksta one, though.

ok. Upload it somewhere on samba.anu.edu.au.

> > then the null password
> > will fail when the server is in user level security. The client then
> > sends a proper session setup.
>
> no it doesn't :-) it converts the user to the guest account (extract from
> reply.c):
>
>   /* If no username is sent use the guest account */
>   if (!*user)
>     {

you misread what I said. I said that a null password will fail in user
level security. I didn't say that a null session would fail. They are
very different things. You have to keep these two separate as they are
dealt with quite differently. (in both cases Samba acts exactly as NT
does, but the two cases are treated differently).

> > tconXs never have usernames in them (unless you count the % hack).
>
> exactly: therein lies the problem.

nope, that's a red herring I think.

> it does, and so does win95. i don't use win95 any more, but i can get you
> an NT trace.

ok, an NT trace would be good. A win95 one would be better as it would
eliminate any possibility that it is an interaction with the domain
client code in NT.

> username was NULL: password was "length 1". i wouldn't have had a share
> named after "nobody" come up if it wasn't.

not so. Don't infer stuff from what shows up on the screen! A sniff is
the only real way of knowing what is going on.

anyway, I'll look at a sniff.

The good thing is that if there is a problem then it will probably be
easy to fix. The solution would almost certainly be to return a
particular error code in tconx if the vuid matched a null
session. That is basically the only mechanism that would be available
for a server to avoid this client problem.

My bet is that it will turn out not to be a null session problem at
all :-)

There are fundamental flaws in the user security model employed in SMB
as I've explained on the CIFS digest a couple of times, and the
problems are related to the handling of null passwords and null
sessions, but the problems don't give rise to the symptoms you've
described.

Cheers, Andrew

From eppinette at nlu.edu Tue May 5 14:47:25 1998
From: eppinette at nlu.edu (Chance W. Eppinette)
Date: Tue Dec 2 02:24:04 2003
Subject: Trying to use CVS to get latest SAMBA
Message-ID: <354F267D.2EC3B4A4@nlu.edu>

Hello,
I setup CVS on this system to retrieve the code for BRANCH_NTDOM.
I am a little confused -- do I need to try pulling BRANCH_NTDOM
into my existing extraction of samba-1.9.18p4-sol-sparc-2.5.1.tar
or does the new code go into a new directory? I have tried both,
but it will not try write over the existing directory with an
error about CVSROOT:
# cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba
cvs server: existing repository /cvsroot does not match /cvsroot/samba
cvs server: ignoring module samba

The original extraction of samba-1.9.18p4 compiles & runs fine.
When I pulled BRANCH_NTDOM into a new directory and modified
Makefile for my site, it starts compiling but blows up when it
reaches the linking stage for smbd & complains about a misreferenced
value of getsmbpasswd or something.

Can anyone tell me what I may be doing wrong? I may not have setup
CVS properly, but the notes say all that is needed is a CVS client.

Thanks,
Chance Eppinette
--
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
|                                                                |
| Chance W. Eppinette           Northeast Louisiana University   |
| Network Manager               Computing Center                 |
|                               Monroe, LA 71209                 |
| email: eppinette@nlu.edu                                       |
| phone: (318) 342-5021         fax: (318) 342-5018              |
| office: Admin 1-155A          "G R A Y V I P E R"              |
|                                                                |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+

From lkcl at switchboard.net Tue May 5 15:09:02 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <19980505144018Z12619724-1176+2205@samba.anu.edu.au>
Message-ID:

On Wed, 6 May 1998, Andrew Tridgell wrote:

> > i don't use win95: i can do an nt wksta one, though.
>
> ok. Upload it somewhere on samba.anu.edu.au.
>
> > > then the null password
> > > will fail when the server is in user level security. The client then
> > > sends a proper session setup.
> >
> > no it doesn't :-) it converts the user to the guest account (extract from
> > reply.c):
> >
> >   /* If no username is sent use the guest account */
> >   if (!*user)
> >     {
>
> you misread what I said. I said that a null password will fail in user
> level security. I didn't say that a null session would fail.

ah.

> They are
> very different things. You have to keep these two separate as they are
> dealt with quite differently. (in both cases Samba acts exactly as NT
> does, but the two cases are treated differently).

in that case, i have never dealt with "null password" in user level
security: i have only seen "null session" and "user/non-null-pass/domain"
sessions.

> > > tconXs never have usernames in them (unless you count the % hack).
> >
> > exactly: therein lies the problem.
>
> nope, that's a red herring I think.

not really: if the SMBsessetupX was made with "null session" and the first
tconX made with a null password to IPC$, we do not put out an error
message when further tconXs come in [to connect to shares].
if we did, then the win95 clients would drop the connection and re-issue an SMBsessetupX, but this time with a username/non-null-password/domain connection. > > it does, and so does win95. i don't use win95 any more, but i can get you > > an NT trace. > > ok, an NT trace would be good. A win95 one would be better as it would > eliminate any possibility that it is an interaction with the domain > client code in NT. > > > username was NULL: password was "length 1". i wouldn't have had a share > > named after "nobody" come up if it wasn't. > > not so. Don't infer stuff from what shows up on the screen! A sniff is > the only real way of knowing what is going on. > > anyway, I'll look at a sniff. > > The good thing is that if there is a problem then it will probably be > easy to fix. The solution would almost certainly be to return a > particular error code in tconx if the vuid matched a null > session. this is what i have seen NT server do, and the win95 or nt client then sends a proper "user/non-null-pass/domain" request. luke From cartegw at Eng.Auburn.EDU Tue May 5 16:20:44 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:04 2003 Subject: Trying to use CVS to get latest SAMBA References: <354F267D.2EC3B4A4@nlu.edu> Message-ID: <354F3C5C.40AB44D@eng.auburn.edu> Chance W. Eppinette wrote: > > Hello, > I setup CVS on this system to retrieve the code for BRANCH_NTDOM. > I am a little confused -- do I need to try pulling BRANCH_NTDOM > into my existing extraction of samba-1.9.18p4-sol-sparc-2.5.1.tar > or does the new code go into a new directory? I have tried both, > but it will not try write over the existing directory with an > error about CVSROOT: > # cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba > cvs server: existing repository /cvsroot does not match /cvsroot/samba > cvs server: ignoring module samba > > The original extraction of samba-1.9.18p4 compilies & runs fine. 
> When I pulled BRANCH_NTDOM into a new directory and modified Makefile > for my site, it starts compiling but blows up when it reaches the > linking stage for smbd & complains about a misreferenced value of > getsmbpasswd or something. > > Can anyone tell me what I may be doing wrong? I may not have setup > CVS properly, but the notes say all that is needed is a CVS client. > Download the latest code for the main branch via cvs into a new directory and start from there. Do not use BRANCH_NTDOM. The NTDOM PDC support has been enabled in the main branch by default. Note that the main branch is newer code that the main distribution ( 1.9.18p4 ). j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From tavis at mahler.econ.columbia.edu Tue May 5 22:22:28 1998 From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:24:04 2003 Subject: NT workstation won't recognize controller Message-ID: SETUP: I've got the latest (as of Sunday) CVS update of Samba and two NT workstations, one running SP1 and the other running SP3. There is an NT server on the subnet that is running under a different domain from Samba. I've got my workstations pointing to the Samba server as the primary WINS server and the NT server as the secondary one. PROBLEM: The NT workstations can access the shares okay (actually the one running SP3 still won't authenticate even with plain text passwords set in the registry, but it still sees the computer; the SP1 workstation accesses shares just fine). However, when I change the domain of the workstations to the Samba domain, they come back telling me they can't locate a domain controller. Any suggestions? Thanks, Tavis P.S. 
Other details: I've set the debug level to 20; neither the smb.log nor the workstation logs register anything when I try to select Samba as my PDC. I'm enclosing my smb.conf file below

[global]
workgroup=MARKOV
server string=Sparc2 in Sociology
hosts allow = 128.59.226.78 , 128.59. , 127.
guest account = nobody
socket options = TCP_NODELAY
domain sid = S-1-5-21-059-226-071
domain logons = yes
domain master = yes
local master = yes
debug level = 20
os level = 100
security = user
encrypt passwords = yes
logon script = %U.bat
logon drive = l:
wins support = yes
wins proxy = yes
remote announce = 128.59.226.175 , 128.59.226.42
preferred master = yes
printing = bsd
printcap name = /etc/printcap
load printers = yes
log file = /usr/local/samba/log.%m
lock directory = /usr/local/samba/var/locks
share modes = yes

[NETLOGON]
path = /usr/local/samba/lib/netlogon
writeable = no
guest ok = yes
share modes = no
public = yes

[homes]
comment = Home Directories
read only = no
create mode = 0750

[printers]
comment = All Printers
printable = yes
public = no
writable = no
create mode = 0700

From tridge at samba.anu.edu.au Wed May 6 04:10:13 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: (message from Luke Kenneth Casson Leighton on Tue, 5 May 1998 15:09:02 +0000 (GMT))
References:
Message-ID: <19980506041016Z12637419-1176+3915@samba.anu.edu.au>

> not really: if the SMBsessetupX was made with "null session" and the first
> tconX made with a null password to IPC$, we do not put out an error
> message when further tconXs come in [to connect to shares].

tconX always has a null password in user level security (the password field would be meaningless anyway).

> if we did, then the win95 clients would drop the connection and re-issue
> an SMBsessetupX, but this time with a username/non-null-password/domain
> connection.

errr, is this based on wishful thinking or experience?
I think win95 clients are more likely to issue a totally unrelated error message or give "the app has performed an illegal operation".

Are you sure you can tell win95 clients to "go back and authenticate again" ? What error code do you issue to do this? My bet is that there is no error code that will make them do this, I've certainly never seen one.

Remember that SMB authentication is a very fragile thing. Clients don't do the "sensible thing" when they get an error back, they tend to die horrible deaths instead.

> > The good thing is that if there is a problem then it will probably be
> > easy to fix. The solution would almost certainly be to return a
> > particular error code in tconx if the vuid matched a null
> > session.
>
> this is what i have seen NT server do, and the win95 or nt client then
> sends a proper "user/non-null-pass/domain" request.

again, send me a sniff that shows this. I'm highly skeptical!

note that my skepticism is based on spending quite a bit of time (admittedly quite a while ago) trying to get MS clients to do exactly this. I even tried modifying smbd to cycle through all possible error codes one at a time trying to find one that would make win95 clients behave like this. Now maybe I missed one, but I'm not going to be convinced by anything less than a sniff :-)

Cheers, Andrew

From lkcl at switchboard.net Wed May 6 12:18:59 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Security hole?
In-Reply-To: <19980506041016Z12637419-1176+3915@samba.anu.edu.au>
Message-ID:

On Wed, 6 May 1998, Andrew Tridgell wrote:

> > not really: if the SMBsessetupX was made with "null session" and the first
> > tconX made with a null password to IPC$, we do not put out an error
> > message when further tconXs come in [to connect to shares].
>
> tconX always has a null password in user level security (the password
> field would be meaningless anyway).
>
> > if we did, then the win95 clients would drop the connection and re-issue
> > an SMBsessetupX, but this time with a username/non-null-password/domain
> > connection.
>
> errr, is this based on wishful thinking or experience?

experience.

> I think win95
> clients are more likely to issue a totally unrelated error message or
> give "the app has performed an illegal operation".

no... ah, actually what _can_ happen is _three_ SMBsessetupXs are sent.

1) null session SMBsessetupX. server accepts.
   null tconX to IPC$. server accepts.
   null tconX to \\server\share: server rejects; client drops connection.

2) username/non-null-password/domain SMBsessetupX. server accepts.
   null tconX to \\server\share. server accepts.

****OR****

2) username/non-null-password/domain SMBsesssetupX. server _validly_ rejects
   because the user/pass combination is wrong; client drops connection.

3) Network Neighbourhood throws up a password dialog (on win95) or a
   user/password dialog (on NT).
   new username/password/domain SMBsesssetupX. server accepts valid password.
   null tconX to \\server\share. server accepts.

> Are you sure you can tell win95 clients to "go back and authenticate
> again" ?

yes.

> What error code do you issue to do this?

can't remember. i mistakenly put the standard DOS "invalid password" one whatever it is, once, and got a non-null-password SMBsesssetupX immediately afterwards.

> My bet is that there
> is no error code that will make them do this, I've certainly never
> seen one.

there is one.

> Remember that SMB authentication is a very fragile thing. Clients
> don't do the "sensible thing" when they get an error back, they tend
> to die horrible deaths instead.

we will have to walk the thin line to get the right path: it exists :-)

> > > The good thing is that if there is a problem then it will probably be
> > > easy to fix. The solution would almost certainly be to return a
> > > particular error code in tconx if the vuid matched a null
> > > session.
> > > > this is what i have seen NT server do, and the win95 or nt client then > > sends a proper "user/non-null-pass/domain" request. > > again, send me a sniff that shows this. I'm highly skeptical! will do. > note that my skepticise is based on spending quite a bit of time > (admittedly quite a while ago) trying to get MS clients to do exactly > this. I even tried modifying smbd to cycle through all possible error > codes one at a time trying to find one that would make win95 clients > behave like this. Now maybe I missed one, but I'm not going to be > convinced by anything less than a sniff :-) i'll do me best, andrew. From 24currie at wmich.edu Wed May 6 13:09:39 1998 From: 24currie at wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:04 2003 Subject: Cannot Map Drives Message-ID: <35506113.787379D5@wmich.edu> Heres the setup: I have about 50 computers that are recently logging into a samba domain controller. I'm running a CVS tree of 1.9.18p4 from about 2 weeks ago. I have taken one good image and went around and "cloned" this to all the other computers using the Ghost software. Heres the problem: I cannot map to the administrative shares (or any for that matter) like C$ and such to do remote file updates. I get an error saying that the username is unknown or that the password is invalid, and yes I am damn sure that I have both right. I'm trying to attach as the the local admin, not a domain user. The reason that I think this may be a samba related problem is that I have other computers that I've used Ghost with (yes, I know the security ID's are the same when I do this) that connect via Novell's Client and a couple others that connect to an NT PDC with the same setup (other than a quick change of domina/server) that I can map the drives to. Has anyone else had this problem or know how I might be able to get around it? 
Thanks,
Kevin Currie

From lkcl at switchboard.net Wed May 6 13:21:21 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Cannot Map Drives
In-Reply-To: <35506113.787379D5@wmich.edu>
Message-ID:

On Wed, 6 May 1998, Kevin Currie wrote:

> Here's the setup:
> I have about 50 computers that are recently logging into a samba
> domain controller. I'm running a CVS tree of 1.9.18p4 from about 2
> weeks ago. I have taken one good image and went around and "cloned" this
> to all the other computers using the Ghost software.
>
> Here's the problem:
> I cannot map to the administrative shares (or any for that
> matter) like C$ and such to do remote file updates.

have you created C$, ADMIN$ etc on the samba machine, in the smb.conf file?

From cartegw at Eng.Auburn.EDU Wed May 6 13:31:24 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:04 2003
Subject: Cannot Map Drives
References: <35506113.787379D5@wmich.edu>
Message-ID: <3550662C.1F52CA73@eng.auburn.edu>

Kevin Currie wrote:
>
> a samba related problem is that I have other computers that I've used
> Ghost with (yes, I know the security ID's are the same when I do this)
> that connect via Novell's Client and a couple others that connect to
> an NT PDC with the same setup (other than a quick change of
> domain/server) that I can map the drives to.

Side note, but look at the ntsid utility from www.sysinternals.com to change the machine SID after duplication.

Also, to connect as a local account on a machine that is a member of a samba controlled domain, use the following syntax

net use x: \\\share /user:\

Otherwise it will default to accepting the account name as a domain account. I'm assuming, I haven't done a netmon trace on it to verify.
j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From mathewss at nutech.com Wed May 6 14:25:01 1998 From: mathewss at nutech.com (mathewss@nutech.com) Date: Tue Dec 2 02:24:04 2003 Subject: Cannot Map Drives In-Reply-To: <35506113.787379D5@wmich.edu> Message-ID: On Wed, 6 May 1998, Kevin Currie wrote: Ya i have not yet been able to map a hidden share ither.. such as C$ since we moved to PDC via samba. Has not been on my hot list of issues to deal with but since you mentioned it i figured i would support your findings.. Regards > Heres the setup: > I have about 50 computers that are recently logging into a samba > domain controller. I'm running a CVS tree of 1.9.18p4 from about 2 > weeks ago. I have taken one good image and went around and "cloned" this > to all the other computers using the Ghost software. > > Heres the problem: > I cannot map to the administrative shares (or any for that > matter) like C$ and such to do remote file updates. I get an error > saying that the username is unknown or that the password is invalid, and > yes I am damn sure that I have both right. I'm trying to attach as the > the local admin, not a domain user. The reason that I think this may be > a samba related problem is that I have other computers that I've used > Ghost with (yes, I know the security ID's are the same when I do this) > that connect via Novell's Client and a couple others that connect to an > NT PDC with the same setup (other than a quick change of domina/server) > that I can map the drives to. > Has anyone else had this problem or know how I might be able to > get around it? 
>
> Thanks,
> Kevin Currie
>
>
>
>

From lkcl at switchboard.net Wed May 6 17:33:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: communications disruption possible: again.
Message-ID:

hi,

i may be incommunicado 'cos i have to move offices. i'll be moving 5 yards for two days, then either 100 yards or two miles after that.

my email address as lkcl@cb1.com should be used directly if you are stuck. please use lkcl@switchboard.net instead of lkcl@regent.push.net, regardless.

thank you, darlings!

luke

From x7currie at lab2.cc.wmich.edu Wed May 6 17:38:25 1998
From: x7currie at lab2.cc.wmich.edu (CURRIE KEVIN)
Date: Tue Dec 2 02:24:04 2003
Subject: Update Encyrpted
Message-ID:

First question, is this in the HEAD branch or only the NTDOM branch at this point in time? I have the latest head branch and a testparm accepts "update encrypted" as a parameter, however it does not appear to be modifying the smbpasswd file, and the samba machine ceases to function as a PDC. Any suggestions?

Thanks,
Kevin Currie

From x7currie at lab2.cc.wmich.edu Wed May 6 17:48:36 1998
From: x7currie at lab2.cc.wmich.edu (CURRIE KEVIN)
Date: Tue Dec 2 02:24:04 2003
Subject: Adding Machine Accounts
Message-ID:

I was wondering if someone might be able to explain to me why a machine account has to be in /etc/passwd as well as smbpasswd? I understand the significance of having a valid uid; however, I really don't want 100+ computer accounts in my /etc/passwd file. I personally would like all of these accounts to use the "nobody" account's uid.

I'm proposing that an option be added to smbpasswd so that us can do something along the lines of:

smbpasswd -a -u 65534 -m machine

and specify a uid for the machine right on the command line. This would greatly simplify adding/removing machine accounts. If there is some fallacy in this logic that I am missing, could someone kindly point it out for me? Thanks.
Kevin Currie

From lkcl at switchboard.net Wed May 6 18:01:11 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: alternative password database, using ldap instead of , private/smbpasswd
Message-ID:

hee hee, jean francois is going to be annoyed. this code is still under "definite alpha" status, but i really, really wanted to get it in there asap.

so, the latest cvs checkin adds the ability to use an ldap schema for the passwords, not that i know what one of those actually is (only kidding: i've just never set one up yet).

here it is:

Subject: LDAP schema

objectclass sambaAccount
    requires
        ObjectClass, cn, objectSid
    allows
        accountExpires, adminCount, badPasswordTime, badPwdCount, c,
        codePage, comment, controlAccessRights, countryCode, dBCSPwd,
        description, desktopProfile, gecos, gidAccount,
        groupMembershipSAM, homeDirectory, homeDrive, lastLogoff,
        lastLogon, lmPwdHistory, localeID, loginShell, logonCount,
        logonHours, logonWorkstation, maxStorage, ntPwdHistory,
        ntHomeDirectory, o, operatorCount, otherLoginWorkstations,
        policyName, policyOptions, preferredOU, primaryGroupID,
        profilePath, pwdLastSet, securityDescriptor, scriptPath,
        revision, rid, uid, uidAccount, unicodePwd, userAccountControl,
        userFullName, userParameters, userPassword, userWorkstations

your host for this wonderful set of code is mr Jean-Francois Micouleau

please do not give him any hassle: i have just landed him in it by checking his development code in :-) :-)

lots of love,

luke

From lkcl at switchboard.net Wed May 6 18:15:21 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Adding Machine Accounts
In-Reply-To:
Message-ID:

On Thu, 7 May 1998, CURRIE KEVIN wrote:

>
> I was wondering if someone might be able to explain to me why a
> machine account has to be in /etc/passwd as well as smbpasswd?
I > understand the significance of having a valid uid; however, I really don't > want 100+ computer accounts in my /etc/passwd file. I personally would > like all of these accounts to use the "nobody" account's uid. use "map username" option, put all the accounts with $ to map to nobody. > I'm proposing that an option be added to smbpasswd so that us can > do something along the lines of: > > smbpasswd -a -u 65534 -m machine for now, edit your smbpasswd file manually. bear in mind that this _may_ cause you problems later if you don't have unique unix uids per machine and you are using private/smbpasswd. luke From jallison at whistle.com Wed May 6 18:20:01 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:04 2003 Subject: Adding Machine Accounts References: Message-ID: <3550A9D1.773C2448@whistle.com> CURRIE KEVIN wrote: > > I was wonderring if someone might be able to explain to me why a > machine account has to be in /etc/passwd as well as smbpasswd? I > understand the significance of having a valid uid; however, I really don't > want 100+ computer accounts in my /etc/passwd file. I personally would > like all of these accounts to use the "nobody" account's uid. I made that decision, after initially starting down the path you are proposing. I decided to make the machine account mandatory in /etc/passwd after a long discussion with Luke on the requirement for NT RIDs synthesized from UNIX uids to be unique. > I'm proposing that an option be added to smbpasswd so that us can > do something along the lines of: > > smbpasswd -a -u 65534 -m machine > > and specify a uid for the machine right on the command line. This > would greatly simplify adding/removing machine accounts. If there is some > falicy in this logic that I am missing, could someone kindly point it out > for me? Thanks. > I originally did this. Although easier in the short term it will lead to immense pain later when we more fully integrate into an NT Domain environment. 
NT machines expect machine account RIDs to be unique within a domain - and they share the same namespace as userids and groups. The easiest way to do this is to ensure that the machine account id's are already represented in the /etc/passwd file.

Hope this helps,

Jeremy Allison.
Samba Team.

From mormis at caro.net Wed May 6 22:34:56 1998
From: mormis at caro.net (Morgan A. Miskell)
Date: Tue Dec 2 02:24:04 2003
Subject: Possible Connection Problems?!!
Message-ID: <3550E590.688E6AC8@caro.net>

Hello everyone,

I've got several *NIX computers which are running samba version 1.9.16p11, the unix servers are sending print jobs to NT servers throughout the US. Most of the services work well except for one site (which should have plenty of bandwidth available). This site has the print jobs fail at the rate of about 50%.

smbclient -L machine -U user password -N

will work most of the time, however, if I do this command randomly I will occasionally get the following error message:

error connecting to a.b.c.d:139 (Resource temporarily unavailable)

Does anyone know why this failure happens and how to correct it?

Thanks in advance!

Morgan A. Miskell

From kfleming at access-laserpress.com Wed May 6 22:46:50 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:04 2003
Subject: Do I need the main distribution or the main branch?
Message-ID: <3550E85A.328276D0@access-laserpress.com>

I'm getting ready to install Samba on a Solaris 2.5.1 box here to make some directories on that machine accessible to our PC users. The PC's are all running NT 4.0 Workstation, in a single domain. The new Samba machine will not be a PDC or a BDC, but will need to act as a member server for transparent authentication purposes.

Given this scenario, is there anything in the current main branch code that would be a compelling reason to use it instead of the current main distribution code?
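
[Added example, not part of any message in this archive and not Samba code.] The "Adding Machine Accounts" replies above require every machine account to have its own /etc/passwd entry, because RIDs are synthesized from UNIX uids and must be unique within the domain. The audit below checks a hand-edited smbpasswd against passwd for exactly those problems; the file contents are constructed, and the `name:uid:LMhash:NThash:...` smbpasswd layout is an assumption about the file format.

```python
"""Audit smbpasswd accounts against passwd for missing or colliding uids."""
from collections import defaultdict

HASH = "X" * 32  # placeholder hash field (assumed "no password set" marker)

# Constructed sample data, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
kevin:x:1001:100:Kevin:/home/kevin:/bin/sh
LAB01$:x:2001:200:machine account:/dev/null:/bin/false
LAB02$:x:2002:200:machine account:/dev/null:/bin/false
LAB05$:x:2005:200:machine account:/dev/null:/bin/false
"""

# LAB03$/LAB04$ were hand-edited onto nobody's uid; LAB05$ has a stale uid.
SAMPLE_SMBPASSWD = "# constructed smbpasswd\n" + "\n".join(
    f"{name}:{uid}:{HASH}:{HASH}:::"
    for name, uid in [
        ("kevin", 1001), ("LAB01$", 2001), ("LAB02$", 2002),
        ("LAB03$", 65534), ("LAB04$", 65534), ("LAB05$", 2050),
    ]
)


def parse_accounts(text, uid_field):
    """Return [(name, uid)] from colon-separated account text.

    uid_field is the index of the uid column: 2 for passwd, 1 for smbpasswd.
    Blank lines, comments and lines without a numeric uid are skipped.
    """
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= uid_field or not fields[uid_field].isdigit():
            continue
        accounts.append((fields[0], int(fields[uid_field])))
    return accounts


def audit(passwd_text, smbpasswd_text):
    """Return a list of (kind, account, uid) findings.

    missing-in-passwd   smbpasswd account with no passwd entry
    uid-mismatch        smbpasswd uid differs from the passwd uid
    uid-owned-by-other  uid belongs to a different passwd account
    shared-uid          several smbpasswd accounts use one uid
    """
    passwd_entries = parse_accounts(passwd_text, 2)
    passwd_uid = dict(passwd_entries)
    owners = defaultdict(list)
    for name, uid in passwd_entries:
        owners[uid].append(name)

    findings = []
    by_uid = defaultdict(list)
    for name, uid in parse_accounts(smbpasswd_text, 1):
        by_uid[uid].append(name)
        if name not in passwd_uid:
            findings.append(("missing-in-passwd", name, uid))
        elif passwd_uid[name] != uid:
            findings.append(("uid-mismatch", name, uid))
        if any(owner != name for owner in owners.get(uid, [])):
            findings.append(("uid-owned-by-other", name, uid))

    # A uid used twice means two accounts would get the same synthesized RID.
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("shared-uid", ",".join(sorted(names)), uid))
    return findings


if __name__ == "__main__":
    for kind, account, uid in audit(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print(f"{kind:20} {account:16} uid={uid}")
```
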
From jallison at whistle.com Wed May 6 22:58:24 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:04 2003 Subject: Do I need the main distribution or the main branch? References: <3550E85A.328276D0@access-laserpress.com> Message-ID: <3550EB10.4A7B7C1D@whistle.com> Kevin P. Fleming wrote: > > I'm getting ready to install Samba on a Solaris 2.5.1 box here to make > some directories on that machine accessible to our PC users. The PC's > are all running NT 4.0 Workstation, in a single domain. The new Samba > machine will not be a PDC or a BDC, but will need to act as a member > server for transparent authentication purposes. > > Given this scenario, is there anything in the current main branch code > that would be a compelling reason to use it instead of the current main > distribution code? Yes - the support for security=domain. By setting this (not in the docs yet, search the email archives for info on setting this up) you can add the Samba machine to the domain, and all the user authentication will be done to the PDC (or list of DCs) in the same way that NT does it. You then don't need an smbpasswd file, just the same userlist in /etc/passwd as you have on the NT PDC (and they don't have to have the same/any passwords). Cheers, Jeremy Allison, Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From D.Bannon at latrobe.edu.au Thu May 7 03:07:20 1998 From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:24:04 2003 Subject: group RIDs (Modem_Users) In-Reply-To: <199805041343.AA29801@interlock.reston.ans.net> Message-ID: <3.0.3.32.19980507130720.00840930@bioserve.biochem.latrobe.edu.au> Some people may have noticed my postings towards getting Samba to authenticate users who are dialing into a NT server via RAS. 
Just so I don't get anyone's hopes up .... As things stand at present AND as I understand things, it will not work. I assumed (never assume) that the group, MODEM_USERS would have dial in permission, they don't and cannot be given dial in permission. Seems dial in permission is only available to be allocated on a user by user basis, not to groups. One wonders just what the MS created MODEM_USERS group is for.... The NT will allow domain users to have dial in access allocated to them but fails when we try, I guess we need to wait while Luke and his team (bless them) do their magic with the User Manager for Domains stuff. Thanks ... David ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From cartegw at Eng.Auburn.EDU Thu May 7 03:39:43 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:04 2003 Subject: Do I need the main distribution or the main branch? In-Reply-To: <3550E85A.328276D0@access-laserpress.com> Message-ID: On Thu, 7 May 1998, Kevin P. Fleming wrote: > I'm getting ready to install Samba on a Solaris 2.5.1 box here to make > some directories on that machine accessible to our PC users. The PC's > are all running NT 4.0 Workstation, in a single domain. The new Samba > machine will not be a PDC or a BDC, but will need to act as a member > server for transparent authentication purposes. > > Given this scenario, is there anything in the current main branch code > that would be a compelling reason to use it instead of the current main > distribution code? > Wait until 1.9.19 series when the "security = domain" code is finalized. Your hope for the moment is to use "security = server" mode. 
Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Thu May 7 11:12:40 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Do I need the main distribution or the main branch?
In-Reply-To: <3550E85A.328276D0@access-laserpress.com>
Message-ID:

On Thu, 7 May 1998, Kevin P. Fleming wrote:

> I'm getting ready to install Samba on a Solaris 2.5.1 box here to make
> some directories on that machine accessible to our PC users. The PC's
> are all running NT 4.0 Workstation, in a single domain. The new Samba
> machine will not be a PDC or a BDC, but will need to act as a member
> server for transparent authentication purposes.
>
> Given this scenario, is there anything in the current main branch code
> that would be a compelling reason to use it instead of the current main
> distribution code?

the new "security = domain" option. see the samba-ntdom archives for
jeremy's message on how to set this up.

From lkcl at switchboard.net Thu May 7 11:21:37 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: group RIDs (Modem_Users)
In-Reply-To: <3.0.3.32.19980507130720.00840930@bioserve.biochem.latrobe.edu.au>
Message-ID:

also, a RAS server binds to a NetBIOS name of type <06>....

On Thu, 7 May 1998, David Bannon wrote:

> Some people may have noticed my postings towards getting Samba to
> authenticate users who are dialing into a NT server via RAS. Just so I
> don't get anyone's hopes up ....
>
> As things stand at present AND as I understand things, it will not work. I
> assumed (never assume) that the group, MODEM_USERS would have dial in
> permission, they don't and cannot be given dial in permission. Seems dial
> in permission is only available to be allocated on a user by user basis,
> not to groups. One wonders just what the MS created MODEM_USERS group is
> for....
>
> The NT will allow domain users to have dial in access allocated to them but
> fails when we try, I guess we need to wait while Luke and his team (bless
> them) do their magic with the User Manager for Domains stuff.
>
> Thanks ...
>
> David
> ------------------------------------------------------------
> David Bannon D.Bannon@latrobe.edu.au
> School of Biochemistry Phone 61 03 9479 2197
> La Trobe University, Plenty Rd, Fax 61 03 9479 2467
> Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au
> ------------------------------------------------------------
> .... Humpty Dumpty was pushed !
>

From x7currie at lab2.cc.wmich.edu Thu May 7 14:57:09 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:04 2003
Subject: Latest Tree borken?
Message-ID:

I've compiled the latest CVS tree (as of about 10pm last night) on
both Solaris and Linux. There are a few problems in smbpasswd.c regarding
the variable "vp" being passed when the prototype is a void (sorry about
the lack of details, I'm a little rushed right now) and the smb.conf
parameter "logon drive" seems to be broken as well because NT workstations
no longer get that drive mapped automatically and thus profiles don't
work.

Kevin

From x7currie at lab2.cc.wmich.edu Thu May 7 16:19:06 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:04 2003
Subject: Adding Machine Accounts
In-Reply-To: <3550A9D1.773C2448@whistle.com>
Message-ID:

> I originally did this. Although easier in the short term it
> will lead to immense pain later when we more fully integrate
> into an NT Domain environment. NT machines expect machine
> account RIDs to be unique within a domain - and they share
> the same namespace as userids and groups. The easiest way
> to do this is to ensure that the machine account id's are
> already represented in the /etc/passwd file.

Okay, just so long as there is a valid reason for all the extra account
maintenance (which I know nobody likes to do...) :)

Kevin

From daniel at med.up.pt Thu May 7 16:20:39 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:04 2003
Subject: Single-login
Message-ID:

Hi all.

Got a particular question for you.

Do you find it feasible to have single NT logins?

What I mean by this is one user logging in and samba automagically deny
all future logons by the same username (answering invalid password or
whatever) thus making impossible for two different people to share the
same username (I don't want to think that we're being cheated over here
:-) at the same time, to get access to the WorkStations.

I think this would be a rather nice feature, and don't mind working on it
if I get the right directions. Just hack server.c and do some logged on
user lookups? Maybe set up a special group which has these restrictions
and place (yet another) smb.conf directive like:
"single-login = @students" or something.

Tell me what do you think of this.

Daniel

From aperrin at demog.Berkeley.EDU Thu May 7 16:44:55 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:04 2003
Subject: domain groups information & observation
Message-ID:

1.) I'd be interested in any advice about using the domain groups stuff in
smb.conf -- specifically, how to map a unix group to an nt group (even
just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
anyone successfully done this?

2.)
After adding domain admins = to smb.conf, everyone in
the list seems to have interchangeable profiles -- that is, if I do:
domain admins = foo bar
then login as foo and do something to my profile (say, copy something to
the desktop), then log out and login as bar, the profile change takes
effect for both, being copied into bar's profile directory. This does not
seem to happen for non-admin users, just within the admin group. Is this
normal or designed behavior? It seems significantly different from
NT-alone behavior, where multiple users are called Administrators and have
their own profiles with Administrator permissions.

Thanks-

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From lkcl at switchboard.net Thu May 7 16:53:04 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Single-login
In-Reply-To:
Message-ID:

daniel,

can we move this one to samba-technical.

yes, of course it's possible: i'd like to discuss how.

there are four sets of structures that should be stored in shared memory.
users, sessions, files and... forgotten (lib/rpc/include/rpc_srvsvc.h)
oh yes, shares, but shares are kept in smb.conf and are not so dynamic.

sessions and files are currently stored in shared memory; users are not.

so, if that's done, then yes, this feature can be added.

luke

On Fri, 8 May 1998, Daniel Fonseca wrote:

>
> Hi all.
>
> Got a particular question for you.
>
> Do you find it feasible to have single NT logins?
>
> What I mean by this is one user logging in and samba automagically deny
> all future logons by the same username (answering invalid password or
> whatever) thus making impossible for two different people to share the
> same username (I don't want to think that we're being cheated over here
> :-) at the same time, to get access to the WorkStations.
>
> I think this would be a rather nice feature, and don't mind working on it
> if I get the right directions. Just hack server.c and do some logged on
> user lookups? Maybe set up a special group which has these restrictions
> and place (yet another) smb.conf directive like:
> "single-login = @students" or something.
>
> Tell me what do you think of this.
>
> Daniel
>
>

From jallison at whistle.com Thu May 7 16:48:32 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:04 2003
Subject: Latest Tree borken?
References:
Message-ID: <3551E5E0.3B54AFBF@whistle.com>

Kevin Currie wrote:
>
> I've compiled the latest CVS tree (as of about 10pm last night) on
> both Solaris and Linux. There are a few problems in smbpasswd.c regarding
> the variable "vp" being passed when the prototype is a void (sorry about
> the lack of details, I'm a little rushed right now) and the smb.conf
> parameter "logon drive" seems to be broken as well because NT workstations
> no longer get that drive mapped automatically and thus profiles don't
> work.
>
> Kevin

I fixed smbpasswd.c last night (around 6:30pm US pacific time).
Re-checkout & it will work. Welcome to the bleeding edge :-).

Question - does your "logon drive" parameter contain a %U ?
If so I broke that in the main branch yesterday, I should
be checking in a fix today.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Thu May 7 16:53:01 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:04 2003
Subject: domain groups information & observation
References:
Message-ID: <3551E6ED.7D55368C@whistle.com>

Andrew Perrin - Demography wrote:
>
> 1.) I'd be interested in any advice about using the domain groups stuff in
> smb.conf -- specifically, how to map a unix group to an nt group (even
> just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
> anyone successfully done this?
>

That's something that needs work on in the code. It's on my
todo list but it may take a couple of weeks to get to it (I
need to fix the username map code first).

> 2.) After adding domain admins = to smb.conf, everyone in
> the list seems to have interchangeable profiles -- that is, if I do:
> domain admins = foo bar
> then login as foo and do something to my profile (say, copy something to
> the desktop), then log out and login as bar, the profile change takes
> effect for both, being copied into bar's profile directory. This does not
> seem to happen for non-admin users, just within the admin group. Is this
> normal or designed behavior? It seems significantly different from
> NT-alone behavior, where multiple users are called Administrators and have
> their own profiles with Administrator permissions.
>

Hmmmm. I'm not a profiles expert (but I know a man who is :-).

Luke ..... comments ?

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Thu May 7 16:54:23 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: domain groups information & observation
In-Reply-To:
Message-ID:

On Fri, 8 May 1998, Andrew Perrin - Demography wrote:

> 1.) I'd be interested in any advice about using the domain groups stuff in
> smb.conf -- specifically, how to map a unix group to an nt group (even
> just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
> anyone successfully done this?
>
> 2.) After adding domain admins = to smb.conf, everyone in
> the list seems to have interchangeable profiles -- that is, if I do:
> domain admins = foo bar
> then login as foo and do something to my profile (say, copy something to
> the desktop), then log out and login as bar, the profile change takes
> effect for both, being copied into bar's profile directory. This does not
> seem to happen for non-admin users, just within the admin group. Is this
> normal or designed behavior?

the users end up with the same RID. NT maps profiles by RID.

i suppose if we set them to have a local admin account it would work...

luke

From lkcl at switchboard.net Thu May 7 17:45:22 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: Latest Tree borken?
In-Reply-To: <3551E5E0.3B54AFBF@whistle.com>
Message-ID:

> I fixed smbpasswd.c last night (around 6:30pm US pacific time).
> Re-checkout & it will work. Welcome to the bleeding edge :-).

oh, that will explain why... yes, ok!

From lkcl at switchboard.net Thu May 7 17:57:19 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:04 2003
Subject: domain groups information & observation
In-Reply-To: <3551E6ED.7D55368C@whistle.com>
Message-ID:

On Fri, 8 May 1998, Jeremy Allison wrote:

> Andrew Perrin - Demography wrote:
> >
> > 1.) I'd be interested in any advice about using the domain groups stuff in
> > smb.conf -- specifically, how to map a unix group to an nt group (even
> > just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
> > anyone successfully done this?
> >
>
> That's something that needs work on in the code. It's on my
> todo list but it may take a couple of weeks to get to it (I
> need to fix the username map code first).

is it on dana canfield's TODO list?

no it isn't. dana, can you put "add a 'map groupname' smb.conf parameter
which does what map username does, but for unix->nt groups, instead?" on
the "medium priority" TODO list?

> Hmmmm. I'm not a profiles expert (but I know a man who is :-).
>
> Luke ..... comments ?

wheuuur! what??? woke me up, there, for a minute. yes, we may have a
bit of confusion where all users in "domain admin users" get mapped to the
same RID...

hm. i seem to have made a mistake. it is used in two places. one is in
"name_to_rid()" where this converts _user_ RIDs to DOMAIN_USER_RID_ADMIN,
and also in "get_domain_user_groups()" where this converts _group_ RIDs to
DOMAIN_GROUP_RID_ADMINS.

oops.

AH! try this:

"domain groups = admins".

:-)

From aperrin at demog.Berkeley.EDU Thu May 7 18:24:15 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:05 2003
Subject: domain groups information & observation
In-Reply-To:
Message-ID:

Hmm. domain groups = admins sounds suspiciously like I'll need to have a
group on the unix side called admins... right? Otherwise how will NT know
who belongs to that group?

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Fri, 8 May 1998, Luke Kenneth Casson Leighton wrote:

> On Fri, 8 May 1998, Jeremy Allison wrote:
>
> > Andrew Perrin - Demography wrote:
> > >
> > > 1.) I'd be interested in any advice about using the domain groups stuff in
> > > smb.conf -- specifically, how to map a unix group to an nt group (even
> > > just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
> > > anyone successfully done this?
> > >
> >
> > That's something that needs work on in the code. It's on my
> > todo list but it may take a couple of weeks to get to it (I
> > need to fix the username map code first).
>
> is it on dana canfield's TODO list?
>
> no it isn't. dana, can you put "add a 'map groupname' smb.conf parameter
> which does what map username does, but for unix->nt groups, instead?" on
> the "medium priority" TODO list?
>
> > Hmmmm. I'm not a profiles expert (but I know a man who is :-).
> >
> > Luke ..... comments ?
>
> wheuuur! what??? woke me up, there, for a minute. yes, we may have a
> bit of confusion where all users in "domain admin users" get mapped to the
> same RID...
>
> hm. i seem to have made a mistake. it is used in two places. one is in
> "name_to_rid()" where this converts _user_ RIDs to DOMAIN_USER_RID_ADMIN,
> and also in "get_domain_user_groups()" where this converts _group_ RIDs to
> DOMAIN_GROUP_RID_ADMINS.
>
> oops.
>
> AH! try this:
>
> "domain groups = admins".
>
> :-)
>

From lkcl at switchboard.net Thu May 7 18:46:09 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: domain groups information & observation
In-Reply-To:
Message-ID:

On Thu, 7 May 1998, Andrew Perrin - Demography wrote:

> Hmm. domain groups = admins sounds suspiciously like I'll need to have a
> group on the unix side called admins... right?

nope.

> Otherwise how will NT know who belongs to that group?

nt workstation knowing, and the administrator knowing because it's in
smb.conf are two different things that, in my mind, you have mixed up in
the two halves of your question.

nt workstation knows because it is told so through the LsaSamLogon
response.

> ---------------------------------------------------------------------
> Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
> Department of Demography - University of California at Berkeley
> 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
> http://demog.berkeley.edu/~aperrin --------------------------SEIU1199
>
> On Fri, 8 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > On Fri, 8 May 1998, Jeremy Allison wrote:
> >
> > > Andrew Perrin - Demography wrote:
> > > >
> > > > 1.) I'd be interested in any advice about using the domain groups stuff in
> > > > smb.conf -- specifically, how to map a unix group to an nt group (even
> > > > just unix:ntusers -> users and unix:ntadmins -> Administrators). Has
> > > > anyone successfully done this?
> > > >
> > >
> > > That's something that needs work on in the code. It's on my
> > > todo list but it may take a couple of weeks to get to it (I
> > > need to fix the username map code first).
> >
> > is it on dana canfield's TODO list?
> >
> > no it isn't. dana, can you put "add a 'map groupname' smb.conf parameter
> > which does what map username does, but for unix->nt groups, instead?" on
> > the "medium priority" TODO list?
> >
> > > Hmmmm. I'm not a profiles expert (but I know a man who is :-).
> > >
> > > Luke ..... comments ?
> >
> > wheuuur! what??? woke me up, there, for a minute. yes, we may have a
> > bit of confusion where all users in "domain admin users" get mapped to the
> > same RID...
> >
> > hm. i seem to have made a mistake. it is used in two places. one is in
> > "name_to_rid()" where this converts _user_ RIDs to DOMAIN_USER_RID_ADMIN,
> > and also in "get_domain_user_groups()" where this converts _group_ RIDs to
> > DOMAIN_GROUP_RID_ADMINS.
> >
> > oops.
> >
> > AH! try this:
> >
> > "domain groups = admins".
> >
> > :-)
> >
>

From tavis at mahler.econ.columbia.edu Fri May 8 01:54:49 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:05 2003
Subject: A few oddball things
In-Reply-To:
Message-ID:

I'm having a few problems and I'm wondering if anyone has answers:

(1) I've had some odd things happen with the CVS update from last
weekend. First, when I run smbclient, I get

Domain=[AMNESIA] OS=[Unix] Server=[Samba 1.9.18p3]

Is the latest main branch update based on p3 rather than p4, or why does
it list this?

(2) The smbclient doesn't seem to work, and so I'm stuck with the
smbclient from the p4 release. When I try to use smbclient against a
remote Samba server running 1.9.18p4 that's set as a BDC, I get the
following message:

failed session setup
client_init: connection failed
warning: connection could not be established to mahler.econ.columbia.edu<20>
this version of smbclient may crash if you proceed

However the 1.9.18p4 version of smbclient works fine.

(3) Samba does not want to browse across IP subnets, even when all
machines are on the same router and NT machines have no trouble seeing
each other. Is this normal?

Thanks,
Tavis

From lkcl at switchboard.net Fri May 8 10:52:47 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: A few oddball things
In-Reply-To:
Message-ID:

On Fri, 8 May 1998, Tavis Barr wrote:

>
> I'm having a few problems and I'm wondering if anyone has answers:
>
> (1) I've had some odd things happen with the CVS update from last
> weekend. First, when I run smbclient, I get
>
> Domain=[AMNESIA] OS=[Unix] Server=[Samba 1.9.18p3]
>
> Is the latest main branch update based on p3 rather than p4, or why does
> it list this?
>
> (2) The smbclient doesn't seem to work, and so I'm stuck with the
> smbclient from the p4 release. When I try to use smbclient against a
> remote Samba server running 1.9.18p4 that's set as a BDC, I get the
> following message:
>
> failed session setup
> client_init: connection failed
> warning: connection could not be established to mahler.econ.columbia.edu<20>
> this version of smbclient may crash if you proceed

that is the BRANCH_NTDOM version of smbclient. use the main branch.

From bernard at zeus.rug.ac.be Fri May 8 11:56:49 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:24:05 2003
Subject: Machine account after rebooting...
Message-ID:

Hi,

I have installed samba (1.9.18p4-HEAD) on a Linux machine. Everything is
working fine, except that the NT-machine's account is incorrect after a
reboot of the NT-machine (NOT the linux machine).
Before the reboot, all users could log in, log off, type incorrect
passwords without crashing the machine, type nothing without logging
in (arcfour),...
Because I know how much you all like the log files, the config files,... i
have not attached them to this mail, but have put them online at

http://studwww.rug.ac.be/~bgrymonp/

More info can be found there.

I hope someone can help me...

Thanks in advance,
Bernard

--------------------------------------------------------------------------------
*** Make an idiot proof program, and someone will make a better idiot ***
-------------------------------------------------------------------------------
Bernard Grymonpon Onderhoudsteam "Student 1"
bernard@zeus.rug.ac.be Support PC "De Brug"
Student University of Ghent Hardware verantwoordelijke "Zeus"
-------------------------------------------------------------------------------

From lkcl at switchboard.net Fri May 8 14:03:52 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Machine account after rebooting...
In-Reply-To:
Message-ID:

the credentials are wrong: therefore the trust account password is either
wrong or has got out of sync.

you will need to sort this out by causing your computer to unjoin and then
rejoin the domain, or by renaming the machine.

On Fri, 8 May 1998, Bernard Grymonpon wrote:

>
>
> Hi,
>
> I have installed samba (1.9.18p4-HEAD) on a Linux machine. Everything is
> working fine, except that the NT-machine's account is incorrect after a
> reboot of the NT-machine (NOT the linux machine).
> Before the reboot, all users could log in, log off, type incorrect
> passwords without crashing the machine, type nothing without logging
> in (arcfour),...
> Because I know how much you all like the log files, the config files,... i
> have not attached them to this mail, but have put them online at
>
> http://studwww.rug.ac.be/~bgrymonp/
>
> More info can be found there.
>
> I hope someone can help me...
>
> Thanks in advance,
> Bernard
>
> --------------------------------------------------------------------------------
> *** Make an idiot proof program, and someone will make a better idiot ***
> -------------------------------------------------------------------------------
> Bernard Grymonpon Onderhoudsteam "Student 1"
> bernard@zeus.rug.ac.be Support PC "De Brug"
> Student University of Ghent Hardware verantwoordelijke "Zeus"
> -------------------------------------------------------------------------------
>
>
>

From lkcl at switchboard.net Fri May 8 14:38:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: IMPORTANT change for people compiling from cvs
Message-ID:

you will now need to do "make proto; make". for this you will need awk
(nawk or gawk).

i have removed [the automatically generated] proto.h from the cvs
repository.

luke

From bernard at zeus.rug.ac.be Fri May 8 14:59:02 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:24:05 2003
Subject: Machine account after rebooting...
In-Reply-To:
Message-ID:

On Sat, 9 May 1998, Luke Kenneth Casson Leighton wrote:

> the credentials are wrong: therefore the trust account password is either
> wrong or has got out of sync.
>
> you will need to sort this out by causing your computer to unjoin and then
> rejoin the domain, or by renaming the machine.

Is there no other way to do this? It is very annoying to do this each time
you boot a machine... Renaming is not an option, as i don't have any IP's
free.

Thanks
Bernard

>
> On Fri, 8 May 1998, Bernard Grymonpon wrote:
> >
> > Hi,
> >
> > I have installed samba (1.9.18p4-HEAD) on a Linux machine. Everything is
> > working fine, except that the NT-machine's account is incorrect after a
> > reboot of the NT-machine (NOT the linux machine).
> > Before the reboot, all users could log in, log off, type incorrect
> > passwords without crashing the machine, type nothing without logging
> > in (arcfour),...
> > Because I know how much you all like the log files, the config files,... i
> > have not attached them to this mail, but have put them online at
> >
> > http://studwww.rug.ac.be/~bgrymonp/
> >
> > More info can be found there.
> >
> > I hope someone can help me...
> >
> > Thanks in advance,
> > Bernard
> >
> > --------------------------------------------------------------------------------
> > *** Make an idiot proof program, and someone will make a better idiot ***
> > -------------------------------------------------------------------------------
> > Bernard Grymonpon Onderhoudsteam "Student 1"
> > bernard@zeus.rug.ac.be Support PC "De Brug"
> > Student University of Ghent Hardware verantwoordelijke "Zeus"
> > -------------------------------------------------------------------------------
> >
> >
> >
>

-------------------------------------------------------------------------------
Bernard Grymonpon Onderhoudsteam "Student 1"
bernard@zeus.rug.ac.be Support PC "De Brug"
Student University of Ghent Hardware verantwoordelijke "Zeus"
-------------------------------------------------------------------------------

From lkcl at switchboard.net Fri May 8 15:38:51 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Machine account after rebooting...
In-Reply-To:
Message-ID:

On Sat, 9 May 1998, Bernard Grymonpon wrote:

> On Sat, 9 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > the credentials are wrong: therefore the trust account password is either
> > wrong or has got out of sync.
> >
> > you will need to sort this out by causing your computer to unjoin and then
> > rejoin the domain, or by renaming the machine.
>
> Is there no other way to do this? It is very annoying to do this each time
> you boot a machine...

why do you need to do this each time you boot a machine?

> Renaming is not an option, as i don't have any IP's
> free.

you don't have to change the ip address: just the netbios name. MACHINE
to MACHINE1 (reboot) would do.

From lkcl at switchboard.net Fri May 8 16:58:32 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: IMPORTANT change for people compiling from cvs
In-Reply-To:
Message-ID:

scratch this :-)

jeremy (who hasn't been receiving any email for the last 24 hours)
considered that the risk of not having proto.h the same as when he
compiled and tested the code before a release is too great.

soooo, ignore this: we're back where we were a few hours ago.

luke

jeremy's email system: get well soon!

On Fri, 8 May 1998, Luke Kenneth Casson Leighton wrote:

> you will now need to do "make proto; make". for this you will need awk
> (nawk or gawk).
>
> i have removed [the automatically generated] proto.h from the cvs
> repository.
>
> luke
>
>

From jallison at whistle.com Fri May 8 17:18:06 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:05 2003
Subject: Machine account after rebooting...
References:
Message-ID: <35533E4E.4B761E89@whistle.com>

Bernard Grymonpon wrote:
>
> On Sat, 9 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > the credentials are wrong: therefore the trust account password is either
> > wrong or has got out of sync.
> >
> > you will need to sort this out by causing your computer to unjoin and then
> > rejoin the domain, or by renaming the machine.
>
> Is there no other way to do this? It is very annoying to do this each time
> you boot a machine... Renaming is not an option, as i don't have any IP's
> free.
>

Make sure you are running the latest cvs head branch of the code
(it will identify itself as 1.9.19-prealpha). The changing of the
machine account password after a reboot was fixed a week or so ago.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Fri May 8 17:29:06 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:05 2003
Subject: A few oddball things
References:
Message-ID: <355340E2.7991A45@whistle.com>

Tavis Barr wrote:
>
> I'm having a few problems and I'm wondering if anyone has answers:
>
> (1) I've had some odd things happen with the CVS update from last
> weekend. First, when I run smbclient, I get
>
> Domain=[AMNESIA] OS=[Unix] Server=[Samba 1.9.18p3]
>
> Is the latest main branch update based on p3 rather than p4, or why does
> it list this?
>

You are using a very old version of the head branch
(the latest version.h is 1.9.19-prealpha). Update using :

cvs update -d -P -A

This will force a head branch update.

Regards,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From kfleming at access-laserpress.com Fri May 8 18:42:40 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:05 2003
Subject: Solaris installation of Samba
Message-ID: <35535220.8DE3A379@access-laserpress.com>

(This is a little off-topic, but since there's so many experts here :-)

OK, I successfully got the main branch downloaded via CVS to my Linux
machine, copied the source tree over to my new Solaris machine, edited
the Makefile properly, but it looks like I don't have a real C compiler
on this machine (only a "cc" that reports an optional package hasn't
been installed).

Not being terribly familiar with Solaris' quirks, I'm guessing that Sun
(in their infinite wisdom) licenses the C/C++ compilers/tools separately
from the core OS. If this is true, I guess I should find out how to get
GCC for this platform.

Anyone out there have any pointers?

From aperrin at demog.Berkeley.EDU Fri May 8 18:53:23 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:05 2003
Subject: Solaris installation of Samba
In-Reply-To: <35535220.8DE3A379@access-laserpress.com>
Message-ID:

Yes, get GCC. You'll get nowhere without it :).

ap

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Sat, 9 May 1998, Kevin P. Fleming wrote:

> (This is a little off-topic, but since there's so many experts here :-)
>
> OK, I successfully got the main branch downloaded via CVS to my Linux
> machine, copied the source tree over to my new Solaris machine, edited
> the Makefile properly, but it looks like I don't have a real C compiler
> on this machine (only a "cc" that reports an optional package hasn't
> been installed).
>
> Not being terribly familiar with Solaris' quirks, I'm guessing that Sun
> (in their infinite wisdom) licenses the C/C++ compilers/tools separately
> from the core OS. If this is true, I guess I should find out how to get
> GCC for this platform.
>
> Anyone out there have any pointers?
>

From kfleming at access-laserpress.com Fri May 8 19:20:04 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:05 2003
Subject: Solaris installation of Samba
References:
Message-ID: <35535AE4.A157102C@access-laserpress.com>

Thanks everyone for all the instant and helpful responses... I ended up
at http://sunsite.unc.edu/pub/packages/solaris/sparc, which had
everything I wanted (GNU cc, make, m4, patch, zip and cvs). I also
downloaded the latest Solaris patch cluster, so I'm off to screw up--- I
mean fix up the machine.

Thanks again.

Andrew Perrin - Demography wrote:
>
> Yes, get GCC. You'll get nowhere without it :).
>
> ap
>
> ---------------------------------------------------------------------
> Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
> Department of Demography - University of California at Berkeley
> 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
> http://demog.berkeley.edu/~aperrin --------------------------SEIU1199
>
> On Sat, 9 May 1998, Kevin P. Fleming wrote:
>
> > (This is a little off-topic, but since there's so many experts here :-)
> >
> > OK, I successfully got the main branch downloaded via CVS to my Linux
> > machine, copied the source tree over to my new Solaris machine, edited
> > the Makefile properly, but it looks like I don't have a real C compiler
> > on this machine (only a "cc" that reports an optional package hasn't
> > been installed).
> >
> > Not being terribly familiar with Solaris' quirks, I'm guessing that Sun
> > (in their infinite wisdom) licenses the C/C++ compilers/tools separately
> > from the core OS. If this is true, I guess I should find out how to get
> > GCC for this platform.
> >
> > Anyone out there have any pointers?
> >

From kfleming at access-laserpress.com Fri May 8 23:16:36 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:05 2003
Subject: Successful upgrade/new install
Message-ID: <35539254.6C422311@access-laserpress.com>

Well, after getting all my Solaris tools working, I've successfully
installed 1.9.19-prealpha onto my Solaris machine, and upgraded my Linux
machine from 1.9.17p4. Both are appearing just fine in my NT domain (as
member servers).

Firstly, let me say how thankful I am that all of you spend so much time
making this stuff work so well. It went in without a hitch, and unless
I'm sadly mistaken this version appears to respond _much_ more rapidly
to browsing and file copying than 1.9.17p4 did.

After reviewing the message archives, it appears as though the support
for mapping groups that exist in the NT domain's SAM database to the
local Unix groups on the Samba server hasn't been done yet... Is this
correct?
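
An added example, not part of any message in this thread and not Samba's code: a small collision check for the two RID points made earlier in the thread, namely that users, groups and machine accounts share one RID namespace, and that forcing every "domain admins" user to DOMAIN_USER_RID_ADMIN gives them one identity (and so one profile) on NT. The id-to-RID formula, the struct and function names and the account tables are hypothetical and constructed; 500 and 512 are the well-known NT values of the two constants the thread names.

```c
#include <stdio.h>
#include <stddef.h>

#define DOMAIN_USER_RID_ADMIN   0x1F4u  /* 500: built-in Administrator user */
#define DOMAIN_GROUP_RID_ADMINS 0x200u  /* 512: Domain Admins group */
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

enum acct_kind { ACCT_USER, ACCT_MACHINE, ACCT_GROUP };

struct acct {
    const char    *name;
    enum acct_kind kind;
    unsigned       id;            /* uid for users/machines, gid for groups */
    int            listed_admin;  /* named in "domain admins = ..." */
};

typedef unsigned (*rid_policy)(const struct acct *);

/* Hypothetical mapping (an assumption, not Samba's algorithm): uids take
 * even RIDs and gids odd RIDs, so both fit in one namespace. */
static unsigned id_to_rid(const struct acct *a)
{
    unsigned rid = 1000u + 2u * a->id;
    return (a->kind == ACCT_GROUP) ? rid + 1u : rid;
}

/* Behaviour described in the thread: every listed admin user is handed
 * the same user RID. */
static unsigned rid_admin_override(const struct acct *a)
{
    if (a->kind == ACCT_USER && a->listed_admin)
        return DOMAIN_USER_RID_ADMIN;
    return id_to_rid(a);
}

/* Alternative: the user RID stays unique ... */
static unsigned rid_unique(const struct acct *a)
{
    return id_to_rid(a);
}

/* ... and admin status is carried as a group RID instead (0 = none). */
static unsigned admin_group_rid(const struct acct *a)
{
    return (a->kind == ACCT_USER && a->listed_admin)
               ? DOMAIN_GROUP_RID_ADMINS : 0u;
}

/* Count pairs of accounts that receive the same RID under a policy. */
static int count_rid_collisions(const struct acct *tab, size_t n,
                                rid_policy policy, int verbose)
{
    int collisions = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (policy(&tab[i]) == policy(&tab[j])) {
                collisions++;
                if (verbose)
                    printf("  RID %u shared by %s and %s\n",
                           policy(&tab[i]), tab[i].name, tab[j].name);
            }
        }
    }
    return collisions;
}

/* Constructed accounts: every id comes from one passwd/group database. */
static const struct acct sample_accounts[] = {
    { "foo",     ACCT_USER,    501, 1 },
    { "bar",     ACCT_USER,    502, 1 },
    { "alice",   ACCT_USER,    503, 0 },
    { "TEST$",   ACCT_MACHINE, 600, 0 },
    { "ntusers", ACCT_GROUP,   501, 0 },  /* gid equal to foo's uid */
};

/* Constructed accounts: a machine id allocated outside the passwd file
 * happens to reuse a user's uid. */
static const struct acct sample_untracked_machine[] = {
    { "alice", ACCT_USER,    503, 0 },
    { "WS1$",  ACCT_MACHINE, 503, 0 },
};

int main(void)
{
    printf("admin override policy:\n");
    count_rid_collisions(sample_accounts, NELEM(sample_accounts),
                         rid_admin_override, 1);
    printf("unique user RIDs, admin as group %u: %d collisions\n",
           admin_group_rid(&sample_accounts[0]),
           count_rid_collisions(sample_accounts, NELEM(sample_accounts),
                                rid_unique, 0));
    printf("machine id allocated outside passwd:\n");
    count_rid_collisions(sample_untracked_machine,
                         NELEM(sample_untracked_machine), rid_unique, 1);
    return 0;
}
```
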

From cartegw at Eng.Auburn.EDU Sat May 9 02:19:35 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:05 2003
Subject: A few oddball things
In-Reply-To:
Message-ID:

On Fri, 8 May 1998, Tavis Barr wrote:

> (3) Samba does not want to browse across IP subnets, even when all
> machines are on the same router and NT machines have no trouble seeing
> each other. Is this normal?
>

Nope. Works fine for me.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Sat May 9 13:11:48 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Successful upgrade/new install
In-Reply-To: <35539254.6C422311@access-laserpress.com>
Message-ID:

> making this stuff work so well. It went in without a hitch, and unless
> I'm sadly mistaken this version appears to respond _much_ more rapidly
> to browsing and file copying than 1.9.17p4 did.

yep.

> After reviewing the message archives, it appears as though the support
> for mapping groups that exist in the NT domain's SAM database to the
> local Unix groups on the Samba server hasn't been done yet... Is this
> correct?

not in a documented, not-subject-to-change format :-)

"domain users = admin 'power_ops'" or "domain guest users = guest_user etc
etc". it's all there...

From lkcl at switchboard.net Sat May 9 13:12:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: A few oddball things
In-Reply-To:
Message-ID:

send us your smb.conf file: we'll have a look.

On Sat, 9 May 1998, Gerald W. Carter wrote:

> On Fri, 8 May 1998, Tavis Barr wrote:
>
> > (3) Samba does not want to browse across IP subnets, even when all
> > machines are on the same router and NT machines have no trouble seeing
> > each other. Is this normal?
> >
>
> Nope. Works fine for me.
>
>
>
> j-
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba and Network Consultancy

From lkcl at cb1.com Mon May 11 10:46:20 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: email disruption again
Message-ID:

switchboard.net redirector's "temporary password" system is failing,
therefore i cannot redirect switchboard.net from regent.push.net (which i
am forced to move) to cb1.com.

therefore:

- if you send email to lkcl@cb1.com it will succeed (according to the
  usual laws of email physics)

- if you send email to lkcl@samba.anu.edu.au it will succeed (and be
  redirected to cb1.com)

- if you send email to lkcl@switchboard.net it may fail, but hopefully
  will be up again within a few days. this is my preferred option, but
  they are *seriously* trying my patience.

- if you send email to lkcl@regent.push.net it will definitely fail, and
  will not be up again (ever).

doo have fun attempting to contact me. i have changed all my lists over
to cb1.com already, so will be keeping an eye on those...
luke-the-uncontactable

From phgrau at mail.wi-bw.tfh-wildau.de Mon May 11 11:26:45 1998
From: phgrau at mail.wi-bw.tfh-wildau.de (Philipp Grau)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
References:
Message-ID: <19980511132645.15638@tampere>

Hello,

i have some troubles with the current smbpasswd program,
here some output:

root@samba:~# smbpasswd root test
smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
smbpasswd: Address already in use.

root@samba:~# ls -l /usr/local/samba/private/smbpasswd
-rw------- 1 root root 18767 May 11 11:05 /usr/local/samba/private/smbpasswd

root@samba:~# grep root /usr/local/samba/private/smbpasswd
root:0:[...]:[...]:root:/root:/bin/bash

when I try it as root for another user: same problem

When I try this for a machine which is in /etc/passwd:

root@samba:~# smbpasswd -a -m bs8
smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
smbpasswd: Address already in use.

"user@samba:~$ smbpasswd" runs fine!!

What am I missing???
Any hints??

\bye
Philipp

--
Philipp Grau, phgrau@wi-bw.tfh-wildau.de in Wildau
---------------------------------------------The-Answer-is-42-!------

From x7currie at lab2.cc.wmich.edu Mon May 11 12:35:44 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:05 2003
Subject: smbpasswd questions
Message-ID:

Here's the setup:
We have samba running, and by and large working nicely, as a PDC on a box which we are not allowing login's to. We're working on some password sync solutions (for Solaris 2.5.1) and are finding that from remote Sun stations, smbpasswd will not update a users password. It seems to be wanting to talk to (one of the) samba daemons. Do we have to install samba on every workstation we have to do this?
What are some of the password sync solutions other people have been working on? I've seen some stuff here but have been unable to duplicate it.
We want users to be able to change their (unix and smb) passwords from a unix prompt with one command (we're using NIS+). The ability to change the passwords from NT stations is completely secondary to this.

Thanks,
Kevin Currie

From x7currie at lab2.cc.wmich.edu Mon May 11 12:36:54 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:05 2003
Subject: smbpasswd questions... again.
Message-ID:

Sorry, I forgot to paste in the error that smbpasswd is giving us.

/usr/local/samba/bin/smbpasswd: machine 127.0.0.1 rejected the session setup. Error was : ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.).

From lkcl at cb1.com Mon May 11 13:11:44 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
In-Reply-To: <19980511132645.15638@tampere>
Message-ID:

On Mon, 11 May 1998, Philipp Grau wrote:

> Hello,
>
> i have some troubles with the current smpasswd program,
> here some output:
>
> root@samba:~# smbpasswd root test
> smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
> smbpasswd: Address already in use.

i get a "seek failed" error.

> "user@samba:~$ smbpasswd" runs fine!!

???????

> What am I missing???

no idea!

> Any hints??

panic!!!! :-)

(serious suggestion: use an old version, use 1.9.18p3's smbpasswd command or something).

From cartegw at Eng.Auburn.EDU Mon May 11 14:36:02 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:05 2003
Subject: smbpasswd questions
References:
Message-ID: <35570CD2.DC8B69D4@eng.auburn.edu>

Kevin Currie wrote:
>
> Here's the setup:
> We have samba running, and by and large working nicely, as a PDC
> on a box which we are not allowing login's to. We're working on some
> password sync solutions (for Solaris 2.5.1) and are finding that from
> remote Sun stations, smbpasswd will not update a users password. It
> seems to be wanting to talk to (one of the) samba daemons. Do we have
> to install samba on every workstation we have to do this?
> What are some of the password sync solutions other people have
> been working on? I've seen some stuff here but have been unable to
> duplicate it. We want users to be able to change their (unix and
> smb) passwords from a unix prompt with one command (we're using NIS+).
> The ability to change the passwords from NT stations is completely
> secondary to this.

Kevin,

You should dig through the list archives for some existing solutions to this. There have been several threads recently ( within the past month or so ).

What we do is an extension of our normal passwd change procedure. We run a mixture of SunOS4 / Solaris 2.5[& 6] in a NIS / NIS+ environment. A password client contacts a server process running on the NIS master which performs a yppasswd on the plain text password. If successful, the new passwd is sent to a process running on our secured samba pdc which will update the smbpasswd entry ( or add it if necessary ) for the user.

Something like this...

pwclient -> NISpasswd -> SMBpasswd

You are correct in that smbpasswd requires the smbpasswd file to be a local ( or appear that way via nfs ) file.

Hope this helps,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at cb1.com Mon May 11 14:53:32 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: smbpasswd questions
In-Reply-To: <35570CD2.DC8B69D4@eng.auburn.edu>
Message-ID:

> You are correct in that smbpasswd requires the smbpasswd file to be a
> local ( or appear that way via nfs ) file.
remember that it's not advisable to send smbpasswd files over-the-wire: they contain clear-text-equivalent 16 byte hashes.

strong advice: keep the private/smbpasswd file on local disk.

From aperrin at demog.Berkeley.EDU Mon May 11 15:23:53 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
In-Reply-To: <19980511132645.15638@tampere>
Message-ID:

Looks suspiciously similar to our problem:

#@boserup:/usr/LOCAL/samba/bin>./smbpasswd aperrin
...
New SMB password:
Retype new SMB password:
startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd
./smbpasswd: Failed to open password file /usr/LOCAL/samba/private/smbpasswd.
./smbpasswd: Error 0

using 1.9.19-prealpha on Solaris 2.6. It will work the first time (i.e., when there's no smbpasswd file) but always bombs subsequent times.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Mon, 11 May 1998, Philipp Grau wrote:

> Hello,
>
> i have some troubles with the current smpasswd program,
> here some output:
>
> root@samba:~# smbpasswd root test
> smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
> smbpasswd: Address already in use.
>
> root@samba:~# ls -l /usr/local/samba/private/smbpasswd
> -rw------- 1 root root 18767 May 11 11:05 /usr/local/samba/private/smbpasswd
>
> root@samba:~# grep root /usr/local/samba/private/smbpasswd
> root:0:[...]:[...]:root:/root:/bin/bash
>
> when I try is as root for for another user: same problem
>
> When I try this for a maschine which is in /etc/passwd:
>
> root@samba:~# smbpasswd -a -m bs8
> smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
> smbpasswd: Address already in use. > > "user@samba:~$ smbpasswd" runs fine!! > > What am I missing??? > Any hints?? > > \bye > Philipp > > > -- > > Philipp Grau, phgrau@wi-bw.tfh-wildau.de in Wildau > ---------------------------------------------The-Answer-is-42-!------ > From william at hae.com Mon May 11 15:52:17 1998 From: william at hae.com (William Stuart) Date: Tue Dec 2 02:24:05 2003 Subject: Problems with smbpasswd-program In-Reply-To: Message-ID: I have Andrew's problem too, on Red Hat. I didn't bug it because I thought it might be Red Hat specific. I have the exact same symtoms, gives error but works with no file, will not work subsequently. I'm using a 3-5 day old cvs tree (main branch) code. William On Tue, 12 May 1998, Andrew Perrin - Demography wrote: > Date: Tue, 12 May 1998 01:27:32 +1000 > From: Andrew Perrin - Demography > To: Multiple recipients of list > Subject: Re: Problems with smbpasswd-program > > Looks suspiciously similar to our problem: > > #@boserup:/usr/LOCAL/samba/bin>./smbpasswd aperrin > .. > New SMB password: > Retype new SMB password: > startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd > /smbpasswd: Failed to open password file > /usr/LOCAL/samba/private/smbpasswd. > /smbpasswd: Error 0 > > using 1.9.19-prealpha on Solaris 2.6. It will work the first time (i.e., > when there's no smbpasswd file) but always bombs subsequent times. > > --------------------------------------------------------------------- > Andrew J. 
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support > Department of Demography - University of California at Berkeley > 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA > http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 > > On Mon, 11 May 1998, Philipp Grau wrote: > > > Hello, > > > > i have some troubles with the current smpasswd program, > > here some output: > > > > root@samba:~# smbpasswd root test > > smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd. > > smbpasswd: Address already in use. > > > > root@samba:~# ls -l /usr/local/samba/private/smbpasswd > > -rw------- 1 root root 18767 May 11 11:05 /usr/local/samba/private/smbpasswd > > > > root@samba:~# grep root /usr/local/samba/private/smbpasswd > > root:0:[...]:[...]:root:/root:/bin/bash > > > > when I try is as root for for another user: same problem > > > > When I try this for a maschine which is in /etc/passwd: > > > > root@samba:~# smbpasswd -a -m bs8 > > smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd. > > smbpasswd: Address already in use. > > > > "user@samba:~$ smbpasswd" runs fine!! > > > > What am I missing??? > > Any hints?? > > > > \bye > > Philipp > > > > > > -- > > > > Philipp Grau, phgrau@wi-bw.tfh-wildau.de in Wildau > > ---------------------------------------------The-Answer-is-42-!------ > > > > From cartegw at Eng.Auburn.EDU Mon May 11 17:40:49 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:05 2003 Subject: Problems with smbpasswd-program References: Message-ID: <35573821.7BBE257A@eng.auburn.edu> Andrew Perrin - Demography wrote: > > Looks suspiciously similar to our problem: > > #@boserup:/usr/LOCAL/samba/bin>./smbpasswd aperrin > .. > New SMB password: > Retype new SMB password: > startsmbpwent: opening file /usr/LOCAL/samba/private/smbpasswd > /smbpasswd: Failed to open password file > /usr/LOCAL/samba/private/smbpasswd. 
> /smbpasswd: Error 0
>
> using 1.9.19-prealpha on Solaris 2.6. It will work the first time
> (i.e., when there's no smbpasswd file) but always bombs subsequent
> times.

Can someone ( Luke, Jeremy, etc... ) verify / discredit the following observation

------- smbpasswd .c ------------------------------------

    /*
     * Open the smbpaswd file.
     */
    vp = startsmbpwent(True);
    if (!vp && errno == ENOENT) {
        fp = fopen(lp_smb_passwd_file(), "w");
        if (fp) {
            fprintf(fp, "# Samba SMB password file\n");
            fclose(fp);
            vp = startsmbpwent(True);
        }
    }
    if (!fp) {
        err = errno;
        fprintf(stderr, "%s: Failed to open password file %s.\n",
                prog_name, lp_smb_passwd_file());
        errno = err;
        perror(prog_name);
        exit(err);
    }

---------------------------------------

It really appears that fp is set ( call to fopen() ) only if the call to startsmbpwent() fails ( returns a NULL pointer ). Therefore if startsmbpwent() returns a valid pointer meaning the SMB_PASSWD_FILE was opened, fopen never gets called and thus smbpasswd will exit complaining that it could not open the password file.

Does that make sense? This observation is from looking at the code not running it.

I'm guessing the call to "if (!fp)..." should be "if (!vp)..."

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at cb1.com Mon May 11 17:54:45 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
In-Reply-To: <35573821.7BBE257A@eng.auburn.edu>
Message-ID:

> Can someone ( Luke, Jeremy, etc... ) verify / discredit the following
> observation
>
> ------- smbpasswd .c ------------------------------------
>
>     /*
>      * Open the smbpaswd file.
>      */
>     vp = startsmbpwent(True);
>     if (!vp && errno == ENOENT) {
>         fp = fopen(lp_smb_passwd_file(), "w");
>         if (fp) {
>             fprintf(fp, "# Samba SMB password file\n");
>             fclose(fp);
>             vp = startsmbpwent(True);
>         }
>     }
>     if (!fp) {

my email system is running so slow that jeremy had fixed this before i'd even received acknowledgement :-)

From jallison at whistle.com Mon May 11 17:51:31 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
References: <35573821.7BBE257A@eng.auburn.edu>
Message-ID: <35573AA3.ABD322C@whistle.com>

Gerald,

Indeed you are correct - thanks for that fix, I'm afraid it was a stupid typo of mine :-(. (that'll probably fix your smbpasswd problem Luke).

Thanks once again & I've checked the change into the tree.

If people having problems with smbpasswd could re-check out & test this change I'd be grateful.

Thanks once again Gerald,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at cb1.com Mon May 11 18:14:45 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with smbpasswd-program
In-Reply-To: <35573AA3.ABD322C@whistle.com>
Message-ID:

On Tue, 12 May 1998, Jeremy Allison wrote:

> Gerald,
>
> Indeed you are correct - thanks for that fix,
> I'm afraid it was a stupid typo of mine :-(.
> (that'll probably fix your smbpasswd problem Luke).

yep: and everyone elses' :-)

> Thanks once again & I've checked the change into
> the tree.
fixed quicker than i receive email, that's for sure

From jallison at whistle.com Mon May 11 18:33:57 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:05 2003
Subject: smbpasswd questions
References:
Message-ID: <35574495.4487EB71@whistle.com>

Kevin Currie wrote:
>
> Here's the setup:
> We have samba running, and by and large working nicely, as a PDC
> on a box which we are not allowing login's to. We're working on some
> password sync solutions (for Solaris 2.5.1) and are finding that from
> remote Sun stations, smbpasswd will not update a users password. It seems
> to be wanting to talk to (one of the) samba daemons. Do we have to
> install samba on every workstation we have to do this?

No - use smbpasswd -r to point the password change to the machine that owns the master smbpasswd file.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Mon May 11 19:10:07 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:05 2003
Subject: Eventlog messages
References: <354F1847.FD52ABEE@eng.auburn.edu>
Message-ID: <35574D0F.CFC6D107@eng.auburn.edu>

Gerald Carter wrote:
>
> I have two eventlog entries I would like to run by everyone and see
> if I am an isolated case.
>
> Here's the setup.
>
> - 5 NT 4.0 Workstations on subnet xxx.xxx.AAA.xxx
> - 1 Samba PDC running Solaris 2.5.1 on subnet xxx.xxx.BBB.xxx
> - The Samba PDC is the primary WINS server for the NT boxes.
>   There is no secondary WINS server.
>
> The first eventlog entry seems to come in bursts
>
> EventID : 5719
>
> No Windows NT Domain Controller is available for
> domain LENORE. (This event is expected and can be
> ignored when booting with the 'No Net' Hardware Profile.)
> The following error occurred: There are currently no
> logon servers available to service the logon request.

Hate to respond to myself ( kind of makes me feel that I am talking to myself... ) but someone else may find this interesting.

I was able to cure this illness on my NT boxes ( the ones on a different subnet than the samba PDC ) by setting up a Samba server as the local browse master on the remote subnet for the domain.

This would seem to point to a name resolution problem. Anyways, works now. Contact me for details if you need them.

Gone for now,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From tavis at mahler.econ.columbia.edu Tue May 12 03:10:30 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems doing update
In-Reply-To: <35574495.4487EB71@whistle.com>
Message-ID:

I am re-posting a question to the list at someone's suggestion. The problem is this: I _think_ I am using the latest CVS update of the code as of this afternoon. However, there are some things about the code that appear old:

(1) When I run smbclient, I get a header that says

Domain=[SAMBADC] OS=[Unix] Server=[Samba 1.9.18p3]

(2) smbclient crashes when run against a remote server, stating for example:

...
Connecting to 128.59.220.18 at port 139
error connecting to 128.59.220.18:139 (Connection refused)
cli_establish_connection: failed to connect to MARKOV<00> (0.0.0.0)
client_init: connection failed
warning: connection could not be established to 128.59.220.18<20>
this version of smbclient may crash if you proceed
~ %

(3) log.nmbd indicates that nmbd is version 1.9.18p3 and doesn't recognize the parameter "domain sid"

Nevertheless, the code is clearly new in some respects.
testparm recognizes "domain sid" and the binary swat is installed as well.

When I put this query in a few days ago, I got a bunch of responses saying "you need to update your code." So I did it _again_. I did this by typing (from the directory smb above the samba directory):

smb % mv samba samba-old
smb % cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login
[enter password cvs]
smb % cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba
[lots of output, in the form of "Updating..."]
smb % cd samba
samba % cvs update -d -P -A
[lots more similar output]
samba % cd source
[edit Makefile for SunOS 4 flags and CC=gcc and my domain]
samba % make
[compiling output]
samba % make install

I then restart Samba. Am I missing something really basic? I ran it by Luke and he thought it looked okay and might be something in my smb.conf file. I'm enclosing that below. I would strongly welcome any suggestions anyone has.

Thanks,
Tavis

; Configuration file for smbd.
; ============================================================================

[global]
   workgroup=SAMBADC
   server string=Sparc2 in Sociology

   hosts allow = 128.59.226.78 , 128.59. , 127.
   guest account = nobody
   socket options = TCP_NODELAY
   domain sid = S-1-5-21-059-226-071
   domain logons = yes
   domain master = yes
   local master = yes
   os level = 100
   security = domain
   encrypt passwords = no
   logon script = %U.bat
   logon drive = l:

   wins support = yes
   wins proxy = yes
   remote announce = 128.59.226.175 , 128.59.226.42, 128.59.194.255, 128.59.220.255
   remote browse sync = 128.59.220.18
   preferred master = yes

   printing = bsd
   printcap name = /etc/printcap
   load printers = yes

   log file = /usr/local/samba/log.%m
   debug level = 3

   lock directory = /usr/local/samba/var/locks
   share modes = yes

[NETLOGON]
   path = /usr/local/samba/lib/netlogon
   writeable = no
   guest ok = yes
   share modes = no
   public = yes

[homes]
   comment = Home Directories
   read only = no
   create mode = 0750

[printers]
   comment = All Printers
   printable = yes
   public = no
   writable = no
   create mode = 0700

From lkcl at cb1.com Tue May 12 10:29:27 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems doing update
In-Reply-To:
Message-ID:

On Tue, 12 May 1998, Tavis Barr wrote:

>
> I am re-posting a question to the list at someone's suggestion. The

me! me!

> problem is this: I _think_ I am using the latest CVS update of the code
> as of this afternoon. However, there are some things about the code
> that appear old:
>
> (1) When I run smbclient, I get a header that says
>
> Domain=[SAMBADC] OS=[Unix] Server=[Samba 1.9.18p3]
>
> (2) smbclient crashes when run against a remote server, stating for example:
>
> ..
> Connecting to 128.59.220.18 at port 139
> error connecting to 128.59.220.18:139 (Connection refused)
> cli_establish_connection: failed to connect to MARKOV<00> (0.0.0.0)
> client_init: connection failed
> warning: connection could not be established to 128.59.220.18<20>
> this version of smbclient may crash if you proceed
> ~ %

this is a BRANCH_NTDOM version, not the main-line version.
> (3) log.nmbd indicates that nmbd is version 1.9.18p3 and doesn't recognize
> the parameter "domain sid"

are you running from inetd or anything? you cannot be running the latest version if log.nmbd states that 1.9.18p3 is running, period.

- are you running it as ./nmbd instead of just nmbd
- did you do a make; make install; /usr/local/samba/bin/smbd; /usr/local/samba/bin/nmbd?
- other

> Nevertheless, the code is clearly new in some respects. testparm
> recognizes "domain sid" and the binary swat is installed as well.

bizarre.

>
> When I put this query in a few days ago, I got a bunch of responses
> saying "you need to update your code."

yes, because you are running old (and different!) versions of samba, probably from locations that you are not aware of.

> smb % mv samba samba-old
> smb % cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot login
> [enter password cvs]
> smb % cvs -d :pserver:cvs@samba.anu.edu.au:/cvsroot co samba
> [lots of output, in the form of "Updating..."]
> smb % cd samba
> samba % cvs update -d -P -A
> [lots more similar output]
> samba % cd source
> [edit Makefile for SunOS 4 flags and CC=gcc and my domain]
> samba % make
> [compiling output]
> samba % make install
>
> I then restart Samba. Am I missing something really basic? I ran it by
> Luke and he thought it looked okay and might be something in my smb.conf
> file. I'm enclosing that below. I would strongly welcome any suggestions
> anyone has.
>
> Thanks,
> Tavis
>
>
> ; Configuration file for smbd.
> ; ============================================================================
>
> [global]
> workgroup=SAMBADC
> server string=Sparc2 in Sociology
>
> hosts allow = 128.59.226.78 , 128.59. , 127.
> guest account = nobody
> socket options = TCP_NODELAY
> domain sid = S-1-5-21-059-226-071

well done - someone who picked a sid that _isn't_ 123-456-789 :-) :-)

> domain logons = yes
> domain master = yes
> local master = yes
> os level = 100
> security = domain
> encrypt passwords = no

ok, you will need "encrypt passwords = yes", for sure.

> logon script = %U.bat
> logon drive = l:
>
> wins support = yes
> wins proxy = yes
> remote announce = 128.59.226.175 , 128.59.226.42, 128.59.194.255, 128.59.220.255

the use of remote announce is not recommended.

> remote browse sync = 128.59.220.18

what the _heck_ is this parameter???

> preferred master = yes
>
> printing = bsd
> printcap name = /etc/printcap
> load printers = yes
>
> log file = /usr/local/samba/log.%m
> debug level = 3
>
> lock directory = /usr/local/samba/var/locks
> share modes = yes

add

case sensitive = no
case preserve = yes
short case preserve = yes

look these up in man smb.conf to check spelling.

>
> [NETLOGON]
> path = /usr/local/samba/lib/netlogon
> writeable = no
> guest ok = yes
> share modes = no
> public = yes

important:

locking = no
guest ok = no

delete either public = yes or guest ok = yes - they are identical

see man smb.conf :-)

From lkcl at cb1.com Tue May 12 11:37:47 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: password API needed
In-Reply-To:
Message-ID:

ok, short (1/2 hour) brainstorm yesterday with jeremy came up with some ideas on the password database system.

jeremy doesn't want any new fields added to struct smb_pass, particularly those that will not be relevant to unix-side-only code (e.g "full name", "workstations" etc). this reflects NT's generation of "info levels", namely that you can obtain frequently used important information (username / pass) in one structure, and ask for larger and larger structures as the info level increases.

so, i created sam_passwd, which contains _all_ NT SAM fields, and left smb_passwd alone.
now there are two database systems: private/smbpasswd (smbpass.c) and LDAP (ldap.c) which are brought together in a single api (passdb.c). smbpass.c only supports the fields listed in struct smb_passwd, of which there are only 5 or so; ldap.c (as it is under development) will support all the fields listed in struct sam_passwd.

so, in the spirit of leaving private/smbpasswd alone, and not extending it, jeremy suggested creating a private/sampasswd file which contains all the missing NT SAM fields.

not only that, but both jean-francois and jeremy also suggested that if fields are missing (NULL) in either the private/sampasswd file or the LDAP database, that the default option from smb.conf is read. currently, this only means:

- lp_homedir()
- lp_logon_script()
- lp_profile_path()
- lp_homedrive()

now, this is where there is a slight amount of contention. i want(ed) to add lp_workstations(); lp_logon_hours(); lp_kickoff_time(); lp_dialup_info() etc, and jeremy went "argh" and jean-francois went "argh".

jeremy went "argh" because he didn't want extraneous parameters, and jean-francois went "argh" because i suggested doing include=smb.conf.%U and putting "workstations = WKS1 WKS2 ..." in a smb.conf.USERNAME file, but this was only as an example: you can also do include=smb.conf.%G (where G is substituted for the user's group) or you can use the NIS netgroup or whatever. jean-francois thought that i was suggesting the creation of 2,000 smb.conf.USERNAME files: one per user.

_or_ you could do "workstations = %" where % is the substitution parameter for a NIS netgroup of workstations (i think unfortunately, though, that NT limits the number to 8 workstations: i'd be interested to see what happens if you put more...)

i _still_ want to add the above-named parameters, particularly in light of the fact that they will only be used as fall-back parameters when either private/sampasswd or the LDAP database field for that parameter is blank.

also, i would like to see swat or some other config tool be able to generate a full set of NT SAM fields in whatever password database is used.

summary:

- create a private/sampasswd file to work alongside private/smbpasswd and provide the full set of NT SAM fields
- a blank field in private/sampasswd or the LDAP database means "fall back to a default value in smb.conf".
- add new smb.conf parameters to offer the above-mentioned "default value" support for the full set of NT SAM fields.
- configuration tools to create private/sampasswd entries or LDAP database entries _from_ the full set of SAM smb.conf options, so that those parameters are effectively cached and accessed far quicker.

comments, anyone?

From lkcl at cb1.com Tue May 12 11:37:52 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:05 2003
Subject: SAMBA: new password database api
Message-ID:

a new samba password api has been written:

http://samba.anu.edu.au/listproc/samba-technical/0521.html

currently under development is an LDAP back-end password database. Robert Frank has written a NetInfo database as well, which requires integration with this new api: there is also someone else who particularly wanted such an api for their own local, non-standard database system (please contact me through samba-technical, whoever you are!)

the new api supports the full set of NT SAM fields: logon hours, kickoff time, home directory, profile location, nt and lm password hashes, nt user and group rids, and also has extra fields for the unix uid and gid.

the existing smbpasswd scheme is still supported. this file was originally solely to provide smb passwords. plans to add a separate file to sit alongside smbpasswd (sampasswd?) are under discussion, which will contain those extra fields (that it is not appropriate to tack on to the end of smbpasswd entries).

for the benefit of the pam development list (why am i sending this to you?)
i mention this just in case someone wants to extend pam_smbpass, pam_smb or pam_ntdom to read data such as "full name", "home directory" using the new samba password api instead of directly (and only) reading the private/smbpasswd file or anything like that. luke (samba team) From janet at bioss.sari.ac.uk Tue May 12 14:23:16 1998 From: janet at bioss.sari.ac.uk (Janet Dickson) Date: Tue Dec 2 02:24:05 2003 Subject: cvs update - wrong version of patch References: <35574FC8.6201DD56@whistle.com> Message-ID: <35585B54.899BD818@bioss.sari.ac.uk> Hi I have a minor problem in getting updates via cvs. My patch command (/usr/bin on Solaris 2.5.1) gives the message 'patch: Invalid option'. What should I be using ? Janet *************************************************************************** Janet Dickson | http://www.bioss.sari.ac.uk/~janet Biomathematics and Statistics Scotland | email: janet@bioss.sari.ac.uk The King's Buildings, Mayfield Rd | Telephone: +44 (0) 131 650 4888 Edinburgh EH9 3JZ, Scotland, UK. | Fax: +44 (0) 131 650 4901 *************************************************************************** From lkcl at cb1.com Tue May 12 14:36:23 1998 From: lkcl at cb1.com (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:05 2003 Subject: password API needed In-Reply-To: Message-ID: hi samba-ntdom subscribers, after all the wonderful discussions we've had on this list, i was wondering if people could comment on this thread (some of which is going on on samba-technical). questions like: do you think it's a good or a bad idea to add more NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain workstations", bearing in mind that these may have to go down to the granularity of a per-group or per-user basis? jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is "if it's a configuration nightmare, absolutely not, and creating hundreds of smb.conf.%U files is a definite nightmare". 
luke

From jan.van.rensburg at epiuse.com Tue May 12 15:14:50 1998
From: jan.van.rensburg at epiuse.com (jan van rensburg)
Date: Tue Dec 2 02:24:05 2003
Subject: password API needed
In-Reply-To:
Message-ID: <001001bd7db8$b5118280$2b460dc4@tayla.epiuse.co.za>

well,
can't we start working on a different configuration mechanism. maybe a menu-driven interface or something, at least something a little more modular and a little less linear than a plain text file? it can even be extended to an optional x interface.
-jan

> -----Original Message-----
> From: samba-ntdom@samba.anu.edu.au
> [mailto:samba-ntdom@samba.anu.edu.au]On Behalf Of Luke Kenneth Casson
> Leighton
> Sent: Tuesday, May 12, 1998 4:58 PM
> To: Multiple recipients of list
> Subject: Re: password API needed
>
>
> hi samba-ntdom subscribers,
>
> after all the wonderful discussions we've had on this list, i was
> wondering if people could comment on this thread (some of which is going
> on on samba-technical).
>
> questions like: do you think it's a good or a bad idea to add more
> NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> workstations", bearing in mind that these may have to go down to the
> granularity of a per-group or per-user basis?
>
> jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
> "if it's a configuration nightmare, absolutely not, and creating hundreds
> of smb.conf.%U files is a definite nightmare".
>
> luke
>
>

From cbray at comp.uark.edu Tue May 12 15:23:16 1998
From: cbray at comp.uark.edu (Chris Bray)
Date: Tue Dec 2 02:24:05 2003
Subject: Problems with ntdom
In-Reply-To:
Message-ID:

So, I've been running the samba pdc code on my Sparc5 (Solaris 2.6) without any problems for quite a while, had several machines connected up as part of the domains, roaming profiles, etc, etc...it worked great...even made an almost daily ritual of updating my source tree from the main cvs tree as well...
But starting late yesterday (after updating my code), everything stopped working. It compiled fine, but I don't show up in the network neighborhood, my nt workstation won't log in properly (uses locally cached profile instead of the roaming one), and I can't find the computer on the network neighborhood anymore (from multiple machines).

I updated the code again today via cvs, recompiled and same thing. My conf files haven't changed, nor have my starting scripts.

Has anybody else experienced any similar problems? My log.nmb file says that it starts, it's the master browser, etc. I just can't mount any drives, or log in...

chris

=============================================================================
Chris Bray          | Alpha Geek @ MultiMedia Resource Center,
cbray@comp.uark.edu | Computing Services, University of Arkansas
ICQ# 6830763        | http://www.uark.edu/~cbray/
=============================================================================
Unix _is_ user friendly - it's just selective about who its friends are...
=============================================================================

From mk at quadstone.co.uk Tue May 12 15:35:22 1998
From: mk at quadstone.co.uk (Michael Keightley)
Date: Tue Dec 2 02:24:05 2003
Subject: different policies for different groups in a domain
Message-ID: <3905.199805121535@subnode.quadstone.co.uk>

I've created a default policy on an NT server and installed it in the netlogon share as NTConfig.pol on the Samba PDS. This seems to work ok, but is there any way of setting up a policy just for a group of users using Samba?

I'm using the latest main branch of Samba.
Michael
_________
Michael Keightley    Email: mk@quadstone.co.uk
Systems Manager      Tel: +44 131 220 4491
Quadstone Ltd        Fax: +44 131 220 4492
16 Chester Street
Edinburgh EH3 7RA, Scotland

From x7currie at lab2.cc.wmich.edu Tue May 12 15:35:50 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:05 2003
Subject: password API needed
In-Reply-To:
Message-ID:

> NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> workstations", bearing in mind that these may have to go down to the
> granularity of a per-group or per-user basis?

How many parameters are we talking about? If it has to come down to a per-group per-user basis, wouldn't it be a better idea to place this information in a database w/ user and group names?

Kevin Currie

From cartegw at Eng.Auburn.EDU Tue May 12 15:39:13 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
References:
Message-ID: <35586D21.48210B5C@eng.auburn.edu>

Luke Kenneth Casson Leighton wrote:
>
> questions like: do you think it's a good or a bad idea to add more
> NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> workstations", bearing in mind that these may have to go down to the
> granularity of a per-group or per-user basis?
>
> jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's
> vote is "if it's a configuration nightmare, absolutely not, and
> creating hundreds of smb.conf.%U files is a definite nightmare".

Luke,

After pseudo following these discussions as of late, here's my two cents...

smb.conf is a global / service configuration file. **not** a user configuration file. AFAIK...the lookups in smb.conf are sequential. Is this correct? In this case user configuration information in a text file would be a major performance hit for a large site.

However, certain account information is needed to make samba an equal PDC to an NT PDC.
IMHO, the information you desire would be better stored in the password database. I understand that Jeremy does not want to add any more information into the smbpasswd file for reasons that the information would be extraneous for those not using samba as a PDC.

However, since a password API is in the works, why not take the following approach...

- If you want the extra user information, use the LDAP backend
- The smbpasswd backend would simply return what was deemed as "default" settings which would be hardcoded / Compiler time / whatever.

In other words, have the password API get the information for the user / group but have the backend implement whatever was desired.

Again let me state that I really don't think user account information should go into smb.conf. Rather put it with the other user information. Your password API insulates you enough which is really what it is designed for.

For what it's worth,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                           Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From x7currie at lab2.cc.wmich.edu Tue May 12 15:40:35 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:06 2003
Subject: Policies
Message-ID:

Hey, I'm not sure if this is a samba problem or not, but after a recent recompile of the CVS tree (less than a week ago), my NT clients will no longer download their policies from the netlogon share. I noticed this when changes weren't being updated on the client side. This worked fine a couple weeks ago and the only real change in the setup has been newer compiles of samba. I was wondering if anyone else has seen this problem or could try and confirm it for me?

I'm pretty sure that it isn't a client side problem because when I change the PDC to our NT server, all the updates happen as normal.
Kevin

From lkcl at cb1.com Tue May 12 15:50:28 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <001001bd7db8$b5118280$2b460dc4@tayla.epiuse.co.za>
Message-ID:

programs exist that generate smb.conf files. e.g swat, smbedit...

On Tue, 12 May 1998, jan van rensburg wrote:

> well,
> can't we start working on a different configuration mechanism. maybe a
> menu-driven interface or something, at least something a little more modular
> and a little less linear than a plain text file? it can even be extended
> to an optional x interface.
> -jan
>
>
> > -----Original Message-----
> > From: samba-ntdom@samba.anu.edu.au
> > [mailto:samba-ntdom@samba.anu.edu.au]On Behalf Of Luke Kenneth Casson
> > Leighton
> > Sent: Tuesday, May 12, 1998 4:58 PM
> > To: Multiple recipients of list
> > Subject: Re: password API needed
> >
> >
> > hi samba-ntdom subscribers,
> >
> > after all the wonderful discussions we've had on this list, i was
> > wondering if people could comment on this thread (some of which is going
> > on on samba-technical).
> >
> > questions like: do you think it's a good or a bad idea to add more
> > NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> > workstations", bearing in mind that these may have to go down to the
> > granularity of a per-group or per-user basis?
> >
> > jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
> > "if it's a configuration nightmare, absolutely not, and creating hundreds
> > of smb.conf.%U files is a definite nightmare".
> >
> > luke
> >
> >
> >

From lkcl at cb1.com Tue May 12 15:55:05 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Tue, 12 May 1998, Kevin Currie wrote:

> >
> > NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> > workstations", bearing in mind that these may have to go down to the
> > granularity of a per-group or per-user basis?
>
> How many parameters are we talking about? If it has to come down
> to a per-group per-user basis, wouldn't it be a better idea to place this
> information in a database w/ user and group names?

the info will be available on a per-user basis. if that info is _not_ available, i would like to see the default smb.conf options read.

for full details on the proposal, see the samba-technical report under the same thread name.

lukes

From aperrin at demog.Berkeley.EDU Tue May 12 16:12:25 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

Hmmm. Well, in my view there's not that much of a cost to adding (potential) entries to smb.conf, since excluding them is always an option and disk space is certainly getting cheaper and cheaper :).

But I definitely agree with other posts that user-level config doesn't belong in smb.conf. And in principle, I'm generally against hard-coding anything that can't be un-hard-coded softly. So... I like the model that's been floated, of a separate private/sampasswd file containing information for PDS users/workstations, with 'fallback' to a default set in smb.conf. I suppose, alternatively, one could produce a sam.conf that contains configuration information just for PDC stuff, but that seems unnecessary.

In my view, one of the beauties of Samba is the flexibility of smb.conf.%U, etc. -- I don't see a problem with allowing that option for crazy sysadmins who want to set user information that way.
Hmm, what else... definitely against suggestions of "modular" and "graphical" configurations, unless they're just interpretive layers over text files; it's sounding distressingly close to NT.

FWIW...

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:

> hi samba-ntdom subscribers,
>
> after all the wonderful discussions we've had on this list, i was
> wondering if people could comment on this thread (some of which is going
> on on samba-technical).
>
> questions like: do you think it's a good or a bad idea to add more
> NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> workstations", bearing in mind that these may have to go down to the
> granularity of a per-group or per-user basis?
>
> jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
> "if it's a configuration nightmare, absolutely not, and creating hundreds
> of smb.conf.%U files is a definite nightmare".
>
> luke
>
>

From daniel at med.up.pt Tue May 12 16:13:56 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:

> jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
> "if it's a configuration nightmare, absolutely not, and creating hundreds
> of smb.conf.%U files is a definite nightmare".

I also go for jean-francoi; if it's kind of painless, it would be "funny" to have some nice tidbits.
Personally what I find missing now is maybe only the password changing from within NT (have a nice workaround working, nevertheless, with poppassd) and the possibility of denying multiple logons with the same account at the same time in different WStations. Other than that, it's just fine for me!

Tremendous work, guys!

Daniel

From lkcl at cb1.com Tue May 12 16:23:09 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <35586D21.48210B5C@eng.auburn.edu>
Message-ID:

> Again let me state that I really don't think user account information
> should go into smb.conf.

hm. that seems to be the general consensus.

From lkcl at cb1.com Tue May 12 16:25:25 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: Policies
In-Reply-To:
Message-ID:

kevin,

can you possibly check out versions (use the -D date option) and compile until it works again?

cheers!

On Wed, 13 May 1998, Kevin Currie wrote:

>
> Hey, I'm not sure if this is a samba problem or not, but after a
> recent recompile of the CVS tree (less than a week ago), my NT clients
> will no longer download their policies from the netlogon share. I noticed
> this when changes weren't being updated on the client side. This worked
> fine a couple weeks ago and the only real change in the setup has been
> newer compiles of samba. I was wondering if anyone else has seen this
> problem or could try and confirm it for me?
> I'm pretty sure that it isn't a client side problem because when I
> change the PDC to our NT server, all the updates happen as normal.
>
> Kevin
>
>
>
>

From lkcl at cb1.com Tue May 12 16:45:40 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: possible cvs update problems
Message-ID:

there have been reports of getting corrupted checkouts from public cvs.
you should be using the -d -P options, but if occasionally you get garbage, delete the entire tree and re-check-out.

for those people doing development work using public cvs, please make a backup copy of your modifications before doing a cvs update -d -P to merge in the latest code into your local copy.

cheers,

luke

From william at hae.com Tue May 12 16:58:49 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:

> questions like: do you think it's a good or a bad idea to add more
> NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> workstations", bearing in mind that these may have to go down to the
> granularity of a per-group or per-user basis?
>

IMHO, these are lower priority items, maybe even ver 2.1 items. I don't usually work on sites that require this level of security. I do believe though that these things should be supported eventually so that you can advertise a "fully functional" PDC.

I don't quite understand the need for multiple smb.conf's here. These options should be supported regardless of entries in smb.conf. For example, kick off time should kick off the user (in some gracious way) regardless of entries in the smb.conf, except for maybe a "use kickoff time = no" in the globals section.

In regards to the domain workstations entry, this should require an smb.conf either. It should simply keep a list of workstations the user can login to.

I think you mentioned a home directory entry in a earlier post. Is there a similar entry for profile location? This could be a neat option. You could have UNIX homes in a different place than SMB homes. I am assuming that you could specify a SMB mount point in this field. This would enable a design where you have a machine as PDC and another handling all file and print without NFS.

sampasswd is probably where modem_users should be kept as well.
Have a field containing a BOOL that determines whether this user can dialin.

One final, minor note, sampasswd and smbpasswd are too alike in name... Might I suggest saminfo or samdb.

William

From jallison at whistle.com Tue May 12 16:58:43 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
References:
Message-ID: <35587FC3.167EB0E7@whistle.com>

Kevin Currie wrote:
>
> > NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> > workstations", bearing in mind that these may have to go down to the
> > granularity of a per-group or per-user basis?
>
> How many parameters are we talking about? If it has to come down
> to a per-group per-user basis, wouldn't it be a better idea to place this
> information in a database w/ user and group names?
>

Indeed - that's why I keep telling Luke not to add more stuff into smb.conf.

I much prefer these things to be in a separate file, indexed by username/uid. If they aren't present, fake 'em with defaults embedded in the binary (null by default for all of them).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Tue May 12 17:04:30 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
References:
Message-ID: <3558811E.2781E494@whistle.com>

Chris Bray wrote:
>
> So, I've been running the samba pdc code on my Sparc5 (Solaris 2.6)
> without any problems for quite a while, had several machines connected
> up as part of the domains, roaming profiles, etc, etc...it worked
> great...even made an almost daily ritual of updating my source tree
> from the main cvs tree as well...
>
> But starting late yesterday (after updating my code), everything
> stopped working.
It compiled fine, but I don't show up in the network
> neighborhood, my nt workstation won't log in properly (uses locally
> cached profile instead of the roaming one), and I can't find the computer
> on the network neighborhood anymore (from multiple machines).
>
> I updated the code again today via cvs, recompiled and same thing.
> My conf files haven't changed, nor have my starting scripts.
>

Well the main branch had a *major* update yesterday, as I excised the following functions from the tree :

sprintf
strcpy
strcat

as I wanted to make *sure* that some gimboid didn't give us the same pain we've just gone through with the 1.9.18 branch by announcing an erroneous 'security hole in Samba' message on BugTraq, when (a) there was *no* published exploit code and (b) the published analysis was wrong - the worst you could do was crash your own smbd, not gain root.

I'm making *sure* this doesn't happen again.

Get a debug log with smbd & check I haven't broken anything too badly (I did a check here, and everything seemed to be ok, which is why I checked in the code).

Let me know what you find.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Tue May 12 17:14:07 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
References:
Message-ID: <3558835F.E88D304E@eng.auburn.edu>

Andrew Perrin - Demography wrote:
>
> Hmmm. Well, in my view there's not that much of a cost to adding
> (potential) entries to smb.conf, since excluding them is always an
> option and disk space is certainly getting cheaper and cheaper :).

This statement really assumes a no cost lookup mechanism for flat text files. Including no management overhead for a smb.conf file 100,000 lines long. I would have to politely disagree.
> But I definitely agree with other posts that user-level config doesn't
> belong in smb.conf. And in principle, I'm generally against
> hard-coding anything that can't be un-hard-coded softly. So... I like
> the model that's been floated, of a separate private/sampasswd file
> containing information for PDS users/workstations, with 'fallback' to
> a default set in smb.conf. I suppose, alternatively, one could
> produce a sam.conf that contains configuration information just for
> PDC stuff, but that seems unnecessary.

Rather than a fallback to the global configuration file, how about setting default values for newly created accounts. Once these accounts are created, the information, if not specified, is filled in. Therefore, there will never be an empty field in the account record. Since the space would technically already be allocated in the struct ( with the exception of pointers such as char*...but then just assign "" ) as well as in the database record in the case of some relational password database.

Someone please correct me if I am wrong, but isn't this how NT does it. I am referring to account information, not policy settings such as account lockout for failed login attempt, etc...

> In my view, one of the beauties of Samba is the flexibility of
> smb.conf.%U, etc. -- I don't see a problem with allowing that option
> for crazy sysadmins who want to set user information that way.

Agreed. Flexibility in a piece of software is a beautiful thing. But the maintainability of the software configuration is well worth the effort in planning the initial install.

I'm still going to stand my ground and say don't put user information in smb.conf. Another configuration file with the default information would be OK, but I think the more efficient route would be to put the default information in when the account is created.

1 file access

vs.
1 file access + search through record + search through flat text file for admin set defaults + get compile / code set defaults if still empty

OK. I'm through now :)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                           Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From infotecn at tin.it Tue May 12 16:19:10 1998
From: infotecn at tin.it (Sbragion Denis)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID: <3.0.5.32.19980512181910.007ead60@MBox.InfoTecna.com>

Hello,

At 00.58 13/05/98 +1000, you wrote:
>hi samba-ntdom subscribers,
...
>jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
>"if it's a configuration nightmare, absolutely not, and creating hundreds
>of smb.conf.%U files is a definite nightmare".

I followed the discussion a little. I'm quite with Jeremy. smb.conf should maintain only reasonable defaults for what can't be retrieved from a user/group database. I.E. system information should be in a system cfg files (current smb.conf), user/group information should be in user/group cfg file (sampasswd, smbpasswd or whatever you smb gurus think will be better). Just my modest opinion.

Bye!

Dr.
Sbragion Denis
InfoTecna
Tel, Fax: +39 39 2324054
URL: http://space.tin.it/internet/dsbragio

From lkcl at cb1.com Tue May 12 17:23:47 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Tue, 12 May 1998, William Stuart wrote:

>
>
> On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > questions like: do you think it's a good or a bad idea to add more
> > NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> > workstations", bearing in mind that these may have to go down to the
> > granularity of a per-group or per-user basis?
> >
>
> IMHO, these are lower priority items, maybe even ver 2.1 items. I don't
> usually work on sites that require this level of security. I do believe
> though that these things should be supported eventually so that you can
> advertise a "fully functional" PDC.
>
> I don't quite understand the need for multiple smb.conf's here. These
> options should be supported regardless of entries in smb.conf. For
> example, kick off time should kick off the user (in some gracious way)
> regardless of entries in the smb.conf, except for maybe a "use kickoff
> time = no" in the globals section.

well, i would guess that setting "kickoff time = +1hr" would cause the nt workstation (not a win95) to log all users out after 1 hour. not setting this option would put a default of no forced logout.

> In regards to the domain workstations entry, this should require an
> smb.conf either. It should simply keep a list of workstations the user
> can login to.

yep.

> I think you mentioned a home directory entry in a earlier post. Is there
> a similar entry for profile location?

these already exist: "home dir = " and "logon script = " and "profile path = ".

> This could be a neat option. You
> could have UNIX homes in a different place than SMB homes.

uhh... yes, you can already do that.
> I am assuming
> that you could specify a SMB mount point in this field.

it has to be a fully qualified UNC name (\\server\share\directory_path)

> This would enable
> a design where you have a machine as PDC and another handling all file and
> print without NFS.

yep!

> sampasswd is probably where modem_users should be kept as well. Have a
> field containing a BOOL that determines whether this user can dialin.

?

> One final, minor note, sampasswd and smbpasswd are too alike in name...
> Might I suggest saminfo or samdb.

good point.

From lkcl at cb1.com Tue May 12 17:33:06 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <3.0.5.32.19980512181910.007ead60@MBox.InfoTecna.com>
Message-ID:

i _like_ these lists. you get some really useful feedback / opinions.

ok, from opinions just over the last few hours, we've had a useful suggestion to name the "extra options" file private/samdb not private/sampasswd, and the following options:

- don't like adding additional options to smb.conf: prefer private/samdb or ldap to read extra SAM fields.

- do like adding additional options to smb.conf

- prefer to have options in sampasswd or ldap, but wouldn't mind having defaults read from smb.conf if the options don't exist.

if we go for the latter, and _also_ add an option (for speed purposes at really large sites) which disables the "default" capability of reading from smb.conf if any of the parameters do not exist, then that keeps everyone happy.

you know what? in some ways i would like to go for the first option, as what i would _really_ like to see is "lp_logon_script()" and "lp_profile_path()" and "lp_homedir()" disabled altogether and replaced only with a private/samdb file, as they can cause quite a bit of trouble.

but that's a bit radical...
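
The lookup rule summarised in the message above (a blank per-user field falls back to a default unless the fallback is switched off), written in C with length-checked copies in place of the sprintf/strcpy/strcat calls Jeremy reports removing. This is an added example, not Samba code: the colon-separated record layout, every function name and the `%U` expansion inside default values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128

/* Hypothetical per-user record: three of the SAM fields named in the thread. */
struct sam_entry {
    char user[FIELD_MAX];
    char home_dir[FIELD_MAX];
    char logon_script[FIELD_MAX];
    char profile_path[FIELD_MAX];
};

enum { SAM_ERROR = -1, SAM_UNSET = 0, SAM_FROM_RECORD = 1, SAM_FROM_DEFAULT = 2 };

/* Bounded copy of srclen bytes: 0 on success, -1 (dst emptied) if it will not fit. */
static int copy_field(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0)
        return -1;
    if (srclen >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Expand %U in a default template to the user name, never writing past outlen. */
static int expand_user(const char *tmpl, const char *user, char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    while (*tmpl != '\0') {
        const char *piece = tmpl;
        size_t n = 1;

        if (tmpl[0] == '%' && tmpl[1] == 'U') {
            piece = user;
            n = strlen(user);
            tmpl += 2;
        } else {
            tmpl++;
        }
        if (n >= outlen - used) {   /* no room for the piece plus the terminator */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + used, piece, n);
        used += n;
    }
    out[used] = '\0';
    return 0;
}

/* Parse one "user:home_dir:logon_script:profile_path" line (constructed layout).
 * Blank fields are legal; a wrong field count, an oversized field or an empty
 * user name is rejected. */
int sam_parse(const char *line, struct sam_entry *e)
{
    char *fields[4];
    const char *p = line;
    int i;

    memset(e, 0, sizeof(*e));
    fields[0] = e->user;
    fields[1] = e->home_dir;
    fields[2] = e->logon_script;
    fields[3] = e->profile_path;
    for (i = 0; i < 4; i++) {
        size_t n = strcspn(p, ":\n");

        if (copy_field(fields[i], FIELD_MAX, p, n) != 0)
            return -1;
        p += n;
        if (i < 3 && *p++ != ':')
            return -1;
    }
    if (*p != '\0' && *p != '\n')
        return -1;
    return e->user[0] != '\0' ? 0 : -1;
}

/* Value in effect for one field: the record's own value if set, otherwise the
 * expanded default when use_defaults is non-zero, otherwise unset. */
int sam_effective(const struct sam_entry *e, const char *value, const char *dflt,
                  int use_defaults, char *out, size_t outlen)
{
    if (outlen == 0)
        return SAM_ERROR;
    out[0] = '\0';
    if (value[0] != '\0')
        return copy_field(out, outlen, value, strlen(value)) == 0
                   ? SAM_FROM_RECORD : SAM_ERROR;
    if (!use_defaults || dflt == NULL || dflt[0] == '\0')
        return SAM_UNSET;
    return expand_user(dflt, e->user, out, outlen) == 0 ? SAM_FROM_DEFAULT : SAM_ERROR;
}

int main(void)
{
    /* Constructed sample: own home directory, blank logon script and profile path. */
    struct sam_entry e;
    char out[FIELD_MAX];
    int rc;

    if (sam_parse("alice:\\\\fs1\\alice::", &e) != 0)
        return 1;
    rc = sam_effective(&e, e.home_dir, "\\\\pdc\\homes\\%U", 1, out, sizeof(out));
    printf("home dir     rc=%d value=%s\n", rc, out);
    rc = sam_effective(&e, e.profile_path, "\\\\pdc\\profiles\\%U", 1, out, sizeof(out));
    printf("profile path rc=%d value=%s\n", rc, out);
    rc = sam_effective(&e, e.profile_path, "\\\\pdc\\profiles\\%U", 0, out, sizeof(out));
    printf("profile path rc=%d (fallback disabled)\n", rc);
    return 0;
}
```

An oversized field or an expansion that does not fit is reported as an error and leaves the output empty, so a caller cannot mistake a truncated path for a valid one.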

From lkcl at cb1.com Tue May 12 17:52:46 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: cvs update - wrong version of patch
In-Reply-To: <35585B54.899BD818@bioss.sari.ac.uk>
Message-ID:

janet,

suddenly realised what you were on about, here :-) i presume that cvs is calling the "patch" command. and you have a version of patch that is stuffed.

obtain the source for the gnu version of patch from sunsite.doc.ic.ac.uk in the gnu directory, by either using ftp, nfs or smb. i had to do this eighteen months ago as NextStep does not have a proper diff _or_ patch command...

On Wed, 13 May 1998, Janet Dickson wrote:

> Hi
> I have a minor problem in getting updates via cvs. My patch command
> (/usr/bin on Solaris 2.5.1) gives the message 'patch: Invalid option'.
> What should I be using ?
>
> Janet
>
> ***************************************************************************
> Janet Dickson |
> http://www.bioss.sari.ac.uk/~janet
> Biomathematics and Statistics Scotland | email: janet@bioss.sari.ac.uk
> The King's Buildings, Mayfield Rd | Telephone: +44 (0) 131 650 4888
> Edinburgh EH9 3JZ, Scotland, UK. | Fax: +44 (0) 131 650 4901
> ***************************************************************************
>

From lkcl at cb1.com Tue May 12 17:55:23 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
In-Reply-To: <3558811E.2781E494@whistle.com>
Message-ID:

> Well the main branch had a *major* update yesterday, as I
> excised the following functions from the tree :
>
> sprintf
> strcpy
> strcat

> Let me know what you find.

one missed strcpy function in lib/rpc/server/srv_ldap_helpers.c, but as this file has been retired this is now irrelevant (and fixed).
luke

From lkcl at cb1.com Tue May 12 18:01:08 1998
From: lkcl at cb1.com (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <3558835F.E88D304E@eng.auburn.edu>
Message-ID:

> Someone please correct me if I am wrong, but isn't this how NT does it.

they have string pointers and such. the string is either empty or NULL if the option is not set in USRMGR.EXE.

> I am referring to account information, not policy settings such as
> account lockout for failed login attempt, etc...

me too.

i like your idea of putting default options [from smb.conf, please?] the first time if there is no entry in the private/samdb file.

that way, all the user lp_xxx() options could be retired, and a separate "user management" utility created to edit private/samdb.

> > In my view, one of the beauties of Samba is the flexibility of
> > smb.conf.%U, etc. -- I don't see a problem with allowing that option
> > for crazy sysadmins who want to set user information that way.
>
> Agreed. Flexibility in a piece of software is a beautiful thing. But
> the maintainability of the software configuration is well worth the
> effort in planning the initial install.
>
> I'm still going to stand my ground and say don't put user information in
> smb.conf. Another configuration file with the default information would
> be OK, but I think the more efficient route would be to put the default
> information in when the account is created.

agreed.

From lkcl at switchboard.net Tue May 12 18:05:58 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: login / profile download succeeds with current cvs version
Message-ID:

ok, i just checked that the password api mods made recently still work with NT: they do. some reported difficulties with the latest cvs version: can't remember who.

From jallison at whistle.com Tue May 12 17:59:52 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
References: <3558835F.E88D304E@eng.auburn.edu>
Message-ID: <35588E18.794BDF32@whistle.com>

Gerald Carter wrote:
>
>
> Rather than a fallback to the global configuration file, how about
> setting default values for newly created accounts. Once these accounts
> are created, the information, if not specified, is filled in.
> Therefore, there will never be an empty field in the account record.
> Since the space would technically already be allocated in the struct (
> with the exception of pointers such as char*...but then just assign "" )
> as well as in the database record in the case of some relational
> password database.
>
> Someone please correct me if I am wrong, but isn't this how NT does it.
> I am referring to account information, not policy settings such as
> account lockout for failed login attempt, etc...
>

Yes, that's a much better idea than putting everything in smb.conf. In case anyone hadn't noticed, smb.conf suffers from a serious case of parameter bloat :-).

BTW: I'm working on removing the lp_domain_xx() stuff. But I'll need a buy off from everyone on this list before I break existing smb.conf files by removing the code. We still get people complaining that 'domain controller' changed from string to bool, and that was never used !

>
> I'm still going to stand my ground and say don't put user information in
> smb.conf. Another configuration file with the default information would
> be OK, but I think the more efficient route would be to put the default
> information in when the account is created.
>

Indeed - Luke, are you convinced yet. *No more NT account parameters in smb.conf* (even as defaults :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From kfleming at access-laserpress.com Tue May 12 18:15:00 1998
From: kfleming at access-laserpress.com (Kevin P. Fleming)
Date: Tue Dec 2 02:24:06 2003
Subject: cvs update - wrong version of patch
References:
Message-ID: <355891A4.EFE7B26B@access-laserpress.com>

You can also get a precompiled Solaris package for patch at
http://sunsite.unc.edu/solaris...

Luke Kenneth Casson Leighton wrote:
>
> janet,
>
> suddenly realised what you were on about, here :-) i presume that cvs is
> calling the "patch" command. and you have a version of patch that is
> stuffed.
>
> obtain the source for the gnu version of patch from sunsite.doc.ic.ac.uk
> in the gnu directory, by either using ftp, nfs or smb. i had to do this
> eighteen months ago as NextStep does not have a proper diff _or_ patch
> command...
>
> On Wed, 13 May 1998, Janet Dickson wrote:
>
> > Hi
> > I have a minor problem in getting updates via cvs. My patch command
> > (/usr/bin on Solaris 2.5.1) gives the message 'patch: Invalid option'.
> > What should I be using ?
> >
> > Janet
> >
> > ***************************************************************************
> > Janet Dickson |
> > http://www.bioss.sari.ac.uk/~janet
> > Biomathematics and Statistics Scotland | email: janet@bioss.sari.ac.uk
> > The King's Buildings, Mayfield Rd | Telephone: +44 (0) 131 650 4888
> > Edinburgh EH9 3JZ, Scotland, UK. | Fax: +44 (0) 131 650 4901
> > ***************************************************************************
> >

From cartegw at Eng.Auburn.EDU Tue May 12 18:40:15 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:06 2003
Subject: Removing lp_domain_xxx() [was Re: password API needed]
References: <3558835F.E88D304E@eng.auburn.edu> <35588E18.794BDF32@whistle.com>
Message-ID: <3558978F.8857DF6D@eng.auburn.edu>

Jeremy Allison wrote:
>
> BTW: I'm working on removing the lp_domain_xx() stuff.
> But I'll
> need a buy off from everyone on this list before I break existing
> smb.conf files by removing the code. We still get people complaining
> that 'domain controller' changed from string to bool, and that was
> never used !
>

Jeremy,

Are you referring to the parameters such as "domain sid" as well? If so
where will this be stored? I know I have heard suggestions to have the
trandomly generated and stored in a "don't touch or the world will end"
file. If this will be the way of the future, there will be a way to
continue using the current value for domain sid in the new code
hopefully? Otherwise the existing domain will go down the toilet.

This is actually one parameter I kind of like. :-)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From aperrin at demog.Berkeley.EDU Tue May 12 18:47:54 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <35588E18.794BDF32@whistle.com>
Message-ID:

Okay, I guess I'm getting outvoted :) -- my only real plea is that as
little as possible be compiled in; I like having the binary sit in one
place on my network and individualizing specific machines using config
files.

---------------------------------------------------------------------
Andrew J.
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

From Jean-Francois.Micouleau at utc.fr Tue May 12 18:47:38 1998
From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Wed, 13 May 1998, Luke Kenneth Casson Leighton wrote:

> i like your idea of putting default options [from smb.conf, please?] the
> first time if there is no entry in the private/samdb file. that way, all
> the user lp_xxx() options could be retired, and a separate "user
> management" utility created to edit private/samdb.

not from smb.conf but from default_policy.conf or from the defaultUser,
defaultGroup, Policy object classes when you use ldap.

Jean Francois

-----------------------------------------------------------
Pinky: "What are we going to do tonight, Brain?"
Brain: "The same thing we do every night, Pinky : try to install Windows NT !"
-----------------------------------------------------------

From jallison at whistle.com Tue May 12 18:50:24 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: Removing lp_domain_xxx() [was Re: password API needed]
References: <3558835F.E88D304E@eng.auburn.edu> <35588E18.794BDF32@whistle.com> <3558978F.8857DF6D@eng.auburn.edu>
Message-ID: <355899F0.15FB7483@whistle.com>

Gerald Carter wrote:
>
>
> Are you referring to the parameters such as "domain sid" as well? If so
> where will this be stored? I know I have heard suggestions to have the
> trandomly generated and stored in a "don't touch or the world will end"
> file. If this will be the way of the future, there will be a way to
> continue using the current value for domain sid in the new code
> hopefully? Otherwise the existing domain will go down the toilet.
>
> This is actually one parameter I kind of like. :-)
>

Yes I am but don't worry. I intend to deprecate, but not remove
(initially) the domain SID parameter, and instead store the
domain sid in ascii text form in a file MACHINE.SID in the
same directory as smbpasswd.

Initially, if there is a 'domain sid' parameter in smb.conf,
that will be used. If not, then the file will be consulted,
if the file doesn't exist, then a random domain sid will be
created and stored in the file.

So to keep your existing SID just copy your domain sid parameter
into the MACHINE.SID file as is.

After a while (before the first alpha release, probably) I remove
the 'domain sid' parameter in the smb.conf and issue a
"don't change MACHINE.SID or the world will end" edict :-).

The reason we need to do this is that I'm pretty sure
(ok, own up who does this, I'm one :-) that most Samba PDC
SID's are set to the example, S-1-5-21-123-456-789 SID right now.
This has to change if we are to make this work in many systems :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Tue May 12 19:39:41 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <35588E18.794BDF32@whistle.com>
Message-ID:

On Tue, 12 May 1998, Jeremy Allison wrote:

> Gerald Carter wrote:
> >
> >
> > Rather than a fallback to the global configuration file, how about
> > setting default values for newly created accounts. Once these accounts
> > are created, the information, if not specified, is filled in.
> > Therefore, there will never be an empty field in the account record.
> > Since the space would technically already be allocated in the struct (
> > with the exception of pointers such as char*...but then just assign "" )
> > as well as in the database record in the case of some relational
> > password database.
> >
> > Someone please correct me if I am wrong, but isn't this how NT does it.
> > I am referring to account information, not policy settings such as
> > account lockout for failed login attempt, etc...
> >
>
> Yes, that's a much better idea than putting everything in smb.conf.
> In case anyone hadn't noticed, smb.conf suffers from a serious case
> of parameter bloat :-).
>
> BTW: I'm working on removing the lp_domain_xx() stuff. But I'll

hooray.

> need a buy off from everyone on this list before I break existing
> smb.conf files by removing the code. We still get people complaining
> that 'domain controller' changed from string to bool, and that was
> never used !

it's one way to tell people that the parameter's not used :-)

> > I'm still going to stand my ground and say don't put user information in
> > smb.conf. Another configuration file with the default information would
> > be OK, but I think the more efficient route would be to put the default
> > information in when the account is created.
> >
>
> Indeed - Luke, are you convinced yet. *No more NT account
> parameters in smb.conf* (even as defaults :-).

it's about 30/70 in favour of not putting nt sam stuff in smb.conf: i'm
not yet convinced about creating them from smb.conf on-demand to stop
heavy reloading of smb.conf files.

but i suppose that could be done from an admin tool, anyway, with no
involvement from smb.conf at all....

so, ok: i'm convinced.

can we take out lp_logon_script() and lp_profile_path() etc using the same
justification logic?
;-)

From lkcl at switchboard.net Tue May 12 19:48:25 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: Removing lp_domain_xxx() [was Re: password API needed]
In-Reply-To: <3558978F.8857DF6D@eng.auburn.edu>
Message-ID:

On Wed, 13 May 1998, Gerald Carter wrote:

> Jeremy Allison wrote:
> >
> > BTW: I'm working on removing the lp_domain_xx() stuff. But I'll
> > need a buy off from everyone on this list before I break existing
> > smb.conf files by removing the code. We still get people complaining
> > that 'domain controller' changed from string to bool, and that was
> > never used !
> >
>
> Jeremy,
>
> Are you referring to the parameters such as "domain sid" as well?

yes he is.

> If so where will this be stored?

in private/machine.sid

> I know I have heard suggestions to have the
> trandomly generated and stored in a "don't touch or the world will end"
> file. If this will be the way of the future, there will be a way to
> continue using the current value for domain sid in the new code
> hopefully? Otherwise the existing domain will go down the toilet.

yes. i suggested to jeremy that if the private/machine.sid file doesn't
exist, that then if a "domain sid" parameter is specified that the
contents of "domain sid" are written into private/machine.sid.
thereafter, "domain sid" is ignored.

From jallison at whistle.com Tue May 12 19:49:29 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
References:
Message-ID: <3558A7C9.59E2B600@whistle.com>

Luke Kenneth Casson Leighton wrote:
>
>
> so, ok: i'm convinced.
>

Good.

> can we take out lp_logon_script() and lp_profile_path() etc using the same
> justification logic?
>

No because it would break at least 1.5 million existing Samba
smb.conf files at the last estimate.
And I will *personally* send email to *every* one of those admins
telling them to demand you come to their site and fix it, gratis,
as you broke it :-).

Before you write another line of code, read "The End of
Eternity" (like I've told you to 30 times before :-) and
send me an email telling me you know what the magic words
'Minimum Necessary Change' *mean* !

:-) :-) :-) :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Tue May 12 20:03:03 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
In-Reply-To: <3558A7C9.59E2B600@whistle.com>
Message-ID:

On Tue, 12 May 1998, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> >
> > so, ok: i'm convinced.
> >
>
> Good.
> >
> > can we take out lp_logon_script() and lp_profile_path() etc using the same
> > justification logic?
> >
>
> No because it would break at least 1.5 million existing Samba
> smb.conf files at the last estimate.

dang me.

> Before you write another line of code, read "The End of
> Eternity" (like I've told you to 30 times before :-)

three times, so far. maybe four.

> and
> send me an email telling me you know what the magic words
> 'Minimum Necessary Change' *mean* !

surely they mean "if it ain't broke don't fix it" yeah? in that case, i'm
off to buy a 12 lb sledge hammer.

From william at hae.com Tue May 12 20:35:38 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:06 2003
Subject: NT Services for UNIX
Message-ID:

All:

SAMBA gets some competition.

http://www.microsoft.com/corpinfo/press/1998/May98/ntunixpr.htm

For those of you not familiar with US law, this will probably be the
"last straw" in the government's case against Microsoft. Look for a
proposal to breakup Microsoft, a la AT&T.
William

From matthew at law.usyd.edu.au Tue May 12 21:58:47 1998
From: matthew at law.usyd.edu.au (Matthew Geier)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
In-Reply-To: <3558811E.2781E494@whistle.com> from "Jeremy Allison" at May 13, 98 03:41:30 am
Message-ID: <199805122158.HAA27112@janus.law.usyd.edu.au>

> Well the main branch had a *major* update yesterday, as I
> excised the following functions from the tree :
>
> sprintf
> strcpy
> strcat
>

On a nice clean CVS checkout im getting -

Linking smbd
Undefined                       first referenced
 symbol                             in file
vsnprintf                           slprintf.o
ld: fatal: Symbol referencing errors. No output written to smbd
*** Error code 1

This is Solaris 2.5.1

--
Matthew Geier, matthew@law.usyd.edu.au
Computer Systems Manager, +61 2 9351 0240
Law School, University of Sydney +61 2 9351 0200 (fax)

From jallison at whistle.com Tue May 12 22:08:33 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
References: <199805122158.HAA27112@janus.law.usyd.edu.au>
Message-ID: <3558C861.41C67EA6@whistle.com>

Matthew Geier wrote:
> On a nice clean CVS checkout im getting -
>
> Linking smbd
> Undefined                       first referenced
>  symbol                             in file
> vsnprintf                           slprintf.o
> ld: fatal: Symbol referencing errors. No output written to smbd
> *** Error code 1
>
> This is Solaris 2.5.1

Ok - I did that (sorry) - I assumed all Solaris versions have
vsnprintf - but only 2.6 (the version I have) does.

I have just checked in changes to includes.h that
fixes this for solaris. Check out again & let me know
if it's ok.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like
buying a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From D.Bannon at latrobe.edu.au Tue May 12 22:40:30 1998
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed, comments ...
In-Reply-To:
Message-ID: <3.0.3.32.19980513084030.00831dc0@bioserve.biochem.latrobe.edu.au>

At 00:58 13/05/1998 +1000, Luke Kenneth Casson Leighton wrote:
>wondering if people could comment on this thread (some of which is going
>questions like: do you think it's a good or a bad idea to add more
>NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
>workstations", bearing in mind that these may have to go down to the
>granularity of a per-group or per-user basis?
>
>jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francoi's vote is
>"if it's a configuration nightmare, absolutely not, and creating hundreds
>of smb.conf.%U files is a definite nightmare".
>

I'm with jean-francoi if it means that we cannot ignore these extra
functions. The beauty of samba is that its easy (read quick) to get going
and (especially) easy to keep going. Having to create and maintain
individual config files ? No thanks !

David.

------------------------------------------------------------
David Bannon                      D.Bannon@latrobe.edu.au
School of Biochemistry            Phone 61 03 9479 2197
La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From abs at maunsell.co.uk Tue May 12 23:03:40 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
In-Reply-To: <3558C861.41C67EA6@whistle.com>; from Jeremy Allison on Wed, May 13, 1998 at 08:26:03AM +1000
References: <3558C861.41C67EA6@whistle.com>
Message-ID: <19980513000339.36763@maunsell.co.uk>

On Wed, May 13, 1998 at 08:26:03AM +1000, Jeremy Allison wrote:
>
> Matthew Geier wrote:
> > vsnprintf slprintf.o
> > ld: fatal: Symbol referencing errors. No output written to smbd
> > *** Error code 1
> >
> > This is Solaris 2.5.1
>
> Ok - I did that (sorry) - I assumed all Solaris versions have
> vsnprintf - but only 2.6 (the version I have) does.
>
> I have just checked in changes to includes.h that
> fixes this for solaris. Check out again & let me know
> if it's ok.

I got that error this morning - I undef'd vsnprintf in includes.h which
got it to compile clean, but the resulting binaries didn't run. testparm
for instance returned without doing anything, telling me to 'Load smb
config files from /usr/...'

Anyway, just checked out again and :-

Compiling util.c
In file included from util.c:22:
includes.h:340: parse error before `<'

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
/_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
/ England. -or- abs@maunsl00.demon.co.uk

From abs at maunsell.co.uk Tue May 12 23:13:19 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:06 2003
Subject: running kixtart with NT Domain logins
Message-ID: <19980513001319.52370@maunsell.co.uk>

With the latest cvs version running, I am finding that kix32 crashes. The
version from 'about a week ago' seemed to work OK with kix32 if I recall
correctly and I dont think my conf file has changed substantially in the
meantime.

This is kix32 Version 3.45, Solaris-sparc [2.5.1] and NT 4.0/sp3.

Thanks in advance for any suggestions.

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
/_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
/ England. -or- abs@maunsl00.demon.co.uk

From aperrin at demog.Berkeley.EDU Tue May 12 23:16:39 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:06 2003
Subject: Problems with ntdom
In-Reply-To: <19980513000339.36763@maunsell.co.uk>
Message-ID:

This one I got this morning (the one about parse error before <). For
some reason diffing didn't seem to work in (I think) proto.h. I just
edited out the bit between <<< and === and it compiled fine, and seems to
be working.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Wed, 13 May 1998, Andy Smith wrote:

> On Wed, May 13, 1998 at 08:26:03AM +1000, Jeremy Allison wrote:
> >
> > Matthew Geier wrote:
> > > vsnprintf slprintf.o
> > > ld: fatal: Symbol referencing errors. No output written to smbd
> > > *** Error code 1
> > >
> > > This is Solaris 2.5.1
> >
> > Ok - I did that (sorry) - I assumed all Solaris versions have
> > vsnprintf - but only 2.6 (the version I have) does.
> >
> > I have just checked in changes to includes.h that
> > fixes this for solaris. Check out again & let me know
> > if it's ok.
>
> I got that error this morning - I undef'd vsnprintf in includes.h which
> got it to compile clean, but the resulting binaries didn't run. testparm
> for instance returned without doing anything, telling me to 'Load smb
> config files from /usr/...'
>
> Anyway, just checked out again and :-
>
> Compiling util.c
> In file included from util.c:22:
> includes.h:340: parse error before `<'
>
> --
> _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
> /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
> ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
> / England. -or- abs@maunsl00.demon.co.uk
>

From tridge at samba.anu.edu.au Wed May 13 00:10:20 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:06 2003
Subject: possible cvs update problems
In-Reply-To: (message from Luke Kenneth Casson Leighton on Tue, 12 May 1998 16:45:40 +0000 (GMT))
References:
Message-ID: <19980513001034Z12641442-1176+16017@samba.anu.edu.au>

Luke, just to explain a little ...

The anonymous cvs comes from a mirror of the repository, not the
repository itself (due to paranoid security concerns). The mirror
re-syncs whenever the CVSROOT/history file changes.

So if things get out of sync (which they shouldn't) then just do a cvs
update in the non-anonymous tree and this will change the history file
which will cause the next anonymous cvs access to do a total re-sync.

in this case I think the problems were at the client end, not on the
server. I just did an anonymous checkout myself and it compiled cleanly.

Cheers, Andrew

PS: Problems can happen if you do a checkout at exactly the same time
as someone is doing a checkin. In that case all you can do is delete
the affected files and checkout again.

From jallison at whistle.com Wed May 13 02:47:18 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:06 2003
Subject: Samba 1.9.18p7 released.
Message-ID: <355909B6.FF6D5DF@whistle.com>

The Samba Team are pleased to announce Samba 1.9.18p7.

It may be fetched via ftp from :

ftp://samba.anu.edu.au/pub/samba/samba-1.9.18p7.tar.gz

This release is a security patch fix for a security hole
reported on BugTraq by Drago. No exploit code was published
with the report, so no immediate 'canned' exploit was
available to an attacker.

The security hole may have allowed authenticated users to subvert
security on the server by overflowing a buffer in a filename
rename operation. It is as yet undetermined whether the security
hole is actually exploitable because of existing buffer overflow
checks in Samba and the limitations on available characters in
filenames on UNIX systems but the Samba Team considered the threat
of a possible security hole enough to warrant a patch release.

The previous release 1.9.18p6, which was intended to fix the
security hole, has compile problems on several platforms, and
should not be used.

It is recommended that all sites assume that the security hole
is exploitable and upgrade to version 1.9.18p7 of Samba.

An extensive security review has taken place on the code in this
release, and all code that has potential for a buffer overflow
attack has been replaced with bounds checking equivalent code.

As always, extra checking over the code for potential security
problems is very welcome.

Binary packages will be made available for this release, once
feedback has shown this release fixes the exploit. Offers of
binary Samba packages for various systems are welcome and
should be sent to samba-bugs@samba.anu.edu.au.

Without further ado, here are the release notes.

Regards,

The Samba Team.

---------------------------------------------------------------------

WHATS NEW IN 1.9.18p7 - May 12th 1998.
======================================

This is the latest stable release of Samba. This is the version that
all production Samba servers should be running for all current
bug-fixes.

This release is a security hole patch fix for a security hole
reported on BugTraq by Drago.

The security hole may have allowed authenticated users to subvert
security on the server by overflowing a buffer in a filename
rename operation. It is as yet undetermined whether the security
hole is actually exploitable because of existing buffer overflow
checks in Samba and the limitations on available characters in
filenames but the Samba Team considered the threat of a possible
security hole enough to warrant an immediate patch release.

It is highly recommended that all sites assume that the security
hole is exploitable and upgrade to version 1.9.18p7 of Samba.

The previous release 1.9.18p6, which was intended to fix the
security hole, has compile problems on several platforms, and
should not be used.

If you have problems, or think you have found a bug please email
a report to :

samba-bugs@samba.anu.edu.au

As always, all bugs are our responsibility.

Regards,

The Samba Team.

Previous release notes for 1.9.18p5 follow.
=========================================================================

Note that most Samba Team effort is now going into working on the
next major release which should contain some Windows NT Domain
features. It is intended that any future work on the 1.9.18 series
be maintenance only fixes. An announcement will be made when the
first alpha release of the next Samba series is available.

Added features in 1.9.18p5
--------------------------

New parameters
--------------

passwd chat debug

This parameter is to allow Samba administrators to debug their
password chat scripts more easily when they have "unix password sync"
set. It is provided as a debugging convenience only and should be
enabled only when debugging. Full documentation is in the smb.conf
man page.

update encrypted

The code for this parameter was kindly donated by Bruce Tenison.
If this parameter is set to "yes" (it defaults to "no") and an
smbpasswd file exists containing all the valid users of a Samba
system but no encrypted passwords (ie. the Lanman hash and NT hash
entries in the file are set to "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"),
then as users log in with plaintext passwords that are matched
against their UNIX password entries, their plaintext passwords will
be hashed and entered into the smbpasswd file.

After all the users have successfully logged in using unencrypted
passwords, the smbpasswd file will have the Lanman and NT hashes of
these users UNIX passwords correctly stored. At that point the
administrator can convert Samba to use encrypted passwords (and
configure the Windows 95 and NT clients to send only encrypted
passwords) and migrate to an encrypted setup without having to ask
users to re-enter all their passwords explicitly.

Note that to use this option the "encrypt passwords" parameter must
be set to "no" when this option is set to "yes".

See the smb.conf man page for up to date information on this
parameter.

Updates to smbtar
-----------------

The following changes were developed by Richard Sharpe for Canon
Information Systems Research Australia (CISRA). The Samba Team would
like to thank Canon Information Systems Research Australia for their
funding this effort, as such sponsorship advances the Samba project
significantly.

1. Restore can now restore files with long file names
2. Save now saves directory information so that we can restore
   directory creation times
3. tar now accepts both UNIX path names and DOS path names.

New document in docs/ directory
-------------------------------

A new document, PROFILES.txt has been added to the docs/ directory.
This is still a work in progress (currently consisting of a series of
email exchanges) and will be updated over the coming releases. The
document covers the task of getting roving profiles to work with a
Samba server with Windows 95 and Windows NT clients.

Bugfixes added since 1.9.18p4
-----------------------------

1). Samba should now compile cleanly with the gcc -Wstrict-prototypes
    option.
2). New code page 852 translation table created by Petr Hubeny.
3). New "update encrypted" parameter (described above).
4). New "passwd chat debug" parameter (described above).
5). Updates to smbtar (described above).
6). Fix to do correct null session connections from nmbd and smbd.
7). Synchronous open flag is now honoured.
8). security=server now logs out correctly.
9). Fix to stop long printer job listings causing Win95 and smbd to
    spin the CPU & network.
10). Multibyte character fix that prevented the "character set"
     parameter working in 1.9.18p4.
11). Fix for problems with security=share and the [homes] share.
12). NIS+ patch to get home directory info.
13). Added FTRUNCATE_NEEDS_ROOT define for systems with broken
     ftruncate() call.
14). Fix for nmbd not allowing log append mode.
15).
     Fix for nmbd as a WINS server doing a name query after a WACK
     with the 'recursion desired' bit set - this would cause problems
     if directed at a machine running a WINS server.
16). Correctly ignore "become backup browser" requests, rather than
     logging them as a problem.
17). Use compressed names correctly as requested by RFC1002.
18). Workaround for bug where NT allows a guest logon and doesn't set
     the guest bit (in security=server mode).
19). Added SOFTQ print type.
20). Free filename on file close (long standing small memory leak fix).
21). Fix for lp_defaultservice() getting overwritten by rotating
     string buffers.
22). Print time in international, rather than USA, format.
23). Fix to queue a trans2 open request when oplock break pending.
24). Added Simplified Chinese codepage (936).
25). Fixed expansion bug with %U, %G when multiple sessionsetups done
     in security > SHARE mode.
26). Change to DEC enhanced mode security code to allow the same
     binary to work when in enhanced and basic security mode. This
     change affects all systems that define OSF1_ENH_SEC at compile
     time.

Previous release notes for 1.9.18p4 follow.
=========================================================================

Added features in 1.9.18p4
--------------------------

Changing passwords now supported
--------------------------------

Samba now supports changing the SMB password from a Windows 95
client, using the standard Windows 95 password changing dialog.
Note that by default this changes the SMB password, not the UNIX
password (Samba must be set up with encrypted passwords in order
to support this).

The smbpasswd program has been re-written to take advantage of this
feature, and now has no need to be a setuid root program, thus
eliminating a potential security hole. As a side effect of this
change smbpasswd can now be used on a UNIX machine to change users
passwords on an NT machine.

The new password changing code can also synchronize a users UNIX
password at the same time a SMB password is being changed, if Samba
is compiled with password changing enabled, and the new parameter
'unix password sync' is set to True. By default this is off, as it
allows the password change program to be called as root, which may
be considered a security problem at some sites.

Name resolution order now user selectable
-----------------------------------------

The resolution of NetBIOS names into IP addresses can be done in
several different ways (broadcast, lmhosts, DNS lookup, WINS).
Previous versions of Samba were inconsistent in which commands used
which methods to look up IP addresses from a name. New in this
version is a parameter (name resolve order, mentioned in the new
parameters list below) that allows administrators to select the
methods of name resolution, and the order in which such methods are
applied. All Samba utilities have been changed to use the new name to
IP address name resolution code and so this can be controlled from a
central place.

Expanded multi-byte character support
-------------------------------------

In previous versions of Samba, Kanji (Japanese) character support was
treated as a special case, making it the only multi-byte character
set natively supported in Samba. New code has been added to
generalize the multi-byte codepage support, with the effect that
other multibyte codepage support can be easily added. The new
codepages that this version ships with are Korean Hangul and
Traditional Chinese.

New Parameters in 1.9.18p4
--------------------------

name resolve order = lmhosts wins hosts bcast

This parameter allows control over the order in which netbios name to
IP Address resolution is attempted. Any method NOT specified will be
excluded from the name resolution process. If this parameter is not
specified then the above default order will be observed - this is
consistent with prior releases.
See the smb.conf and smbclient man pages for full details. See the above text for the announcement on this feature. fake directory create times This parameter is a compatibility option for software developers using Microsoft NMAKE make tool, saving files onto a Samba share. Setting this parameter to true causes Samba to lie to the client about the creation time of a directory, so NMAKE commands don't re-compile every file. unix password sync This parameter is set to False by default. When set to True, it causes Samba to attempt to synchronize the users UNIX password when a user is changing their SMB password. This causes the password change program to be run as root (as the new password change code has no access to the plaintext of the old password). Because of this, it is set off by default to allow sites to set their own security policy regarding UNIX and SMB password synchronization. This parameter has no effect if Samba has been compiled without password changing enabled. Changed compile-time default in 1.9.18p4 ---------------------------------------- The maximum length of a printer share name has now been increased to 15 characters - the same as file share names. Any one who needs to revert back to 8 character printer share name support can do so by adjusting the #define in local.h. Bugfixes added since 1.9.18p3 ----------------------------- 1). Fix for nmbd leaving the child nmbd running when doing DNS lookups as a WINS server. 2). Fix core dump in smbd when acting as a logon server with security=share. 3). Workaround for a bug in FTP OnNet software NBT implementation. It does a broadcast name release for WORKGROUP<0> and WORKGROUP<1e> names and don't set the group bit. 4). Ensure all the NetBIOS aliases are added to all the known interfaces on nmbd initialization. 5). Fix bug in multiple query name responses print code. 6). Fix to send out mailslot reply on correct interface. 7). 
Fix retranmission queue to scan WINS server subnet so nmbd retransmits queries needed when acting as a WINS server. Thanks to Andrey Alekseyev for spotting this one. 8). Send host announcement to correct 0x1d name rather than 0x1e name. 9). Fix for WINS server when returning multi-homed record, was returning one garbage IP address. 10). Fix for Thursby Software's 'Dave' client - ensure that a vuid of zero is always returned for them when in share level security (the spec say's it shouldn't matter, but it was causing them grief). 11). Added KRB4 authentication code. 12). Fix to allow max printer name to be 15 characters (see above). 13). Fix for name mangling cache bug - cache wasn't being used in some cases. 14). Fix for RH5.0 broken system V shared memory include files. 15). Fix for broken redirector use of resume keys between deletes in a directory. Samba now returns zero as resume keys (as does NT) and uses the resume filename instead. 16). Fix for systems that have a broken implementation of isalnum() - was causing gethostbyname to fail. 17). Fix for 'hide files' bug not working correctly (bug in is_in_path function - fix from Steven Hartland . 18). Fixed bug in smbclient where debug log level on the command line was being overridden by the log level in smb.conf. 19). Fixed bug in USE_MMAP code where client sending a silly offset to readraw could cause a smbd core dump. Bugfixes added since 1.9.18p2 ----------------------------- 1). Fix to cause oplocked files to be broken when open file table is full before giving up and reporting 'too many open files'. This fix seems to help many applications on Win95. 2). Fix to stop extra files being closed in user logoff code. 3). Fix to stop padded packet being returned on trans2 call. This bug could cause Windows 95 to freeze on some (rare) occasions. 4). Added fix for Visual C++ filetime changes (see above). 5). Made security check code an option (see above). 6). Fixed printer job enumeration in smbclient. 7). 
Re-added code into smbclient that causes it to do NetBIOS broadcast name lookups (as it used to in 1.9.17). 8). Fixed code dump bug in smbtar. 9). Fixed mapping code between Appletalk and Kanji filenames. 10). Tuned shared memory size based on open file table size. 11). Made nmbd log file names consistant with smbd. 12). Fixed nmbd problem where packet queues could grow without bound when connection to WINS server was down. 13). Fix for DCE login code. 14). Fix for system V printing to remove extra space in printer name. 15). Patch to add a new substitution paramter (%p) in a service patchname. Adds NIS home path (see the man page on smb.conf for details). Patch from Julian Field. 16). Fix to stop smbpassword code from failing when parsing invalid uid fields. 17). Made volume serial number constant based on machine and service name. 18). Added expand environment variables code from Branko Cibej. See the man page on smb.conf for details. 19). Fixed warnings in change_lanman_password code. Bugfixes added since 1.9.18p1 ----------------------------- 1). A deadlock condition in the oplock code has been found and fixed. This occured under heavy load at large sites. Several of the sites who reported the original problem have now been testing the code in this (1.9.18p2) release for a week now with no problems (previously the problem occurred within 3-6 hours). (Thanks to Peter Crawshaw of Mount Allison University for his great help in tracking down this bug). 2). Fix for a share level security problem that caused 'valid users' not to work correctly. 3). Addition of Russian code page support. 4). Fix to the password changing code (thanks to Randy Boring at Thursby Software Systems for this). 5). More fixes to the Windows 95 printer driver support code from Herb Lewis at SGI. 6). Two NetBIOS over TCP source name type fixes in nmbd. 7). Memory leak in the dynamic loading of services in an smb.conf file fixed. 8). LPRng parsing code fix. 9). 
Fix to try and return a 'best guess' of create time under UNIX (which doens't store such a file attribute). 10). Added parameters to samba/examples/smb.conf.default file : Remote announce, Remote browse sync, username map, filename case preservation and sensitivity options. 11). Reply to trans2 calls now aligns all parameters and data on 4 byte boundary. 12). Fixed SIGTERM bug where nmbd would hang on exit. 13). Fixed WINS server bug to allow spaces in WINS names. Bugfixes added since 1.9.18 --------------------------- 1). Fix for oplock-break problem. If an open crossed with an oplock break on the wire it was possible for the same fnum to be re-used. This caused a rare but fatal problem. 2). Fix for adding printers to Windows NT 4.x. Now return correct "no space error" when buffer of zero given. 3). Fix for nmbd core dumps when running on architectures that cannot access structures on non-aligned boundaries (sparc, alpha etc). 4). Compiler warnings in nmbd fixed. 5). Makefile updated for Linux 2.0 versions (new smbmount commands should only be compiled for 2.1.x kernels). 6). Addition of a timestamp to attack warning messages. Changes in 1.9.18. ------------------ This release contains several major changes and much re-written code. The main changes are : 1). Oplock support now operational. ----------------------------------- Samba now supports 'exclusive' and 'batch' oplocks. These are an advanced networked file system feature that allows clients to obtain a exclusive use of a file. This allows a client to cache any changes it makes locally, and greatly improves performance. Windows NT has this feature and prior to this release this was one of the reasons Windows NT could be faster in some situations. Samba has now been benchmarked as out performing Windows NT on equivalently priced hardware. The oplock code in Samba has been extensively tested and is believed to be completely stable. Please report any problems to the samba-bugs alias. 2). 
NetBIOS name daemon re-written. ----------------------------------- The old nmbd that has caused some users problems has now been completely re-written and now is much easier to maintain and add changes to. Changes include support for multi-homed hosts in the same way as an NT Server with multiple IP interfaces behaves (registers with the WINS server as a multi-homed name type), and also support for multi-homed name registration in the Samba WINS server. Another added feature is robustness in the face of WINS server failure, nmbd will now keep trying to contact the WINS server until it is successful, in the same way as an NT Server. Also in this release is an implementation of the Lanman announce protocol used by OS/2 clients. Thanks to Jacco de Leeuw for this code. 3). New Internationalization support. ------------------------------------- With this release Samba no longer needs to be separately compiled for Japanese (Kanji) support, the same binary will serve both Kanji and non-Kanji clients. A new method of dynamically loading client code pages has been added to allow the case insensitivity to be done dependent on the code page of the client. Note that Samba still will only handle one client code page at a time. This will be fixed when Samba is fully UNICODE enabled. Please see the new man page for make_smbcodepage for details on adding additional client code page support. 4). New Printing support. ------------------------- An implementation of the Windows 95 automatic printer driver installation has been added to smbd. To use this new feature please read the document: docs/PRINTER_DRIVER.txt Thanks to Jean-Francois Micouleau, and also Herb Lewis of Silicon Graphics for this new code. Printer support on System V systems (notably Solaris) has been improved with the addition of code generously donated by Norm Jacobs of Sun Microsystems. Sun have also made a Solaris SPARC workstation available to the Samba Team to aid in their porting efforts. Changed code. 
------------- Samba no longer needs the libdes library to support encrypted passwords. Samba now contains a restricted version of DES that can only be used for authentication purposes (to comply with the USA export encryption regulations and to allow USA Mirror sites to carry Samba source code). The 'encrypt passwords' parameter may now be used without recompiling. Much of the internals of Samba has been re-structured to support the oplock and Domain controller changes. Samba now contains an implementation of share modes using System V shared memory as well as the mmap() based code. This was done to allow the 'FAST_SHARE_MODES' to be used on more systems (especially HPUX 9.x) that have System V shared memory, but not the mmap() call. The System V shared memory code is used by default on many systems as it has benchmarked as faster on many systems. The Automount code has been slightly re-shuffled, such that the home directory (and profile location) can be specified by \\%N\homes and \\%N\homes\profiles respectively, which are the defaults for these values. If -DAUTOMOUNT is enabled, then %N is the server component of the user's NIS auto.home entry. Obviously, you will need to be running Samba on the user's home server as well as the one they just logged in on. The RPC Domain code has been moved into a separate directory rpc_pipe/, and a LGPL License issued specifically for code in this directory. This is so that people can use this code in other projects. Missing feature. ---------------- One feature that we wanted to get into this release that was not possible due to the re-write of the nmbd code was the scalability features in the Samba WINS server. This feature is now tentatively scheduled for the next release (1.9.19). Apologies to anyone who was hoping for this feature to be included. The nmbd re-write will make it much easier to add such things in future. New parameters in smb.conf. --------------------------- New Global parameters. 
---------------------- Documented in the smb.conf man pages : "bind interfaces only" "lm announce" "lm interval" "logon drive" "logon home" "min wins ttl" "max wins ttl" "username level" New Share level parameters. --------------------------- Documented in the smb.conf man pages : "delete veto files" "oplocks" Nascent web interface for configuration. ---------------------------------------- source/wsmbconf.c is a cgi-bin program for editing smb.conf. It can also be run standalone. This is in a very early stage of development. Debugging support. ------------------ smbd and nmbd will now modify their debug log level when they receive a USR1 signal (increase debug level by one) and USR2 signal (decrease debug level by one). This has been added to aid administrators track down faults that only occur after long periods of time, or transiently. Reporting bugs. --------------- If you have problems, or think you have found a bug please email a report to : samba-bugs@samba.anu.edu.au Please state the version number of Samba that you are running, and *full details* of the steps we need to reproduce the problem. As always, all bugs are our responsibility. Regards, The Samba Team. From tavis at mahler.econ.columbia.edu Wed May 13 06:50:58 1998 From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:24:06 2003 Subject: Problems doing update In-Reply-To: Message-ID: On Tue, 12 May 1998, Luke Kenneth Casson Leighton wrote: > - are you running it as ./nmbd instead of just nmbd > - did you do a make; make install; /usr/local/samba/bin/smbd; > /usr/local/samba/bin/nmbd? > - other Yes, it was this basic. I had made a hard link from /usr/local/bin when I thought I had made a soft one. Really, Luke, I swear I'm not stupid. I'm sorry to take up your time like that. > [re remote browse sync] > what the _heck_ is this parameter??? Supposedly it allows two Samba WINS servers on different subnets to sync with each other's browse lists. I don't know if it works. 
I couldn't get it to do what I thought it was supposed to.

> add case sensitive = no case preserve = yes short case preserve = yes look
> these up in man smb.conf to check spelling.
> important:
>
> locking = no
> guest ok = no
> delete either public = yes or guest ok = yes - they are identical see
> man smb.conf :-)

These changes made all the difference once I'd gotten everything else to work. I've suggested to jerry to include them in his faq since I didn't see it in any of the documentation.

Thanks again,
Tavis

From lkcl at switchboard.net Wed May 13 12:22:34 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: Hello & LDAP
In-Reply-To: <3558AD88.FA66EE44@tripleg.com>
Message-ID:

On Wed, 13 May 1998, Mark Lillywhite wrote:

> Hi there!

welcome, mark.

samba-technical has a lot of well-informed lurkers on it, and we get some raging debates occasionally: one of the primary uses i have for it is archive purposes (http://samba.anu.edu.au/listproc)

samba-ntdom is full of nt/unix - aware administrators who are very responsive to things like "hey, what do you want to see happen?"

it's cool.

From lkcl at switchboard.net Wed May 13 12:22:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: Hello & LDAP
Message-ID:

---------- Forwarded message ----------
Date: Wed, 13 May 1998 06:23:03 +1000
From: Mark Lillywhite
To: Multiple recipients of list
Subject: Hello & LDAP

Hi there!

I just subb'd to the list on the advice of Luke and Jean-Francois, 'cos I've implemented some stuff on LDAP authentication. I didn't know about the ongoing debate at the time, I couldn't find much info on it so I was (happily) surprised when I got email saying it was being worked on :)

Most of my work is laid out at http://defiant.tripleg.com/samba

I really just needed to do it to solve a problem of mine, but I'd like to help in some way, if I can. I'm really busy (aren't we all!) but getting Samba to authenticate with LDAP would be a great goal. I only currently have the U of M server.

The LDAP stuff mentioned on my web page has been running here successfully for about 2 weeks. I have one person using Win 95 logins to Samba through that, and about 4 people using shares. I'm about to add some new people to do Win 95 logins...

Anyway, I guess I'll just lurk for a while and see what the discussions are about, and then try to chip in with code and/or testing, etc. I don't know much about Samba internals (or LDAP, for that matter!) but I like hacking ;)

Regards
Mark
--
Where do you want to go today, boy?

From lkcl at switchboard.net Wed May 13 12:24:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:06 2003
Subject: password API needed
Message-ID:

(forwarded message)

Subject: Re: SAMBA: new password database api

One final observation. You are creating a policy database whether you recognize it or not. LDAP is well suited for such a task with inheritance and "references".

There seems to be one set of information, arbitrarily long, that is associated with each machine
    machine id
    machine password
    machine type
    etc.

Another for All Users
    login_directory %login%
    allowed_login_times
    password fail attempts
    BOOL All_Users_overrides_groups
    etc

Another for a group
    group id
    group password
    applications allowed
    group_allowed_machines
    BOOL group_overrides_user
    etc

Finally another for each user
    user id
    user password
    user login directory
    user profile directory

These are all stuff which decides policy. Policy is most easily implemented using inheritance. (Administrator doesn't have to do anything explicit to maintain a constant policy.) What I think is needed is a hierarchical database much like LDAP.

Perhaps the University of Michigan LDAP server should just be distributed with SAMBA?

However, LDAP does have the problem of non-standard ACL support and no transactional support. Those two problems will be fixed.

Also, LDAP doesn't do Unicode. That means that if your name is Chinese or Arabic, it will be difficult to search for it. That also will be fixed soon.

Just some comments.

From lkcl at switchboard.net Wed May 13 12:28:37 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Wed, 13 May 1998, Jean-Francois Micouleau wrote:

> On Tue, 12 May 1998, Luke Kenneth Casson Leighton wrote:
>
> > > You have to make the distinction between users and trusts accounts.
> >
> > why? not in my book you don't, and not in an NT SAM you don't. trust
> > accounts _are_ SAM users, but just with a different ACB_xxxx value.
>
> your book ? You found good books on microsoft #]}]&~i" protocols ?
>
> I mean with trust accounts you don't care about unix password
> synchronization.

correct, and something i hadn't thought about at all, and hadn't thought that someone else would consider it.

> > > I don't like it, I prefer to follow RFC2037.
> > wossat, then? what's that say (in a nutshell)
>
> I said I prefer to store the password as proposed in RFC 2037, cause NT5
> schema is not stable right now.

that's what mark's already done with his ldap system - see http://samba.anu.edu.au/listproc/samba-technical/0542.html

> We can take a look at NT5 schema (to know
> how it looks like) but I'm sure it's not the definitive one that will be
> in the shipping version of NT5.
>
> > then we will have to invent / use what microsoft does, which is to
> > obfuscate with a long-term session key.
>
> It's in the case where you want to store clear text password. If you want
> to obfuscate, you need to patch slapd, humm.
> I should look on critical angle repository web server, there was something
> there.
>
> Is there any ldap guru on this list ?

calling all ldap gurus! calling all ldap gurus! please subscribe to samba-technical@samba.anu.edu.au and help us out!

luke (samba team)

From lkcl at switchboard.net Wed May 13 12:32:42 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed, comments ...
In-Reply-To: <3.0.3.32.19980513084030.00831dc0@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Wed, 13 May 1998, David Bannon wrote:

> At 00:58 13/05/1998 +1000, Luke Kenneth Casson Leighton wrote:
> >wondering if people could comment on this thread (some of which is going
> >
> >questions like: do you think it's a good or a bad idea to add more
> >NT-SAM-like parameters to smb.conf, like "kickoff time" and "domain
> >workstations", bearing in mind that these may have to go down to the
> >granularity of a per-group or per-user basis?
> >
> >jeremy's vote is no, my vote is "fuzzy-logic-yes". jean-francois's vote is
> >"if it's a configuration nightmare, absolutely not, and creating hundreds
> >of smb.conf.%U files is a definite nightmare".
> >
>
> I'm with jean-francois if it means that we cannot ignore these extra
> functions. The beauty of samba is that it's easy (read quick) to get going
> and (especially) easy to keep going. Having to create and maintain
> individual config files ? No thanks !

i do this all the time.

smb.conf:
....
[applications]
read only = yes

include = smb.conf.%U

smb.conf.lkcl:
[applications]
read only = no

[root_share]
path = /

that gives me a new share and changes permissions on [applications] from read-only to writeable. for me only. or i could do include=smb.conf.%g and grant all administrators the same rights...
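
Added example (not part of the original thread and not Samba code): a simplified Python model of the `include = smb.conf.%U` overlay described in the message above, which reports in one place the shares and parameter overrides each user gets beyond the base smb.conf. The parser, the file contents (constructed to follow the layout in the message), the user name `otheruser`, and the rule that a missing include file is skipped are assumptions of this example.

```python
import re

# Constructed sample files, following the layout quoted in the message above.
FILES = {
    "smb.conf": (
        "[applications]\n"
        "   read only = yes\n"
        "   include = smb.conf.%U\n"
    ),
    "smb.conf.lkcl": (
        "[applications]\n"
        "   read only = no\n"
        "[root_share]\n"
        "   path = /\n"
    ),
}

SECTION = re.compile(r"\[(.+)\]")
MAX_DEPTH = 8  # guard against include loops


def _parse(files, name, user, shares, section, depth):
    """Merge file `name` into `shares`; return the section left open at its end."""
    if depth > MAX_DEPTH:
        raise ValueError("include nesting too deep at %r" % name)
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.fullmatch(line)
        if header:
            section = header.group(1).strip().lower()
            shares.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = " ".join(key.lower().split())
        value = value.strip()
        if key == "include":
            if "%U" in value and user is None:
                continue  # base view: per-user overlays are left out
            target = value.replace("%U", user or "")
            if target in files:  # model assumption: a missing include is skipped
                section = _parse(files, target, user, shares, section, depth + 1)
            continue
        shares.setdefault(section, {})[key] = value  # a later setting wins
    return section


def effective_config(files, user=None, root="smb.conf"):
    """Return {share: {parameter: value}} as seen by `user` (None = base view)."""
    shares = {}
    _parse(files, root, user, shares, "global", 0)
    return shares


def overlay_report(files, users, root="smb.conf"):
    """For each user, list shares that exist only for them and overridden parameters."""
    base = effective_config(files, None, root)
    report = {}
    for user in users:
        view = effective_config(files, user, root)
        extra = {s: p.get("path", "") for s, p in view.items() if s not in base}
        overrides = [
            (s, k, base[s].get(k), v)
            for s, params in sorted(view.items()) if s in base
            for k, v in sorted(params.items()) if base[s].get(k) != v
        ]
        report[user] = {"extra_shares": extra, "overrides": overrides}
    return report


if __name__ == "__main__":
    for user, findings in overlay_report(FILES, ["lkcl", "otheruser"]).items():
        print(user, findings)
```

Run against a real configuration directory by loading each smb.conf.* file into the `files` dictionary; any entry under `extra_shares` or `overrides` is access that cannot be seen by reading the base smb.conf alone.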
From lkcl at switchboard.net Wed May 13 12:51:50 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:07 2003 Subject: Problems doing update In-Reply-To: Message-ID: On Wed, 13 May 1998, Tavis Barr wrote: > > On Tue, 12 May 1998, Luke Kenneth Casson Leighton wrote: > > > - are you running it as ./nmbd instead of just nmbd > > - did you do a make; make install; /usr/local/samba/bin/smbd; > > /usr/local/samba/bin/nmbd? > > - other > > Yes, it was this basic. I had made a hard link from /usr/local/bin when > I thought I had made a soft one. Really, Luke, I swear I'm not stupid. > I'm sorry to take up your time like that. no offence intended: just checking! > > [re remote browse sync] > > what the _heck_ is this parameter??? > > Supposedly it allows two Samba WINS servers on different subnets to sync > with each other's browse lists. oh yehhh. i'm out of date. tee hee. From jpr9c at cs.virginia.edu Wed May 13 13:33:06 1998 From: jpr9c at cs.virginia.edu (Scott Ruffner) Date: Tue Dec 2 02:24:07 2003 Subject: Compile grief with Solaris x86 2.5.1 Message-ID: <3559A112.1E4BC9EA@mail.cs.virginia.edu> Hi all, I just got the latest version (p7), and am still trying to get this to compile. I'm using gcc. Any ideas? 
Compiling ipc.c ipc.c: In function `api_RNetServerEnum': ipc.c:1194: warning: passing arg 4 of `qsort' from incompatible pointer type Compiling smbpass.c gcc: Internal compiler error: program cc1 got fatal signal 6 *** Error code 1 make: Fatal error: Command failed for target `smbpass.o' Scott -- Scott Ruffner Systems Engineer ruffner@cs.virginia.edu Computer Science Department 226E Olsson Hall University of Virginia (804)982-2219 From tridge at samba.anu.edu.au Wed May 13 15:00:38 1998 From: tridge at samba.anu.edu.au (Andrew Tridgell) Date: Tue Dec 2 02:24:07 2003 Subject: Compile grief with Solaris x86 2.5.1 In-Reply-To: <3559A112.1E4BC9EA@mail.cs.virginia.edu> (message from Scott Ruffner on Thu, 14 May 1998 00:46:25 +1000) References: <3559A112.1E4BC9EA@mail.cs.virginia.edu> Message-ID: <19980513150052Z12813950-682+33@samba.anu.edu.au> > Compiling smbpass.c > gcc: Internal compiler error: program cc1 got fatal signal 6 > *** Error code 1 > make: Fatal error: Command failed for target `smbpass.o' That's a compiler bug. If you can work out what the offending line is then maybe we can code around the bug for a future version but my basic advice would be to update your copy of gcc. Cheers, Andrew From cartegw at Eng.Auburn.EDU Wed May 13 16:18:50 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:07 2003 Subject: password API needed References: Message-ID: <3559C7EA.4C251FFA@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > These are all stuff which decides policy. Policy is most easily > implemented using inheritance. (Administrator doesn't have to do > anything explicit to maintain a constant policy.) What I think is > needed is a hierarchical database much like LDAP. Excellent idea. I fully agree with the notion of a central policy to fallback on ( sounds like I'm contradicting myself from yesterday...perhaps I am ). If this contains minimal performance hits for large sites, I think it's the way to go. 
> However, LDAP does have the problem of non-standard ACL support and no > transactional support. Those two problems will be fixed. Hmmm...These are a big problem. How do you propose to fix it? j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Wed May 13 16:20:43 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:07 2003 Subject: password API needed, comments ... References: Message-ID: <3559C85B.2A66C48F@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > On Wed, 13 May 1998, David Bannon wrote: > > i do this all the time. > > smb.conf: > ... > [applications] > read only = yes > > include = smb.conf.%U > > smb.conf.lkcl: > [applications] > read only = no > > [root_share] > path = / > > that gives me a new share and changes permissions on [applications] > from read-only to writeable. for me only. or i could do > include=smb.conf.%g and grant all administrators the same rights... This is the equivalent of using the "valid users" parameter and "write list". Doesn't gain you anything really. Simply a matter of preference. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From jallison at whistle.com Wed May 13 17:28:04 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:07 2003 Subject: Compile problems, 19p7 (PR#7048) References: <19980513170944Z12863976-685+129@samba.anu.edu.au> Message-ID: <3559D824.4487EB71@whistle.com> estewart@dudley.lib.usf.edu wrote: > > On an Ultra 1 running Solaris 2.6 and using gcc 2.8.1 > > ipc.c: In function `api_RNetServerEnum': > ipc.c:1194: warning: passing arg 4 of `qsort' from incompatible pointer > type > > Compiling nmbd_incomingrequests.c > nmbd_incomingrequests.c: In function `process_node_status_request': > nmbd_incomingrequests.c:380: warning: passing arg 4 of `qsort' from > incompatible pointer type > > Compiling client.c > client.c: In function `browse_host': > client.c:2972: warning: passing arg 4 of `qsort' from incompatible pointer > type > > The compile keeps running and otherwise runs fine; this is the > first time that I've had any kind of warnings using gcc (18p4 compiled > fine with gcc 2.8.1). > Should I worry about this? I'd think that GCC would always be the > compiler of choice these days... Unfortunately we tested with the Sun compiler, c'est la vie :-). We missed one QSORT_CAST define in includes.h for Solaris. It is just a warning and can be ignored. If it really bugs you add : #ifndef QSORT_CAST #define QSORT_CAST (int (*)(const void *, const void *)) #endif /* QSORT_CAST */ to the SUNOS5 section of includes.h (which is what is in the main branch). This is fixed in the main branch but got missed for 1.9.18p7, sorry (we were rather busy on other issues :-). Regards, Jeremy Allison. Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. 
-------------------------------------------------------- From abs at maunsell.co.uk Wed May 13 18:15:27 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:07 2003 Subject: running kixtart with NT Domain logins Message-ID: <19980513191527.40597@maunsell.co.uk> Previously, I wrote :- > > With the latest cvs version running, I am finding that kix32 crashes. > The version from 'about a week ago' seemed to work OK with kix32 if I > recall correctly and I dont think my conf file has changed > substantially in the meantime. > > This is kix32 Version 3.45, Solaris-sparc [2.5.1] and NT 4.0/sp3. I have now dragged a binary back from backup, I am not imagining things, it did work fine with a version that introduced itself :- Server=[Samba 1.9.18-HEAD] OK, this binary was dated Apr 22 18:55 GMT, so my 'about a week ago' was way off, but when running this server, my login scripts work fine, even now with my current conf file. However, running todays CVS version :- Server=[Samba 1.9.19-prealpha] kix32 wont even start :- An Application error has occurred and an application error log is being generated. kix32.exe Exception access violation (0xc0000005), Address: 0x77822710 >From event log :- The description for Event ID ( 5 ) in Source ( KIXTART ) could not be found. It contains the following insertion string(s): UserModalsGet failed Error : Access is denied. (0x5/5). Does this give anyone any clues, I admit to being clueless myself. If the above message is to be believed, have I misconfigured my netlogin share? Not sure if I should be discussing this on the main list, but I am not a member there, all I am really after is domain logins. I am attaching my smbd.conf if anyone can spare the time, thanks. -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. 
-or- abs@maunsl00.demon.co.uk -------------- next part -------------- # Global parameters load printers = no workgroup = LON server string = Samba Server security = USER encrypt passwords = Yes homedir map = wcp.home log file = /var/log/smbd.%m.log max log size = 50 time server = Yes socket options = TCP_NODELAY domain sid = S-1-5-21-123-456-200 logon script = logon.bat logon drive = h: domain logons = Yes preferred master = Yes domain master = Yes dns proxy = No wins support = Yes unix realname = Yes NIS homedir = Yes create mask = 0664 directory mask = 0775 hosts allow = [snip] preserve case = Yes short preserve case = Yes hide dot files = No [netlogon] comment = Network Logon Service path = /opt/MSPolicy guest ok = No share modes = No locking = No [mspolicy] copy = netlogon From trep at dem.qc.ca Mon May 11 18:03:37 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:07 2003 Subject: Problems with smbpasswd-program In-Reply-To: from "Luke Kenneth Casson Leighton" at May 11, 98 11:22:44 pm Message-ID: <199805111803.OAA18363@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 852 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980511/949d7b1d/attachment.bat From trep at dem.qc.ca Wed May 13 20:30:17 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:07 2003 Subject: User permissions w/NT 4.0 In-Reply-To: <199805111803.OAA18363@ursula.dem.qc.ca> from "Pierre-Jules Tremblay" at May 14, 98 05:28:17 am Message-ID: <199805132030.QAA22488@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 1501 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980513/24ca2e57/attachment.bat From D.Bannon at latrobe.edu.au Wed May 13 22:55:26 1998 From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:24:07 2003 Subject: password API needed, comments ... 
In-Reply-To: <3559C85B.2A66C48F@eng.auburn.edu> Message-ID: <3.0.3.32.19980514085526.0083f5b0@bioserve.biochem.latrobe.edu.au> At 02:53 14/05/1998 +1000, Gerald Carter wrote: >Luke Kenneth Casson Leighton wrote: >> smb.conf: >> ... >> [applications] >> read only = yes >> >> include = smb.conf.%U >> >> smb.conf.lkcl: >> [applications] >> read only = no >> >> [root_share] >> path = / >> >> that gives me a new share and changes permissions on [applications] >> from read-only to writeable. for me only. or i could do >> include=smb.conf.%g and grant all administrators the same rights... > >This is the equivalent of using the "valid users" parameter and "write >list". Doesn't gain you anything really. Simply a matter of >preference. Not really equivalent. The 'valid users' approach has all the info in one file and is much easy to maintain. You can see at a glance who are valid to do what for a particular share by looking in only one file. Might be different if we have a database approach with a nice clean interface to the administrator but even that nice clean interface will hide whats really going on. Sounds a bit like NT ?? David ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From cartegw at Eng.Auburn.EDU Thu May 14 01:06:55 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. 
Carter) Date: Tue Dec 2 02:24:07 2003 Subject: Problems with smbpasswd-program In-Reply-To: <199805111803.OAA18363@ursula.dem.qc.ca> Message-ID: On Thu, 14 May 1998, Pierre-Jules Tremblay wrote: > > Index: smbpasswd.c > =================================================================== > RCS file: /cvsroot/samba/source/smbpasswd.c,v > retrieving revision 1.44 > diff -r1.44 smbpasswd.c > 649c649 > < if (!fp) { > --- > > if (!vp) { > This should was fixed yesterday i think. Jeremy patched the main branch. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From jallison at whistle.com Thu May 14 03:31:02 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:07 2003 Subject: Random domain sid now generated Message-ID: <355A6576.2C67412E@whistle.com> Ok everyone, I've implemented and checked in the code to auto generate machine/domain SIDs and stash them in a MACHINE.SID file in the same directory as smbpasswd if there is no 'domain sid' parameter in the smb.conf. Once the MACHINE.SID file exists, the 'domain sid' parameter is ignored (allowing a migration). Check it out & check it out :-). Cheers, Jeremy Allison. Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From mk at quadstone.co.uk Thu May 14 08:24:14 1998 From: mk at quadstone.co.uk (Michael Keightley) Date: Tue Dec 2 02:24:07 2003 Subject: problems with smbpasswd Message-ID: <7412.199805140824@subnode.quadstone.co.uk> I now seem to need to use the -r option with smbpasswd to change my password, why? Root doesn't need to use the option. 
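Review bot: in the smbpasswd.c diff quoted earlier (649c649), the null test changes from "if (!fp)" to "if (!vp)", and this context-free "diff -r1.44" output shows neither where vp is assigned nor whether fp is still checked where it is opened. Please resend it as a unified or context diff so a reader can confirm that the pointer being tested is the one assigned just above line 649, and say in the message what failure the old test caused.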
I'm using the main branch of samba that I got on Tues 12th on Solaris 2.6.

E.g. as a normal user:

% smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
smbpasswd: machine 127.0.0.1 rejected the session setup. Error was : code 131.

"smbpasswd -r " works.

Is this a new feature, or am I doing something wrong?

Michael
_________
Michael Keightley Email: mk@quadstone.co.uk
Systems Manager Tel: +44 131 220 4491
Quadstone Ltd Fax: +44 131 220 4492
16 Chester Street
Edinburgh EH3 7RA, Scotland

From lkcl at switchboard.net Thu May 14 10:51:18 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed, comments ...
In-Reply-To: <3.0.3.32.19980514085526.0083f5b0@bioserve.biochem.latrobe.edu.au>
Message-ID:

On Thu, 14 May 1998, David Bannon wrote:

> At 02:53 14/05/1998 +1000, Gerald Carter wrote:
> >Luke Kenneth Casson Leighton wrote:
> >
> >> smb.conf:
> >> ...
> >> [applications]
> >> read only = yes
> >>
> >> include = smb.conf.%U
> >>
> >> smb.conf.lkcl:
> >> [applications]
> >> read only = no
> >>
> >> [root_share]
> >> path = /
> >>
> >> that gives me a new share and changes permissions on [applications]
> >> from read-only to writeable. for me only. or i could do
> >> include=smb.conf.%g and grant all administrators the same rights...
> >
> >This is the equivalent of using the "valid users" parameter and "write
> >list". Doesn't gain you anything really. Simply a matter of
> >preference.

the bit with the [applications] is equivalent, yes. i use the above
method because i never got "valid users" and "write list" to work :-)

the bit with the extra share [root_share] is definitely not equivalent.
unless you want to do "browseable = no" "valid users" etc but even then
that's not equivalent: some non-admin person will get an "access denied"
error not a "share does not exist".

personally i feel happier knowing that for certain users the share
simply does not exist, period.
From lkcl at switchboard.net Thu May 14 11:03:38 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: Random domain sid now generated
In-Reply-To: <355A6576.2C67412E@whistle.com>
Message-ID:

On Thu, 14 May 1998, Jeremy Allison wrote:

> Ok everyone, I've implemented and checked in the
> code to auto generate machine/domain SIDs and
> stash them in a MACHINE.SID file in the same directory
> as smbpasswd if there is no 'domain sid' parameter
> in the smb.conf.

_excellent_. one more important bit of the puzzle.

From lkcl at switchboard.net Thu May 14 12:16:33 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed
Message-ID:

this post goes to multiple samba lists and to comp.protocols.smb.

NIS+.

can anyone remember who offered, or does anyone want, to add NIS+ password
database support to samba? there is a new password api (passdb.c) to
which we wish to add some of the more powerful and secure databases
currently available: LDAP, NetInfo, NIS+ etc.

luke (samba team)

From Frode.Stenstrom at pvv.org Thu May 14 12:59:57 1998
From: Frode.Stenstrom at pvv.org (Frode Stenstrøm)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed
In-Reply-To: Luke Kenneth Casson Leighton's message of "Thu, 14 May 1998 12:16:33 +0000"
References:
Message-ID:

The following message is a courtesy copy of an article
that has been posted to comp.protocols.smb as well.

Luke Kenneth Casson Leighton writes:

>this post goes to multiple samba lists and to comp.protocols.smb.
>
>NIS+.
>
>can anyone remember who offered, or does anyone want, to add NIS+ password
>database support to samba? there is a new password api (passdb.c) to
>which we wish to add some of the more powerful and secure databases
>currently available: LDAP, NetInfo, NIS+ etc.
>
>luke (samba team)

NIS+ support would be an EXTREMELY valuable feature.
We use Samba and NIS+, but lack password sync features. We were planning
on writing code to do the password sync things ourselves, once
Samba can function as a PDC. But if this api could support
NIS+, then a lot of work would be saved!!!

Go for it!!

- FrodeS -
--
http://www.pvv.org/~frodeste

From lkcl at switchboard.net Thu May 14 13:35:25 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: password API needed
In-Reply-To:
Message-ID:

On Thu, 14 May 1998, Frode Stenstrøm wrote:

> The following message is a courtesy copy of an article
> that has been posted to comp.protocols.smb as well.
>
> Luke Kenneth Casson Leighton writes:
>
> >this post goes to multiple samba lists and to comp.protocols.smb.
> >
> >NIS+.
> >
> >can anyone remember who offered, or does anyone want, to add NIS+ password
> >database support to samba? there is a new password api (passdb.c) to
> >which we wish to add some of the more powerful and secure databases
> >currently available: LDAP, NetInfo, NIS+ etc.
> >
> >luke (samba team)
>
>
> NIS+ support would be an EXTREMELY valuable feature. We use Samba
> and NIS+, but lack password sync features. We were planning
> on writing code to do the password sync things ourselves, once
> Samba can function as a PDC. But if this api could support
> NIS+, then a lot of work would be saved!!!

tell me how to do it: send me some example code: anything. i don't have
access to NIS+. write me some stub routines: whatever, i don't care.

or, i can help you out in explaining what the basics needed are, and
once those are done i can take it from there.

i'm good with cut-and-paste (actually vi and sed) once some work has
started, as i am sure that jean-francois and jeremy will bear witness to.
From cartegw at Eng.Auburn.EDU Thu May 14 15:15:12 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:07 2003
Subject: ntconfig.pol
Message-ID: <355B0A80.7A293771@eng.auburn.edu>

Greetings again :)

OK. I've been dealing with the ntconfig.pol situation. I know that some
people have reported that automatic updates stopped working with the
latest code.

I have binaries from May 5, and the updates are working. Can someone
confirm that updates are not working for them? And send me specifics on
the [netlogon] share from smb.conf as well as global settings, and the
case of the ntconfig.pol file? I am going to check out the latest code
and see what happens.

Thanks,
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From mblack at csihq.com Thu May 14 15:26:10 1998
From: mblack at csihq.com (Mike Black)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
Message-ID: <019301bd7f4c$9fd9e020$32de11cc@mblack.csihq.com>

98/05/14 - Got the latest CVS tree [Samba 1.9.19-prealpha] -- just a few
changes to the smb.conf file and I can now see a new domain created. I can
browse to it and connect to the shares just fine.

However, trying to change an NT workstation to the new domain is not passing
the password validation.

Machine is "HOLLAND". I added "HOLLAND$" to /etc/passwd and did
"smbpasswd -a HOLLAND$ holland" according to the docs.
But, the trust account fails during the domain name change:

I got a lot of errors during "smbpasswd" and during the domain change about:

getsmbpwent: malformed password entry (uid not number)
getsmbpwent: malformed password entry (uid not number)
getsmbpwent: malformed password entry (uid not number)
getsmbpwent: malformed password entry (no : after uid)
getsmbpwent: malformed password entry (uid not number)
getsmbpwent: malformed password entry (uid not number)
getsmbpwent: malformed password entry (uid not number)
getsmbpwent: returning passwd entry for user HOLLAND$, uid 2000
smb_password_ok: Checking SMB password for user HOLLAND$
smb_password_ok: Checking NT MD4 password
smb_password_ok: NT MD4 password check failed
Checking LM MD4 password
smb_password_ok: LM MD4 password check failed
session_trust_account: Trust Account HOLLAND$ - password failed

My passwd entry looks like:
HOLLAND$:8ApCAEEUAML2Y:2000:105:Don Holland::/bin/true

And the resultant smbpasswd like:
HOLLAND$:2000:32D2A6922D8E51ADAAD3B435B51404EE:C74E64C545603C8081B7502B42B41
87E:[U]:LCT-355B00C4:

Suggestions?

From aap at risca.com Thu May 14 17:30:45 1998
From: aap at risca.com (Tony)
Date: Tue Dec 2 02:24:07 2003
Subject: Printing
Message-ID: <98May14.133036edt.26881@sky.risca.com>

We are trying to have a UNIX machine print via a shared printer on an NT 4.0
Workstation. The catch being the printer is attached to a NOVELL 4.11 Server
which communicates with the NT using the IPX/SPX protocol only.

Here is a more in-depth look at the problem:

Using smbclient we connect to the NT and try to print via the shared
printer using:

/usr/local/bin/smbclient \\\\$NT\\$Printer $passwd -U $user -P

which connects and gives the smb:\> prompt. Here is the following steps we
use and the results:

smb: \> translate
CR/LF<->LF and print text translation now on
smb: \> print
ERRDOS - ERRnoaccess (Access denied.)
opening printer for
smb: \>quit

Since the NT can print without any problems, our thinking is the problem
lies in the changeover in protocols...

TIA,
Tony.

From cartegw at Eng.Auburn.EDU Thu May 14 20:35:08 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
References: <019301bd7f4c$9fd9e020$32de11cc@mblack.csihq.com>
Message-ID: <355B557C.8B1C2CFD@eng.auburn.edu>

Mike Black wrote:
>
> Machine is "HOLLAND". I added "HOLLAND$" to /etc/passwd and did
> "smbpasswd -a HOLLAND$ holland" according to the docs. But, the trust
> account fails during the domain name change:

Actually should be "smbpasswd -a -m holland"

j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From x7currie at lab2.cc.wmich.edu Thu May 14 19:56:50 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:07 2003
Subject: password synching -- Grrr.. (fwd)
Message-ID:

Hello,

This is a forwarded message from my unix sysadmin (he's taking care of the
Unix side of things and I've got the NT side). Just a little background,
we're trying to execute smbpasswd from within Sun's passwd program. We
have the source.

Thanks,
Kevin

---------- Forwarded message ----------
Date: Thu, 14 May 1998 13:48:32 -0400 (EDT)
From: "Leonard J. Peirce"
Reply-To: leonard.peirce@wmich.edu
To: CURRIE KEVIN
Subject: password synching -- Grrr..

Hi...

I'm working with the password syncing and running into a problem. Every
time I try to exec smbpasswd from the passwd program everything runs ok
until it tries to make the connection to the server and change the
password. Then I get the message:

smbpasswd: machine medusa rejected the session setup.
Error was : ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree
Connect or Session Setup are invalid.).

But if I just run smbpasswd from the command line everything looks ok.

Could you possibly ask on your mailing list if they have any idea what's
happening? Or perhaps some suggestions about debugging it?

At the worst we could put a message in the passwd program telling people
to run smbpasswd on their own to change their password. Not optimal but
it might be acceptable until we can get things working correctly.

- Leonard

From jallison at whistle.com Thu May 14 20:55:41 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
References: <019301bd7f4c$9fd9e020$32de11cc@mblack.csihq.com>
Message-ID: <355B5A4D.4A7B7C1D@whistle.com>

Mike Black wrote:
>
> 98/05/14 - Got the latest CVS tree [Samba 1.9.19-prealpha] -- just a few
> changes to the smb.conf file and I can now see a new domain created. I can
> browse to it and connect to the shares just fine.
>
> However, trying to change an NT workstation to the new domain is not passing
> the password validation.
>
> Machine is "HOLLAND". I added "HOLLAND$" to /etc/passwd and did
> "smbpasswd -a $HOLLAND holland" according to the docs. But, the trust
> account fails during the domain name change:
>

Ah - that's your error. You added HOLLAND$ as a *user* account,
not a machine account.

Remove the account and re-add with

smbpasswd -a -m HOLLAND

You shouldn't need the password when adding a machine account.

>
> My passwd entry looks like:
> HOLLAND$:8ApCAEEUAML2Y:2000:105:Don Holland::/bin/true
>

You shouldn't have a UNIX password for this account - it
should be set to be disabled.

> And the resultant smbpasswd like:
> HOLLAND$:2000:32D2A6922D8E51ADAAD3B435B51404EE:C74E64C545603C8081B7502B42B41
> 87E:[U]:LCT-355B00C4:
>

The [U] in the above shows it's a user account. It should say
[W] for a machine account ('Workstation trust account').

Hope this helps,

Jeremy.
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From tavis at mahler.econ.columbia.edu Thu May 14 21:04:50 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
In-Reply-To: <355B557C.8B1C2CFD@eng.auburn.edu>
Message-ID:

On Fri, 15 May 1998, Gerald Carter wrote:

> Mike Black wrote:
> >
> > Machine is "HOLLAND". I added "HOLLAND$" to /etc/passwd and did
> > "smbpasswd -a HOLLAND$ holland" according to the docs. But, the trust
> > account fails during the domain name change:
>
> Actually should be "smbpasswd -a -m holland"

Jerry--

It has to be "smbpasswd -a -m HOLLAND", no? Let me know if I'm wrong;
I'm still having trouble with the machine passwords.

Also, can someone explain the file DOMAIN.MACINE.mac file in the private
directory? There's a reference to it in the nmb log, but I can't find
any documentation on it. Do I need to configure it to have NT4 machine
accounts? What's the format?

Thanks,
Tavis

From cartegw at Eng.Auburn.EDU Thu May 14 21:14:54 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
References:
Message-ID: <355B5ECE.3A19EC4@eng.auburn.edu>

Tavis Barr wrote:
>
> It has to be "smbpasswd -a -m HOLLAND", no? Let me know if I'm wrong;
> I'm still having trouble with the machine passwords.

Shouldn't matter. I haven't verified this in the source though. Am
working on another problem right now. The smbpasswd program should
insulate you from case anyways.

> Also, can someone explain the file DOMAIN.MACINE.mac file in the
> private directory? There's a reference to it in the nmb log, but I
> can't find any documentation on it. Do I need to configure it to have
> NT4 machine accounts? What's the format?

Do you mean private/MACHINE.SID?
This is the domain SID generated randomly if one has not been specified
in smb.conf. After generation, this file is consulted rather than the
smb.conf parameter. It's something Jeremy is currently working. No docs
yet. There was a message about that file recently though from jeremy.
Check the archives.

Hope this helps,
j-
--
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From abs at maunsell.co.uk Thu May 14 21:31:54 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:07 2003
Subject: password synching -- Grrr.. (fwd)
In-Reply-To: ; from Kevin Currie on Fri, May 15, 1998 at 06:52:40AM +1000
References:
Message-ID: <19980514223154.43421@maunsell.co.uk>

On Fri, May 15, 1998 at 06:52:40AM +1000, Kevin Currie wrote:
>
> This is a forwarded message from my unix sysadmin (he's taking care of the
> Unix side of things and I've got the NT side). Just a little background,
> we're trying to execute smbpasswd from within Sun's passwd program. We
> have the source.

Been trying to do something similar here, but not having the source,
I'm looking at passwd+ and npasswd. Trouble is, neither of these support
NIS (well, the versions I've found anyway), so I've got a long way to go
still. Does anyone know of a publicly available NIS aware passwd
replacement?

Thanks.
--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
/_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
/ England.
-or- abs@maunsl00.demon.co.uk

From x7currie at lab2.cc.wmich.edu Thu May 14 21:46:27 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:07 2003
Subject: ntconfig.pol
In-Reply-To: <355B0A80.7A293771@eng.auburn.edu>
Message-ID:

> I have binaries from May 5, and the updates are working. Can someone
> confirm that updates are not working for them? And send me specifics on
> the [netlogon] share from smb.conf as well as global settings, and the
> case of the ntconfig.pol file? I am going to check out the latest code
> and see what happens.

Okay, I had a problem with code from last Thursday (05/07). As soon as I
got a new source tree (from yesterday [05/12]) things started working
again, so it was definitely a samba problem. The case of the file was/is
NTConfig.POL, and you really don't want the setup of my netlogon as it is
quite complicated. However, when policies were broke, login scripts were
still working.

Kevin

From tavis at mahler.econ.columbia.edu Thu May 14 21:55:28 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
In-Reply-To: <355B5ECE.3A19EC4@eng.auburn.edu>
Message-ID:

On Thu, 14 May 1998, Gerald Carter wrote:

> > It has to be "smbpasswd -a -m HOLLAND", no? [vs. holland in lower
> > case -- TB] Let me know if I'm wrong; I'm still having trouble with
> > the machine passwords.
>
> Shouldn't matter. I haven't verified this in the source though. Am
> working on another problem right now. The smbpasswd program should
> insulate you from case anyways.

Actually, I just tried it and it does. It checks /etc/passwd, finds out
that there is no machine named workstation$, and exits. On the other
hand, if you add workstation$ to the /etc/passwd file, then it adds
workstation$ in lower case to the smbpasswd file.
From what I understand, the machine name has to be in upper case, and the
password in lower case -- but then I keep getting these machine password
invalid errors on the NT end, so I'm hardly one to know.

> > Also, can someone explain the file DOMAIN.MACINE.mac file in the
> > private directory? There's a reference to it in the nmb log, but I
> > can't find any documentation on it. Do I need to configure it to have
> > NT4 machine accounts? What's the format?
>
> Do you mean private/MACHINE.SID? This is the domain SID generated
> randomly if one has not been specified in smb.conf. After generation,
> this file is consulted rather than the smb.conf parameter. It's
> something Jeremy is currently working. No docs yet. There was a
> message about that file recently though from jeremy. Check the
> archives.

I take it back. It's no longer in the new version. My machines are now
failing because I get errors like this for the domain server MARKOV when
I try to connect workstations to the domain:

Domain=[SOCIOLOGY] NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[tavis]
get_trust_account_password: Malformed trust password file (wrong length).
domain_client_validate: unable to read the machine account password for
machine MARKOV in domain SAMBADC.

Nevertheless there is an entry for MARKOV$ in my smbpasswd file:

MARKOV$:65534:F97C0A62568073BCAAD3B435B51404EE:E4367877FC5AF99CD2137B5\
B389C9965:[W]:LCT-355B62AF:

[user 65534 is nobody]

What is even more disturbing is that I can use smbclient to connect to
this service ('\\markov\MARKOV$' -U MARKOV$ , password markov) if there
is a valid home directory in the Unix password file. Maybe this loophole
is too obvious to worry about but it didn't occur to me as I was putting
these entries in my /etc/passwd file-- or rather because I didn't
understand at first what I was doing I wasn't sure if the accounts would
need a home directory.
It would be nice if there were something in smbd that didn't allow
[homes] logons for machine accounts.

Well this is rambling....

Cheers,
Tavis

From cartegw at Eng.Auburn.EDU Thu May 14 22:19:18 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
References:
Message-ID: <355B6DE6.96E8BFBD@eng.auburn.edu>

Tavis Barr wrote:
>
> Actually, I just tried it and it does. It checks /etc/passwd, finds
> out
> that there is no machine named workstation$, and exits. On the other
> hand, if you add workstation$ to the /etc/passwd file, then it adds
> workstation$ in lower case to the smbpasswd file. From what I
> understand, the machine name has to be in upper case, and the password
> in lower case -- but then I keep getting these machine password
> invalid errors on the NT end, so I'm hardly one to know.
>

Matter to smbpasswd and matter to the NT box are two different matters.
Yes smbpasswd does matter, but I don't think that UPPER case is necessary
for things to work. The case conversion is handled internally to the
samba code.

> I take it back. It's no longer in the new version. My machines are
> now failing because I get errors like this for the domain server
> MARKOV when I try to connect workstations to the domain:
>
> Domain=[SOCIOLOGY] NativeOS=[Windows NT 1381] NativeLanMan=[]
> sesssetupX:name=[tavis]
> get_trust_account_password: Malformed trust password file (wrong length).
> domain_client_validate: unable to read the machine account password for
> machine MARKOV in domain SAMBADC.
>
> Nevertheless there is an entry for MARKOV$ in my smbpasswd file:
>
> MARKOV$:65534:F97C0A62568073BCAAD3B435B51404EE: E4367877FC5AF99CD2137B5B389C9965:[W]:LCT-355B62AF:

I'll look into this tomorrow OK?
Gotta get home and see the last Seinfeld tonight ;)

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Thu May 14 22:47:59 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
References:
Message-ID: <355B749F.19A13460@whistle.com>

Tavis Barr wrote:

> I take it back. It's no longer in the new version. My machines are now
> failing because I get errors like this for the domain server MARKOV when
> I try to connect workstations to the domain:
>
> Domain=[SOCIOLOGY] NativeOS=[Windows NT 1381] NativeLanMan=[]
> sesssetupX:name=[tavis]
> get_trust_account_password: Malformed trust password file (wrong length).
> domain_client_validate: unable to read the machine account password for
> machine MARKOV in domain SAMBADC.
>

You've got 'security=domain' set on the Samba machine you
want to be a PDC, haven't you.

The trust account password message is a giveaway.

You should only set 'security=domain' if you're adding
a Samba server into a domain as a *member* of a domain,
not as the PDC.

I'll add code to make smbd die if you have it set as
a PDC and 'security=domain' as people are obviously
confusing the two.

When Samba is a PDC there should be no DOMAIN.MACINE.mac
file for the domain that Samba is serving as a PDC for.

There will be a DOMAIN.MACINE.mac file on a Samba server
acting as a server in a domain.

There should always be a MACHINE.sid file.

Delete the DOMAIN.MACINE.mac file, and change the
'security=domain' line to 'security=user' on the
machine you want to act as the PDC.

Jeremy.
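
An added example, not part of any message in this thread and not Samba's own code: a small audit of the two files the posts above keep tripping over, assuming the one-line name:uid:LM:NT:[flags]:LCT-...: smbpasswd layout quoted in the thread. It reports machine accounts ("$" names) stored as [U] instead of [W], and "$" accounts whose UNIX passwd entry is missing, still has a usable password, or has a home directory; the function names, finding codes, sample data and the set of "no home" values are assumptions made for the example.

```python
import re

FLAGS_RE = re.compile(r"^\[([A-Za-z ]*)\]$")
H = "0123456789ABCDEF" * 2  # constructed 32-character placeholder, not a real hash

# Constructed sample files, not taken from the thread.
SAMPLE_SMBPASSWD = f"""\
# constructed sample smbpasswd
WKS1$:2000:{H}:{H}:[U]:LCT-00000001:
WKS2$:2001:{H}:{H}:[W]:LCT-00000002:
WKS3$:2002:{H}:{H}:[W]:LCT-00000003:
alice:1001:{H}:{H}:[U]:LCT-00000004:
broken:abc:{H}:{H}:[U]:LCT-00000005:
"""

SAMPLE_PASSWD = """\
# constructed sample /etc/passwd
wks1$:*:2000:105:machine account::/bin/false
WKS2$:abCdEfGhIjKlM:2001:105:machine account:/home/wks2:/bin/true
alice:x:1001:100:Alice:/home/alice:/bin/sh
"""

# Assumption: these home fields cannot be served as a [homes] share.
NO_HOME = {"", "/dev/null", "/nonexistent"}


def parse_smbpasswd(text):
    """Return (entries, errors); entries maps account name to uid and flag set."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            errors.append((lineno, "too few fields"))
            continue
        name, uid, lm, nt, flags = fields[:5]
        match = FLAGS_RE.match(flags)
        if not uid.isdigit():
            errors.append((lineno, "uid not number"))
        elif len(lm) != 32 or len(nt) != 32:
            errors.append((lineno, "hash field is not 32 characters"))
        elif match is None:
            errors.append((lineno, "flags field is not [..]"))
        else:
            entries[name] = {"uid": int(uid), "flags": set(match.group(1)) - {" "}}
    return entries, errors


def parse_passwd(text):
    """Map lower-cased account name to its password and home fields."""
    accounts = {}
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) >= 7:
            accounts[fields[0].lower()] = {"password": fields[1], "home": fields[5]}
    return accounts


def audit(smbpasswd_text, passwd_text):
    """Return a list of (account or line, finding code) tuples."""
    entries, errors = parse_smbpasswd(smbpasswd_text)
    unix = parse_passwd(passwd_text)
    findings = [(f"line {n}", f"MALFORMED: {why}") for n, why in errors]
    for name, entry in entries.items():
        machine = name.endswith("$")
        if machine and "W" not in entry["flags"]:
            findings.append((name, "MACHINE_FLAGGED_AS_USER"))
        if not machine and "W" in entry["flags"]:
            findings.append((name, "USER_FLAGGED_AS_WORKSTATION"))
        if not machine:
            continue
        # Names are compared case-insensitively between the two files.
        acct = unix.get(name.lower())
        if acct is None:
            findings.append((name, "NO_UNIX_ACCOUNT"))
            continue
        pw = acct["password"]
        # "x" means the hash lives in a shadow file and cannot be judged here.
        if pw != "x" and not pw.startswith(("*", "!")):
            findings.append((name, "UNIX_LOGIN_NOT_DISABLED"))
        if acct["home"] not in NO_HOME:
            findings.append((name, "HOME_DIRECTORY_SET"))
    return findings


if __name__ == "__main__":
    for who, code in audit(SAMPLE_SMBPASSWD, SAMPLE_PASSWD):
        print(f"{who}: {code}")
```
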
From awilliam at whitemice.org Thu May 14 18:58:51 1998
From: awilliam at whitemice.org (Adam Williams)
Date: Tue Dec 2 02:24:07 2003
Subject: password synching -- Grrr.. (fwd)
In-Reply-To: root "Re: password synching -- Grrr.. (fwd)" (May 14, 6:08pm)
References:
Message-ID: <9805141858.ZM16016@estate1.whitemice.org>

> > This is a forwarded message from my unix sysadmin (he's taking care of the
> > Unix side of things and I've got the NT side). Just a little background,
> > we're trying to execute smbpasswd from within Sun's passwd program. We
> > have the source.
>
> Been trying to do something similar here, but not having the source,
> I'm looking at passwd+ and npasswd. Trouble is, neither of these support
> NIS (well, the versions I've found anyway), so I've got a long way to go
> still. Does anyone know of a publicly available NIS aware passwd replacement?
>
>

I've written a yypasswd/yppasswdd that updates the passwd and smbpasswd if
anyone is interested. The yppasswd accepts the password (authenticates it)
and sends it to yppasswdd on the server which updates the passwd file and
calls smbpasswd to fix the samba password. Send me a message if you're
interested in my code. I've gotten it to run on RedHat 4.2/5.0 and AIX 4.2.1

From tavis at mahler.econ.columbia.edu Fri May 15 03:15:51 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
In-Reply-To: <355B749F.19A13460@whistle.com>
Message-ID:

Thanks for looking at this. So what is the DOMAIN.MACHINE.mac file?
A list of servers in the domain? A list of workstations for which
previous authentication can be trusted? What's the format? Do we have
to create it if we use security = domain, or is it automatically created?

Thanks,
Tavis

On Thu, 14 May 1998, Jeremy Allison wrote:

> Tavis Barr wrote:
>
> > I take it back. It's no longer in the new version.
My machines are now
> > failing because I get errors like this for the domain server MARKOV when
> > I try to connect workstations to the domain:
> >
> > Domain=[SOCIOLOGY] NativeOS=[Windows NT 1381] NativeLanMan=[]
> > sesssetupX:name=[tavis]
> > get_trust_account_password: Malformed trust password file (wrong length).
> > domain_client_validate: unable to read the machine account password for
> > machine MARKOV in domain SAMBADC.
> >
>
> You've got 'security=domain' set on the Samba machine you
> want to be a PDC, haven't you.
>
> The trust account password message is a giveaway.
>
> You should only set 'security=domain' if you're adding
> a Samba server into a domain as a *member* of a domain,
> not as the PDC.
>
> I'll add code to make smbd die if you have it set as
> a PDC and 'security=domain' as people are obviously
> confusing the two.
>
> When Samba is a PDC there should be no DOMAIN.MACINE.mac
> file for the domain that Samba is serving as a PDC for.
>
> There will be a DOMAIN.MACINE.mac file on a Samba server
> acting as a server in a domain.
>
> There should always be a MACHINE.sid file.
>
> Delete the DOMAIN.MACINE.mac file, and change the
> 'security=domain' line to 'security=user' on the
> machine you want to act as the PDC.
>
> Jeremy.
>

From daniel at med.up.pt Fri May 15 08:23:22 1998
From: daniel at med.up.pt (Daniel Fonseca)
Date: Tue Dec 2 02:24:07 2003
Subject: Printing
In-Reply-To: <98May14.133036edt.26881@sky.risca.com>
Message-ID:

On Fri, 15 May 1998, Tony wrote:

> smb: \> print
> ERRDOS - ERRnoaccess (Access denied.)
opening printer for
> smb: \>quit

I had this problem and it had to do with the permissions on the samba
spool directory (/var/spool/samba in my case - default)

Hope to help,
Daniel

From lkcl at switchboard.net Fri May 15 11:27:46 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
In-Reply-To: <019301bd7f4c$9fd9e020$32de11cc@mblack.csihq.com>
Message-ID:

On Fri, 15 May 1998, Mike Black wrote:

> 98/05/14 - Got the latest CVS tree [Samba 1.9.19-prealpha] -- just a few
> changes to the smb.conf file and I can now see a new domain created. I can
> browse to it and connect to the shares just fine.
>
> However, trying to change an NT workstation to the new domain is not passing
> the password validation.
>
> Machine is "HOLLAND". I added "HOLLAND$" to /etc/passwd and did
> "smbpasswd -a HOLLAND$ holland" according to the docs. But, the trust

smbpasswd -a -m holland$

> account fails during the domain name change:
>
> I got a lot of errors during "smbpasswd" and during the domain change about:
>
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: malformed password entry (no : after uid)
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: malformed password entry (uid not number)
> getsmbpwent: returning passwd entry for user HOLLAND$, uid 2000
> smb_password_ok: Checking SMB password for user HOLLAND$
> smb_password_ok: Checking NT MD4 password
> smb_password_ok: NT MD4 password check failed
> Checking LM MD4 password
> smb_password_ok: LM MD4 password check failed
> session_trust_account: Trust Account HOLLAND$ - password failed
>
> My passwd entry looks like:
> HOLLAND$:8ApCAEEUAML2Y:2000:105:Don Holland::/bin/true
>
> And the resultant smbpasswd like:
>
HOLLAND$:2000:32D2A6922D8E51ADAAD3B435B51404EE:C74E64C545603C8081B7502B42B41
> 87E:[U]:LCT-355B00C4:

the above command (without the -m) has put [U] for user, not [W] for
workstation: this is a crucial difference.

edit your smbpasswd file by hand: change the [U] - ACB_NORMAL to [W] -
ACB_WKSTRUST.

oh, and re-join the domain because your credentials for HOLLAND may have
got out of sync.

From lkcl at switchboard.net Fri May 15 11:35:47 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: Initial testing
In-Reply-To:
Message-ID:

On Fri, 15 May 1998, Tavis Barr wrote:

>
>
> On Thu, 14 May 1998, Gerald Carter wrote:
>
> > > It has to be "smbpasswd -a -m HOLLAND", no? [vs. holland in lower
> > > case -- TB] Let me know if I'm wrong; I'm still having trouble with
> > > the machine passwords.
> >
> > Shouldn't matter. I haven't verified this in the source though. Am
> > working on another problem right now. The smbpasswd program should
> > insulate you from case anyways.
>
> Actually, I just tried it and it does. It checks /etc/passwd, finds out
> that there is no machine named workstation$, and exits.

this is correct behaviour.

> On the other
> hand, if you add workstation$ to the /etc/passwd file, then it adds
> workstation$ in lower case to the smbpasswd file. From what I
> understand, the machine name has to be in upper case,

doesn't matter.

> and the password in lower case

does matter.

> -- but then I keep getting these machine password invalid
> errors on the NT end, so I'm hardly one to know.

unjoin the domain; delete the HOLLAND$ smbpasswd entry; add the
holland$/HOLLAND$ entry; re-join the domain.

From x7currie at lab2.cc.wmich.edu Fri May 15 12:33:05 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:07 2003
Subject: Machine accounts invalid, sort of.
Message-ID:

I'm having a little oddity happening over in my lab.
Recently, all my machine accounts were added to the /etc/passwd file and now have unique uid's (as opposed to having them all set to nobody). The accounts were placed in the smbpasswd file using "smbpasswd -a -m". From some NT boxes, I cannot connect to the domain because the machine account is invalid; however, if I try the same account from another computer it works just fine. These machines that will not connect to the samba PDC connect to an NT PDC just fine. Is the smbpasswd file updated/modified at all when a machine connects to it? Kevin Currie From lkcl at switchboard.net Fri May 15 12:40:19 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:07 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: On Fri, 15 May 1998, Kevin Currie wrote: > > I'm having a little oddity happenning over in my lab. Recently, > all my machine accounts were added to the /etc/passwd file and now have > unique uid's (as opposed to having them all set to nobody). The accounts > were placed in the smbpasswd file using "smbpasswd -a -m". From some NT > boxes, I cannot connect to the domain because the machine account is > invalid; however, if I try the same account from another computer it works > just fine. These machines that will not connect to the samba PDC connect > to an NT PDC just fine. Is the smbpasswd file updated/modified at all > when a machine connects to it? ah. how many machines do you have: what is the length of the name of: - the user you are logging in as - the machine name can you do a case-by-case analysis for me, as there may be an alignment problem (it's what it sounds like) From x7currie at lab2.cc.wmich.edu Fri May 15 13:02:32 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:07 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: > ah. how many machines do you have: what is the length of the name of: about 120 eventaully, right now about 50. 
the length of the names is 8 characters including the dollar sign. > - the user you are logging in as usernames are all lowercase or numeric. i've tried a few of them, that x7currie, caetmp, caesmb as examples. > - the machine name machines names are as follows (using bash style brace expansion) cae-{a,b,c,d,z}{00-50}$ > can you do a case-by-case analysis for me, as there may be an alignment > problem (it's what it sounds like) we had an alignment problem compiling w/ gcc a long while back. compiling with sun c fixed this, but now we get lots of warnings w/ sun c (most about mismatches between signed and unsigned variable, nothing serious) and gcc comiles cleanly. I'll try it with a sun c compile and let the list know the results. if you need any more info, i'll see what i can get. I won't be here much longer today, but I can get an employee to get the tedious stuff if you need it. Kevin From lkcl at switchboard.net Fri May 15 13:42:27 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:07 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: On Fri, 15 May 1998, Kevin Currie wrote: > > > ah. how many machines do you have: what is the length of the name of: > > about 120 eventaully, right now about 50. the length of the names > is 8 characters including the dollar sign. every single machine is 8 characters in length? hm. > > - the user you are logging in as > > usernames are all lowercase or numeric. i've tried a few of them, > that x7currie, caetmp, caesmb as examples. > > > - the machine name > > machines names are as follows (using bash style brace expansion) > cae-{a,b,c,d,z}{00-50}$ > > > can you do a case-by-case analysis for me, as there may be an alignment > > problem (it's what it sounds like) > > we had an alignment problem compiling w/ gcc a long while back. ah, this is to do with the dce/rpc code... 
From lkcl at switchboard.net Fri May 15 13:42:55 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:07 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: On Fri, 15 May 1998, Kevin Currie wrote: > usernames are all lowercase or numeric. i've tried a few of them, > that x7currie, caetmp, caesmb as examples. try different usernames on machines that are failing. From trep at dem.qc.ca Fri May 15 13:41:23 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:07 2003 Subject: User permissions w/NT 4.0 In-Reply-To: from "Gerald W. Carter" at May 13, 98 08:10:29 pm Message-ID: <199805151341.JAA02226@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 1443 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980515/d2862ba1/attachment.bat From cartegw at Eng.Auburn.EDU Fri May 15 14:14:32 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:07 2003 Subject: User permissions w/NT 4.0 References: <199805151341.JAA02226@ursula.dem.qc.ca> Message-ID: <355C4DC8.6C4C92AC@eng.auburn.edu> Pierre-Jules Tremblay wrote: > > > > C:\> net time \\ursula /set /yes' fails with: > > > > > > System error 1726 has occurred. > > > > > > The remote procedure call failed. > > > I'm not sure I fully grasp what you're trying to say. Anyway, I did > more testing, and it turns out that NET TIME fails with the main > branch cvs source tree as of Monday, when run from an NT 4.0 WKST box, > whether the box is configured for DOMAIN or WORKGROUP. In both cases, > after reinstalling samba 1.9.18p4, NET TIME works fine. You are correct. I was responding to a different error. [blush...another soul damaged by a quick mouse finger] Sorry. I can verify this problem against the main branch as of May 5, 1998. Am having my owjn problems with the latest main branch code I am trying to track down. 
You're not alone :) Actually the problem I was remembering was "Access denied" in that case you must be logged in an admin type user. Also unless you have changed GUEST_SESSETUP in local.h you will need to be connected to the the server in some way in order to be validated ( ie. net use ... ) because "net time \\server" does not prompt for a password. Again, sorry for the misinformation. > > See the list archive for threads about "domain admin users" parameter > > Got it. Thanks. You're welcome :) j- -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Fri May 15 14:27:20 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:07 2003 Subject: mknissmbpwtble.sh Message-ID: #!/bin/sh # # Creates smbpasswd table and smb group in NIS+ # nistbladm \ -D access=og=rmcd,nw= -c \ -s : smbpasswd_tbl \ name=S,nogw=r \ uid=S,nogw=r \ lmpwd=C,nw=,g=r,o=rm \ ntpwd=C,nw=,g=r,o=rm \ gcos=,nw+r \ home=,wn+r \ shell=,wn+r smbpasswd.org_dir.`nisdefaults -d` nisgrpadm -c smb.`nisdefaults -d` nischgrp smb.`nisdefaults -d` smbpasswd.org_dir.`nisdefaults -d` benny, other NIS+-ites, i want to have these additional fields (hee hee :-). what do the C, nw= g=r (group = read?) o=rm (other = read something) etc etc all mean? help, help (gloop) what's the difference between nw+r, wn+r and nogw=r? 
struct sam_passwd
{
    time_t logon_time;            /* logon time */
    time_t logoff_time;           /* logoff time */
    time_t kickoff_time;          /* kickoff time */
    time_t pass_last_set_time;    /* password last set time */
    time_t pass_can_change_time;  /* password can change time */
    time_t pass_must_change_time; /* password must change time */

    char *smb_name;     /* username string */
    char *full_name;    /* user's full name string */
    char *home_dir;     /* home directory string */
    char *dir_drive;    /* home directory drive string */
    char *logon_script; /* logon script string */
    char *profile_path; /* profile path string */
    char *acct_desc ;   /* user description string */
    char *workstations; /* login from workstations string */
    char *unknown_str ; /* don't know what this is, yet. */
    char *munged_dial ; /* munged path name and dial-back tel number */

    int smb_userid;     /* this is actually the unix uid_t */
    int smb_grpid;      /* this is actually the unix gid_t */
    uint32 user_rid;    /* Primary User ID */
    uint32 group_rid;   /* Primary Group ID */

    unsigned char *smb_passwd;    /* Null if no password */
    unsigned char *smb_nt_passwd; /* Null if no password */

    uint16 acct_ctrl;   /* account info (ACB_xxxx bit-mask) */
    uint32 unknown_3;   /* 0x00ff ffff */

    uint16 logon_divs;  /* 168 - number of hours in a week */
    uint32 hours_len;   /* normally 21 bytes */
    uint8 hours[MAX_HOURS_LEN];

    uint32 unknown_5;   /* 0x0002 0000 */
    uint32 unknown_6;   /* 0x0000 04ec */
};

From lkcl at switchboard.net Fri May 15 14:39:41 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:07 2003
Subject: mknissmbpwdtbl.sh
Message-ID:

this look any good? totally clooless!
#!/bin/sh
#
# Creates smbpasswd table and smb group in NIS+
#

nistbladm \
    -D access=og=rmcd,nw= -c \
    -s : smbpasswd_tbl \
    name=S,nogw=r \
    uid=S,nogw=r \
    user_rid=S,nogw=r \
    smb_grpid=,nw+r \
    group_rid=,nw+r \
    acb=,nw+r \
    \
    lmpwd=C,nw=,g=r,o=rm \
    ntpwd=C,nw=,g=r,o=rm \
    \
    logon_t=,nw+r \
    logoff_t=,nw+r \
    kick_t=,nw+r \
    pwdlset_t=,nw+r \
    pwdlchg_t=,nw+r \
    pwdmchg_t=,nw+r \
    \
    full_name=,nw+r \
    home_dir=,nw+r \
    dir_drive=,nw+r \
    logon_script=,nw+r \
    profile_path=,nw+r \
    acct_desc=,nw+r \
    workstations=,nw+r \
    \
    hours=,nw+r \
    smbpasswd.org_dir.`nisdefaults -d`

nisgrpadm -c smb.`nisdefaults -d`

nischgrp smb.`nisdefaults -d` smbpasswd.org_dir.`nisdefaults -d`

From jjorgens at bdsinc.com Fri May 15 14:44:39 1998
From: jjorgens at bdsinc.com (Jens B. Jorgensen)
Date: Tue Dec 2 02:24:08 2003
Subject: password synching -- Grrr.. (fwd)
References:
Message-ID: <355C54D7.CC595C72@bdsinc.com>

The passwd program must be setuid root. Are you explicitly passing the user name to smbpasswd? Otherwise smbpasswd probably just gets uid (which would be root).

Kevin Currie wrote:

> Hello,
> This is a forwarded message from my unix sysadmin (he's taking care of the
> Unix side of things and I've got the NT side). Just a little background,
> we're trying to execute smbpasswd from within Sun's passwd program. We
> have the source.
>
> Thanks,
> Kevin
>
> ---------- Forwarded message ----------
> Date: Thu, 14 May 1998 13:48:32 -0400 (EDT)
> From: "Leonard J. Peirce"
> Reply-To: leonard.peirce@wmich.edu
> To: CURRIE KEVIN
> Subject: password synching -- Grrr..
>
> Hi...
>
> I'm working with the password syncing and running into a problem. Every
> time I try to exec smbpasswd from the passwd program everything runs ok
> until it tries to make the connection to the server and change the password.
> Then I get the message:
>
> smbpasswd: machine medusa rejected the session setup. Error was : ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.).
>
> But if I just run smbpasswd from the command line everything looks ok.
>
> Could you possibly ask on your mailing list if they have any idea what's
> happening? Or perhaps some suggestions about debugging it?
>
> At the worst we could put a message in the passwd program telling people to
> run smbpasswd on their own to change their password. Not optimal but it might
> be acceptable until we can get things working correctly.
>
> - Leonard

--
Jens B. Jorgensen
jjorgens@bdsinc.com

From bigfoot at astrakan.hgs.se Fri May 15 15:06:15 1998
From: bigfoot at astrakan.hgs.se (Benny Holmgren)
Date: Tue Dec 2 02:24:08 2003
Subject: mknissmbpwdtbl.sh
In-Reply-To:
Message-ID:

On Fri, 15 May 1998, Luke Kenneth Casson Leighton wrote:

> this look any good? totally clooless!
>
> nistbladm \
> -D access=og=rmcd,nw= -c \

the -D parameter specifies the default permission for the fields in this table.

> -s : smbpasswd_tbl \
> name=S,nogw=r \

S means the field is searchable and nogw=w sets the permissions so that everyone can read the column but nothing else. The default values are overridden since the = operator is used.

> uid=S,nogw=r \
> user_rid=S,nogw=r \
> smb_grpid=,nw+r \

nw+r adds read permission for nobody & world to the default values. The result will be owner=rmcd, group=rmcd, world=r, nobody=r (rmcd means r=read, m=modify, c=create, d=delete)

the difference between nobody and world is that the principals with valid credentials in NIS+ (ie, valid Secure RPC keys) are in the world group while not even having valid credentials makes you a nobody.

> group_rid=,nw+r \
> acb=,nw+r \
> \
> lmpwd=C,nw=,g=r,o=rm \
> ntpwd=C,nw=,g=r,o=rm \

C tells that this is an encrypted field. nw= sets the permission for nobody and world to nothing, read permission for the group and read/modify for the owner.
> \ > logon_t=,nw+r \ > logoff_t=,nw+r \ > kick_t=,nw+r \ > pwdlset_t=,nw+r \ > pwdlchg_t=,nw+r \ > pwdmchg_t=,nw+r \ > \ > full_name=,nw+r \ > home_dir=,nw+r \ > dir_drive=,nw+r \ > logon_script=,nw+r \ > profile_path=,nw+r \ > acct_desc=,nw+r \ > workstations=,nw+r \ > \ > hours=,nw+r \ > smbpasswd.org_dir.`nisdefaults -d` > > nisgrpadm -c smb.`nisdefaults -d` > > nischgrp smb.`nisdefaults -d` smbpasswd.org_dir.`nisdefaults -d` > Hope this helps Cheers, -- Benny Holmgren bigfoot@astrakan.hgs.se Astrakan Computer Club tel. +46-(0)26-183573 Sweden "It's not about length, it's shoesize" From trep at dem.qc.ca Fri May 15 15:15:27 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 In-Reply-To: from "Luke Kenneth Casson Leighton" at May 15, 98 02:08:14 pm Message-ID: <199805151515.LAA04348@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 486 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980515/3639ac78/attachment.bat From fuller at jade.agen.tamu.edu Fri May 15 15:36:40 1998 From: fuller at jade.agen.tamu.edu (Steve Fuller) Date: Tue Dec 2 02:24:08 2003 Subject: mknissmbpwtble.sh In-Reply-To: from "Luke Kenneth Casson Leighton" at May 16, 98 00:50:21 am Message-ID: <199805151536.KAA28245@jade.agen.tamu.edu> > > #!/bin/sh > # > # Creates smbpasswd table and smb group in NIS+ > # > > nistbladm \ > -D access=og=rmcd,nw= -c \ > -s : smbpasswd_tbl \ > name=S,nogw=r \ > uid=S,nogw=r \ > lmpwd=C,nw=,g=r,o=rm \ > ntpwd=C,nw=,g=r,o=rm \ > gcos=,nw+r \ > home=,wn+r \ > shell=,wn+r smbpasswd.org_dir.`nisdefaults -d` > > nisgrpadm -c smb.`nisdefaults -d` > > nischgrp smb.`nisdefaults -d` smbpasswd.org_dir.`nisdefaults -d` > > > benny, other NIS+-ites, > > i want to have these additional fields (hee hee :-). what do the C, nw= > g=r (group = read?) o=rm (other = read something) etc etc all mean? 
help,
> help (gloop)
>
> what's the difference between nw+r, wn+r and nogw=r?

Luke,

Here are the relevant sections from nistbladm(1) and nischmod(1):

Syntax for column definitions is:

     colname=[flags][,access]

flags is a combination of:

     S    Searchable. Specifies that searches can be done on the
          column's values (see nismatch(1)).
     I    Case-insensitive (only makes sense in combination with S).
          Specifies that searches should ignore case.
     C    Crypt. Specifies that the column's values should be encrypted.
     B    Binary data (does not make sense in combination with S).
          If not set, the column's values are expected to be null
          terminated ASCII strings.
     X    XDR encoded data (only makes sense in combination with B).

access has the form:

     [ who ] op permission [ op permission ]...

who is a combination of:

     n    Nobody's permissions.
     o    Owner's permissions.
     g    Group's permissions.
     w    World's permissions.
     a    All, or owg.

If who is omitted, the default is a.

op is one of:

     +    To grant the permission.
     -    To revoke the permission.
     =    To set the permissions explicitly.

permission is any combination of:

     r    Read.
     m    Modify.
     c    Create.
     d    Destroy.

The 'nobody' column is used for unauthenticated requests. (guest or invalid credentials)

Permissions can be set at the table, column, or row level.

The other big weirdness is that the permissions are additive. If you have read access on the table, you have read access on the *entire* table, even if individual entries say otherwise.

so the line: lmpwd=C,nw=,g=r,o=rm above is overridden by the table access permissions: access=og=rmcd,nw= giving the group modify,create and destroy access (unintentionally?).

ps. I'd like to say thanks a million to you and the entire samba team for all your work on samba. It has made a world of difference to our department.

--
Steve Fuller fuller@agen.tamu.edu
System Administrator
Agricultural Engineering - Texas A&M University

From eppinette at nlu.edu Fri May 15 17:27:31 1998
From: eppinette at nlu.edu (Chance W.
Eppinette) Date: Tue Dec 2 02:24:08 2003 Subject: Problem with Samba PDC & NT 3.51 Message-ID: <355C7B03.B0E8669D@nlu.edu> Hello, I have been watching the recent messages about the machine passwords and such and wondering if somewhere deep down this might as well be my problem. I recently had an NT 4.0 server set as a member of a SAMBA PDC. Logins where working properly from the PDC and such. Now, my next step is to make a CITRIX Winframe server do the same thing. I have setup the machine account for the Winframe server under private/smbpasswd and also have the account under /etc/passwd. I have tested the machine account with smbclient and it does allow the logon. I had Winframe join the Domain hosted under SAMBA and it did return with the "Welcome to domain NLUDORMS" I then restarted the Winframe server and when it came back up it allowed the option to logon to the Domain in question. But when attempting the logon with a working Samba account (tested also via smbclient) I receive the following info: - On the Citrix box, a window returns the following: The default domain administrator is not configured correctly. Notify your system administrator. Now attempting to logon user eppinett on domain NLUDORMS. (WITH AN OK BUTTON) After pressing the OK button, it basically blows the Citrix console away -- it still has the CITRIX logo background but it no longer will do anything. - Under var/log.smb I see the following type of messages: NT Password did not match ! Defaulting to Lanman - Under var/log.nmb I see the following type of messages: process_logon_packet: Logon from 192.135.131.5: code = 12 process_logon_packet: Logon from 192.135.131.5: code = 12 process_logon_packet: Logon from 192.135.131.5: code = 7 process_logon_packet: Logon from 192.135.131.5: code = 7 I am currently running Samba 1.9.19-prealpha & Citrix 1.6/SP3. Oh yea, what is the deal with the SIDs? Do I need to have one specified under smb.conf and what should I be using? 
Thanks Chance Eppinette -- +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ | | | Chance W. Eppinette Northeast Louisiana University | | Network Manager Computing Center | | Monroe, LA 71209 | | email: eppinette@nlu.edu | | phone: (318) 342-5021 fax: (318) 342-5018 | | office: Admin 1-155A "G R A Y V I P E R" | | | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ From jallison at whistle.com Fri May 15 17:45:25 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 References: <355C4DC8.6C4C92AC@eng.auburn.edu> Message-ID: <355C7F35.7AAE88DB@whistle.com> Gerald Carter wrote: > > Pierre-Jules Tremblay wrote: > > > > > > C:\> net time \\ursula /set /yes' fails with: > > > > > > > > System error 1726 has occurred. > > > > > > > > The remote procedure call failed. > > > > > I'm not sure I fully grasp what you're trying to say. Anyway, I did > > more testing, and it turns out that NET TIME fails with the main > > branch cvs source tree as of Monday, when run from an NT 4.0 WKST box, > > whether the box is configured for DOMAIN or WORKGROUP. In both cases, > > after reinstalling samba 1.9.18p4, NET TIME works fine. > Yep - almost certainly once you announce you do MS-RPC an NT box will start wanting to use an RPC we haven't yet implemented for a net time call. It's one of the gaps we need to fill in (but isn't currently high priority - if you disagree, shout about it :-). Jeremy Allison. Samba Team. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. 
-------------------------------------------------------- From lkcl at switchboard.net Fri May 15 18:02:42 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 In-Reply-To: <199805151515.LAA04348@ursula.dem.qc.ca> Message-ID: On Fri, 15 May 1998, Pierre-Jules Tremblay wrote: > > This time it is I who must apologize for the misinformation ;). I did > a "make clean; make" and now all is fine. How about adding a "make > depend" to the Makefile? ho hum. suggest it to samba-bugs: we're doing gnu autoconf, later. From lkcl at switchboard.net Fri May 15 18:09:28 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: mknissmbpwtble.sh In-Reply-To: <199805151536.KAA28245@jade.agen.tamu.edu> Message-ID: > so the line: lmpwd=C,nw=,g=r,o=rm above is overridden by the table access > permissions: access=og=rmcd,nw= giving the group modify,create and destroy > access (unintentionally?). dunno. benny? > ps. I'd like to say thanks a million to you and the entire samba team for > all your work on samba. It has made a world of difference to our department. it's a simple job: people write things, we make sure they go into samba. people tell us how to do things: we do it. cathedral/bazaar model. From cartegw at Eng.Auburn.EDU Fri May 15 18:15:48 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:08 2003 Subject: Problem with Samba PDC & NT 3.51 References: <355C7B03.B0E8669D@nlu.edu> Message-ID: <355C8654.C31E0E5@eng.auburn.edu> Chance W. Eppinette wrote: > > - On the Citrix box, a window returns the following: > > The default domain administrator is not > configured correctly. Notify your system > administrator. Now attempting to logon user > eppinett on domain NLUDORMS. (WITH AN OK BUTTON) > No idea... > - Under var/log.smb I see the following type of messages: > > NT Password did not match ! 
Defaulting to Lanman Normal as well I believe. > - Under var/log.nmb I see the following type of messages: > > process_logon_packet: Logon from 192.135.131.5: code = 12 > process_logon_packet: Logon from 192.135.131.5: code = 12 > process_logon_packet: Logon from 192.135.131.5: code = 7 > process_logon_packet: Logon from 192.135.131.5: code = 7 #define QUERYFORPDC 7 /* Query for PDC */ #define QUERYFORPDC_R 12 /* Query for PDC response */ These are normal. > I am currently running Samba 1.9.19-prealpha & Citrix 1.6/SP3. I'm guessing your mean SP5 ( which is the latest ). > Oh yea, what is the deal with the SIDs? Do I need to have one > specified under smb.conf and what should I be using? a private/MACHINE-SID file is generated automatically for a Samba PDC upon startup if it does not exist and there is no domain sid= parameter in smb.conf. Once the file is created, the domain sid= paraemeter is ignored. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Sat May 16 10:07:55 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 In-Reply-To: <355C7F35.7AAE88DB@whistle.com> Message-ID: On Sat, 16 May 1998, Jeremy Allison wrote: > Gerald Carter wrote: > > > > Pierre-Jules Tremblay wrote: > > > > > > > > C:\> net time \\ursula /set /yes' fails with: > > > > > > > > > > System error 1726 has occurred. > > > > > > > > > > The remote procedure call failed. > > > > > > > I'm not sure I fully grasp what you're trying to say. 
Anyway, I did > > > more testing, and it turns out that NET TIME fails with the main > > > branch cvs source tree as of Monday, when run from an NT 4.0 WKST box, > > > whether the box is configured for DOMAIN or WORKGROUP. In both cases, > > > after reinstalling samba 1.9.18p4, NET TIME works fine. > > > > Yep - almost certainly once you announce you do MS-RPC > an NT box will start wanting to use an RPC we haven't yet > implemented for a net time call. > ah, of course. if you can get (text print-out) a trace of an NT dce/rpc (i hate calling it "ms-rpc": what right have microsoft to take a standard and call it their own just because there are subtle differences SORRY off-soap) net time call to me, i can implement it. luke From mblack at csihq.com Sat May 16 12:12:28 1998 From: mblack at csihq.com (Mike Black) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 Message-ID: <00e801bd80c3$e66c30b0$0101a8c0@mikehome.csihq.com> Gee -- this works under 1.9.18p7 (has worked for quite while actually)-- why does the DOMAIN branch kill it? ---------------------------------------------------------------------------- ------------- Michael D. Black 407-676-2923,x203 FAX 407-676-2355 Principal Engineer, CSI Inc Melbourne FL mblack@csihq.com http://www.csihq.com -----Original Message----- From: Jeremy Allison To: Multiple recipients of list Date: Friday, May 15, 1998 2:05 PM Subject: Re: User permissions w/NT 4.0 >Gerald Carter wrote: >> >> Pierre-Jules Tremblay wrote: >> > >> > > > C:\> net time \\ursula /set /yes' fails with: >> > > > >> > > > System error 1726 has occurred. >> > > > >> > > > The remote procedure call failed. >> > > >> > I'm not sure I fully grasp what you're trying to say. Anyway, I did >> > more testing, and it turns out that NET TIME fails with the main >> > branch cvs source tree as of Monday, when run from an NT 4.0 WKST box, >> > whether the box is configured for DOMAIN or WORKGROUP. 
In both cases,
>> > after reinstalling samba 1.9.18p4, NET TIME works fine.
>> >
>Yep - almost certainly once you announce you do MS-RPC
>an NT box will start wanting to use an RPC we haven't yet
>implemented for a net time call.
>
>It's one of the gaps we need to fill in (but isn't currently
>high priority - if you disagree, shout about it :-).
>
>Jeremy Allison.
>Samba Team.
>--
>--------------------------------------------------------
>Buying an operating system without source is like buying
>a self-assembly Space Shuttle with no instructions.
>--------------------------------------------------------
>

From bigfoot at astrakan.hgs.se Sat May 16 13:52:04 1998
From: bigfoot at astrakan.hgs.se (Benny Holmgren)
Date: Tue Dec 2 02:24:08 2003
Subject: mknissmbpwtble.sh
In-Reply-To:
Message-ID:

On Fri, 15 May 1998, Luke Kenneth Casson Leighton wrote:

> > so the line: lmpwd=C,nw=,g=r,o=rm above is overridden by the table access
> > permissions: access=og=rmcd,nw= giving the group modify,create and destroy
> > access (unintentionally?).
>
> dunno. benny?

No, when you create a table you can specify the default permission using the "-D access=" parameter which will be used as default for all columns. By adding parameters for each field you can alter the values per column. Depending on what operator you use you can set, add or delete permissions from the default.

The parameter lmpwd=C,nw=,g=r,o=rm gives the following right on the column:

     nnnnooooggggwwww
     ----rm--r------

With the above default access lmpwd=C,g-mcd,o-cd would give the same result.

Cheers,
--
Benny Holmgren           bigfoot@astrakan.hgs.se
Astrakan Computer Club   tel. +46-(0)26-183573
Sweden                   "It's not about length, it's shoesize"

From x7currie at lab2.cc.wmich.edu Sun May 17 00:04:33 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:08 2003
Subject: Machine accounts invalid, sort of.
In-Reply-To:
Message-ID:

> try different usernames on machines that are failing.
Well, almost all machines are failing now. I had them set up as cae2054-{00-50} as machine names. This was working great. I saw the information about bad things coming from having every machine account set to the same uid, so I had unique unix passwd entries made for each machine (now with names of cae-a{00-50} as stated before). I've gotten a total of two computers to connect to these new accounts. The machines that will connect will do so as a variety of the different machine names so I don't think the accounts are messed up. As far as more information goes, this might be of value. After changing from the old names to the new names, the new names didn't work. Then when I changed back to the old names, the old names didn't work! This is sort of a problem... :) Kevin From x7currie at lab2.cc.wmich.edu Sun May 17 00:06:39 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:08 2003 Subject: password synching -- Grrr.. (fwd) In-Reply-To: <355C54D7.CC595C72@bdsinc.com> Message-ID: > The passwd program must be setuid root. Are you explicitly passing the user name to smbpasswd? Otherwise smbpasswd probably just get's uid (which would be root). I'm not working on the source... according to Sun's license, I'm not allowed to see it (only about 5 people on campus are). I asked about this though, and the guy who is working on it said he set the uid and gid to the user before exec'ing smbpasswd. Kevin From lkcl at switchboard.net Sun May 17 13:49:23 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: On Sat, 16 May 1998, Kevin Currie wrote: > > > try different usernames on machines that are failing. > > Well, almost all machines are failing now. ah. is it one week yet? sounds suspiciously like the trust account password change code is failing, and is therefore knocking out each of your machines one by one... 
luke From x7currie at lab2.cc.wmich.edu Sun May 17 18:46:37 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:08 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: > ah. is it one week yet? sounds suspiciously like the trust account > password change code is failing, and is therefore knocking out each of > your machines one by one... Yeah, its been a little over a week as a matter of fact. I'm going to try and dump down the NT disk image that they worked with on Monday. If that doesn't work, I'm going to have my Unix sysadmin compile Samba w/ Sun C instead of GNU, and then if things still don't work I'd start to expect that the problem might be out of my control. I'll let the list know how things went after I try this stuff. Kevin From cartegw at Eng.Auburn.EDU Mon May 18 02:25:04 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:08 2003 Subject: Machine accounts invalid, sort of. In-Reply-To: Message-ID: On Sun, 17 May 1998, Luke Kenneth Casson Leighton wrote: > On Sat, 16 May 1998, Kevin Currie wrote: > > ah. is it one week yet? sounds suspiciously like the trust account > password change code is failing, and is therefore knocking out each of > your machines one by one... > Kevin, Check the event logs for the machine account password change failing due to a "inconsistent with current credentials" message or something similar. I have seen this one pop up but no had time to track it down yet. Maybe it will help give some direction to your current problem. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Mon May 18 11:46:31 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: password API needed
Message-ID:

notes on the password database api.

1) calling databases from passdb.c
----------------------------------

all these routines in passdb.c have:

some_fn()
{
#ifdef USE_SOMESORTOF_DB
    some_db_fn();
#endif
#ifdef USE_SOMEOTHERSORTOF_DB
    some_other_db_fn();
#endif
}

2) password api routines
------------------------

note: the sam21 routines (struct sam_passwd) have a user RID search, _not_ a unix uid search. the non-sam21 routines (struct smb_passwd) have a unix uid search, _not_ a user RID search.

/* The following definitions come from passdb.c */

/* enumeration */
void *startsampwent(BOOL update);
void endsampwent(void *vp);
struct smb_passwd *getsampwent(void *vp);
struct sam_passwd *getsam21pwent(void *vp);
struct sam_info getsamdispent(void *vp);
unsigned long getsampwpos(void *vp);
BOOL setsampwpos(void *vp, unsigned long tok);

/* add / modify entries */
BOOL add_sampwd_entry(struct smb_passwd *newpwd);
BOOL add_sam21pwd_entry(struct sam_passwd *newpwd);
BOOL mod_sampwd_entry(struct smb_passwd* pwd, BOOL override);
BOOL mod_sam21pwd_entry(struct sam_passwd* pwd, BOOL override);

/* search */
struct smb_passwd *getsampwnam(char *name);
struct smb_passwd *getsampwuid(uid_t smb_userid);
struct sam_passwd *getsam21pwnam(char *name);
struct sam_passwd *getsam21pwrid(uint32 rid);

add
---

add should return False without modifying the database if an entry with the same name exists, in the case of both the add_sam21pwd_entry and add_sampwd_entry routines.

add should return False without modifying the database if an entry with the same rid or the same name exists, in the case of the add_sam21pwd_entry routine.

search
------

inside passdb.c, there are _getsampwxxx and _getsam21pwxxx routines. these implement linear search by calling the enumeration routines, and can be used if the database engine being used does not have search capability, or if the implementor does not wish to write one straight away.

4) supporting both struct smb_passwd and sam_passwd
---------------------------------------------------

for the sam21 (struct sam_passwd not smb_passwd) routines, databases are expected to create default entries for fields if either:

- the underlying database does not support all the sam21 fields (which is bad)

- the underlying database has a blank entry for a particular field.

detailed example. in smbpass.c, private/smbpasswd only has user, unix uid, NTLM hashes, acb info, password last set time. therefore:

- lp_profile_path(), lp_homedir() etc shall be read from smb.conf. if fields do not exist they shall be set to "".

- all times except password last set time shall be set to -1

- the NT user RID shall be filled in by calling uid_to_user_rid().

- the NT group RID shall be filled in by doing getpwent(unix uid), obtaining the unix gid and calling gid_to_group_rid().

future versions of smbpass.c will also have a private/samdb file, which shall contain the missing struct sam_passwd fields. if any of those fields are empty in the samdb file for a given user, the above defaults shall be used.

5) query display info
---------------------

a future API routine to be added soon (oh, i seem to have just added it) will be:

struct sam_info getsamdispent(void *vp);

struct sam_info
{
    char *smb_name;
    char *smb_full_name;
    uint32 rid;
};

a first pass at this may hide the necessity for its specific implementation in all databases by calling getsampwent and dragging the three key member variables out of struct sam_passwd. in fact, i think i'll do that now :-)

this function is expected to be called for the "display" side of USRMGR.EXE and SRVMGR.EXE support (lib/rpc/server/srv_samr.c - SamrQueryDispInfo).
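The add and search rules from the notes above, as an added example that is not Samba's passdb.c and not part of the original post: a toy in-memory back-end whose searches are linear scans built only on the enumeration routines, and whose add refuses a duplicate name or RID without touching the table. The reduced struct sam_passwd, the add_user() and sam_entry_count() helpers, the fixed table size and the exact-match name comparison are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

typedef int BOOL;
#define True  1
#define False 0
#define MAX_ENTRIES 16              /* assumption: toy fixed-size table */

/* Assumption: reduced record holding only the keys the notes search on. */
struct sam_passwd {
    char     smb_name[32];
    uid_t    smb_userid;
    uint32_t user_rid;
};

static struct sam_passwd db[MAX_ENTRIES];
static int db_count;

/* Enumeration: the opaque handle is a cursor into the table. */
void *startsampwent(BOOL update)
{
    int *pos = malloc(sizeof *pos);
    (void)update;                   /* a real back-end would lock for writing */
    if (pos != NULL)
        *pos = 0;
    return pos;
}

void endsampwent(void *vp)
{
    free(vp);
}

struct sam_passwd *getsam21pwent(void *vp)
{
    int *pos = vp;
    if (pos == NULL || *pos >= db_count)
        return NULL;
    return &db[(*pos)++];
}

/* Search by name: linear scan that uses nothing but the enumeration calls. */
struct sam_passwd *getsam21pwnam(char *name)
{
    void *vp = startsampwent(False);
    struct sam_passwd *pwd;
    while ((pwd = getsam21pwent(vp)) != NULL)
        if (strcmp(pwd->smb_name, name) == 0)
            break;
    endsampwent(vp);
    return pwd;
}

/* Search by RID: the sam21 routines key on the RID, not the unix uid. */
struct sam_passwd *getsam21pwrid(uint32_t rid)
{
    void *vp = startsampwent(False);
    struct sam_passwd *pwd;
    while ((pwd = getsam21pwent(vp)) != NULL)
        if (pwd->user_rid == rid)
            break;
    endsampwent(vp);
    return pwd;
}

/* Add: return False and leave the table unchanged on a duplicate name or RID. */
BOOL add_sam21pwd_entry(struct sam_passwd *newpwd)
{
    if (db_count >= MAX_ENTRIES)
        return False;
    if (getsam21pwnam(newpwd->smb_name) != NULL ||
        getsam21pwrid(newpwd->user_rid) != NULL)
        return False;
    db[db_count++] = *newpwd;
    return True;
}

/* Hypothetical convenience wrapper used by the demonstration below. */
BOOL add_user(const char *name, uid_t uid, uint32_t rid)
{
    struct sam_passwd pwd;
    memset(&pwd, 0, sizeof pwd);
    strncpy(pwd.smb_name, name, sizeof pwd.smb_name - 1);
    pwd.smb_userid = uid;
    pwd.user_rid = rid;
    return add_sam21pwd_entry(&pwd);
}

int sam_entry_count(void)
{
    return db_count;
}

int main(void)
{
    printf("add alice/3000: %d\n", add_user("alice", 1000, 3000));
    printf("add alice/3002: %d\n", add_user("alice", 1001, 3002));
    printf("add bob/3000:   %d\n", add_user("bob", 1001, 3000));
    printf("add bob/3002:   %d\n", add_user("bob", 1001, 3002));
    printf("entries stored: %d\n", sam_entry_count());
    return 0;
}
```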
From lkcl at switchboard.net Mon May 18 11:46:38 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: NIS+ enumeration of all database entries
Message-ID:

how, in NIS+, do you enumerate all the entries in a database table?

From cartegw at Eng.Auburn.EDU Mon May 18 12:38:58 1998
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:24:08 2003
Subject: NIS+ enumeration of all database entries
In-Reply-To:
Message-ID:

On Mon, 18 May 1998, Luke Kenneth Casson Leighton wrote:

> how, in NIS+, do you enumerate all the entries in a database table?
>

command line utilities include niscat, nismatch, etc....

    niscat passwd.org_dir

On Solaris 2.5.1, the following functions are defined in

You could just use a loop to enumerate all entries in a table. I can send you the entire set of man pages if you need them.

j-

-------------- man nis_tables -----------------------------------

nis_tables(3N)          Network Functions          nis_tables(3N)

NAME
    nis_tables, nis_list, nis_add_entry, nis_remove_entry,
    nis_modify_entry, nis_first_entry, nis_next_entry - NIS+
    table functions

SYNOPSIS
    cc [ flag... ] file... -lnsl [ library... ]

    #include

    nis_result *nis_list(const nis_name name, const u_long flags,
        int (*callback)(const nis_name table_name,
        const nis_object *object, const void *userdata),
        const void *userdata);

    nis_result *nis_add_entry(const nis_name table_name,
        const nis_object *object, const u_long flags);

    nis_result *nis_remove_entry(const nis_name name,
        const nis_object *object, const u_long flags);

    nis_result *nis_modify_entry(const nis_name name,
        const nis_object *object, const u_long flags);

    nis_result *nis_first_entry(const nis_name table_name);

    nis_result *nis_next_entry(const nis_name table_name,
        const netobj *cookie);

    void nis_freeresult(nis_result *result);

DESCRIPTION
    These functions are used to search and modify NIS+ tables.
    nis_list() is used to search a table in the NIS+ namespace.
    nis_first_entry() and nis_next_entry() are used to enumerate
    a table one entry at a time. nis_add_entry(),
    nis_remove_entry(), and nis_modify_entry() are used to change
    the information stored in a table. nis_freeresult() is used
    to free the memory associated with the nis_result structure.

    Entries within a table are named by NIS+ indexed names. An
    indexed name is a compound name that is composed of a search
    criteria and a simple NIS+ name that identifies a table
    object. A search criteria is a series of column names and
    their associated values enclosed in bracket `[]' characters.
    Indexed names have the following form:

        [ colname=value, ... ],tablename

    The list function, nis_list(), takes an indexed name as the
    value for the name parameter. Here, the tablename should be
    a fully qualified NIS+ name unless the EXPAND_NAME flag
    (described below) is set. The second parameter, flags,
    defines how the function will respond to various conditions.
    The value for this parameter is created by logically ORing
    together one or more flags from the following list.

[snip]
----------------------------------------------------------

________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services                           Auburn University
jerry@eng.auburn.edu             http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From x7currie at lab2.cc.wmich.edu Mon May 18 12:58:38 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:08 2003
Subject: Machine accounts invalid, sort of.
In-Reply-To:
Message-ID:

> Check the event logs for the machine account password change failing due
> to a "inconsistent with current credentials" message or something similar.
> I have seen this one pop up but no had time to track it down yet. Maybe
> it will help give some direction to your current problem.

Well, that message isn't there... and now the computers are working.
I'll check w/ my unix sysadmin and see if he changed anything or not, but I doubt that he did over the weekend.

This is what I suspect happened. I saw several messages that the master browser was stopped or restarted and that the client was forcing an election. Every computer was turned off over the weekend except the samba PDC which never gets turned off. I wonder if it simply needed to regain control as the master browser. Is it possible that anytime we HUP (or stop and restart for that matter) samba to force it into an election it is bound to win? I thought I had configured to do this, but if it is possible, I might have the parameters wrong... Here is what I have:

    domain master = yes
    local master = no
    preferred master = yes
    os level = 65

From lkcl at switchboard.net Mon May 18 13:10:45 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: Machine accounts invalid, sort of.
In-Reply-To:
Message-ID:

On Mon, 18 May 1998, Kevin Currie wrote:

>
> > Check the event logs for the machine account password change failing due
> > to a "inconsistent with current credentials" message or something similar.
> > I have seen this one pop up but no had time to track it down yet. Maybe
> > it will help give some direction to your current problem.
>
> Well, that message isn't there... and now the computers are
> working. I'll check w/ my unix sysadmin and see if he changed anything or
> not, but I doubt that he did over the weekend.
> This is what I suspect happened. I saw several messages that the
> master browser was stopped or restarted and that the client was forcing an
> election. Every computer was turned off over the weekend except the samba
> PDC which never gets turned off.

*ah*.

> I wonder if it simply needed to regain
> control as the master browser. Is it possible that anytime we HUP
> (or stop and restart for that matter) samba to force it into an election
> it is bound to win? I thought I had configured to do this, but if it is
> possible, I might have the parameters wrong... Here is what I have:
>
> domain master = yes
> local master = no

local master = yes, not no, otherwise one of the wotsit machines (ms machines) will become a local master. this option = no causes "preferred master" option to be ignored, by the way.

you also have "domain logons = yes", yes?

> preferred master = yes
> os level = 65
>
>

From bigfoot at astrakan.hgs.se Mon May 18 13:16:58 1998
From: bigfoot at astrakan.hgs.se (Benny Holmgren)
Date: Tue Dec 2 02:24:08 2003
Subject: NIS+ enumeration of all database entries
In-Reply-To:
Message-ID:

On Mon, 18 May 1998, Luke Kenneth Casson Leighton wrote:

> how, in NIS+, do you enumerate all the entries in a database table?

The nis_list() function does that. It can be used in two ways, either passing a function pointer to a callback routine which is called for each entry or without a callback routine which returns all the entries in one result structure. The first way is better for large tables of course. I'll attach an example.

The synopsis for the routine is:

#include

nis_result *nis_list(const nis_name name, const u_long flags,
    int (*callback)(const nis_name table_name,
    const nis_object *object, const void *userdata),
    const void *userdata)

-------------- next part --------------
/*
 * Link with -lnsl
 */
#include <stdio.h>
#include <rpcsvc/nis.h>

/* Called by nis_list() once for every entry in the table. */
int nis_callback(char *table_name, nis_object *object, void *userdata)
{
    /* Print the seven columns of a passwd.org_dir entry, colon-separated. */
    printf("%s:%s:%s:%s:%s:%s:%s\n",
           ENTRY_VAL(object, 0),
           ENTRY_VAL(object, 1),
           ENTRY_VAL(object, 2),
           ENTRY_VAL(object, 3),
           ENTRY_VAL(object, 4),
           ENTRY_VAL(object, 5),
           ENTRY_VAL(object, 6));
    return(0); /* Returning 1 stops enumeration. */
}

int main(int argc, char **argv)
{
    char *nisname = "passwd.org_dir";
    nis_result *result;

    /* With a callback, entries are delivered one at a time. */
    result = nis_list(nisname, EXPAND_NAME, nis_callback, NULL);
    nis_freeresult(result);
    return(0);
}

From x7currie at lab2.cc.wmich.edu Mon May 18 13:50:50 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:08 2003
Subject: Machine accounts invalid, sort of.
In-Reply-To:
Message-ID:

> local master = yes, not no, otherwise one of the wotsit machines (ms
> machines) will become a local master. this option = no causes "preferred
> master" option to be ignored, by the way.

I'll get this changed asap... thanks.

> you also have "domain logons = yes", yes?

Yeah, I do.

Kevin

From lkcl at switchboard.net Mon May 18 16:26:15 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: NISPLUS define
Message-ID:

i have changed the name of this #define from NISPLUS to NISPLUS_HOME. this is to avoid confusion with -DUSE_NISPLUS_DB, which is for nis+ back-end password database support (alternative to private/smbpasswd).

luke

From jallison at whistle.com Mon May 18 17:31:34 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:08 2003
Subject: User permissions w/NT 4.0
References: <00e801bd80c3$e66c30b0$0101a8c0@mikehome.csihq.com>
Message-ID: <35607076.59E2B600@whistle.com>

Mike Black wrote:
>
> Gee -- this works under 1.9.18p7 (has worked for quite while actually)-- why
> does the DOMAIN branch kill it?
> ----------------------------------------------------------------------------
> Jeremy Allison wrote:
> >
> >Yep - almost certainly once you announce you do MS-RPC
> >an NT box will start wanting to use an RPC we haven't yet
> >implemented for a net time call.
> >
> >It's one of the gaps we need to fill in (but isn't currently
> >high priority - if you disagree, shout about it :-).
>
>

Well because the 1.9.18 branch doesn't announce itself as capable of doing MS-RPC, that's all.
We need the MS-RPC for the domain code in the head branch and so have to announce ourselves as capable.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From lkcl at switchboard.net Mon May 18 18:02:38 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: password API needed
In-Reply-To:
Message-ID:

oops! i nearly forgot. it's important that we add support for the unix password to these databases...

From lkcl at switchboard.net Mon May 18 18:39:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: DAMN! can someone help! i've just deleted /usr/include/rpcsvc!
Message-ID:

can someone, preferably who has slackware 3.4, please .tar.gz up and send me /usr/include/rpcsvc? please!!!

From lkcl at switchboard.net Mon May 18 19:22:43 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:08 2003
Subject: DAMN! can someone help! i've just deleted /usr/include/rpcsvc!
In-Reply-To:
Message-ID:

it's ok: i found it: in the libc5 include directory. don't know if this is correct, but it will have to do...

luke

On Tue, 19 May 1998, Luke Kenneth Casson Leighton wrote:

> can someone, preferably who has slackware 3.4, please .tar.gz up and send
> me /usr/include/rpcsvc? please!!!
>
>

From twinders at SPC.cc.tx.us Mon May 18 19:29:28 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:08 2003
Subject: error compliing latest CVS code
Message-ID:

I just pulled down the latest HEAD CVS code and tried to compile under Digital Unix 4.0D and got this error:

Compiling slprintf.c
cc: Error: slprintf.c, line 89: In this declaration, the number of
parameters differs from an earlier declaration of this function.
int slprintf(va_alist)
-----^
cc: Error: slprintf.c, line 89: In this declaration, the type of
"slprintf" is not compatible with the type of a previous declaration of
"slprintf" at line number 1807 in file proto.h.
int slprintf(va_alist)
-----^
make: *** [slprintf.o] Error 1

It won't go...

=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE         | Email: TWinders@SPC.cc.tx.us     |
| Network Administrator          | Phone: 806-894-9611 x 2369       |
| South Plains College           | Fax: 806-897-4711                |
---------------------------------------------------------------------

From twinders at SPC.cc.tx.us Mon May 18 19:32:43 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:08 2003
Subject: error with smbpasswd -a -m
Message-ID:

I am trying to add a machine account to my smbpasswd database but I am having problems. The machine name is phone. I have added a user called phone$ to the /etc/passwd database with a shell of /bin/false.

When I try to add the account to the smbpasswd file I get this error:

# smbpasswd -a -m phone
smbpasswd: Failed to open password file /usr/local/samba/private/smbpasswd.
smbpasswd: Invalid argument

I thought there might be a problem with the code, so I downloaded the latest CVS HEAD branch, but it won't compile. This is on Digital Unix 4.0D.

Any thoughts?

=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE         | Email: TWinders@SPC.cc.tx.us     |
| Network Administrator          | Phone: 806-894-9611 x 2369       |
| South Plains College           | Fax: 806-897-4711                |
---------------------------------------------------------------------

From william at hae.com Mon May 18 19:43:46 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:08 2003
Subject: DAMN! can someone help! i've just deleted /usr/include/rpcsvc!
In-Reply-To:
Message-ID:

Done!

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."
On Tue, 19 May 1998, Luke Kenneth Casson Leighton wrote: > Date: Tue, 19 May 1998 05:22:39 +1000 > From: Luke Kenneth Casson Leighton > To: Multiple recipients of list > Subject: DAMN! can someone help! i've just deleted /usr/include/rpcsvc! > > can someone, preferably who has slackware 3.4, please .tar.gz up and send > me /usr/include/rpcsvc? please!!! > > From Jean-Francois.Micouleau at utc.fr Mon May 18 20:04:12 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:08 2003 Subject: error compliing latest CVS code In-Reply-To: Message-ID: On Tue, 19 May 1998, Tim Winders wrote: Hi Tim, don't expect proto.h to be always clean, things are going fast with Luke those days ! You can do: make proto make clean make It will rebuild everything with clean headers. Jean Francois > I just pulled down the latest HEAD CVS code and tried to complie under > Digital Unix 4.0D and got this error: > > Compiling slprintf.c > cc: Error: slprintf.c, line 89: In this declaration, the number of > parameters differs from an earlier declaration of this function. > int slprintf(va_alist) > -----^ > cc: Error: slprintf.c, line 89: In this declaration, the type of > "slprintf" is not compatible with the type of a previous declaration of > "slprintf" at line number 1807 in file proto.h. > int slprintf(va_alist) > -----^ > make: *** [slprintf.o] Error 1 > > > It won't go... > > === Tim > > --------------------------------------------------------------------- > | Tim Winders, CNE, MCSE | Email: TWinders@SPC..cc.tx.us | > | Network Administrator | Phone: 806-894-9611 x 2369 | > | South Plains College | Fax: 806-897-4711 | > --------------------------------------------------------------------- > > > ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" 
----------------------------------------------------------- From twinders at SPC.cc.tx.us Mon May 18 20:42:16 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:08 2003 Subject: error compliing latest CVS code In-Reply-To: Message-ID: Nope, that didn't help... same error... On Mon, 18 May 1998, Jean-Francois Micouleau wrote: > On Tue, 19 May 1998, Tim Winders wrote: > > Hi Tim, > > don't expect proto.h to be always clean, things are going fast with Luke > those days ! > > You can do: > > make proto > make clean > make > > It will rebuild everything with clean headers. > > Jean Francois > > > > I just pulled down the latest HEAD CVS code and tried to complie under > > Digital Unix 4.0D and got this error: > > > > Compiling slprintf.c > > cc: Error: slprintf.c, line 89: In this declaration, the number of > > parameters differs from an earlier declaration of this function. > > int slprintf(va_alist) > > -----^ > > cc: Error: slprintf.c, line 89: In this declaration, the type of > > "slprintf" is not compatible with the type of a previous declaration of > > "slprintf" at line number 1807 in file proto.h. > > int slprintf(va_alist) > > -----^ > > make: *** [slprintf.o] Error 1 > > > > > > It won't go... > > > > === Tim > > > > --------------------------------------------------------------------- > > | Tim Winders, CNE, MCSE | Email: TWinders@SPC..cc.tx.us | > > | Network Administrator | Phone: 806-894-9611 x 2369 | > > | South Plains College | Fax: 806-897-4711 | > > --------------------------------------------------------------------- > > > > > > > > ----------------------------------------------------------- > Pinky: "What are we going to do tonight, Brain?" > Brain: "The same thing we do every night, Pinky : > try to install Windows NT !" 
> ----------------------------------------------------------- > === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From jallison at whistle.com Mon May 18 21:07:14 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:08 2003 Subject: error compliing latest CVS code References: Message-ID: <3560A302.2F1CF0FB@whistle.com> Tim Winders wrote: > > Nope, that didn't help... same error... > > On Mon, 18 May 1998, Jean-Francois Micouleau wrote: > > > On Tue, 19 May 1998, Tim Winders wrote: > > > > Hi Tim, > > > > don't expect proto.h to be always clean, things are going fast with Luke > > those days ! > > If you can hang on 1/2 hour I'll be checking in a big change that will fix this (Andrew & I forgot to add the same change to the head branch that we added to 1.9.18 to deal with the varargs problem). Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From jallison at whistle.com Mon May 18 21:28:27 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:08 2003 Subject: error compliing latest CVS code References: Message-ID: <3560A7FB.7DE14518@whistle.com> Tim Winders wrote: > > Nope, that didn't help... same error... > Ok - check out now - I just checked in the fixes. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. 
-------------------------------------------------------- From cartegw at Eng.Auburn.EDU Mon May 18 22:13:55 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:08 2003 Subject: New location of NTDOM FAQ Message-ID: <3560B2A3.7EEB35E5@eng.auburn.edu> Just an FYI... The NTDOM FAQ has been moved to the main Samba site. There is a link off the main page or you can reach it directly at http://samba.anu.edu.au/samba/ntdom_faq/samba_ntdom_faq.html I will still maintain a mirrow of it at http://www.eng.auburn.edu/users/cartegw/samba_ntdom_faq.html j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From twinders at SPC.cc.tx.us Tue May 19 00:48:15 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:08 2003 Subject: error compliing latest CVS code In-Reply-To: <3560A302.2F1CF0FB@whistle.com> Message-ID: On Mon, 18 May 1998, Jeremy Allison wrote: > Tim Winders wrote: > > > > Nope, that didn't help... same error... > > > > On Mon, 18 May 1998, Jean-Francois Micouleau wrote: > > > > > On Tue, 19 May 1998, Tim Winders wrote: > > > > > > Hi Tim, > > > > > > don't expect proto.h to be always clean, things are going fast with Luke > > > those days ! > > > > > If you can hang on 1/2 hour I'll be checking in a > big change that will fix this (Andrew & I forgot to > add the same change to the head branch that we added > to 1.9.18 to deal with the varargs problem). Wonderful! I will get the new stuff now! 
=== Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From twinders at SPC.cc.tx.us Tue May 19 01:08:23 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:08 2003 Subject: Yeah! Message-ID: Thanks Jeremy! The new changes allowed samba to compile and now smbpasswd works as well! === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From trep at dem.qc.ca Tue May 19 01:34:16 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 In-Reply-To: <355C7F35.7AAE88DB@whistle.com> from "Jeremy Allison" at May 16, 98 04:03:44 am Message-ID: <199805190134.VAA28301@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 1070 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980518/6b6804af/attachment.bat From abs at maunsell.co.uk Tue May 19 08:49:49 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:08 2003 Subject: running kixtart with NT Domain logins Message-ID: <19980519094949.64123@maunsell.co.uk> Previously, I wrote :- > > Server=[Samba 1.9.19-prealpha] > > kix32 wont even start :- > > An Application error has occurred > and an application error log is being generated. > > kix32.exe > Exception access violation (0xc0000005), Address: 0x77822710 > > > From event log :- > > The description for Event ID ( 5 ) in Source ( KIXTART ) could not be > found. 
It contains the following insertion string(s): UserModalsGet failed > Error : Access is denied. (0x5/5). I have checked out this error message with the KiXtart author. I dont suppose his reply sheds any light wasn't obvious already, but in view of the current password API discussion, I thought it might be relevent :- > From: Ruud van Velsen > > Hi Andy, > > for one thing, it would appear that the samba team have somehow denied you > access to retrieve the UserModals info (KiXtart retrieves the maximum > password age using this info). This info should be available to all users, > so they must have added some restriction they shouldn't have (not in my > opinion, anyway). Because of the way KiXtart retrieves information, if the > UserModals information can't be retrieved, the user groups are also not > retrieved. > > This still does not explain the exception fault, because even without this > information KiXtart can and should run fine. > > It would be very interesting to know just which settings have been changed > on samba. Maybe that will tell you if/how this can be resolved. > > Kind regards, > > Ruud van Velsen -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk From heinig at HDZ-IMA.RWTH-Aachen.de Tue May 19 19:54:06 1998 From: heinig at HDZ-IMA.RWTH-Aachen.de (heinig) Date: Tue Dec 2 02:24:08 2003 Subject: NIS+ Password support Message-ID: <3561E35E.584C@HDZ-IMA.RWTH-Aachen.de> Hi all, NIS+ Password support would be *EXTREMELY* *USEFUL* to us!! Go for it! 
Cheers, Gerald From cartegw at Eng.Auburn.EDU Tue May 19 12:56:10 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 References: <199805190134.VAA28301@ursula.dem.qc.ca> Message-ID: <3561816A.509D9C01@eng.auburn.edu> Pierre-Jules Tremblay wrote: > > I kind of disagree, if only because you stated a few weeks ago that > you guys would try and keep what's already working, working ;-). > the other hand, time-setting can be regarded as a low-priority > concern, until that time where I'm going to have problems with CVS > (we've got about 6 developers running cvs clients on NT boxes and > using a repository on the Linux box), but I can adress that problem > using an NTP client on NT. Or you could setup and second samba server on the same machine using the latest main distribution code. Configure no shares and #define GUEST_SESSETUP 2 in local.h (aside...I know about didling with this but if there are no shares to worry about IMHO it should be OK ). This will allow you to perform a 'net time \\server /set /yes' as the local / domain admin on the NT box but not have to log in to the samba server. You will have to set 'encrypt passwords = yes' but don't have to create an smbpasswd file because everyone will be validated as guest anyway. Make sense? j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Tue May 19 15:59:45 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: User permissions w/NT 4.0 In-Reply-To: <199805190134.VAA28301@ursula.dem.qc.ca> Message-ID: > Is there any documentation on this rpc/dce stuff for samba? absolutely none except what is decoded using netmon. 
i intend to write a book about it. i've just sent a .cap file which jean francois created: from this, the net time code can be supported. luke From lkcl at switchboard.net Tue May 19 19:52:59 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:08 2003 Subject: NIS+ password database support Message-ID: calling all linux users: use altavista, specify "Thorsten Kukuk NIS+". click on his home page. download "Linux NIS+", follow complicated instructions if you have slackware 3.4 linux. get latest version of samba from cvs tree, enjoy! p.s if anyone gets the linux nis+ stuff working, can they tell me how to use it, pleease? :-) From william at hae.com Tue May 19 23:55:05 1998 From: william at hae.com (William Stuart) Date: Tue Dec 2 02:24:08 2003 Subject: Password changes from NT Message-ID: I remember seeing a post from Luke saying that password changes from NT were possible, in fact, remarkably similar to Win95 password changes. Has password changing from an NT box been implemented? Does it work for a SAMBA domain or a just a regular SAMBA box? My setup was an NT4SP3 server as a member of a RH40PAM SAMBA domain. I can't give you the messages I got because I have blown away my setup. --- William Stuart (william@hae.com) "If Netscape is giving their software away, how do they make money?" "Volume." From cartegw at Eng.Auburn.EDU Wed May 20 01:39:28 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:09 2003 Subject: Password changes from NT In-Reply-To: Message-ID: On Wed, 20 May 1998, William Stuart wrote: > I remember seeing a post from Luke saying that password changes from NT > were possible, in fact, remarkably similar to Win95 password changes. Has > password changing from an NT box been implemented? Does it work for a > SAMBA domain or a just a regular SAMBA box? user password changes from a NT box to a samba PDC do not work. 
The mechanism is known from what I understand, but the encryption method / structures are the obstacles at the moment. The machine account password changes are done and working in the main branch as we speak. > My setup was an NT4SP3 server as a member of a RH40PAM SAMBA domain. I > can't give you the messages I got because I have blown away my setup. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From abs at maunsell.co.uk Wed May 20 09:51:12 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:09 2003 Subject: does smbpasswd -r need conf file? Message-ID: <19980520105112.19916@maunsell.co.uk> If I copy the binary for smbpasswd to some unix workstation not running samba and arrange for the user to invoke it as 'smbpasswd -r ' where is the unix server running samba as a pdc, it objects that it cant find it's configuration file. However, if I supply an empty configuration file (eg touch /usr/local/lib/samba/smbd.conf) it will quite happily change the encrypted passwd on the pdc, so would there be any implications if the requirement to successfully read a config file were relaxed when using the -r option? Incidently, I have noticed when testing this that the encrypted version of the passwd is always the same for the same clear text passwd (ie, when I return my smb passwd to the same value as my unix passwd, the string in private/smbpasswd is the same as it was originally) I presume this a shortcoming of the using encrypted passwords? -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. 
-or- abs@maunsl00.demon.co.uk

From transier at rummelplatz.uni-mannheim.de Wed May 20 10:33:14 1998
From: transier at rummelplatz.uni-mannheim.de (Matthias Transier)
Date: Tue Dec 2 02:24:09 2003
Subject: Problem joining domain
Message-ID:

When I try to join the samba domain (on an NT4-Workstation),
I get an error message like 'Cannot update the local security
to become a domain member' (That's a translation as I use the
german version of NT).
DOS- or WfW-Clients have no problems to logon the domain.

From lkcl at switchboard.net Wed May 20 11:23:10 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:09 2003
Subject: Password changes from NT
In-Reply-To:
Message-ID:

On Wed, 20 May 1998, William Stuart wrote:

> I remember seeing a post from Luke saying that password changes from NT
> were possible, in fact, remarkably similar to Win95 password changes. Has
> password changing from an NT box been implemented? Does it work for a
> SAMBA domain or a just a regular SAMBA box?
>
> My setup was an NT4SP3 server as a member of a RH40PAM SAMBA domain. I
> can't give you the messages I got because I have blown away my setup.

oops!

ok, well... it is possible: we know how to do it: we are missing one
piece. if anyone knows how the NTLMSSP encryption works, which is
integrated into the dce/rpc code, we would love to know.

luke

From dugan at libwais.sonoma.edu Wed May 20 11:55:28 1998
From: dugan at libwais.sonoma.edu (Michael Egan)
Date: Tue Dec 2 02:24:09 2003
Subject: does smbpasswd -r need conf file?
In-Reply-To: <19980520105112.19916@maunsell.co.uk>
Message-ID:

I seem to recall that Hobbit and Mudge (spelling?) discussed that the NT
passwords do not use a salt. Another shortcoming. If you set your
password to be DOG on one domain, not only will the first half of the
encrypted version be the same on all the domains, but the last half will
always start with CA CA (hex) since it is nulled, and the password typed
is split and each split half is passed separately.... check out his paper
on the passwords...

On Wed, 20 May 1998, Andy Smith wrote:

> Date: Wed, 20 May 1998 19:56:41 +1000
> From: Andy Smith
> To: Multiple recipients of list
> Subject: does smbpasswd -r need conf file?
>
> If I copy the binary for smbpasswd to some unix workstation not running
> samba and arrange for the user to invoke it as 'smbpasswd -r '
> where is the unix server running samba as a pdc, it objects that
> it cant find it's configuration file.
>
> However, if I supply an empty configuration file (eg touch
> /usr/local/lib/samba/smbd.conf) it will quite happily change the
> encrypted passwd on the pdc, so would there be any implications if the
> requirement to successfully read a config file were relaxed when using
> the -r option?
>
> Incidently, I have noticed when testing this that the encrypted version
> of the passwd is always the same for the same clear text passwd (ie,
> when I return my smb passwd to the same value as my unix passwd, the
> string in private/smbpasswd is the same as it was originally) I
> presume this a shortcoming of the using encrypted passwords?
>
> --
> _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
> /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
> ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
> / England. -or- abs@maunsl00.demon.co.uk
>

--------------------------------------------------------------------------
Systems Department Operating Systems Analyst for the Ruben Salazar Library of California State University at Sonoma.
/UNIX(/BSD/SysV)\N_NW[.]VMS\WNTS\WNTW\W95\W311\WFWG\DOS:MacOS/NeXTSTEP -------------------------------------------------------------------------- From lkcl at switchboard.net Wed May 20 12:14:49 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Problem joining domain In-Reply-To: Message-ID: On Wed, 20 May 1998, Matthias Transier wrote: > When I try to join the samba domain (on an NT4-Workstation), > I get an error message like 'Cannot update the local security > to become a domain member' (That's a translation as I use the > german version of NT). up the debug log level to 100: publish its location on the web or post it here. > DOS- or WfW-Clients have no problems to logon the domain. dos and wfwg clients do not log in to a domain, therefore they have no problem :-) From cartegw at Eng.Auburn.EDU Wed May 20 12:36:01 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:09 2003 Subject: Problem joining domain References: Message-ID: <3562CE31.918C2EA0@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > > DOS- or WfW-Clients have no problems to logon the domain. > > dos and wfwg clients do not log in to a domain, therefore they have no > problem :-) Domain logons from WfW and MS-DOS client 3.0 are possible. Just FYI... j- -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Wed May 20 12:39:22 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: (fwd) Message-ID: ---------- Forwarded message ---------- Date: Wed, 20 May 1998 08:30:50 -0400 From: "Muniz, Ricardo" To: "'Terry_Lalonde@Mitel.COM'" , lkcl@switchboard.net, rmuniz@hellbringer.sbi.com Subject: RE: Terry, As it turns out, there isn't a problem at all. It seems that while there are versions of NT (WinDD, NTriuge) that will allow you to connect to a server with different usernames, the standard Microshaft... uh I mean Microsoft workstation software that comes with NT and the Client for Microsoft Networks that comes with Windows 95 will not. NFS Maestro works only because it uses it's own client software on NT/95. If you have access to an NT server, try connecting two drives to the same share using different usernames. The error is the same. "The credentials supplied conflict with an existing set of credentials" Rick -----Original Message----- From: Terry_Lalonde@Mitel.COM [mailto:Terry_Lalonde@Mitel.COM] Sent: Tuesday, May 19, 1998 5:29 PM To: lkcl@switchboard.net; rmuniz@hellbringer.sbi.com Subject: From: Terry Lalonde@MITEL on 05/19/98 05:29 PM Hello luke and Rick: Did you guys even figure this one out? I have the same problem using samba 1.9.18p2. Thanks, Terry lalonde On Tue, 23 Dec 1997, Rick Muniz wrote: > I have a group of users that are curently using NFS Maestro to connect to unix systems > from their NT 4.0 PC's. I am trying to move away from using NFS Maestro to just use > samba on the unix systems but I am running into a problem with users that are connecting > to a server using two different user names. 
> > Drive Share Username > j: \\frs\data1 bob > p: \\frs\data2 ted > > This works using NFS Maestro but when using the microsoft networking client, the first > connection works OK but the second connection get the error "The credentials supplied > conflict with an existing set of credentials". I have tried the same drive mappings from > an NTrigue system and in works OK. > > Is there a registry entry I can change in NT 4.0 to make this work? > > Is the fact that it works under NTrigue a specific NTrigue hack ? > > I am using Samba 1.9.17P4 on Solaris 2.5.1 with the following settings in my smb.conf: > security = server > workgroup = OFS > password server = nyntpdc > username map = /etc/opt/samba/users.map [i don't know about the username map option, so i can't advise on this] please could you try 1.9.17p3, and then 1.9.17p2, and let the list know if it works? best regards, luke From lkcl at switchboard.net Wed May 20 12:46:30 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Problem joining domain In-Reply-To: <3562CE31.918C2EA0@eng.auburn.edu> Message-ID: On Wed, 20 May 1998, Gerald Carter wrote: > Luke Kenneth Casson Leighton wrote: > > > > > DOS- or WfW-Clients have no problems to logon the domain. > > > > dos and wfwg clients do not log in to a domain, therefore they have no > > problem :-) > > Domain logons from WfW and MS-DOS client 3.0 are possible. Just FYI... ta. ok, what i should say (should have said) is that this probably uses the documented cifs protocol (SMBtrans2 NetUserGetInfo etc) calls, not the NT domain dce/rpc calls. sorry. luke From cartegw at Eng.Auburn.EDU Wed May 20 13:01:30 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:09 2003 Subject: (fwd) References: Message-ID: <3562D42A.7A7945F7@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > As it turns out, there isn't a problem at all. 
It seems that while
> there are versions of NT (WinDD, NTriuge) that will allow you to
> connect to a server with different usernames, the standard
> Microshaft... uh I mean Microsoft workstation software that comes with
> NT and the Client for Microsoft Networks that comes with Windows 95
> will not. NFS Maestro works only because it uses it's own client
> software on NT/95.
>
> If you have access to an NT server, try connecting two drives to the
> same share using different usernames. The error is the same.
>
> "The credentials supplied conflict with an existing set of
> credentials"
>

There is a small workaround for this as Paul Aston has pointed
out previously on the samba-ntdom list I think. The problem lies
with the NT redirector. The workaround is to use a different
server name ( or IP ) for the different user account. For example

    net use x: \\server\share1 /user:user1
    net use z: \\xxx.xxx.xxx.xxx\share2 /user:user2

where xxx.xxx.xxx.xxx is the IP address of will succeed ( after you
provide the respective passwords of course ).

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services          Auburn University
jerry@eng.auburn.edu                  http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
                          - Sting "Message in a Bottle" ( 1979 )

From aperrin at demog.Berkeley.EDU Wed May 20 19:55:49 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:09 2003
Subject: Bad machine accounts
Message-ID:

Has anyone figured out a pattern and/or a preventative measure for the
phenomenon of machines spontaneously not having valid machine accounts?
It seems to happen every once in a while, and you have to un-join the
domain and then re-join it; kind of a bother.

ap

---------------------------------------------------------------------
Andrew J.
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From x7currie at lab2.cc.wmich.edu Wed May 20 20:13:13 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid Message-ID: Okay, here is what is going on. This must have changed in the newer code, because what I was doing worked before. I can only connect to the domain when I use a "change domain" from control panel/network. And, I can only do this immediately after I reset the machine account's password with a "smbpasswd -m machine_name machine_name" Here after everything works fine until the machine is moved to a different domain or (this is the big problem) I rebuild the machine (either from scratch or using imaging software). Once this is done, I have to reset the password again. Is this supposed to happen like this? The reason I ask is because I used to be able to rebuild the machines and change the netbios names without having to rejoin the domain and everything would work nicely. This is also a problem for me because I don't have root access on the samba PDC to reset a machine account every time I rebuild a machine. (I have a linux box that I do all debugging on, then contact my unix sysadmin with solutions). Kevin Currie From Jean-Francois.Micouleau at utc.fr Wed May 20 20:47:40 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Andrew Perrin - Demography wrote: > Has anyone figured out a pattern and/or a preventative measure for the > phenomenon of machines spontaneously not having valid machine accounts? 
> It seems to happen every once in a while, and you have to un-join the > domain and then re-join it; kind of a bother. When you have this problem, could you stop smbd and restart it with a debug level of 100, turn off and on the workstation, try to login again ? and make the log available by ftp or http ? Jean Francois ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" ----------------------------------------------------------- From cartegw at Eng.Auburn.EDU Wed May 20 20:57:37 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts References: Message-ID: <356343C1.9D30A884@eng.auburn.edu> Andrew Perrin - Demography wrote: > > Has anyone figured out a pattern and/or a preventative measure for the > phenomenon of machines spontaneously not having valid machine > accounts? It seems to happen every once in a while, and you have to > un-join the domain and then re-join it; kind of a bother. This is just an FYI... I have ~12 NT Workstations spread across 5 subnets (yes across routers) with no problems. Very Stable. The Samba PDC is a Sparc Ultra running Solaris 2.5.1 binaries compiled with gcc 2.7.2 -j -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From abs at maunsell.co.uk Wed May 20 21:29:04 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: <356343C1.9D30A884@eng.auburn.edu>; from Gerald Carter on Thu, May 21, 1998 at 07:07:59AM +1000 References: <356343C1.9D30A884@eng.auburn.edu> Message-ID: <19980520222904.44583@maunsell.co.uk> On Thu, May 21, 1998 at 07:07:59AM +1000, Gerald Carter wrote: > > I have ~12 NT Workstations spread across 5 subnets (yes across routers) > with no problems. Very Stable. Gulp. I have exactly that many already, spread across 3 subnets, I am installing another 16 in pairs starting tomorrow, adding another subnet. I've had nothing turn up so far that would warn me to be more cautious. Am I being too gung ho? (as if I have any choice now :-) OK, this is pre-alpha, and it's my risk and so on and so on, but how many people are using domain login support now? Is it 5, 50 or 500? Where does this sort of usage fit into the spectrum of current development experience? Am I a small site, medium or big? Just want to know what I've taken on. -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk From canfield at uindy.edu Wed May 20 22:19:34 1998 From: canfield at uindy.edu (Dana Canfield) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid References: Message-ID: <356356F6.6C0DB519@uindy.edu> Are you using ghostwalker or something similar to change the machine's SID on each machine? As I understand it, changing the machine name is not enough. When you use ghost or other imaging software, the SID stays the same as the original machine you cloned until you drop out of the domain, then re-join. At least, that's my understanding. Kevin Currie wrote: > Okay, here is what is going on. 
This must have changed in the newer code, > because what I was doing worked before. I can only connect to the domain > when I use a "change domain" from control panel/network. And, I can only > do this immediately after I reset the machine account's password with a > "smbpasswd -m machine_name machine_name" > Here after everything works fine until the machine is moved to a different > domain or (this is the big problem) I rebuild the machine (either from > scratch or using imaging software). Once this is done, I have to reset > the password again. Is this supposed to happen like this? The reason I > ask is because I used to be able to rebuild the machines and change the > netbios names without having to rejoin the domain and everything would > work nicely. This is also a problem for me because I don't have root > access on the samba PDC to reset a machine account every time I rebuild a > machine. (I have a linux box that I do all debugging on, then contact my > unix sysadmin with solutions). > > Kevin Currie From D.Bannon at latrobe.edu.au Wed May 20 22:36:13 1998 From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: <19980520222904.44583@maunsell.co.uk> Message-ID: <3.0.3.32.19980521083613.0083fdb0@bioserve.biochem.latrobe.edu.au> At 07:33 21/05/1998 +1000, Andy Smith wrote: >On Thu, May 21, 1998 at 07:07:59AM +1000, Gerald Carter wrote: >> >.... but how >many people are using domain login support now? Is it 5, 50 or 500? >Where does this sort of usage fit into the spectrum of current >development experience? Am I a small site, medium or big? > I only have 5 NTs but lots of Win95s filling in the gaps. Only one subnet though. Been running for almost a month but we don't encourage fiddling with paswords from the NT and similar things. Very stable. 
David
------------------------------------------------------------
David Bannon                      D.Bannon@latrobe.edu.au
School of Biochemistry            Phone 61 03 9479 2197
La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From matthias at transier.isdn.uni-heidelberg.de Thu May 21 00:38:17 1998
From: matthias at transier.isdn.uni-heidelberg.de (Matthias Transier)
Date: Tue Dec 2 02:24:09 2003
Subject: Problem joining domain
Message-ID: <35637778.A4F54372@transier.isdn.uni-heidelberg.de>

On Wed, 20 May 1998, I wrote:

> When I try to join the samba domain (on an NT4-Workstation),
> I get an error message like 'Cannot update the local security
> to become a domain member' (That's a translation as I use the
> german version of NT).

I'm sorry, but I wasn't able to get the same error message again. But it
still doesn't work.
So I put an extract of the log-file (debug level = 100) on the webserver
because I think it's too long to attach it to the message. You will find
it under
http://webrum.uni-mannheim.de/math/transier/log.smb

From heinig at hdz-ima.rwth-aachen.de Wed May 20 23:12:22 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:24:09 2003
Subject: Problem joining domain
References:
Message-ID: <35636356.46BB3E58@hdz-ima.rwth-aachen.de>

Matthias Transier wrote:

> When I try to join the samba domain (on an NT4-Workstation),
> I get an error message like 'Cannot update the local security
> to become a domain member' (That's a translation as I use the
> german version of NT).
> DOS- or WfW-Clients have no problems to logon the domain.

If I remember correctly, you need to specify the domain or machine SID in
the smb.conf file. I had identical problems about two months or so ago,
but as I´ve been working on something else since then and haven´t touched
Samba for at least that long, I´m not *entirely* sure.
I definitely posted something like this at the time, so have a look in the
Samba mailing list archives.

Gerald

From heinig at hdz-ima.rwth-aachen.de Wed May 20 23:13:02 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:24:09 2003
Subject: NIS+ Password support
References:
Message-ID: <3563637E.4D3EB1F5@hdz-ima.rwth-aachen.de>

Frode Stenstrøm wrote:

> >Hi all,
> >
> >NIS+ Password support would be *EXTREMELY* *USEFUL* to us!!
> >
> >Go for it!
> >
> >Cheers,
> >
> >Gerald
>
> We're working on it! I'm joining inn in the effort in two weeks.
> You're welcome to help us if you like.
>

Aaarrgh!!! Murphy´s law, or what?!?

I´ve got a load of exams coming up in July - I´ve just announced my
hibernation period to my bosses/colleagues. This is BAD NEWS.

I´ll see what I can do to help with the testing, but until the end of July
things look fairly grim. Thereafter.... :-)

cheers

Gerald

From heinig at hdz-ima.rwth-aachen.de Wed May 20 23:21:05 1998
From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig)
Date: Tue Dec 2 02:24:09 2003
Subject: NIS+ Password support
References:
Message-ID: <35636561.935E07F7@hdz-ima.rwth-aachen.de>

Luke Kenneth Casson Leighton wrote:

> he he. then can i exploit you for all it's worth, and ask you if you
> could help testing?
>
> if so, then please compile with the above makefile, do the usual cvs
> update whenever you feel like it, and send me bug reports. i'm just
> downloading nis+ for linux, so i should be able to do some tests myself.
>
> no guarantees, though: i don't have sun, sgi or hp nis+. boo.
>
> best regards,
>
> luke
>

I´ll try and get it done next week-ish. Can´t promise much, though... I´ve
been up to my ears in it sorting out a problem with one of our networks
and I´ll be studying for exams after next week. I´ll see what I can do...
:-) cheers Gerald From jallison at whistle.com Wed May 20 23:33:27 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid References: Message-ID: <35636847.617E5E9@whistle.com> Kevin Currie wrote: > > Okay, here is what is going on. This must have changed in the newer code, > because what I was doing worked before. I can only connect to the domain > when I use a "change domain" from control panel/network. And, I can only > do this immediately after I reset the machine account's password with a > "smbpasswd -m machine_name machine_name" > Here after everything works fine until the machine is moved to a different > domain or (this is the big problem) I rebuild the machine (either from > scratch or using imaging software). Once this is done, I have to reset > the password again. Well once you leave and re-join a domain, the client will reset its machine account password, so yes it is supposed to do this. What *exactly* do you mean by rebuilding the machine ? If you mean re-install or any re-load of the registry LSA secrets hive then the old machine password will be lost and you will have to re-join the domain, after resetting the password on the PDC. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From jallison at whistle.com Wed May 20 23:43:22 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:09 2003 Subject: Problem joining domain References: <35637778.A4F54372@transier.isdn.uni-heidelberg.de> Message-ID: <35636A9A.FDA0C194@whistle.com> Matthias Transier wrote: > > I'm sorry, but I wasn't able to get the same error message again. But it > still doesn's work. 
> So I put an extract of the log-file (debug level = 100) on the webserver
> because I think it's too
> long to attach it to the message. You will find it under
> http://webrum.uni-mannheim.de/math/transier/log.smb

I just looked at your log and I see :

size=89
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=1
smb_tid=102
smb_pid=51966
smb_uid=100
smb_mid=0
smt_wct=3
smb_vwv[0]=117 (0x75)
smb_vwv[1]=70 (0x46)
smb_vwv[2]=0 (0x0)
smb_bcc=29
[000] 55 6E 69 78 00 53 61 6D 62 61 20 31 2E 39 2E 31 Unix.Sam ba 1.9.1
[010] 38 70 33 00 4D 41 54 52 41 4E 45 54 00          8p3.MATR ANET.
^^^^
||||
Danger Will Robinson !

The problem is :

Unix.Sam ba ************1.9.18p3************

The domain controller code in that version is known not to work (and in
fact is purposely disabled in later releases).

*** gripe mode on **** (Just for Luke :-)

I knew it was a mistake to ship any 1.9.18 version with *any* of that
code inside. (sorry Luke :-)

*** gripe mode off ***

Are you running off the latest CVS branch of Samba (this announces itself
as 1.9.19prealpha) ? That is the minimum requirement to get working PDC
authentication with Samba.

Cheers,

Jeremy Allison.
Samba Team.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From william at hae.com Thu May 21 01:58:29 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:09 2003
Subject: Bad machine accounts
In-Reply-To:
Message-ID:

This happens with an NT PDC. I was never able to figure it out.

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."
On Thu, 21 May 1998, Jean-Francois Micouleau wrote:

> Date: Thu, 21 May 1998 06:52:51 +1000
> From: Jean-Francois Micouleau
> To: Multiple recipients of list
> Subject: Re: Bad machine accounts
>
> On Thu, 21 May 1998, Andrew Perrin - Demography wrote:
> > Has anyone figured out a pattern and/or a preventative measure for the
> > phenomenon of machines spontaneously not having valid machine accounts?
> > It seems to happen every once in a while, and you have to un-join the
> > domain and then re-join it; kind of a bother.
>
> When you have this problem, could you stop smbd and restart it with a
> debug level of 100, turn off and on the workstation, try to login again ?
>
> and make the log available by ftp or http ?
>
> Jean Francois
>
> -----------------------------------------------------------
> Pinky: "What are we going to do tonight, Brain?"
> Brain: "The same thing we do every night, Pinky :
> try to install Windows NT !"
> -----------------------------------------------------------
>
>

From twinders at SPC.cc.tx.us Thu May 21 05:15:24 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:09 2003
Subject: errors compiling under DU4.0D
Message-ID:

I just downloaded the CVS source (12:00AM CST, 5/21/98) and received these
errors during compile: (under Digital Unix 4.0D)

cc: Warning: lib/rpc/server/srv_samr.c, line 110: In this statement, &
before array "(r_u.pol.data)" is ignored.
bzero(&(r_u.pol.data), POL_HND_SIZE);
--------^
cc: Warning: lib/rpc/server/srv_samr.c, line 798: In this statement, &
before array "(r_u.user_pol.data)" is ignored.
bzero(&(r_u.user_pol.data), POL_HND_SIZE);
--------^
cc: Warning: lib/rpc/server/srv_samr.c, line 1108: In this statement, &
before array "(r_u.pol.data)" is ignored.
bzero(&(r_u.pol.data), POL_HND_SIZE);
--------^

Compiling passdb.c
cc: Warning: passdb.c, line 814: In this statement, & before array "fline"
is ignored.
if(read(fd, &fline, sizeof(fline) -1 ) < 0) {
--------------^

cc: Warning: smbpass.c, line 256: In this statement, the referenced type
of the pointer value "p" is "unsigned char", which is not compatible with
"signed char" ..
pw_buf.acct_ctrl = pdb_decode_acct_ctrl(p);
-------------------------^
cc: Warning: smbpass.c, line 478: In this statement, the referenced type
of the pointer value "(char ...)malloc(...)" is "signed char", which is
not compatible with "unsigned char".
if((new_entry = (char *)malloc( new_entry_length )) == NULL) {
------^

Everything seems to run OK, so I don't know if I should ignore these
errors or what exactly they mean...

=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE   | Email: TWinders@SPC.cc.tx.us          |
| Network Administrator    | Phone: 806-894-9611 x 2369            |
| South Plains College     | Fax:   806-897-4711                   |
---------------------------------------------------------------------

From bernard at zeus.rug.ac.be Thu May 21 07:52:11 1998
From: bernard at zeus.rug.ac.be (Bernard Grymonpon)
Date: Tue Dec 2 02:24:09 2003
Subject: Bad machine accounts
In-Reply-To: <19980520222904.44583@maunsell.co.uk>
Message-ID:

Hello,

I have had this problem a time ago (see my messages to this list...). I
was able to log in once, and when i rebooted the machine, re-installed it
or something else so that NT was shut down once, it said the machine
account was wrong in the PDC. So, after hours and hours of trying, i
discovered this :

My problem was solved after i inserted the line "locking = no" in the
netlogon section of my config file.

Maybe it helps, maybe it doesn't...
Bernard -------------------------------------------------------------------------------- *** Make an idiot proof program, and someone will make a better idiot *** ------------------------------------------------------------------------------- Bernard Grymonpon Onderhoudsteam "Student 1" bernard@zeus.rug.ac.be Support PC "De Brug" Student University of Ghent Hardware verantwoordelijke "Zeus" ------------------------------------------------------------------------------- From lkcl at switchboard.net Thu May 21 11:43:00 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Andrew Perrin - Demography wrote: > Has anyone figured out a pattern how often does it occur? From lkcl at switchboard.net Thu May 21 11:44:52 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > Okay, here is what is going on. This must have changed in the newer code, > because what I was doing worked before. I can only connect to the domain > when I use a "change domain" from control panel/network. And, I can only > do this immediately after I reset the machine account's password with a > "smbpasswd -m machine_name machine_name" > Here after everything works fine until the machine is moved to a different > domain or (this is the big problem) I rebuild the machine (either from > scratch or using imaging software). Once this is done, I have to reset > the password again. Is this supposed to happen like this? The reason I it's probably because we now support the "machine password change". 
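
The unsalted-hash property raised in the "does smbpasswd -r need conf file?" messages above (the same cleartext always gives the same string in private/smbpasswd, and the password is split with each half processed separately) can be turned into an audit of a password file. The sketch below is an added example, not code from the thread or from Samba; it assumes a colon-separated file whose first four fields are name, uid, a 32-hex-digit LANMAN hash and a 32-hex-digit NT hash, and its sample rows are constructed placeholders, not real hashes.

```python
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def _row(name, uid, lm, nt):
    # Assumed layout: name:uid:LANMAN:NT:<other fields ignored by this audit>
    return f"{name}:{uid}:{lm}:{nt}:[U          ]:LCT-00000000:"


# Constructed sample data. The hex strings are placeholders chosen so the
# groupings are easy to follow; they are not hashes of any real password.
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed sample, not from a real server",
    _row("alice", 1001, "1" * 16 + "E" * 16, "A" * 32),
    _row("bob",   1002, "2" * 16 + "E" * 16, "B" * 32),
    _row("carol", 1003, "1" * 16 + "E" * 16, "A" * 32),
    _row("dave",  1004, "3" * 16 + "4" * 16, "C" * 32),
    _row("TEST$", 1005, "X" * 32,            "D" * 32),
])


def parse_smbpasswd(text):
    """Return [(name, lm_hash, nt_hash)]; a hash is None when the field is
    not 32 hex digits (for example an account with no usable LANMAN hash)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed row, skip rather than guess
        name, _uid, lm, nt = fields[:4]
        lm = lm.upper() if HEX32.match(lm) else None
        nt = nt.upper() if HEX32.match(nt) else None
        entries.append((name, lm, nt))
    return entries


def shared_full_hashes(entries):
    """With no salt, two accounts with the same stored hash have the same
    password. Map (kind, hash) -> sorted account names, for groups > 1."""
    groups = defaultdict(list)
    for name, lm, nt in entries:
        for kind, value in (("LM", lm), ("NT", nt)):
            if value:
                groups[(kind, value)].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def shared_lm_halves(entries):
    """Each half of the LANMAN hash is computed separately, so a half that
    repeats across accounts means that half of the password repeats too.
    A second half shared by many accounts is what short (padded) passwords
    produce. Map (position, half) -> sorted account names, for groups > 1."""
    groups = defaultdict(list)
    for name, lm, _nt in entries:
        if lm:
            groups[("first", lm[:16])].append(name)
            groups[("second", lm[16:])].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def report(text):
    """Human-readable findings, one line per group of accounts."""
    entries = parse_smbpasswd(text)
    lines = []
    for (kind, value), names in sorted(shared_full_hashes(entries).items()):
        lines.append(f"same {kind} hash {value}: {', '.join(names)}")
    for (pos, value), names in sorted(shared_lm_halves(entries).items()):
        lines.append(f"same LM {pos} half {value}: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SMBPASSWD)))
```

Accounts that fall into any group are candidates for a forced password change; the file itself needs the same protection as cleartext passwords because equal entries reveal equal passwords.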
From lkcl at switchboard.net Thu May 21 11:46:01 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:09 2003
Subject: Bad machine accounts
In-Reply-To:
Message-ID:

On Thu, 21 May 1998, Jean-Francois Micouleau wrote:

> On Thu, 21 May 1998, Andrew Perrin - Demography wrote:
> > Has anyone figured out a pattern and/or a preventative measure for the
> > phenomenon of machines spontaneously not having valid machine accounts?
> > It seems to happen every once in a while, and you have to un-join the
> > domain and then re-join it; kind of a bother.
>
> When you have this problem, could you stop smbd and restart it with a
> debug level of 100, turn off and on the workstation, try to login again ?

it's too late by then, jean-f. you need to catch it _Before_ the failure,
which means running at log level 100 for a week or so.

you can do this for just one machine by having:

    include = smb.conf.%m

and:

smb.conf.some_machine:

    debug level = 100

From lkcl at switchboard.net Thu May 21 11:47:56 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:09 2003
Subject: Bad machine accounts
In-Reply-To: <19980520222904.44583@maunsell.co.uk>
Message-ID:

> Just want to know what I've taken on.

so would i. can i ask people the favour of doing a "roll-call" of their
site topology / number of samba pdc servers / number of nt 3.51 / 4.0
workstations?

ta!

From lkcl at switchboard.net Thu May 21 11:50:50 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:09 2003
Subject: NIS+ Password support
In-Reply-To: <3563637E.4D3EB1F5@hdz-ima.rwth-aachen.de>
Message-ID:

On Thu, 21 May 1998, Gerald Heinig wrote:

> Frode Stenstrøm wrote:
>
> > >Hi all,
> > >
> > >NIS+ Password support would be *EXTREMELY* *USEFUL* to us!!
> > >
> > >Go for it!
> > >
> > >Cheers,
> > >
> > >Gerald
> >
> > We're working on it! I'm joining inn in the effort in two weeks.
> > You're welcome to help us if you like.
> > > > Aaarrgh!!! Murphy´s law, or what?!? > > I´ve got a load of exams coming up in July - I´ve just announced my > hibernation period to my bosses/colleagues. This is BAD NEWS. > > I´ll see what I can do to help with the testing, but until the end of July > things look fairly grim. Thereafter.... :-) hey, no worries. i think that everyone's got exams at the moment. hibernate away :-) From lkcl at switchboard.net Thu May 21 11:59:08 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: errors compiling under DU4.0D In-Reply-To: Message-ID: On Thu, 21 May 1998, Tim Winders wrote: > I just downloaded the CVS source (12:00AM CST, 5/21/98) and received these > errors during compile: (under Digital Unix 4.0D) > > cc: Warning: lib/rpc/server/srv_samr.c, line 110: In this statement, & > before array "(r_u.pol.data)" is ignored. > bzero(&(r_u.pol.data), POL_HND_SIZE); > --------^ > cc: Warning: lib/rpc/server/srv_samr.c, line 798: In this statement, & > before array "(r_u.user_pol.data)" is ignored. > bzero(&(r_u.user_pol.data), POL_HND_SIZE); > --------^ > cc: Warning: lib/rpc/server/srv_samr.c, line 1108: In this statement, & > before array "(r_u.pol.data)" is ignored. > bzero(&(r_u.pol.data), POL_HND_SIZE); > --------^ done. > > Compiling passdb.c > cc: Warning: passdb.c, line 814: In this statement, & before array "fline" > is ignored. > if(read(fd, &fline, sizeof(fline) -1 ) < 0) { > --------------^ done. > > cc: Warning: smbpass.c, line 256: In this statement, the referenced type > of the pointer value "p" is "unsigned char", which is not compatible with > "signed char" > . > pw_buf.acct_ctrl = pdb_decode_acct_ctrl(p); > -------------------------^ your compiler is lying to you: the function returns "uint16"; acct_ctrl is also a uint16. 
> cc: Warning: smbpass.c, line 478: In this statement, the referenced type > of the pointer value "(char ...)malloc(...)" is "signed char", which is > not compatible with "unsigned char". > if((new_entry = (char *)malloc( new_entry_length )) == NULL) { > ------^ done. > Everything seems to run OK, so I don't know if I should ignore these > errors ignore them. > or what exactly they mean... that's why i fixed them for you. thanks tim From x7currie at lab2.cc.wmich.edu Thu May 21 12:09:18 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: <356343C1.9D30A884@eng.auburn.edu> Message-ID: > I have ~12 NT Workstations spread across 5 subnets (yes across routers) > with no problems. Very Stable. We were doing okay too, until we got into the 50+ computer range. Then things started to go a little crazy. We fixed a lot of it by putting samba in inetd, but there are some things we're still trying to work out. Kevin From lkcl at switchboard.net Thu May 21 12:16:31 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: net time over dce/rpc (fwd) Message-ID: thanks to jean-francois, NET TIME \\SAMBA_PDC /set /yes from an nt 3.51 / 4.0 workstation is now supported. From x7currie at lab2.cc.wmich.edu Thu May 21 12:20:52 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: > so would i. can i ask people the favour of doing a "roll-call" of their > site topology / number of samba pdc servers / number of nt 3.51 / 4.0 > workstations? I've got a samba PDC which we're trying to use the campus wide user accounts with (read that as 10's of thousands) and my lab is the test lab. I've currently got about 50 NT 4.0 workstations attaching (when things are good ) and plan to add about 50 more in the semi-near future. 
Kevin From x7currie at lab2.cc.wmich.edu Thu May 21 12:28:06 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid In-Reply-To: <35636847.617E5E9@whistle.com> Message-ID: > What *exactly* do you mean by rebuilding the machine ? > If you mean re-install or any re-load of the registry > LSA secrets hive then the old machine password will > be lost and you will have to re-join the domain, after > resetting the password on the PDC. When I say rebuild, I'm talking about a format of the HDD... which in a lab environment tends to happen quite often, especially since MS uses this damn registry thing. It is far easier to "clone" an image of a HDD around the lab than go to 100 computers and individually fix little bugs. Kevin From lkcl at switchboard.net Thu May 21 12:28:37 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > > I have ~12 NT Workstations spread across 5 subnets (yes across routers) > > with no problems. Very Stable. > > We were doing okay too, until we got into the 50+ computer range. > Then things started to go a little crazy. ah. was that 50 simultaneous logins or what? you thought of running smbd at "nice --10"? > We fixed a lot of it by putting > samba in inetd, but there are some things we're still trying to work out. like that "locking = no" in [netlogon]? we advise people to do that anyway, bernard, and also to put "read only = yes" etc etc. luke From x7currie at lab2.cc.wmich.edu Thu May 21 12:34:38 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid In-Reply-To: Message-ID: > > it's probably because we now support the "machine password change". > Uhg... 
:( This could mean a lot of scripting work for me and my unix sysadmin finding a way to make him feel secure about me calling smbpasswd with as root in order to reset the machine accounts every time I want to rebuild the lab. How far are you guys from getting the "create machine account in the domain" check box functioning? I realize this could be a pain because each machine account is supposed to have a unique uid. As a stepping stone, how about having it reset the machine password for an account that is already there, and then have a parameter in the smb.conf file something like "machine reset users = " which says which users can reset the password for the already existing accounts? Regards, Kevin From x7currie at lab2.cc.wmich.edu Thu May 21 12:39:02 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: > ah. was that 50 simultaneous logins or what? you thought of running > smbd at "nice --10"? Yeah, 50 simultaneous logins... "nice --10"? I'll have to dig through the docs again. I thought I'd been through almost all of them, but I don't seem to remember that. > like that "locking = no" in [netlogon]? we advise people to do that > anyway, bernard, and also to put "read only = yes" etc etc. I'm getting those put in ASAP... :) Kevin From daniel at med.up.pt Thu May 21 12:49:02 1998 From: daniel at med.up.pt (Daniel Fonseca) Date: Tue Dec 2 02:24:09 2003 Subject: My use of SAMBA In-Reply-To: Message-ID: On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > > Just want to know what I've taken on. > > so would i. can i ask people the favour of doing a "roll-call" of their > site topology / number of samba pdc servers / number of nt 3.51 / 4.0 > workstations? Ok. 
Here's what I've got at the Faculty of Medicine - http://www.med.up.pt - 1 Samba PDC server / homes server / print server / accounting - 1 Samba File Sharer and Media Sharer (Public CD-Rom and Zip Drive) - 30 NT Workstations (NT4/SP3) - Heavy sharing - Couple of Windoze 95 (Near Future - implementation of this same system prototype across 16 (!!) Departments - 1 Samba PDC and loads of NT Wks) I was the SysAdmin for the Cibercafe of Oporto http://www.cibercafe.pt and now run it in a part-time basis (all the basic work has been done). - 1 Samba PDC / homes (30 Mb each user)/ file sharing plus All Internet Services server - 1 Linux Box running a web jukebox http://jukebox.cibercafe.pt where the customers ask for the music that is listened in the stereo loudspeakers of the whole cafe (I believe it to be the first one in the world), acting as print server for them also and permanently running a lib_svga program showing in a big monitor (led panel rotating like) which user is in each computer and for how long - pushing that Pentium 100 - 32 Mb RAM real hard! - Have also developed a system (using samba) where the users buy some amount of hours to spend on the PC's and the system automatically deducts those on-line hours for them until they have no credit left - their account is temporarily suspended until they buy more hours. You can see who's logged on in the cafe at all times: http://www.cibercafe.pt/cgi-bin/recarga/monitor.cgi All these programs are home-made! Mixture of C (heavy coding) with TCL (for the interfaces, cgi's and the jukebox server) plus lib_gdbm for the small databases of the users' times. - 12 Windows 95 clients in the costumers lounge plus 6 more from staff. I also run another site of public Internet access http://www.copivista.pt (basically same stuff) - 1 Samba PDC / homes (50 Mb each user) / file sharing plus All Internet Services server - 12 Windows 95 clients plus 3 more from staff. 
Sorry for all the extent and the details, but it's just to show all that can be put together with Samba/Linux and some nice work and imagination... in the real world! Really proud! Nice work guys! Daniel From cartegw at Eng.Auburn.EDU Thu May 21 12:53:45 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid In-Reply-To: <356356F6.6C0DB519@uindy.edu> Message-ID: On Thu, 21 May 1998, Dana Canfield wrote: > Are you using ghostwalker or something similar to change the machine's SID on > each machine? > As I understand it, changing the machine name is not enough. When you use > ghost or other > imaging software, the SID stays the same as the original machine you cloned > until you drop out of the domain, then > re-join. At least, that's my understanding. > See http://www.sysinternals.com for a free utility oto change machine SID's. Comes with source j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From abs at maunsell.co.uk Thu May 21 12:53:57 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: ; from Luke Kenneth Casson Leighton on Thu, May 21, 1998 at 11:47:56AM +0000 References: <19980520222904.44583@maunsell.co.uk> Message-ID: <19980521135357.42456@maunsell.co.uk> On Thu, May 21, 1998 at 11:47:56AM +0000, Luke Kenneth Casson Leighton wrote: > > so would i. can i ask people the favour of doing a "roll-call" of their > site topology / number of samba pdc servers / number of nt 3.51 / 4.0 > workstations? 
Right now, spread over 4 subnets in a single office (civil engineers), using NIS (600 users total, 200 at this site) :- 1 Samba PDC (Sun Sparc 10/Solaris 2.5.1) 1 Samba Domain Client (Intel/Solaris 2.5.1) 2 Samba Domain Client (Sun Sparc 10/Solaris 2.5.1) 14 NT 4.0/sp3 wkstns *****no Microsoft NT server***** There's another 14 to go with these in the next week or so, then at least another 50 spread around the remote sites later in the summer. -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. -or- abs@maunsl00.demon.co.uk From lkcl at switchboard.net Thu May 21 12:57:41 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Update: Machine accounts invalid In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > > > it's probably because we now support the "machine password change". > > > Uhg... :( This could mean a lot of scripting work for me an my > unix sysadmin finding a way to make him feel secure about me calling > smbpasswd with as root in order to reset the machine accounts every time I > want to rebuild the lab. > > How far are you guys from getting the "create machine account in > the domian" check box functioning? requires reverse engineering or information from microsoft. > I realize this could be a pain because > each machine account is supposed to have a unique uid. that's not a problem. > As a stepping stone, how about having it reset the machine > password for an account that is already there, the "add" and "modify" SAM account info dce/rpc calls are encrypted: see above answer. 
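The worry in this exchange, letting a lab operator reset machine accounts without general root use of smbpasswd, comes down to strictly validating the one argument a privileged wrapper accepts. The following is an added example, not code from the thread or from the Samba project: the function names, the PASSWD_FILE and MAX_UNIX_NAME variables and the sample passwd entries are assumptions, and the `smbpasswd -m NAME NAME` form is the one quoted in the thread for this pre-alpha code.

```shell
#!/bin/sh
# Added example: argument checks for a sudo-invoked wrapper that may reset
# machine-account passwords and nothing else. It prints the command it
# would run; a deployed wrapper would exec it instead.

LC_ALL=C; export LC_ALL                      # make the character ranges below byte-exact

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"    # assumption: NAME$ entries live in a flat passwd file
MAX_UNIX_NAME="${MAX_UNIX_NAME:-8}"          # assumption: local cap on Unix account-name length

# valid_machine_name NAME -> 0 only for a plain NetBIOS-style machine name.
valid_machine_name() {
    vm_name=$1
    case $vm_name in
        ''|-*)           return 1 ;;   # empty, or would be parsed as an smbpasswd option
        *[!A-Za-z0-9-]*) return 1 ;;   # spaces, '$', ';', newlines and the like
    esac
    [ "${#vm_name}" -le 15 ]           # NetBIOS machine names carry at most 15 characters
}

# account_exists ACCOUNT -> 0 if ACCOUNT is the first field of a passwd line
# (compared case-insensitively, since NT sends the name in upper case).
account_exists() {
    awk -F: -v want="$1" '
        tolower($1) == tolower(want) { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$PASSWD_FILE"
}

# check_reset NAME -> prints the reset command on success.
# Return codes: 2 bad name, 3 NAME$ too long for Unix, 4 no NAME$ entry.
check_reset() {
    cr_name=$1
    if ! valid_machine_name "$cr_name"; then
        echo "refused: not a plain machine name" >&2
        return 2
    fi
    cr_account="${cr_name}\$"          # machine accounts are stored with a trailing '$'
    if [ "${#cr_account}" -gt "$MAX_UNIX_NAME" ]; then
        echo "refused: $cr_account is longer than $MAX_UNIX_NAME characters" >&2
        return 3
    fi
    # Requiring the NAME$ entry is what keeps ordinary user accounts out of reach.
    if ! account_exists "$cr_account"; then
        echo "refused: no $cr_account entry in $PASSWD_FILE" >&2
        return 4
    fi
    printf 'smbpasswd -m %s %s\n' "$cr_name" "$cr_name"
}

# Demonstration on a constructed passwd file: sh wrapper.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_file=$(mktemp)
    printf '%s\n' \
        'root:x:0:0::/root:/bin/sh' \
        'sup2$:x:900:900:machine account:/nonexistent:/bin/false' \
        'alice:x:1000:1000::/home/alice:/bin/sh' > "$demo_file"
    PASSWD_FILE=$demo_file
    for demo_name in SUP2 SUPPORT2 alice -a 'sup2;id'; do
        check_reset "$demo_name" || echo "  -> exit code $?"
    done
    rm -f "$demo_file"
fi
```
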
From daniel at med.up.pt Thu May 21 12:59:13 1998 From: daniel at med.up.pt (Daniel Fonseca) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > > I have ~12 NT Workstations spread across 5 subnets (yes across routers) > > with no problems. Very Stable. > > We were doing okay too, until we got into the 50+ computer range. > Then things started to go a little crazy. We fixed a lot of it by putting > samba in inetd, but there are some things we're still trying to work out. Sorry... you mean to tell me that putting samba in inetd was the key for you? I always thought inetd to be used when samba is scarcely used. I had to take samba out of inetd because it would die due to excess of samba requests (I know you can change (nowait.max - default 40) the number of connection per minute the inetd can take before it thinks things are bad - but still making it standalone worked better/saffer for me) Can you confirm that taking samba out of inetd at this moment makes your 50+ setup fail? Daniel From lkcl at switchboard.net Thu May 21 13:01:38 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > ah. was that 50 simultaneous logins or what? you thought of running > > smbd at "nice --10"? > > Yeah, 50 simultaneous logins... "nice --10"? I'll have to dig > through the docs again. I thought I'd been through almost all of them, > but I don't seem to remember that. it's something i recommended to people running of of 12mb memory 486s: the smbd and nmbd processes get swapped out, and take two or three seconds to reload, by which time things like "browser announcements" and "netbios queries" get completely lost / ignored... 
From twinders at SPC.cc.tx.us Thu May 21 13:08:41 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:09 2003 Subject: errors compiling under DU4.0D In-Reply-To: Message-ID: Thanks for the fixes Luke! I will update my CVS and go from there! On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > On Thu, 21 May 1998, Tim Winders wrote: > > > I just downloaded the CVS source (12:00AM CST, 5/21/98) and received these > > errors during compile: (under Digital Unix 4.0D) > > > > cc: Warning: lib/rpc/server/srv_samr.c, line 110: In this statement, & > > before array "(r_u.pol.data)" is ignored. > > bzero(&(r_u.pol.data), POL_HND_SIZE); > > --------^ > > cc: Warning: lib/rpc/server/srv_samr.c, line 798: In this statement, & > > before array "(r_u.user_pol.data)" is ignored. > > bzero(&(r_u.user_pol.data), POL_HND_SIZE); > > --------^ > > cc: Warning: lib/rpc/server/srv_samr.c, line 1108: In this statement, & > > before array "(r_u.pol.data)" is ignored. > > bzero(&(r_u.pol.data), POL_HND_SIZE); > > --------^ > > done. > > > > > Compiling passdb.c > > cc: Warning: passdb.c, line 814: In this statement, & before array "fline" > > is ignored. > > if(read(fd, &fline, sizeof(fline) -1 ) < 0) { > > --------------^ > > done. > > > > > cc: Warning: smbpass.c, line 256: In this statement, the referenced type > > of the pointer value "p" is "unsigned char", which is not compatible with > > "signed char" > > . > > pw_buf.acct_ctrl = pdb_decode_acct_ctrl(p); > > -------------------------^ > > your compiler is lying to you: the function returns "uint16"; acct_ctrl is > also a uint16. > > > > cc: Warning: smbpass.c, line 478: In this statement, the referenced type > > of the pointer value "(char ...)malloc(...)" is "signed char", which is > > not compatible with "unsigned char". > > if((new_entry = (char *)malloc( new_entry_length )) == NULL) { > > ------^ > > done. 
> > > Everything seems to run OK, so I don't know if I should ignore these > > errors > > ignore them. > > > or what exactly they mean... > > that's why i fixed them for you. thanks tim > === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From twinders at SPC.cc.tx.us Thu May 21 13:09:47 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:09 2003 Subject: net time over dce/rpc (fwd) In-Reply-To: Message-ID: Yeah! Yeah! Yeah! Yeah! On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > thanks to jean-francois, NET TIME \\SAMBA_PDC /set /yes from an nt 3.51 / > 4.0 workstation is now supported. > === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From lkcl at switchboard.net Thu May 21 13:05:39 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: My use of SAMBA In-Reply-To: Message-ID: > All these programs are home-made! Mixture of C (heavy coding) with TCL > (for the interfaces, cgi's and the jukebox server) plus lib_gdbm for the > small databases of the users' times. totally _cool_ - we use samba at http://www.cb1.com too: it stores all the applications so that people can't destroy the machines. recreating a machine only requires a re-install and double-click on a set of .reg files (for netscrapie 4) and it's back again. good one, daniel. 
luke From lkcl at switchboard.net Thu May 21 13:09:01 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:09 2003 Subject: net time over dce/rpc (fwd) In-Reply-To: Message-ID: On Thu, 21 May 1998, Tim Winders wrote: > Yeah! Yeah! Yeah! Yeah! i don't know why everyone's so enthuiastic about this stuff. i mean, it's only saving them several thousands of pounds and stops your unix admin from being made redundant... From twinders at SPC.cc.tx.us Thu May 21 13:19:26 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: net time over dce/rpc (fwd) In-Reply-To: Message-ID: On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > On Thu, 21 May 1998, Tim Winders wrote: > > > Yeah! Yeah! Yeah! Yeah! > > i don't know why everyone's so enthuiastic about this stuff. i mean, it's > only saving them several thousands of pounds and stops your unix admin > from being made redundant... > I have been waiting for the net time rpc stuff for a while. I almost put in a bug report saying my NT Workstation gets an rpc error when doing net time but my 95 boxes are OK, then I saw the discussions that, yeah, it doesn't work. It is one more step along a long journey... === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From cartegw at Eng.Auburn.EDU Thu May 21 13:33:12 1998 From: cartegw at Eng.Auburn.EDU (Gerald W. Carter) Date: Tue Dec 2 02:24:10 2003 Subject: Update: Machine accounts invalid References: Message-ID: <35642D18.14B61A2D@eng.auburn.edu> Kevin Currie wrote: > > When I say rebuild, I'm talking about a format of the HDD... which > in a lab enviorment tends to happen quite often, especially since MS > uses this damn registry thing. 
It is far easier to "clone" an image > of a HDD around the lab then go to 100 computers and indiviually fix > little bugs. Kevin, This is off topic. But NT should be stable enough to run in a lab w/o reloading the machine that often. IMHO I would try to lock down the permissions more. This has just been my experience for what it's worth ...probably about what you paid for it ;) j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From twinders at SPC.cc.tx.us Thu May 21 14:02:11 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... In-Reply-To: Message-ID: I just ran into a "problem" with the machine accounts requiring an entry in the /etc/passwd file for account creating. On *MY* system, unix account names can only be 8 characters. I have (had) an NT machine with the name SUPPORT2 (8 character) but to create the unix account, I needed 9 characters (SUPPORT2$) which wouldn't work. I created the account as SUPPORT2 and changed the entry to SUPPORT2$ and then ran smbpasswd -a -m support2 support2 but the NT machine said it could login because the account in the domain didn't exist or the password didn't match. I ended up changing the machine name to SUP2 and adding the appropriate entries and this worked... Hey! Wait a minute... now that I look again at my /etc/passwd file, there are NO machine entries there... does smbpasswd REMOVE the entries from /etc/passwd when the machine account is created? 
=== Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From lkcl at switchboard.net Thu May 21 14:02:02 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... In-Reply-To: Message-ID: ok, try using the "map username = " option. map "support2$" to "sup2$". OH. first i think we have to add this functionality into the password system, not just on the unix smbd side :-) wait for a bit, ok, while a "validate_unix_username()" function gets created... lukes On Thu, 21 May 1998, Tim Winders wrote: > I just ran into a "problem" with the machine accounts requiring an entry > in the /etc/passwd file for account creating. On *MY* system, unix > account names can only be 8 characters. I have (had) an NT machine with > the name SUPPORT2 (8 character) but to create the unix account, I needed 9 > characters (SUPPORT2$) which wouldn't work. I created the account as > SUPPORT2 and changed the entry to SUPPORT2$ and then ran smbpasswd -a -m > support2 support2 but the NT machine said it could login because the > account in the domain didn't exist or the password didn't match. I ended > up changing the machine name to SUP2 and adding the appropriate entries > and this worked... > > Hey! Wait a minute... now that I look again at my /etc/passwd file, there > are NO machine entries there... does smbpasswd REMOVE the entries from > /etc/passwd when the machine account is created? 
> > === Tim > > --------------------------------------------------------------------- > | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | > | Network Administrator | Phone: 806-894-9611 x 2369 | > | South Plains College | Fax: 806-897-4711 | > --------------------------------------------------------------------- > > > From danny at cs.huji.ac.il Thu May 21 14:07:33 1998 From: danny at cs.huji.ac.il (Danny Braniss) Date: Tue Dec 2 02:24:10 2003 Subject: "roll-call" was Bad machine accounts In-Reply-To: Your message of "Thu, 21 May 1998 21:58:47 +1000." Message-ID: In message you write: }> Just want to know what I've taken on. } }so would i. can i ask people the favour of doing a "roll-call" of their }site topology / number of samba pdc servers / number of nt 3.51 / 4.0 }workstations? } }ta! } samba 3 one as pdc. nt 3.51 1 server/ntrigue, & pdc (but hopefuly no pdc soon :-) nt 4.0 80 ws. w95 10 danny From twinders at SPC.cc.tx.us Thu May 21 14:21:59 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... In-Reply-To: Message-ID: This isn't a BIG problem (yet), I just wanted to make you aware that this might be an issue for the future. This machine doesn't have any users connected to it, so changing the name was easy, but when you get the full PDC stuff for NT going, and I create shares with user permissions for the unix box and I have lots of people connecting to the box for those shares, changing the name could be a problem. ;-) On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > ok, try using the "map username = " option. map "support2$" to "sup2$". > OH. first i think we have to add this functionality into the password > system, not just on the unix smbd side :-) > > wait for a bit, ok, while a "validate_unix_username()" function gets > created... 
> > lukes > > On Thu, 21 May 1998, Tim Winders wrote: > > > I just ran into a "problem" with the machine accounts requiring an entry > > in the /etc/passwd file for account creating. On *MY* system, unix > > account names can only be 8 characters. I have (had) an NT machine with > > the name SUPPORT2 (8 character) but to create the unix account, I needed 9 > > characters (SUPPORT2$) which wouldn't work. I created the account as > > SUPPORT2 and changed the entry to SUPPORT2$ and then ran smbpasswd -a -m > > support2 support2 but the NT machine said it could login because the > > account in the domain didn't exist or the password didn't match. I ended > > up changing the machine name to SUP2 and adding the appropriate entries > > and this worked... > > > > Hey! Wait a minute... now that I look again at my /etc/passwd file, there > > are NO machine entries there... does smbpasswd REMOVE the entries from > > /etc/passwd when the machine account is created? > > > > === Tim > > > > --------------------------------------------------------------------- > > | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | > > | Network Administrator | Phone: 806-894-9611 x 2369 | > > | South Plains College | Fax: 806-897-4711 | > > --------------------------------------------------------------------- > > > > > > > === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From heinig at hdz-ima.rwth-aachen.de Thu May 21 14:18:20 1998 From: heinig at hdz-ima.rwth-aachen.de (Gerald Heinig) Date: Tue Dec 2 02:24:10 2003 Subject: Samba in use Message-ID: <356437AC.6E976285@hdz-ima.rwth-aachen.de> Hi all, We have: 50 Pentium 233s hooked up to a Sun SPARC 10 forming a remote-boot network which boots either DOS, Windows or Linux. 
We're using Samba for the communication with the server when the clients boot DOS/Windows. A small network with one SPARC 20 serving 10 NT Workstations. This one runs NTDOM. Works fine. Soon: SPARC 20 serving some 30-40 odd NT workstations in our main department house. That'll be set up sometime in July/August. cheers Gerald From Jean-Francois.Micouleau at utc.fr Thu May 21 14:32:52 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:10 2003 Subject: net time over dce/rpc (fwd) In-Reply-To: Message-ID: On Thu, 21 May 1998, Tim Winders wrote: > On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > > > On Thu, 21 May 1998, Tim Winders wrote: > > > > > Yeah! Yeah! Yeah! Yeah! > > > > i don't know why everyone's so enthusiastic about this stuff. i mean, it's > > only saving them several thousands of pounds and stops your unix admin > > from being made redundant... > > Send me the money, I will buy pizza :-) > I have been waiting for the net time rpc stuff for a while. I > almost put in a bug report saying my NT Workstation gets an rpc error when > doing net time but my 95 boxes are OK, then I saw the discussions that, > yeah, it doesn't work. It is one more step along a long journey... I saw a post on samba-ntdom last week-end, made a packet dump on sunday, wrote the patch on thusday night and debugged it yesterday. Jean Francois ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" 
----------------------------------------------------------- From twinders at SPC.cc.tx.us Thu May 21 14:52:37 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: net time over dce/rpc (fwd) In-Reply-To: Message-ID: On Thu, 21 May 1998, Jean-Francois Micouleau wrote: > I saw a post on samba-ntdom last week-end, made a packet dump on sunday, > wrote the patch on thusday night and debugged it yesterday. I wish *I* had said something sooner... === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From x7currie at lab2.cc.wmich.edu Thu May 21 15:10:12 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:10 2003 Subject: Update: Machine accounts invalid In-Reply-To: Message-ID: > > As a stepping stone, how about having it reset the machine > > password for an account that is already there, > > the "add" and "modify" SAM account info dce/rpc calls are encrypted: see > above answer. Well, smbpasswd reads the smb.conf file, how about just having the "machine reset users = " parameter be interpreted by smbpasswd so that non-root users can reset the machine (and only machine) account passwords? Kevin From x7currie at lab2.cc.wmich.edu Thu May 21 15:13:42 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: > Sorry... you mean to tell me that putting samba in inetd was the key for > you? Yep... > I always thought inetd to be used when samba is scarcely used. There is more overhead, but our machine is fast enough to take it. 
> I had to take samba out of inetd because it would die due to excess of > samba requests (I know you can change (nowait.max - default 40) the number > of connection per minute the inetd can take before it thinks things are > bad - but still making it standalone worked better/saffer for me) Running stand alone, we'd take it down after 10-20 simultaneous connections. Samba would still be a running process, it just wouldn't fork anymore so nothing could really connect. By putting it in inetd we got around the problem by letting inetd fork (start actually) a new smbd. > Can you confirm that taking samba out of inetd at this moment makes your > 50+ setup fail? Unfortunately I don't have access to do this, and I have (by the looks of the lab right now) about 20 people sitting on the machines who wouldn't be too happy with me. Kevin From x7currie at lab2.cc.wmich.edu Thu May 21 15:15:06 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: > it's something i recommended to people running of of 12mb memory 486s: the > smbd and nmbd processes get swapped out, and take two or three seconds to > reload, by which time things like "browser announcements" and "netbios > queries" get completely lost / ignored... We're running samba on a dual processor ultrasparc... all our clients are at least pentium 90's w/ 32meg of ram. Kevin From aperrin at demog.Berkeley.EDU Thu May 21 15:26:12 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: Our setup: 1 Samba 1.9.19-prealpha (NTDOM) server, 2 NT 4.0 clients, and 1 Samba 1.9.18p7 server, all in SANDBOX domain (yes we're very much in testing mode here); 3 Samba 1.9.18p7 servers and ~25 NT 4.0 clients in DEMOG domain, working great. --------------------------------------------------------------------- Andrew J. 
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote: > > Just want to know what I've taken on. > > so would i. can i ask people the favour of doing a "roll-call" of their > site topology / number of samba pdc servers / number of nt 3.51 / 4.0 > workstations? > > ta! > From aperrin at demog.Berkeley.EDU Thu May 21 16:02:45 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: Well, this morning I did a cvs update and now the machine logs in okay -- but something else broke, and since I now have a level 100 debug log I'll let y'all know anyway. There are three issues currently unresolved, all of which should show up in this log: 1.) the "detected a slow network connection" dialog on login, asking if the user wants to download the profile or use a local one: 2.) Can't connect to *any* shares on the PDC except those set guest only -- all others get invalid password errors. Until today, it worked fine to connect to a share on another Samba server in the domain with security = server and password server = . HOWEVER, 3.) Today's new issue is that the scheme above doesn't work quite right anymore. I can no longer browse the machine above, a Samba server but not a PDC, running 1.9.18p7 with security=server and password server = (our Samba PDC server). Browsing gets "access denied" but mounting works fine using NET USE. I'll put the log in http://demog.berkeley.edu/~aperrin/samba.twins.log for your reading enjoyment :) Thanks! --------------------------------------------------------------------- Andrew J. 
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Wed, 20 May 1998, Jean-Francois Micouleau wrote: > On Thu, 21 May 1998, Andrew Perrin - Demography wrote: > > Has anyone figured out a pattern and/or a preventative measure for the > > phenomenon of machines spontaneously not having valid machine accounts? > > It seems to happen every once in a while, and you have to un-join the > > domain and then re-join it; kind of a bother. > > When you have this problem, could you stop smbd and restart it with a > debug level of 100, turn off and on the workstation, try to login again ? > > and make the log available by ftp or http ? > > Jean Francois > > ----------------------------------------------------------- > Pinky: "What are we going to do tonight, Brain?" > Brain: "The same thing we do every night, Pinky : > try to install Windows NT !" > ----------------------------------------------------------- > From infotecn at tin.it Thu May 21 15:41:54 1998 From: infotecn at tin.it (Sbragion Denis) Date: Tue Dec 2 02:24:10 2003 Subject: Use of Samba Message-ID: <3.0.5.32.19980521174154.008b4500@MBox.InfoTecna.com> Hello, here are my two cents on Samba use. We are a small italian company that develops custom made software. We use Linux + Samba as our main server. Only 4 Win95 + 1 Nt clients, but really heavy loaded network (we transfer about 4 gig over the wire every week). The Linux server does all kind of work (DBMS Server, Internet connectivity, Intranet services, fax services + answering machine, automated backups, all sorts of tests, etc) with a single P150 and 32 Mb of ram without any problem. We have 8 of our customers with the same environment installed. 
Most of them have *never* reported even a single problem in a year, so we plan to change all the server with Win NT else we have nothing to work on ;) In our spare time we are developing a Samba interface to HylaFAX that we plan to put in the public domain, but please don't start asking when it will be released: we really don't know! Bye! Dr. Sbragion Denis InfoTecna Tel, Fax: +39 39 2324054 URL: http://space.tin.it/internet/dsbragio From lkcl at switchboard.net Thu May 21 16:32:24 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:10 2003 Subject: Update: Machine accounts invalid In-Reply-To: Message-ID: On Thu, 21 May 1998, Kevin Currie wrote: > > > As a stepping stone, how about having it reset the machine > > > password for an account that is already there, > > > > the "add" and "modify" SAM account info dce/rpc calls are encrypted: see > > above answer. > > Well, smbpasswd reads the smb.conf file, how about just having the > "machine reset users = " parameter be interpreted by smbpasswd so that > non-root users can reset the machine (and only machine) account passwords? you mean, make them an equivalent of an "NT SAM administrator"? From jallison at whistle.com Thu May 21 16:53:23 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:10 2003 Subject: Update: Machine accounts invalid References: Message-ID: <35645C03.167B5E45@whistle.com> Kevin Currie wrote: > > Well, smbpasswd reads the smb.conf file, how about just having the > "machine reset users = " parameter be interpreted by smbpasswd so that > non-root users can reset the machine (and only machine) account passwords? > We can't do that as it would be the biggest security hole this side of the buffer overrun problem in Samba 1.9.17p1 and all previous versions :-). 
If anyone could do that I could write code that would allow anyone sniffing the network to get plaintext equivalent passwords from the next user who logs onto that NT workstation (come to think of it I could do that anyway, but this makes it even easier, as you can select a machine target and force it at a particular time :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Thu May 21 16:50:34 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:10 2003
Subject: Update: Machine accounts invalid
References:
Message-ID: <35645B5A.1766B09C@whistle.com>

Kevin Currie wrote:
>
> When I say rebuild, I'm talking about a format of the HDD... which
> in a lab environment tends to happen quite often, especially since MS uses
> this damn registry thing. It is far easier to "clone" an image of a HDD
> around the lab than go to 100 computers and individually fix little bugs.
>

When you reformat the HD you have lost the machine account password. When you reload from a previous 'clone' snapshot you have re-loaded a previous machine account password. As this was randomly generated on the machine you made the snapshot on there is no way for the Samba PDC to know what that password was, hence the 'bad password in domain' message.

Your only option other than re-entering the domain is to dump out the machine password using Paul Ashton's lsadump, and manually edit this into the Samba PDC machine account password.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From scrappy at hub.org Thu May 21 17:13:29 1998
From: scrappy at hub.org (The Hermit Hacker)
Date: Tue Dec 2 02:24:10 2003
Subject: pam_ntdom on other then Linux?
Message-ID:

Specifically, has anyone gotten it to compile under Solaris 2.6?

I'm slowly plugging away at it, but if someone is already there...? :)

Basically, I want to get the pam module working so that I can authenticate from an NT server for Samba on a Solaris machine...

Thanks...

From x7currie at lab2.cc.wmich.edu Thu May 21 17:13:37 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:10 2003
Subject: Update: Machine accounts invalid
In-Reply-To: <35645B5A.1766B09C@whistle.com>
Message-ID:

> Your only option other than re-entering the
> domain is to dump out the machine password
> using Paul Ashton's lsadump, and manually
> edit this into the Samba PDC machine account
> password.

That's the problem... I cannot re-enter the domain until I do a "smbpasswd -m machine machine" on the Samba PDC, which has to be run as root. I'd like to see a way to get the machine password to be able to be reset by a lower security user (such as a grad assistant, lab tech, etc) so that they can fix a downed machine without having to contact someone with root access to the campus network.

Kevin Currie

From x7currie at lab2.cc.wmich.edu Thu May 21 17:18:32 1998
From: x7currie at lab2.cc.wmich.edu (Kevin Currie)
Date: Tue Dec 2 02:24:10 2003
Subject: Update: Machine accounts invalid
In-Reply-To:
Message-ID:

> > Well, smbpasswd reads the smb.conf file, how about just having the
> > "machine reset users = " parameter be interpreted by smbpasswd so that
> > non-root users can reset the machine (and only machine) account passwords?
>
> you mean, make them an equivalent of an "NT SAM administrator"?

Not quite that far... That's not quite what I had in mind. What I'm looking at is the ability for a grad assistant, lab tech, etc.
to be able to set a machine password back to the machine name so that they can fix a downed computer without having to contact a campus sysadmin with root access. Kevin From jallison at whistle.com Thu May 21 17:16:30 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... References: Message-ID: <3564616E.3ACBBA@whistle.com> Tim Winders wrote: > > I just ran into a "problem" with the machine accounts requiring an entry > in the /etc/passwd file for account creating. On *MY* system, unix > account names can only be 8 characters. I have (had) an NT machine with > the name SUPPORT2 (8 character) but to create the unix account, I needed 9 > characters (SUPPORT2$) which wouldn't work. I created the account as > SUPPORT2 and changed the entry to SUPPORT2$ and then ran smbpasswd -a -m > support2 support2 but the NT machine said it could login because the > account in the domain didn't exist or the password didn't match. I ended > up changing the machine name to SUP2 and adding the appropriate entries > and this worked... > As a matter of interest, which UNIX is this ? > Hey! Wait a minute... now that I look again at my /etc/passwd file, there > are NO machine entries there... does smbpasswd REMOVE the entries from > /etc/passwd when the machine account is created? > No - smbpasswd never touches the /etc/passwd file. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From twinders at SPC.cc.tx.us Thu May 21 17:30:33 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... 
In-Reply-To: <3564616E.3ACBBA@whistle.com> Message-ID: On Thu, 21 May 1998, Jeremy Allison wrote: > Tim Winders wrote: > > > > I just ran into a "problem" with the machine accounts requiring an entry > > in the /etc/passwd file for account creating. On *MY* system, unix > > account names can only be 8 characters. I have (had) an NT machine with > > the name SUPPORT2 (8 character) but to create the unix account, I needed 9 > > characters (SUPPORT2$) which wouldn't work. I created the account as > > SUPPORT2 and changed the entry to SUPPORT2$ and then ran smbpasswd -a -m > > support2 support2 but the NT machine said it could login because the > > account in the domain didn't exist or the password didn't match. I ended > > up changing the machine name to SUP2 and adding the appropriate entries > > and this worked... > > > > As a matter of interest, which UNIX is this ? Digital Unix 4.0D > > > Hey! Wait a minute... now that I look again at my /etc/passwd file, there > > are NO machine entries there... does smbpasswd REMOVE the entries from > > /etc/passwd when the machine account is created? > > > > No - smbpasswd never touches the /etc/passwd file. OK, now I am VERY confused. I ran the unix adduser utility and added the new user called sup2$ (the new name of my machine). I verified the entry WAS in /etc/passwd. I then IMMEDIATELY ran smbpasswd -a -m sup2 sup2 and the samba private/smbpasswd file was updated to relfect the new sup2$ machine account. I could then login with the NT box. I then checked the /etc/passwd file and there were NO machine account entries... 
=== Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From lkcl at switchboard.net Thu May 21 17:47:49 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Fri, 22 May 1998, Andrew Perrin - Demography wrote: > Well, this morning I did a cvs update and now the machine logs in okay -- > but something else broke, and since I now have a level 100 debug log I'll > let y'all know anyway. There are three issues currently unresolved, all > of which should show up in this log: > > 1.) the "detected a slow network connection" dialog on login, asking if > the user wants to download the profile or use a local one: this will happen when log levels are high. will go away if you run at log level 1. don't worry about it. > 2.) Can't connect to *any* shares on the PDC except those set guest only > -- all others get invalid password errors. Until today, it worked fine to > connect to a share on another Samba server in the domain with security = > server use "security = domain". add the other samba server to the domain just as if it was an nt workstation (smbpasswd -a -m other_samba_server's_name). > and password server = . HOWEVER, > > 3.) Today's new issue is that the scheme above doesn't work quite right > anymore. I can no longer browse the machine above, a Samba server but > not a PDC, running 1.9.18p7 with security=server and password server = > (our Samba PDC server). Browsing gets "access denied" but mounting works > fine using NET USE. send us sone smb.conf files to the list: let's have a look. > > I'll put the log in http://demog.berkeley.edu/~aperrin/samba.twins.log > for your reading enjoyment :) > > Thanks! 
> > --------------------------------------------------------------------- > Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support > Department of Demography - University of California at Berkeley > 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA > http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 > > On Wed, 20 May 1998, Jean-Francois Micouleau wrote: > > > On Thu, 21 May 1998, Andrew Perrin - Demography wrote: > > > Has anyone figured out a pattern and/or a preventative measure for the > > > phenomenon of machines spontaneously not having valid machine accounts? > > > It seems to happen every once in a while, and you have to un-join the > > > domain and then re-join it; kind of a bother. > > > > When you have this problem, could you stop smbd and restart it with a > > debug level of 100, turn off and on the workstation, try to login again ? > > > > and make the log available by ftp or http ? > > > > Jean Francois > > > > ----------------------------------------------------------- > > Pinky: "What are we going to do tonight, Brain?" > > Brain: "The same thing we do every night, Pinky : > > try to install Windows NT !" > > ----------------------------------------------------------- > > > > From kfleming at access-laserpress.com Thu May 21 17:48:23 1998 From: kfleming at access-laserpress.com (Kevin P. Fleming) Date: Tue Dec 2 02:24:10 2003 Subject: Use of Samba References: <3.0.5.32.19980521174154.008b4500@MBox.InfoTecna.com> Message-ID: <356468E7.3042235F@access-laserpress.com> I've got two machines here, one dual P120 running RH Linux 4.2 with Samba-prealpha running as a domain member server, the other an UltraSparc 2 dual 250 running Solaris 2.5.1 with Samba-prealpha also as a domain member server. There is a Digital AlphaServer 4000 as the PDC for this domain running NT4.0, with 10 NT4.0 workstations. 
From jallison at whistle.com Thu May 21 17:41:51 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... References: Message-ID: <3564675F.FE636D3F@whistle.com> Tim Winders wrote: > > > OK, now I am VERY confused. I ran the unix adduser utility and added the > new user called sup2$ (the new name of my machine). I verified the entry > WAS in /etc/passwd. I then IMMEDIATELY ran smbpasswd -a -m sup2 sup2 and > the samba private/smbpasswd file was updated to relfect the new sup2$ > machine account. I could then login with the NT box. I then checked the > /etc/passwd file and there were NO machine account entries... > Well whoever did it wasn't smbpasswd. I defy you to find code in there that writes to /etc/passwd :-). Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From twinders at SPC.cc.tx.us Thu May 21 18:21:04 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:10 2003 Subject: Long machine names... In-Reply-To: <3564675F.FE636D3F@whistle.com> Message-ID: On Thu, 21 May 1998, Jeremy Allison wrote: > Tim Winders wrote: > > > > > > OK, now I am VERY confused. I ran the unix adduser utility and added the > > new user called sup2$ (the new name of my machine). I verified the entry > > WAS in /etc/passwd. I then IMMEDIATELY ran smbpasswd -a -m sup2 sup2 and > > the samba private/smbpasswd file was updated to relfect the new sup2$ > > machine account. I could then login with the NT box. I then checked the > > /etc/passwd file and there were NO machine account entries... > > > > Well whoever did it wasn't smbpasswd. I defy you to find > code in there that writes to /etc/passwd :-). OK. 
I added the user phone$ and here's the entry in /etc/passwd

phone$:Nologin:1152:92:machine account:/usr/users/machine/phone$:/bin/false

(This machine ALREADY had a machine account and the unix user was removed somehow).

Next, I did smbpasswd -m phone phone and all is still OK in /etc/passwd.

So, edited private/smbpasswd and removed the phone$ entry. Then did:

# smbpasswd -a -m phone phone
smbpasswd: Added user phone$.

and the /etc/passwd file is STILL OK.

So, I changed MY UNIX passwd and everything is still OK. (arrrgh!)

So, then I remembered that we are running the Digital Internet Locker management suite. So, I created a temporary user using that software and SON OF A B*TCH, the phone$ entry was GONE. There must be a "bug/problem/something" with usernames with $ in the account name and they are getting stripped from the /etc/passwd file when the new account is created.

But, here is a problem... That account goes away, but their files (spool/home directory etc) are LEFT and then that UID gets used again!

I guess I have to talk to digital...

=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From tavis at mahler.econ.columbia.edu Thu May 21 18:35:15 1998
From: tavis at mahler.econ.columbia.edu (Tavis Barr)
Date: Tue Dec 2 02:24:10 2003
Subject: Roll Call
In-Reply-To: <19980521135357.42456@maunsell.co.uk>
Message-ID:

On Thu, May 21, 1998 at 11:47:56AM +0000, Luke Kenneth Casson Leighton wrote:
> so would i. can i ask people the favour of doing a "roll-call" of their
> site topology / number of samba pdc servers / number of nt 3.51 / 4.0
> workstations?

So far I'm just testing things out on a pair of old Sparcs running SunOS 4.1.4 and two NT workstations on the same subnet.
Soon I'll be moving it to 3-4 Alpha servers (one PDC that currently functions as our NIS and xdmcp server too) running Digital Unix and about 20 PCs on 4 subnets running NTW 4.0 (mostly Intel clients, some Alpha). Our users (including me) are social science researchers (roughly 50 but soon to be about 150, about half professors half grad students) and currently use the servers mostly for statistics; once the clients are installed, we will just have basic office software on them.

Cheers,
Tavis

From aperrin at demog.Berkeley.EDU Thu May 21 18:44:38 1998
From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography)
Date: Tue Dec 2 02:24:10 2003
Subject: Bad machine accounts
In-Reply-To:
Message-ID:

OK, here's the full info. Background:
1.) BOSERUP, a Solaris 2.6 machine running Samba-1.9.19-prealpha as a PDC for domain SANDBOX.
2.) BLAKE, a Solaris 2.6 machine running Samba-1.9.18p7 as a member of the SANDBOX domain.
3.) KITAGAWA, a Windows NT 4.0(SP3) machine as a member of the SANDBOX domain.

KITAGAWA can log into the domain fine; however, it cannot:
- get any shares whatsoever from BOSERUP (invalid password); or
- browse BLAKE (but it *can* NET USE \\blake\homes).

BOSERUP:smb.conf:

[global]
  workgroup = SANDBOX
  smbrun = /usr/LOCAL/samba/bin/smbrun
  lock dir = /usr/LOCAL/samba/var/locks
  debug level = 10
  log file = /var/log/samba.%m.log
  wins support = no
  wins server =
  os level = 100
  domain master = yes
  time server = true
  unix realname = yes
  preferred master = yes
  load printers = no
  hide dot files = no
  revalidate = yes
  default service = homes
  encrypt passwords = yes
  domain logons = yes
  domain sid = S-1-5-21-123-456-789 ; sorry to be so boring
  security = user
  case sensitive = no
  preserve case = yes
  short preserve case = yes
; The following deal with roaming profiles. Currently configured to send
; them to utility\username as drive Y:.
  logon drive = Y:
  logon home = \\blake\%U
  logon path = \\blake\ntprofile\.ntprofile
  logon script = init.bat
  domain admin users = ntadmin
; Added the following at the suggestion of luke from the samba team 5/8/98
  domain groups = admins

[homes]
  guest ok = no
  read only = no
  browseable = yes
  wide links = yes
  printable = no
  create mask = 0775
  Comment = Home Directory (%U)

[test]
  guest ok = yes
  read only = no
  browseable = yes
  wide links = yes
  printable = no
  path = /usr/LOCAL/samba-test
  Comment = Sandbox Test Share

[netlogon]
  path = /usr/LOCAL/netlogon
  writeable = no
  guest ok = yes
  locking = no

BLAKE: smb.conf

[global]
  workgroup = SANDBOX
  smbrun = /usr/LOCAL/samba/bin/smbrun
  lock dir = /usr/LOCAL/samba/var/locks
  debug level = 1
  wins support = no
  wins server =
  os level = 0
  preferred master = no
  domain logons = no
  encrypt passwords = yes
  security = server ; just got the =domain recc. and will try.
  password server = boserup
  log file = /var/log/samba.%m.log
  load printers = no
  hide dot files = no
  default service = homes
  time server = true
  guest account = nobody

[homes]
  guest ok = no
  read only = no
  browseable = yes
  wide links = yes
  printable = no
  Comment = Home Directory (%U)

[ntprofile]
  guest ok = no
  read only = no
  browseable = yes
  wide links = yes
  printable = no
  path = /home/davis/hdir1/%U
  Comment = Profile Directory (%U)

[test]
  guest ok = no
  read only = no
  browseable = yes
  wide links = yes
  path = /usr/LOCAL/samba
  Comment = Test Directory

[pdf]
  guest ok = no
  read only = no
  browseable = yes
  wide links = yes
  printable = yes
  print command = cat %s | /usr/local/bin/distill > %H/distilled.pdf ; rm %s
  path = /tmp
  printer driver = Apple LaserWriter II NT v47.0

---------------------------------------------------------------------
Andrew J.
Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Thu, 21 May 1998, Luke Kenneth Casson Leighton wrote:
> > 3.) Today's new issue is that the scheme above doesn't work quite right
> > anymore. I can no longer browse the machine above, a Samba server but
> > not a PDC, running 1.9.18p7 with security=server and password server =
> > (our Samba PDC server). Browsing gets "access denied" but mounting works
> > fine using NET USE.
>
> send us some smb.conf files to the list: let's have a look.

From cartegw at Eng.Auburn.EDU Thu May 21 18:47:09 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:10 2003
Subject: Update: Machine accounts invalid
References:
Message-ID: <356476AD.E84028B0@eng.auburn.edu>

Kevin Currie wrote:
>
> Not quite that far... That's not quite what I had in mind.
> What I'm looking at is the ability for a grad assistant, lab tech,
> etc. to be able to set a machine password back to the machine name so
> that they can fix a downed computer without having to contact a campus
> sysadmin with root access.

OK. Why not use something like sudo to give access to smbpasswd or write some other frontend that acts as a menu system for labmon to run. That's what we do here so that they can do things like kill errant processes and clean print queues.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services
Auburn University
jerry@eng.auburn.edu
http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 ) From x7currie at lab2.cc.wmich.edu Thu May 21 18:56:57 1998 From: x7currie at lab2.cc.wmich.edu (Kevin Currie) Date: Tue Dec 2 02:24:10 2003 Subject: Update: Machine accounts invalid In-Reply-To: <356476AD.E84028B0@eng.auburn.edu> Message-ID: > OK. Why not use something like sudo to give access to to smbpasswd or > write someother fronend that acts as a menu system for labmon to run. > That's what we do here so that they can do things like kill errant > processes and clean print queues. I'm going to see if he'll put a .rhosts file in each machine account's home directory and that will let an account do an rlogin w/o a password... We'll see. They keep that server locked up pretty tight. Kevin From airlied at skynet.csn.ul.ie Thu May 21 19:38:13 1998 From: airlied at skynet.csn.ul.ie (Dave Airlie) Date: Tue Dec 2 02:24:10 2003 Subject: pam_ntdom on other then Linux? In-Reply-To: Message-ID: There isn't that much to it .. in the toplevel Makefile add -DSUNOS5 to the CFLAGS and add the line LD_D = ld -B dynamic -G somewhere at the top.. make sure you have GNU make, and also add the line #define LOG_AUTHPRIV (4<<3) somewhere in the top of pam_ntdom_auth.c this compiles for me under Solaris 2.6 with the SUNPro compiler, I'd imagine gcc should be no different, It gives me some warnings which I have ignored and I can't say it will work ... I might give a go something rsn :-) at updating pam_ntdom with configure support as I have done with pam_smb, I'll check out a copy from CVS and play around with sometime next week .. Dave. On Fri, 22 May 1998, The Hermit Hacker wrote: > > Specifically, has anyone gotten it to compile under Solaris 2.6? > > I'm slowly plugging away at it, but if someone is already there...? :) > > Basically, I want to get the pam module working so that I can authenticate > from an NT server for Samba on a Solaris machine... > > Thanks... 
> > ------------ David Airlie, David.Airlie@ul.ie,airlied@skynet -------- Telecommunications Research Centre, ECE Dept, University of Limerick \ http://www.csn.ul.ie/~airlied -- Computer Engineering Postgrad \ --- TEL: +353-61-202695 ----------------------------------------------- From twot at server1.netpath.net Thu May 21 19:40:37 1998 From: twot at server1.netpath.net (No Telling) Date: Tue Dec 2 02:24:10 2003 Subject: SMB errors on NT network Message-ID: I did a few network traces on our NT network and found some rather impressive errors in the SMB packets. I'm getting STATUS_SHARING_VIOLATION erros, and STATUS_LOCK_NOT_GRANTED errors in the SMB packets. These occur when trying to load files from the NT server. I assume this to be better fitted on samba@samba.anu.edu.au so i cc'ed it over there as well. I apologize for the inappropriate traffic. However, is there anything else i can do to see where these errors would even occur? i'm open for ideas. thanks a bunch! -- Duane Toler twot@netpath.net detoler@ifgcompanies.com From kfleming at access-laserpress.com Thu May 21 20:15:51 1998 From: kfleming at access-laserpress.com (Kevin P. Fleming) Date: Tue Dec 2 02:24:10 2003 Subject: Samba NTDOM printing? Message-ID: <35648B77.8BC293C3@access-laserpress.com> How does the current NTDOM work affect Samba's printing capabilities? I've currently got printing working fine (from an NT4.0 Workstation) if I copy a file directly to the queue using a command line copy command, or if I do a NET USE to the printer to capture an LPT port. However, trying to actually set up the printer on my workstation, even though it appears just fine in the browse list, results in "Cannot add printer. The printer name is invalid.". I vaguely remember seeing something about this on the list, but can't remember for sure... Also, what do most people use as the permissions on their Samba print-spool directory? 
From jallison at whistle.com Thu May 21 20:15:21 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts References: Message-ID: <35648B59.5F0BEB5D@whistle.com> Andrew Perrin - Demography wrote: > > OK, here's the full info. Background: > 1.) BOSERUP, a Solaris 2.6 machine running Samba-1.9.19-prealpha as a PDC > for domain SANDBOX. > 2.) BLAKE, a Solaris 2.6 machine running Samba-1.9.18p7 as a member of the > SANDBOX domain. > 3.) KITAGAWA, a Windows NT 4.0(SP3) machine as a member of the SANDBOX > domain. > > KITAGAWA can log into the domain fine; however, it cannot: > - get any shares whatsoever from BOSERUP (invalid password); or > - browse BLAKE (but it *can* NET USE \\blake\homes). > Can you send (or make available) debug level 10 logs of the user who logged into KITAGAWA attempting to browse BOSERUP, and BLAKE, please ? Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From cartegw at Eng.Auburn.EDU Thu May 21 21:44:53 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:10 2003 Subject: Netscape4 profile on 1.9.19alpha drive Message-ID: <3564A055.C441D671@eng.auburn.edu> Here we go again.... OK. I agree this is weird but I am betting that it has something to do with the wildcard changes that breaks netscape4 profiles for IMAP4 client configurations. Here's the scenario. Server : Solaris 2.5.1 Problem : Netscape 4.05 configured as an IMAP4 client Client OS Samba version work --------- ------------- ---- Win98 1.9.19alpha no WinNT4.0 1.9.19alpha no WinNT4.0 1.9.18p7 yes Win98 1.9.18p7 yes Win98 1.9.18p4 yes I can go into details if anyone wishes. 
The general idea problem is that netscape does not open the INBOX in /var/mail but rather looks for inbox in whatever the remote mail folder directory is set to. The log files ( at debug level 10...I can get high if neccessary ) are at http://www.eng.auburn.edu/users/cartegw/log.net4.bad http://www.eng.auburn.edu/users/cartegw/log.net4.good respectively and are from a run on WinNT4.0 Wks against 1.9.19alpha share and a 1.9.18p7 share. Just to clarify, Netscape **is** installed local to the PC and the netscape profile is located on the samba share ( ie. [homes] ). BTW....Things like 'cd the_*' work great! Thanks. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Thu May 21 21:59:18 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:10 2003 Subject: Netscape4 profile on 1.9.19alpha drive References: <3564A055.C441D671@eng.auburn.edu> Message-ID: <3564A3B5.16B90C46@eng.auburn.edu> Gerald Carter wrote: > > > http://www.eng.auburn.edu/users/cartegw/log.net4.bad > http://www.eng.auburn.edu/users/cartegw/log.net4.good > Just an update. The location of the log files is at ftp://ftp.eng.auburn.edu/pub/cartegw/log.net4.bad (~3.5Mb ) ftp://ftp.eng.auburn.edu/pub/cartegw/log.net4.good (~743Kb ) rather than http:// Sorry, j- -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From aperrin at demog.Berkeley.EDU Thu May 21 22:23:33 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: <35648B59.5F0BEB5D@whistle.com> Message-ID: Well, blake now browses okay, so I'll skip those. Logs available for your reading pleasure on the web are: 1.) boserup (the pdc) when aperrin logs into kitagawa: http://demog.berkeley.edu/~aperrin/bos.connect.log 2.) blake when aperrin logs into kitagawa: http://demog.berkeley.edu/~aperrin/bla.connect.log 3.) boserup when aperrin tries to connect to \\boserup\aperrin or \\boserup\homes: http://demog.berkeley.edu/~aperrin/bos.usehome.log Thanks- ap --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Thu, 21 May 1998, Jeremy Allison wrote: > Andrew Perrin - Demography wrote: > > > > OK, here's the full info. Background: > > 1.) BOSERUP, a Solaris 2.6 machine running Samba-1.9.19-prealpha as a PDC > > for domain SANDBOX. > > 2.) BLAKE, a Solaris 2.6 machine running Samba-1.9.18p7 as a member of the > > SANDBOX domain. > > 3.) KITAGAWA, a Windows NT 4.0(SP3) machine as a member of the SANDBOX > > domain. > > > > KITAGAWA can log into the domain fine; however, it cannot: > > - get any shares whatsoever from BOSERUP (invalid password); or > > - browse BLAKE (but it *can* NET USE \\blake\homes). > > > > Can you send (or make available) debug level 10 logs of > the user who logged into KITAGAWA attempting to browse > BOSERUP, and BLAKE, please ? > > Jeremy. 
> > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- > From jallison at whistle.com Thu May 21 22:15:16 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:10 2003 Subject: Netscape4 profile on 1.9.19alpha drive References: <3564A055.C441D671@eng.auburn.edu> Message-ID: <3564A774.8F02F93E@whistle.com> Gerald Carter wrote: > > The log files ( at debug level 10...I can get high if neccessary ) are > at I just took a look: > > http://www.eng.auburn.edu/users/cartegw/log.net4.bad ^^^^ This does not look like a Samba log. > http://www.eng.auburn.edu/users/cartegw/log.net4.good ^^^^ This is flagged as unavailable. Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From lkcl at switchboard.net Thu May 21 22:31:49 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:10 2003 Subject: pam_ntdom on other then Linux? In-Reply-To: Message-ID: On Fri, 22 May 1998, The Hermit Hacker wrote: > > Specifically, has anyone gotten it to compile under Solaris 2.6? > > I'm slowly plugging away at it, but if someone is already there...? :) please do: i don't have access to solaris. From lkcl at switchboard.net Thu May 21 22:35:22 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:10 2003 Subject: Bad machine accounts In-Reply-To: Message-ID: On Thu, 21 May 1998, Andrew Perrin - Demography wrote: > OK, here's the full info. Background: > 1.) BOSERUP, a Solaris 2.6 machine running Samba-1.9.19-prealpha as a PDC > for domain SANDBOX. > 2.) BLAKE, a Solaris 2.6 machine running Samba-1.9.18p7 as a member of the > SANDBOX domain. > 3.) 
KITAGAWA, a Windows NT 4.0(SP3) machine as a member of the SANDBOX > domain. > > KITAGAWA can log into the domain fine; however, it cannot: > - get any shares whatsoever from BOSERUP (invalid password); or > - browse BLAKE (but it *can* NET USE \\blake\homes). > > BOSERUP:smb.conf: > [global] > domain sid = S-1-5-21-123-456-789 ; sorry to be so boring there are going to be lots of these... > [netlogon] > path = /usr/LOCAL/netlogon > writeable = no > guest ok = yes guest ok = no. always. on [netlogon]. in fact, guest ok = no everywhere unless you really must. looks fine to me, smb.conf-wise... From aperrin at demog.Berkeley.EDU Thu May 21 22:44:23 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:10 2003 Subject: security=domain bombs Message-ID: On advice of helpful folks from the list, I tried to switch our Samba server from security=server with password server = over to security=domain. I get invalid password errors when connecting from NT, and Session Setup failure when using smbclient. Once I also got "Your server software is being unfriendly" from smbclient. Transcript of smbclient: #@davis:/usr/local/src/ntdom/source>./smbclient '\\blake\aperrin' -U aperrin -W SANDBOX Server time is Thu May 21 15:37:17 1998 Timezone is UTC-7.0 Password: Session setup failed for username=aperrin myname=UTILITY destname=BLAKE ERRSRV - ERRbadpw (Bad password - name/password pair in a Tree Connect or Session Setup are invalid.) You might find the -U, -W or -n options useful Sometimes you have to use `-n USERNAME' (particularly with OS/2) Some servers also insist on uppercase-only passwords Solaris 2.6, samba-1.9.19prealpha this morning's cvs. smb conf's follow; logs are available at: 1.) NT to Samba, logs from PDC server: http://demog.berkeley.edu/~aperrin/bos.twins.log http://demog.berkeley.edu/~aperrin/bos.smb.log 2.) 
NT to Samba, logs from server serving homes: http://demog.berkeley.edu/~aperrin/bla.twins.log http://demog.berkeley.edu/~aperrin/bla.smb.log 3.) smbclient to Samba, log from home server: http://demog.berkeley.edu/~aperrin/bla.utility.log BLAKE: smb.conf (homes server): [global] workgroup = SANDBOX smbrun = /usr/LOCAL/samba/bin/smbrun lock dir = /usr/LOCAL/samba/var/locks debug level = 10 wins support = no wins server = 128.32.163.196 os level = 0 preferred master = no domain logons = no encrypt passwords = yes security = domain ; password server = boserup log file = /var/log/samba.%m.log load printers = no hide dot files = no default service = homes time server = true guest account = nobody [homes] guest ok = no read only = no browseable = yes wide links = yes printable = no Comment = Home Directory (%U) [ntprofile] guest ok = no read only = no browseable = yes wide links = yes printable = no path = /home/davis/hdir1/%U Comment = Profile Directory (%U) [test] guest ok = no read only = no browseable = yes wide links = yes path = /usr/LOCAL/samba Comment = Test Directory [pdf] guest ok = no read only = no browseable = yes wide links = yes printable = yes print command = cat %s | /usr/local/bin/distill > %H/distilled.pdf ; rm %s path = /tmp printer driver = Apple LaserWriter II NT v47.0 BOSERUP: smb.conf (PDC) [global] workgroup = SANDBOX smbrun = /usr/LOCAL/samba/bin/smbrun lock dir = /usr/LOCAL/samba/var/locks debug level = 10 log file = /var/log/samba.%m.log wins support = no wins server = 128.32.163.196 os level = 100 domain master = yes time server = true unix realname = yes preferred master = yes load printers = no hide dot files = no revalidate = yes default service = homes encrypt passwords = yes domain logons = yes domain sid = S-1-5-21-123-456-789 security = user case sensitive = no preserve case = yes short preserve case = yes ; The following deal with roaming profiles. Currently configured to send ; them to utility\username as drive Y:. 
logon drive = Y: logon home = \\blake\%U logon path = \\blake\ntprofile\.ntprofile logon script = init.bat domain admin users = ntadmin ; Added the following at the suggestion of luke from the samba team 5/8/98 domain groups = admins [homes] guest ok = no read only = no browseable = yes wide links = yes printable = no create mask = 0775 Comment = Home Directory (%U) [test] guest ok = yes read only = no browseable = yes wide links = yes printable = no path = /usr/LOCAL/samba-test Comment = Sandbox Test Share [netlogon] path = /usr/LOCAL/netlogon writeable = no guest ok = yes locking = no --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 From abs at maunsell.co.uk Thu May 21 22:58:01 1998 From: abs at maunsell.co.uk (Andy Smith) Date: Tue Dec 2 02:24:10 2003 Subject: UNIX full name Message-ID: <19980521235801.20219@maunsell.co.uk> Hello, I just noticed in the 'Windows NT Security' window (Ctrl-alt-del), my logged in details record me as ' is logged in as FOO\abs' in one subnet, but 'uid no Body is logged in as FOO\abs' in others. The samba PDC is Solaris 2.5.1 in both cases, but either way, I was assuming that setting unix realname = yes would get my GCOS field, certainly not the GECOS field of the passwd entry for uid = 60001. Does anyone else get this as well? Thanks -- _ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565 /_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723 ( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk / England. 
-or- abs@maunsl00.demon.co.uk

From jallison at whistle.com Thu May 21 23:16:47 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:10 2003
Subject: Bad machine accounts
References:
Message-ID: <3564B5DF.C2101987@whistle.com>

Andrew Perrin - Demography wrote:
>
> Well, blake now browses okay, so I'll skip those. Logs available for your
> reading pleasure on the web are:
>
> 1.) boserup (the pdc) when aperrin logs into kitagawa:
> http://demog.berkeley.edu/~aperrin/bos.connect.log
> 2.) blake when aperrin logs into kitagawa:
> http://demog.berkeley.edu/~aperrin/bla.connect.log
> 3.) boserup when aperrin tries to connect to \\boserup\aperrin or
> \\boserup\homes:
> http://demog.berkeley.edu/~aperrin/bos.usehome.log
>

Phew - nailed it. That one was a *bastard* to find.

The problem is you have 'revalidate = true' set
in your smb.conf global section on BOSERUP. This is
interacting badly with the 'security=user' parameter -
as it really is meant to be used for security=share
settings.

What happens is that the tconX call is made with
no password, as you have already given a valid
encrypted password in the sessionsetupandX.

The default tconX case with no password is
this piece of code in password.c

    /* check for a previously validated username/password pair */
    if (!ok && !lp_revalidate(snum) &&
        (vuser != 0) && !vuser->guest &&
        user_ok(vuser->name,snum)) {
        fstrcpy(user,vuser->name);
        *guest = False;
        DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
        ok = True;
    }

Note that having revalidate set screws it up, as
it causes this code not to be executed.

I'll check with Andrew for the exact meaning of the
revalidate parameter, as I think it may be redundant
with security=user, in which case we can replace this
code with

    && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&....

But this is a security sensitive change so I'll not
make it lightly.

Jeremy.
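An added example, not part of the thread and not Samba's testparm: a small smb.conf check for the two settings discussed here, `revalidate` enabled under a security mode above share level and `guest ok = yes` on shares, with [netlogon] rated highest. The sample config is constructed from the BOSERUP settings quoted in the thread; the function names and severity labels are assumptions of this example.

```python
import re

# Constructed sample, modelled on the BOSERUP smb.conf quoted in this thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SANDBOX
   revalidate = yes
   encrypt passwords = yes
   domain logons = yes
   security = user
; roaming profile settings omitted

[homes]
   guest ok = no
   read only = no

[test]
   guest ok = yes
   path = /usr/LOCAL/samba-test

[netlogon]
   path = /usr/LOCAL/netlogon
   writeable = no
   guest ok = yes
"""

TRUE_WORDS = {"yes", "true", "1"}
# Modes for which the proposed test `lp_security() > SEC_SHARE` holds
# (assumes the ordering share < user < server < domain).
ABOVE_SHARE = {"user", "server", "domain"}


def norm_key(key):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf string."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm_key(key)] = value.strip()
    return sections


def is_true(value):
    return value is not None and value.strip().lower() in TRUE_WORDS


def guest_allowed(params, glob):
    """Effective 'guest ok' for a share; 'public' is its synonym."""
    for scope in (params, glob):  # share setting wins over [global]
        for key in ("guestok", "public"):
            if key in scope:
                return is_true(scope[key])
    return False


def audit(text):
    """Return a list of (section, check, detail) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    # If 'security' is not set, no revalidate finding is raised: this
    # example does not assume a version-specific default.
    security = glob.get("security", "").lower()
    findings = []
    for name, params in conf.items():
        # Report revalidate where it is written, not on every inheriting share.
        if is_true(params.get("revalidate")) and security in ABOVE_SHARE:
            findings.append((name, "revalidate",
                             "revalidate set with security = " + security))
        if name != "global" and guest_allowed(params, glob):
            level = "high" if name == "netlogon" else "review"
            findings.append((name, "guest-ok", level))
    return findings


if __name__ == "__main__":
    for section, check, detail in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {check}: {detail}")
```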
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From tridge at samba.anu.edu.au Thu May 21 23:49:28 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:10 2003
Subject: Bad machine accounts
In-Reply-To: <3564B5DF.C2101987@whistle.com> (message from Jeremy Allison on Thu, 21 May 1998 16:16:47 -0700)
References: <3564B5DF.C2101987@whistle.com>
Message-ID: <19980521234931Z12671015-16620+7064@samba.anu.edu.au>

> I'll check with Andrew for the exact meaning of the
> revalidate parameter, as I think it may be redundant
> with security=user, in which case we can replace this
> code with
>
> && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&....

yep, that would be good. revalidate was intended for share level
security and is basically useless for user level security.

I suggest we also add a testparm warning "WARNING; revalidate set with
user level security" and fix the smb.conf manpage entry for revalidate.

I wonder how many people have this set with user level security?

Andrew

From mhaigh at village.vut.edu.au Fri May 22 00:31:03 1998
From: mhaigh at village.vut.edu.au (Mick Haigh)
Date: Tue Dec 2 02:24:11 2003
Subject: Bad machine accounts
References: <19980521234931Z12671015-16620+7064@samba.anu.edu.au>
Message-ID: <3564C747.4F26BCA5@village.vut.edu.au>

Andrew Tridgell wrote:
> > I'll check with Andrew for the exact meaning of the
> > revalidate parameter, as I think it may be redundant
> > with security=user, in which case we can replace this
> > code with
> >
> > && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&....
>
> yep, that would be good. revalidate was intended for share level
> security and is basically useless for user level security.
> > I suggest we also add a testparm warning "WARNING; revalidate set with > user level security" and fix the smb.conf manpage entry for revalidate. > > I wonder how many people have this set with user level security? > I did suggest this to samba-bugs a while back, but I guess you guys never got to see it for some reason. Not to worry - tis done now. -------------- next part -------------- A non-text attachment was scrubbed... Name: vcard.vcf Type: text/x-vcard Size: 275 bytes Desc: Card for Mick Haigh Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980522/aea8682d/vcard.vcf From tridge at samba.anu.edu.au Fri May 22 00:40:19 1998 From: tridge at samba.anu.edu.au (Andrew Tridgell) Date: Tue Dec 2 02:24:11 2003 Subject: Bad machine accounts In-Reply-To: <3564C747.4F26BCA5@village.vut.edu.au> (message from Mick Haigh on Fri, 22 May 1998 10:31:03 +1000) References: <19980521234931Z12671015-16620+7064@samba.anu.edu.au> <3564C747.4F26BCA5@village.vut.edu.au> Message-ID: <19980522004026Z12583363-9284+7113@samba.anu.edu.au> > I did suggest this to samba-bugs a while back, but I guess you guys never > got to see it for some reason. Not to worry - tis done now. yeah, sorry. It's still in our incoming directory. we are way behind :( From jpr9c at cs.virginia.edu Fri May 22 12:39:35 1998 From: jpr9c at cs.virginia.edu (Scott Ruffner) Date: Tue Dec 2 02:24:11 2003 Subject: SAMBA-NTDOM digest 191 References: <19980522080548Z12600750-9284+7227@samba.anu.edu.au> Message-ID: <35657207.947A39B4@mail.cs.virginia.edu> > ------------------------------ > > Date: Thu, 21 May 1998 16:44:53 -0500 > From: Gerald Carter > Subject: Netscape4 profile on 1.9.19alpha drive > I can go into details if anyone wishes. The general idea problem is > that netscape does not open the INBOX in /var/mail but rather looks for > inbox in whatever the remote mail folder directory is set to. Wow! I have this same strange behavior, but I thought this was a result of a problem with Netscape. 
Our profiles are on both the Samba server and on local machines, and I get the same behavior...NT 4.0 WkSta and Samba 1.9.17p5 on Solaris 2.5.1. Just another data point... Scott -- Scott Ruffner Systems Engineer ruffner@cs.virginia.edu Computer Science Department 226E Olsson Hall University of Virginia (804)982-2219 From lkcl at switchboard.net Fri May 22 13:00:29 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: SAMBA-NTDOM digest 191 In-Reply-To: <35657207.947A39B4@mail.cs.virginia.edu> Message-ID: 1) create a defaultuser with junk name, junk everything *except* the profile location is \\cb1-gw\homes\netscape 2) copy the following file into all your users home directories, or modify it as appropriate: \\cb1-gw\homes\netscape\prefs.js: // Netscape User Preferences // This is a generated file! Do not edit. // LIES! ALL LIES! EDIT IT AS MUCH AS YOU LIKE!!!! lkcl // DISCLAIMER: EDIT IT AT YOUR OWN RISK :-) lkcl user_pref("browser.bookmark_columns_win", "v1 1 1:10000 2:2998 4:1999 3:1999"); user_pref("browser.bookmark_window_rect", "0,0,600,432"); user_pref("browser.cache.directory", "c:\\temp"); user_pref("browser.download_directory", "c:\\"); user_pref("browser.startup.homepage", "http://www.cb1.com/new/home.htm"); user_pref("browser.startup.homepage_override", false); user_pref("browser.url_history.URL_1", "http://www.gamefaqs.com"); user_pref("browser.url_history.URL_10", "www.yahoo.co.uk"); user_pref("browser.url_history.URL_11", "http://samba.anu.edu.au/listproc/samba/current"); user_pref("browser.url_history.URL_12", "http://samba.anu.edu.au/listproc/samba/urrent"); user_pref("browser.url_history.URL_13", "samba.anu.edu.au/listproc/samba/Current"); user_pref("browser.url_history.URL_14", "www.microsoft.com/"); user_pref("browser.url_history.URL_15", "http://ils2.microsoft.com/"); user_pref("browser.url_history.URL_2", "http://207.82.250.251/cgi-bin/start"); user_pref("browser.url_history.URL_3", 
"hotmail.com"); user_pref("browser.url_history.URL_4", "http://www.zkb.ch/"); user_pref("browser.url_history.URL_5", "ROCKETMAIL.COM/"); user_pref("browser.url_history.URL_6", "ROCKETMAIL.COM"); user_pref("browser.url_history.URL_7", "www.hotmail.com/"); user_pref("browser.url_history.URL_8", "http://www.yahoo.co.it"); user_pref("browser.url_history.URL_9", "http://www.yahoo.com"); user_pref("browser.wfe.show_value", 3); user_pref("browser.window_rect", "170,71,830,582"); user_pref("custtoolbar.has_toolbar_folder", false); user_pref("custtoolbar.personal_toolbar_folder", ""); user_pref("editor.author", "CB1 Cafe: lkcl"); user_pref("ldapList.version", 1); user_pref("ldap_1.directory1.filename", "abook.nab"); user_pref("ldap_1.directory2.filename", "X1NM5C2H.nab"); user_pref("ldap_1.directory3.filename", "XU7EPLP3.nab"); user_pref("ldap_1.directory3.searchBase", "c=US"); user_pref("ldap_1.directory4.filename", "XUAI3NCR.nab"); user_pref("ldap_1.directory5.filename", "XUJBD6N9.nab"); user_pref("ldap_1.directory6.filename", "XVSIKEMN.nab"); user_pref("ldap_1.end_of_directories", "9052416"); user_pref("mail.compose_window_rect", "22,22,607,422"); user_pref("mail.default_fcc", "\\cb1-gw\\homes\\mail\\sent"); user_pref("mail.identity.useremail", "lkcl@switchboard.net"); user_pref("mail.identity.username", "CB1 Cafe: lkcl"); user_pref("mail.imap.delete_is_move_to_trash", true); user_pref("mail.imap.server_sub_directory", "mail"); user_pref("mail.pop_name", "lkcl"); user_pref("mail.pop_password", "O6idIenfPg=="); user_pref("mail.remember_password", true); user_pref("mail.server_type", 1); user_pref("mail.thread_columns_win", "v1 6 5:23 2:3333 4:23 1:3333 3:1999 6:1331 12:23 7:749 8:749 10:493 9:493"); user_pref("mail.use_fcc", false); user_pref("mailnews.category_pane_width", 250); user_pref("mailnews.folder_columns_win", "v1 3 11:6000 10:2000 9:2000"); user_pref("mailnews.folder_window_rect", "109,0,600,432"); user_pref("mailnews.message_window_rect", "0,0,800,553"); 
user_pref("mailnews.profile_age", 1); user_pref("mailnews.thread_pane_height", 100); user_pref("mailnews.thread_window_rect", "0,54,600,411"); user_pref("mailnews.thread_window_showwindow", 3); user_pref("network.hosts.pop_server", "mailhost.cb1.com"); user_pref("network.hosts.smtp_server", "mailhost.cb1.com"); user_pref("news.default_fcc", "\\cb1-gw\\homes\\mail\\sent-mail"); user_pref("news.show_pretty_names", true); user_pref("news.subscribe.join_width", 83); user_pref("news.subscribe.name_width", 207); user_pref("news.subscribe.post_width", 82); user_pref("news.thread_columns_win", "v1 6 5:23 2:3334 4:23 1:3334 3:1999 6:1331 12:23 7:749 8:749 10:493 9:493"); user_pref("news.use_fcc", false); user_pref("security.warn_submit_insecure", false); user_pref("taskbar.floating", false); user_pref("taskbar.x", 652); user_pref("taskbar.y", 3); On Fri, 22 May 1998, Scott Ruffner wrote: > > ------------------------------ > > > Date: Thu, 21 May 1998 16:44:53 -0500 > > From: Gerald Carter > > Subject: Netscape4 profile on 1.9.19alpha drive > > I can go into details if anyone wishes. The general idea problem is > > that netscape does not open the INBOX in /var/mail but rather looks for > > inbox in whatever the remote mail folder directory is set to. > > Wow! I have this same strange behavior, but I thought this was a result > of a problem with Netscape. Our profiles are on both the Samba server > and on local machines, and I get the same behavior...NT 4.0 WkSta and > Samba 1.9.17p5 on Solaris 2.5.1. Just another data point... > > Scott > -- > Scott Ruffner Systems Engineer > ruffner@cs.virginia.edu Computer Science Department > 226E Olsson Hall University of Virginia > (804)982-2219 > alternatively, we modified the adduser script on freebsd to substitute %USER_NAME% with the username when ~USER_NAME/netscape/prefs.js was copied / created. 
luke From scrappy at hub.org Fri May 22 13:02:31 1998 From: scrappy at hub.org (The Hermit Hacker) Date: Tue Dec 2 02:24:11 2003 Subject: pam_ntdom on other then Linux? Message-ID: >There isn't that much to it .. >in the toplevel Makefile add >-DSUNOS5 to the CFLAGS >and add the line >LD_D = ld -B dynamic -G >somewhere at the top.. >make sure you have GNU make, and also add the line >#define LOG_AUTHPRIV (4<<3) >somewhere in the top of pam_ntdom_auth.c >this compiles for me under Solaris 2.6 with the SUNPro compiler, I'd >imagine gcc should be no different, >It gives me some warnings which I have ignored and I can't say it will >work ... I know this is just a technicality, but you say it compiles for you, but does it work? I'm getting the following when I try to telnet in: May 22 09:54:08 hades login: load_modules: can not open module /usr/lib/security/pam_ntdom_auth.so.1 With an /etc/pam.conf looking like: # PAM configuration # # Authentication management # login auth required /usr/lib/security/pam_unix.so.1 login auth required /usr/lib/security/pam_dial_auth.so.1 # rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1 rlogin auth required /usr/lib/security/pam_unix.so.1 # dtlogin auth required /usr/lib/security/pam_unix.so.1 # rsh auth required /usr/lib/security/pam_rhosts_auth.so.1 #other auth required /usr/lib/security/pam_ntdom_auth.so.1 other auth required /usr/lib/security/pam_unix.so.1 # # Account management # login account required /usr/lib/security/pam_unix.so.1 dtlogin account required /usr/lib/security/pam_unix.so.1 # other account required /usr/lib/security/pam_unix.so.1 # # Session management # other session required /usr/lib/security/pam_unix.so.1 # # Password management # other password required /usr/lib/security/pam_unix.so.1 and the file definitely exists: hades:/usr/ccs/bin> cd /usr/lib/security hades:/usr/lib/security> ls -lt pam_ntdom_auth.so.1 -rwxr-xr-x 1 root other 276188 May 22 09:53 pam_ntdom_auth.so.1 From cartegw at 
Eng.Auburn.EDU Fri May 22 13:08:03 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: Samba NTDOM printing? References: <35648B77.8BC293C3@access-laserpress.com> Message-ID: <356578B3.47A93FA@eng.auburn.edu> Kevin P. Fleming wrote: > > How does the current NTDOM work affect Samba's printing capabilities? > I've currently got printing working fine (from an NT4.0 Workstation) > if I copy a file directly to the queue using a command line copy > command, or if I do a NET USE to the printer to capture an LPT port. This has puzzled me as well. I have 5 NT boxes printing to a 1.9.19alpha samba served printer. The samba server is also the PDC. However, I am unable to add a new network printer from that server on the NT boxes. I talked with Jean-Francois about this. He has implmented about 16 of the 50 or so \PIPE\spoolss functions. However, they are not in the current main branch code as I understand. > However, trying to actually set up the printer on my workstation, even > though it appears just fine in the browse list, results in "Cannot add > printer. The printer name is invalid.". I vaguely remember seeing > something about this on the list, but can't remember for sure... For the meantime, I am setting up a 1.9.18p7 samba server which will use the samba pdc as the password server and share printers off the main one. You are correct that the "net use lpt1: \\server\printername' solution will work. The other solution listed in the FAQ does not seem to work at the moment. > Also, what do most people use as the permissions on their Samba > print-spool directory? rwxrwxrwxt ( the sam as /tmp ) -- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Fri May 22 13:24:27 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: Samba NTDOM printing? In-Reply-To: <356578B3.47A93FA@eng.auburn.edu> Message-ID: AH - yes. spoolss. jean-francois, where is that? think it would be good to check that in, do a "#ifdef EXPERIMENTAL_SPOOLSS_SUPPORT" yes? > I talked with Jean-Francois about this. He has implmented about 16 of > the 50 or so \PIPE\spoolss functions. However, they are not in the > current main branch code as I understand. From tridge at samba.anu.edu.au Fri May 22 13:49:51 1998 From: tridge at samba.anu.edu.au (Andrew Tridgell) Date: Tue Dec 2 02:24:11 2003 Subject: CVS tree available via anonymous rsync Message-ID: <19980522134952Z12597806-8446+7335@samba.anu.edu.au> For those of you who like to keep up with the latest Samba code and find CVS too slow, you can now get anything that is in CVS on samba.anu.edu.au via anonymous rsync. for example: rsync -avz samba.anu.edu.au::ftp/unpacked/samba/ . you'll need a 2.0 release of rsync. See http://samba.anu.edu.au/rsync/ of course, this is really just a blatent plug for rsync, but I hope you'll forgive me :) From Jean-Francois.Micouleau at utc.fr Fri May 22 14:31:33 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:11 2003 Subject: Samba NTDOM printing? In-Reply-To: Message-ID: On Fri, 22 May 1998, Luke Kenneth Casson Leighton wrote: > AH - yes. spoolss. jean-francois, where is that? on my disk :-) > think it would be good to check that in, do a > "#ifdef EXPERIMENTAL_SPOOLSS_SUPPORT" #ifdef UGLY_USELESS_CODE would be better ! > > I talked with Jean-Francois about this. He has implmented about 16 of > > the 50 or so \PIPE\spoolss functions. However, they are not in the > > current main branch code as I understand. I could send you the code, but nobody would gain anything with it ! 
All the major functions are missing, the base is here, ie: the structs and the basics functions: OpenPrinter, ClosePrinter, enumprinters... I still haven't wrote the Print function or the Install_the_driver_on_the_workstation function. The code is really ugly compared to what is in lib/rpc, I will continue to work on it in july ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" ----------------------------------------------------------- From cartegw at Eng.Auburn.EDU Fri May 22 14:41:36 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: security=domain bombs References: Message-ID: <35658EA0.42DBCAB@eng.auburn.edu> Andrew Perrin - Demography wrote: > > On advice of helpful folks from the list, I tried to switch our Samba > server from security=server with password server = over to > security=domain. I get invalid password errors when connecting from > NT, and Session Setup failure when using smbclient. Once I also got > "Your server software is being unfriendly" from smbclient. Make sure that the private/..mac file exists on the samba domain client. When I just recently set this up, the file was created but called MACHINE.SID. rename this file to ..mac and mae sure that you have added the machine account for the samba client on the PDC ( Samba or NT ). Let me know if this helps. I forgot to mention it to Jeremy recently. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Fri May 22 14:50:30 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: Samba NTDOM printing? 
In-Reply-To: Message-ID: On Fri, 22 May 1998, Jean-Francois Micouleau wrote: > On Fri, 22 May 1998, Luke Kenneth Casson Leighton wrote: > > > AH - yes. spoolss. jean-francois, where is that? > > on my disk :-) whew. > > think it would be good to check that in, do a > > "#ifdef EXPERIMENTAL_SPOOLSS_SUPPORT" > > #ifdef UGLY_USELESS_CODE would be better ! your wish is my command. > > > I talked with Jean-Francois about this. He has implmented about 16 of > > > the 50 or so \PIPE\spoolss functions. However, they are not in the > > > current main branch code as I understand. > > I could send you the code, but nobody would gain anything with it ! that's fine. at least we won't get someone else going "oh, no work has been done on this: i think i'll have a go". > All the major functions are missing, the base is here, ie: the structs and > the basics functions: OpenPrinter, ClosePrinter, enumprinters... good: that will do. > I still haven't wrote the Print function or the > Install_the_driver_on_the_workstation function. i don't mind. > The code is really ugly compared to what is in lib/rpc, i don't even mind that! > I will continue to work on it in july good one. the main thing is to get it in there, so that other people can see it and they won't waste time duplicating your work. "cathedral and the bazaar..." From lkcl at switchboard.net Fri May 22 14:54:48 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: security=domain bombs In-Reply-To: <35658EA0.42DBCAB@eng.auburn.edu> Message-ID: On Sat, 23 May 1998, Gerald Carter wrote: > Andrew Perrin - Demography wrote: > > > > On advice of helpful folks from the list, I tried to switch our Samba > > server from security=server with password server = over to > > security=domain. I get invalid password errors when connecting from > > NT, and Session Setup failure when using smbclient. Once I also got > > "Your server software is being unfriendly" from smbclient. 
>
> Make sure that the private/..mac file exists on the
> samba domain client. When I just recently set this up, the file was
> created but called MACHINE.SID.

OOPS! that's not good...

> rename this file to
> ..mac and make sure that you have added the machine
> account for the samba client on the PDC ( Samba or NT ).

jeremy posted instructions: they will be in the archives.

From jallison at whistle.com Fri May 22 17:04:21 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:11 2003
Subject: security=domain bombs
References: <35658EA0.42DBCAB@eng.auburn.edu>
Message-ID: <3565B015.57250A38@whistle.com>

Gerald Carter wrote:
>
> Make sure that the private/..mac file exists on the
> samba domain client. When I just recently set this up, the file was
> created but called MACHINE.SID. rename this file to
> ..mac and make sure that you have added the machine
> account for the samba client on the PDC ( Samba or NT ).
>

No, this is wrong. If you do this everything
will break. The MACHINE.SID contains the
ascii text of what used to be in the 'domain sid'
parameter in smb.conf - ie. a string like

S-1-21-123-456-789

- it gets randomly generated the first time
any smbd starts up if it doesn't exist, and
*never* changes once created (it's the machine
'identity' - just like an NT machine SID).

The private/DOMAIN.MACHINENAME.mac file is
the machine password file, that must exist
if security=domain is set in smb.conf.

This file is created when you join the
domain using smbpasswd - first add the
Samba machine to the NT domain on the PDC
(if it's a Samba PDC using smbpasswd -a -m
as usual, if it's an NT PDC using server
manager for domains), and then on the
machine joining the domain type add the
pdc name as the first entry in the
'password server' list and then type
(as root) :

smbpasswd -j

This will create the private/DOMAIN.MACHINENAME.mac
file that contains the machine password for
this domain.
I know this is confusing, I need to write a document on this but don't have the time right now (soon, I promise). Jeremy. Jeremy. From cartegw at Eng.Auburn.EDU Fri May 22 17:23:03 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: security=domain bombs References: <35658EA0.42DBCAB@eng.auburn.edu> <3565B015.57250A38@whistle.com> Message-ID: <3565B477.26FA79F0@eng.auburn.edu> Jeremy Allison wrote: > > No, this is wrong. If you do this everything > will break. The MACHINE.SID contains the > ascii text of what used to be in the 'domain sid' > parameter in smb.conf - ie. a string like > > S-1-21-123-456-789 Oops. Sorry. > - it gets randomly generated the first time > any smbd starts up if it doesn't exist, and > *never* changes once created (it's the machine > 'identity' - just like an NT machine SID). > > The private/DOMAIN.MACHINENAME.mac file is > the machine password file, that must exist > if security=domain is set in smb.conf. > > This file is created when you join the > domain using smbpasswd - first add the > Samba machine to the NT domain on the PDC > (if it's a Samba PDC using smbpasswd -a -m > as usual, if it's an NT PDC using server > manager for domains), and then on the > machine joining the domain type add the > pdc name as the first entry in the > 'password server' list and then type > (as root) : > > smbpasswd -j I missed this part. > This will create the private/DOMAIN.MACHINENAME.mac > file that contains the machine password for > this domain. > > I know this is confusing, I need to write a > document on this but don't have the time > right now (soon, I promise). > You want me to add it to the NTDOM FAQ? jerry "yes-I-am-braindead-today" carter ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 ) From twinders at SPC.cc.tx.us Fri May 22 20:08:31 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:11 2003 Subject: Win95 Change Password on Digital Unix? Message-ID: I am running 1.9.19-prealpha (CVS from 5/22/98 10:30am CST) under Digital Unix 4.0D with encrypted passwords. I was hoping to get the Win95 change password feature to work, so I compiled with -DALLOW_CHANGE_PASSWORD and try to use the Win95 control panel to change the Samba/Unix password but smbd dumps core. Does anyone have this working under DU? I have the log.smb and core file if that would help... === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From twinders at SPC.cc.tx.us Fri May 22 20:48:09 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:11 2003 Subject: using Samba for Access list in Win95? Message-ID: What is the status of Samba being used as a DC for authenticating users to access Win95 shares? Right now, if I have obtain access list in Win95 Access Control to point to the Samba domain on my network, then I get a "could not obtain userlist" error in Win95 when trying to add users able to access the share. === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From kfleming at access-laserpress.com Fri May 22 21:35:31 1998 From: kfleming at access-laserpress.com (Kevin P. 
Fleming) Date: Tue Dec 2 02:24:11 2003 Subject: Make error Message-ID: <3565EFA3.15506F84@access-laserpress.com> I just updated both of my copies of the current CVS tree, and on my Solaris machine using "gmake" I'm getting an error from gmake: Makefile:764: *** missing separator. Stop. Using make on RH Linux works fine, however. Not being a make expert (and the Samba Makefile being pretty complicated) I'm not sure where to look for the problem... From jallison at whistle.com Fri May 22 21:44:03 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:11 2003 Subject: using Samba for Access list in Win95? References: Message-ID: <3565F1A3.29181C21@whistle.com> Tim Winders wrote: > > What is the status of Samba being used as a DC for authenticating users to > access Win95 shares? > > Right now, if I have obtain access list in Win95 Access Control to point > to the Samba domain on my network, then I get a "could not obtain > userlist" error in Win95 when trying to add users able to access the > share. > Missing rpc call I'm afraid :-(. On the list of 'things to do'. Regards, Jeremy. -- -------------------------------------------------------- Buying an operating system without source is like buying a self-assembly Space Shuttle with no instructions. -------------------------------------------------------- From cartegw at Eng.Auburn.EDU Fri May 22 21:59:02 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: Make error References: <3565EFA3.15506F84@access-laserpress.com> Message-ID: <3565F526.50C72049@eng.auburn.edu> Kevin P. Fleming wrote: > > I just updated both of my copies of the current CVS tree, and on my > Solaris machine using "gmake" I'm getting an error from gmake: > > Makefile:764: *** missing separator. Stop. > Try removing the makefile and downloading a fresh copy. Sometimes updates are incompatible after you set it up to compile locally. gmake 3.74 works fine here on Solaris 2.5.1.
Just updated the source about 30 minutes ago. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From twinders at SPC.cc.tx.us Fri May 22 23:24:57 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:11 2003 Subject: using Samba for Access list in Win95? In-Reply-To: <3565F1A3.29181C21@whistle.com> Message-ID: On Fri, 22 May 1998, Jeremy Allison wrote: > Tim Winders wrote: > > > > What is the status of Samba being used as a DC for authenticating users to > > access Win95 shares? > > > > Right now, if I have obtain access list in Win95 Access Control to point > > to the Samba domain on my network, then I get a "could not obtain > > userlist" error in Win95 when trying to add users able to access the > > share. > > > > Missing rpc call I'm afraid :-(. On the list of 'things to do'. > > Regards, > > Jeremy. Great! Thanks for the update. === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From lkcl at switchboard.net Sat May 23 10:10:45 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: Win95 Change Password on Digital Unix? In-Reply-To: Message-ID: do a gdb on the core, and type "where". send it to the list. On Sat, 23 May 1998, Tim Winders wrote: > I am running 1.9.19-prealpha (CVS from 5/22/98 10:30am CST) under Digital > Unix 4.0D with encrypted passwords.
I was hoping to get the Win95 change > password feature to work, so I compiled with -DALLOW_CHANGE_PASSWORD and > try to use the Win95 control panel to change the Samba/Unix password but > smbd dumps core. Does anyone have this working under DU? I have the > log.smb and core file if that would help... > > === Tim > > --------------------------------------------------------------------- > | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | > | Network Administrator | Phone: 806-894-9611 x 2369 | > | South Plains College | Fax: 806-897-4711 | > --------------------------------------------------------------------- > > > > From twinders at SPC.cc.tx.us Sat May 23 16:54:34 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:11 2003 Subject: Win95 Change Password on Digital Unix? In-Reply-To: Message-ID: On Sat, 23 May 1998, Luke Kenneth Casson Leighton wrote: > do a gdb on the core, and type "where". send it to the list. > > On Sat, 23 May 1998, Tim Winders wrote: > > > I am running 1.9.19-prealpha (CVS from 5/22/98 10:30am CST) under Digital > > Unix 4.0D with encrypted passwords. I was hoping to get the Win95 change > > password feature to work, so I compiled with -DALLOW_CHANGE_PASSWORD and > > try to use the Win95 control panel to change the Samba/Unix password but > > smbd dumps core. Does anyone have this working under DU? I have the > > log.smb and core file if that would help... OK, here is the output (actually from dbx, not gdb). Jeremy wanted to see a different output, which I haven't had a chance to produce... # dbx ../../bin/smbd core.passwd dbx version 3.11.10 Type 'help' for help. 
Core file created by program "smbd" signal Segmentation fault at >*[SamOEMhash, 0x120028018] ldq_u r18, 0(r 16) (dbx) where > 0 SamOEMhash(0x8e26f13ff96b66aa, 0x6e20ee1a21033819, 0x82329459017888f6, 0xeb 286c10b8ea060b, 0x1fe54fa6552a95d4) [0x120028018] 1 check_oem_password(0x12004f880, 0x11ffffb30, 0x12004f898, 0x11ffffb30, 0x14 0079e6e) [0x120068940] 2 (unknown)() [0x12004f8bc] 3 (unknown)() [0x120055fb0] 4 (unknown)() [0x1200561d8] 5 reply_trans(0x0, 0x0, 0x0, 0x0, 0x0) [0x120056bec] 6 (unknown)() [0x1200796e0] 7 construct_reply(0x120073b80, 0x14007a001, 0x14008a421, 0x6700000025, 0x1000 00000) [0x12007a15c] 8 (unknown)() [0x120073b7c] 9 (unknown)() [0x12007a56c] 10 main(0x1400077c0, 0x140000e20, 0x3, 0x140000020, 0x6e) [0x12007b418] Sorry if this isn't formatted correctly, I just did a copy/paste... === Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From twinders at SPC.cc.tx.us Sat May 23 17:14:42 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:11 2003 Subject: More compile errors under DU Message-ID: I just did a make clean and recompiled (CVS from 5/21) with -g3 flag and received these compile warnings. These didn't show up when I reported a similar error before because these files didn't need to be updated... This is under Digital Unix 4.0D cc: Warning: lib/rpc/parse/parse_net.c, line 739: In this statement, & before array "(id->lm_chal)" is ignored. memcpy(&(id->lm_chal), lm_challenge, sizeof(id->lm_chal)); ---------------^ Compiling lib/rpc/parse/parse_reg.c cc: Warning: lib/rpc/parse/parse_reg.c, line 145: In this statement, & before array "(r_q->pad1)" is ignored.
bzero(&(r_q->pad1), sizeof(r_q->pad1)); --------^ cc: Warning: lib/rpc/parse/parse_reg.c, line 150: In this statement, & before array "(r_q->pad2)" is ignored. bzero(&(r_q->pad2), sizeof(r_q->pad2)); --------^ cc: Warning: lib/rpc/server/srv_lsa.c, line 42: In this statement, & before array "(r_o.pol.data)" is ignored. bzero(&(r_o.pol.data), POL_HND_SIZE); --------^ Compiling lib/rpc/server/srv_netlog.c cc: Warning: lib/rpc/server/srv_netlog.c, line 347: In this statement, & before array "(q_a.clnt_chal.data)" is ignored. memcpy(vuser->dc.clnt_cred.challenge.data, &(q_a.clnt_chal.data) , sizeof(q_a.clnt_chal.data)); -----------------------------------------------------------^ cc: Warning: lib/rpc/server/srv_netlog.c, line 348: In this statement, & before array "(q_a.clnt_chal.data)" is ignored. memcpy(vuser->dc.srv_cred.challenge.data, &(q_a.clnt_chal.data), sizeof(q_a.clnt_chal.data)); ----------------------------------------------------------^ Compiling lib/rpc/server/srv_reg.c cc: Warning: lib/rpc/server/srv_reg.c, line 41: In this statement, & before array "(r_u.pol.data)" is ignored. bzero(&(r_u.pol.data), POL_HND_SIZE); --------^ cc: Warning: smbpass.c, line 256: In this statement, the referenced type of the pointer value "p" is "unsigned char", which is not compatible with "signed char" .. pw_buf.acct_ctrl = pdb_decode_acct_ctrl(p); -------------------------^ I know you said this last one my compiler is lying. Does this have anything to do with the Win95 password change code? 
=== Tim --------------------------------------------------------------------- | Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us | | Network Administrator | Phone: 806-894-9611 x 2369 | | South Plains College | Fax: 806-897-4711 | --------------------------------------------------------------------- From lkcl at switchboard.net Sun May 24 13:25:36 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: More compile errors under DU In-Reply-To: Message-ID: [....] > ----------------------------------------------------------^ > Compiling lib/rpc/server/srv_reg.c > cc: Warning: lib/rpc/server/srv_reg.c, line 41: In this statement, & > before array "(r_u.pol.data)" is ignored. > bzero(&(r_u.pol.data), POL_HND_SIZE); > --------^ done. > > > cc: Warning: smbpass.c, line 256: In this statement, the referenced type > of the pointer value "p" is "unsigned char", which is not compatible with > "signed char" > . > pw_buf.acct_ctrl = pdb_decode_acct_ctrl(p); > -------------------------^ oops sorry i thought acct_ctrl return result oh well yes, fixed this, thanks. > I know you said this last one my compiler is lying. Does this have > anything to do with the Win95 password change code? no. From A.G.Jippes at ub.utwente.nl Mon May 25 15:30:34 1998 From: A.G.Jippes at ub.utwente.nl (Jippes, A.G. (UB)) Date: Tue Dec 2 02:24:11 2003 Subject: ?Use a script instead of a password file Message-ID: We want to make NT workstations accessible to our library users using their personal login. A script checks the login with our central user database. Can this be done with Samba now, or in the near future? (so, can I get Samba to use the script instead of the password file?). Any pitfalls? Thanks, Arnoud. ------------------------------- Arnoud G. 
Jippes University of Twente Library/IT Postbus 217, 7500 AE, Enschede tel:(+31-534)894116, fax:351805 email: a.g.jippes@ub.utwente.nl From lkcl at switchboard.net Mon May 25 20:03:28 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: ?Use a script instead of a password file In-Reply-To: Message-ID: what do you mean by "script"? do you mean the "logon script" parameter in smb.conf, or something else? On Tue, 26 May 1998, Jippes, A.G. (UB) wrote: > We want to make NT workstations accessible to our library users using > their personal login. A script checks the login with our central user > database. Can this be done with Samba now, or in the near future? (so, > can I get Samba to use the script instead of the password file?). Any > pitfalls? > > Thanks, > > Arnoud. > > ------------------------------- > Arnoud G. Jippes > University of Twente Library/IT > Postbus 217, 7500 AE, Enschede > tel:(+31-534)894116, fax:351805 > email: a.g.jippes@ub.utwente.nl > > From A.G.Jippes at ub.utwente.nl Tue May 26 07:52:17 1998 From: A.G.Jippes at ub.utwente.nl (Jippes, A.G. (UB)) Date: Tue Dec 2 02:24:11 2003 Subject: ?Use a script instead of a password file Message-ID: Hi Luke (et al.), Sorry for the 'script' confusion. I didn't mean the "login script". I would like Samba to use my Perl script to check passwords at our central user database instead of the smbpasswd file. I need to validate logins on our semi-public NT workstations. B.t.w. Since Samba can check the NT-passwords against its one-way encrypted smbpasswd file, I assume Samba does decrypt the password it gets from NT workstations, right? Thanks, Arnoud. ------------------------------- Arnoud G. Jippes University of Twente Library/IT Postbus 217, 7500 AE, Enschede tel:(+31-534)894116, fax:351805 email: a.g.jippes@ub.utwente.nl >---------- >From: Luke Kenneth Casson Leighton[SMTP:lkcl@switchboard.net] > >what do you mean by "script"? 
do you mean the "logon script" parameter in >smb.conf, or something else? > >On Tue, 26 May 1998, Jippes, A.G. (UB) wrote: > >> We want to make NT workstations accessible to our library users using >> their personal login. A script checks the login with our central user >> database. Can this be done with Samba now, or in the near future? (so, >> can I get Samba to use the script instead of the password file?). Any >> pitfalls? > From lkcl at switchboard.net Tue May 26 11:55:32 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:11 2003 Subject: ?Use a script instead of a password file In-Reply-To: Message-ID: On Tue, 26 May 1998, Jippes, A.G. (UB) wrote: > Hi Luke (et al.), > > Sorry for the 'script' confusion. I didn't mean the "login script". I > would like Samba to use my Perl script to check passwords at our central > user database instead of the smbpasswd file. I need to validate logins > on our semi-public NT workstations. perfect timing! then you will need to see the "password API needed" thread at http://samba.anu.edu.au/listproc/samba-technical and write your own database that has a c-to-perl interface on it. although exactly why you would want to do this instead of writing your own database api in c i do not know. anyway, the interface is all there: see passdb.c in the latest cvs > B.t.w. Since Samba can check the NT-passwords against its one-way > encrypted smbpasswd file, correct. > I assume Samba does decrypt the password it > gets from NT workstations, right? wrong. the LM and NT hashes are clear-text equivalent hashes. they are non-reversible and you cannot decrypt them. in what way do you wish to validate against the semi-public NT workstations, and what kind of "central user database" is it? if you intend to post a technical reply, please copy the message to samba-technical. ta! luke > Thanks, > > Arnoud. > ------------------------------- > Arnoud G.
Jippes > University of Twente Library/IT > Postbus 217, 7500 AE, Enschede > tel:(+31-534)894116, fax:351805 > email: a.g.jippes@ub.utwente.nl > > > >---------- > >From: Luke Kenneth Casson Leighton[SMTP:lkcl@switchboard.net] > > > >what do you mean by "script"? do you mean the "logon script" parameter in > >smb.conf, or something else? > > > >On Tue, 26 May 1998, Jippes, A.G. (UB) wrote: > > > >> We want to make NT workstations accessible to our library users using > >> their personal login. A script checks the login with our central user > >> database. Can this be done with Samba now, or in the near future? (so, > >> can I get Samba to use the script instead of the password file?). Any > >> pitfalls? > > > From trep at dem.qc.ca Tue May 26 14:53:47 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC Message-ID: <199805261453.KAA29660@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 1393 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980526/e456ba25/attachment.bat From trep at dem.qc.ca Tue May 26 14:56:12 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805261453.KAA29660@ursula.dem.qc.ca> from "Pierre-Jules Tremblay" at May 26, 98 10:53:47 am Message-ID: <199805261456.KAA29776@ursula.dem.qc.ca> A non-text attachment was scrubbed... 
Name: not available Type: text Size: 7416 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980526/4f3cea23/attachment.bat From cartegw at Eng.Auburn.EDU Tue May 26 15:32:13 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC References: <199805261453.KAA29660@ursula.dem.qc.ca> Message-ID: <356AE07D.E2C10995@eng.auburn.edu> Pierre-Jules Tremblay wrote: > > Hi all, > > User B logs on to workstation A. He ends up getting user A's profile > instead of his own (roaming) profile. More interesting still, his > USERPROFILE environment variable points to the local directory where > user A's local profile copy is stored! Where are the roaming profiles stored? I mean what is the value from smb.conf? Maybe this will help... ( from Samba NTDOM faq ) 4.1 Why is it bad to set "logon path = \\%N\%U\profile" in smb.conf? Sometimes Windows clients will maintain a connection to the [homes] ( or [%U] ) share even after the user has logged out. Consider the following scenario. user1 logs into the Windows NT machine. Therefore the [homes] share is set to \\server\user1. user1 works for a while and then logs out. user2 logs into the same Windows NT machine. However, since the NT box has maintained a connection to [homes] which was previously set to \\server\user1, when the operating system attempts to get the profile and if it can read user1's profile, will get it otherwise it will return an error. You get the picture. > Unfortunately, I do not have the user manager for domains exe. This and the "Server Manager" are available for download from Microsoft at ftp://ftp.microsoft.com/Softlib/MSLFILES/SRVTOOLS.EXE This is also given in the NTDOM FAQ.
Hope this helps, j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From cartegw at Eng.Auburn.EDU Tue May 26 15:37:14 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC References: <199805261456.KAA29776@ursula.dem.qc.ca> Message-ID: <356AE1AA.96F36E62@eng.auburn.edu> Pierre-Jules Tremblay wrote: > > domain sid = S-1-5-21-123-456-789-123 Just FYI....this is wrong. Should be S-1-5-21-XXXXX-XXXXXX-XXXXX and is also now unnecessary under the new code ( it is automatically generated for you and stored in private/MACHINE.SID or in the case that "domain sid" exists, it is copied from there. After the file exists, the parameter is ignored ). I will update the FAQ on this shortly. > # logon path = \\%L\Profiles\%U The default for logon path is \\%L\%U\profile. See my previous post about using the home directory for roaming profiles. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From trep at dem.qc.ca Tue May 26 16:21:23 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <356AE1AA.96F36E62@eng.auburn.edu> from "Gerald Carter" at May 26, 98 10:37:14 am Message-ID: <199805261621.MAA30784@ursula.dem.qc.ca> A non-text attachment was scrubbed...
Name: not available Type: text Size: 2069 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980526/268dc556/attachment.bat From cartegw at Eng.Auburn.EDU Tue May 26 16:41:17 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC References: <199805261621.MAA30784@ursula.dem.qc.ca> Message-ID: <356AF0AD.4DFA1BF0@eng.auburn.edu> Pierre-Jules Tremblay wrote: > > Okay, I figured out the problem (I think). I believe the way Samba > handles domain admin users is causing this (or maybe my understanding > is). I should document this. It has come up several times. > It turns out in my example that both users were listed in the "domain > admin users" keyword. I discovered that the profile list in the > registry was being set wrong (see > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\ProfileList). The key for both users A and B ended > up being the same, i.e. S-1-5-21-123-456-789-123-500. Now, 500 is the > uid of user A on the samba server, but I also noticed that the last > three digits of the local Administrator account are 500, is this a > coincidence? Nope. When you set "domain admin users", the RID for each user is set to the well known ADMIN RID ( ie. 500 ) in the user info reply packet. > Anyway, I simply removed user B from the domain admin users list and > now the problem is fixed, i.e. the registry key name for user B is > now S-1-5-21-123-456-789-123-1514 (where 514 is the Unix uid of user > B; what does the 1 stand for?). The RID is generated by adding 1000 to the unix UID. This is the same way that the posix subsystem handles it. > I just wonder how come *all* users listed in the "domain admin users" > are mapped to the same domain id, i.e. S-1-5-21-123-456-789-123-500 > and therefore all ending up with the same local profile location. Is > this the only way to "fool" NT into thinking this user is a domain > admin? Yup.
> If I change the domain ID now, won't this mean I'll have to have every > machine rejoin the domain? How critical is this? You don't have to. The latest code will generate the private/MACHINE.SID file from the value of "domain sid". After the file is generated, the "domain sid" value from smb.conf is ignored. And yes, if you change the value of domain sid then all members will have to rejoin the domain. > > > # logon path = \\%L\Profiles\%U > > > > The default for logon path is \\%L\%U\profile. See my previous post > > about using the home directory for roaming profiles. > > The above setup works well for me, for both Win95 and NT stations. > Thanks for the info, though. I know. But be warned. Strange things can happen. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From Jean-Francois.Micouleau at utc.fr Tue May 26 16:51:14 1998 From: Jean-Francois.Micouleau at utc.fr (Jean-Francois Micouleau) Date: Tue Dec 2 02:24:11 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805261621.MAA30784@ursula.dem.qc.ca> Message-ID: On Wed, 27 May 1998, Pierre-Jules Tremblay wrote: > Okay, I figured out the problem (I think). I believe the way Samba > handles domain admin users is causing this (or maybe my understanding is). > > It turns out in my example that both users were listed in the "domain > admin users" keyword. I discovered that the profile list in the > registry was being set wrong (see > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows > NT\CurrentVersion\ProfileList). The key for both users A and B ended > up being the same, i.e. S-1-5-21-123-456-789-123-500. 
Now, 500 is the > uid of user A on the samba server, but I also noticed that the last > three digits of the local Administrator account are 500, is this a > coincidence? nope. it's how samba manages rid. Special remark to Luke: it's not the good way to handle it ! I'm sure it's wrong to force the rid in passdb.c, we should force the unknown_5 value. Somewhere in ipc.c I saw the same code with comments coming from cifs 6 doc. > Anyway, I simply removed user B from the domain admin users list and > now the problem is fixed, i.e. the registry key name for user B is > now S-1-5-21-123-456-789-123-1514 (where 514 is the Unix uid of user > B; what does the 1 stand for?). Therefore, the two users get their > own registry values for local profile path, etc., as they should. The 1 is the posix offset, rid=uid+1000 for normal users > I just wonder how come *all* users listed in the "domain admin users" > are mapped to the same domain id, i.e. S-1-5-21-123-456-789-123-500 > and therefore all ending up with the same local profile location. Is > this the only way to "fool" NT into thinking this user is a domain > admin? As I said above, it's how it's done in samba right now. It's not how NT does it, and I hope it will change. Jean Francois ----------------------------------------------------------- Pinky: "What are we going to do tonight, Brain?" Brain: "The same thing we do every night, Pinky : try to install Windows NT !" ----------------------------------------------------------- From aperrin at demog.Berkeley.EDU Tue May 26 17:19:41 1998 From: aperrin at demog.Berkeley.EDU (Andrew Perrin - Demography) Date: Tue Dec 2 02:24:11 2003 Subject: Bad machine accounts In-Reply-To: <3564B5DF.C2101987@whistle.com> Message-ID: Well, I changed this last week and it didn't work; but then this morning it started working fine after the cvs update. so... thanks to Jeremy and others for the advice; and to whatever changes were made over the weekend in the cvs branch if they mattered :).
ap --------------------------------------------------------------------- Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support Department of Demography - University of California at Berkeley 2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA http://demog.berkeley.edu/~aperrin --------------------------SEIU1199 On Thu, 21 May 1998, Jeremy Allison wrote: > Andrew Perrin - Demography wrote: > > > > Well, blake now browses okay, so I'll skip those. Logs available for your > > reading pleasure on the web are: > > > > 1.) boserup (the pdc) when aperrin logs into kitagawa: > > http://demog.berkeley.edu/~aperrin/bos.connect.log > > 2.) blake when aperrin logs into kitagawa: > > http://demog.berkeley.edu/~aperrin/bla.connect.log > > 3.) boserup when aperrin tries to connect to \\boserup\aperrin or > > \\boserup\homes: > > http://demog.berkeley.edu/~aperrin/bos.usehome.log > > > > Phew - nailed it. That one was a *bastard* to find. > > The problem is you have 'revalidate = true' set in > your smb.conf global section on BOSERUP. > > This is interacting badly with the 'security=user' > parameter - as is really is meant to be used for > security=share settings. > > What happens is that the tconX call is made with > no password, as you have already given a valid > encrypted password in the sessionsetupandX. > > The default tconX case with no password is this piece of > code in password.c > > /* check for a previously validated username/password pair */ > if (!ok && !lp_revalidate(snum) && > (vuser != 0) && !vuser->guest && > user_ok(vuser->name,snum)) { > fstrcpy(user,vuser->name); > *guest = False; > DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n")); > ok = True; > } > > Note that having revalidate set screws it up, as it causes > this code not to be executed. 
> > I'll check with Andrew for the exact meaning of the > revalidate parameter, as I think it may be redundant > with security=user, in which case we can replace this > code with > > && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) &&.... > > But this is a security sensitive change so I'll not > make it lightly. > > Jeremy. > > > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- > From tas at microdisplay.com Tue May 26 20:43:53 1998 From: tas at microdisplay.com (Todd Stiers) Date: Tue Dec 2 02:24:11 2003 Subject: Error saving roaming profiles, and are groups supported? Message-ID: <356B2988.EBB85A20@microdisplay.com> Hi, Wonderful piece of work! I built the server, and I can get machines (NT 4.0) and users configured and logged in in the smbpasswd file. My issues/questions: 1. I get errors on user logout ("Unable to save roaming profile") on logout - it loads wonderfully, I set permissions 777 to see if that's it - its not. 2. The users in my "SAMBA" domain fail to show in the "User Manager". This is bad because I can't "Add" SAMBA domain users to the Administrator and/Backup groups of the local machine. SO Does the NTDOM version support groups? Is there a behind-the-scenes smbpasswd config I have failed to find for groups? Thanks -Todd [--- [--- [--- [--- [--- [--- [--- [--- Todd Stiers Systems Administrator The MicroDisplay Corporation (510)243-9515x129 http://www.microdisplay.com ---] ---] ---] ---] ---] ---] ---] ---] From tas at microdisplay.com Tue May 26 20:51:23 1998 From: tas at microdisplay.com (Todd Stiers) Date: Tue Dec 2 02:24:11 2003 Subject: No Groups, my bad... Message-ID: <356B2B4B.1C0FD49B@microdisplay.com> Hi, Answering my own question: 1. No groups listed in FAQ, 1st section. 2. I see this is a "medium" on the to-do. I'll keep watching.
I could dump NT server if the groups were semi-operational.

-Todd

[--- [--- [--- [--- [--- [--- [--- [---
Todd Stiers
Systems Administrator
The MicroDisplay Corporation
(510)243-9515x129
http://www.microdisplay.com
---] ---] ---] ---] ---] ---] ---] ---]

From cartegw at Eng.Auburn.EDU Tue May 26 21:19:21 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:11 2003
Subject: Error saving roaming profiles, and are groups supported?
References: <356B2988.EBB85A20@microdisplay.com>
Message-ID: <356B31D9.7A6DBEDA@eng.auburn.edu>

Todd Stiers wrote:
>
> My issues/questions:
> 1. I get errors on user logout ("Unable to save roaming profile") on
> logout - it loads wonderfully,

Where is the profile stored ( ie. what is the value of "logon path" in smb.conf )?

> 2. The users in my "SAMBA" domain fail to show in the "User Manager".

Yup. Does not currently work.

> SO Does the NTDOM version support groups? Is there a behind-the-scenes
> smbpasswd config I have failed to find for groups?

I'll say nope. But there are a few hacks such as "domain admin users" and "domain groups". see the list archives for discussions about these parameters.

Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From ratzka at HRZ.Uni-Marburg.DE Wed May 27 06:32:47 1998
From: ratzka at HRZ.Uni-Marburg.DE (Wolfgang Ratzka)
Date: Tue Dec 2 02:24:11 2003
Subject: NTDOM-FAQ 4.1 [Why is it bad to set "logon path = ...]
In-Reply-To: <356AE07D.E2C10995@eng.auburn.edu>
References: <356AE07D.E2C10995@eng.auburn.edu>
Message-ID: <199805270632.IAA20192@pprz04.HRZ.Uni-Marburg.DE>

>>>>> "GC" == Gerald Carter writes:

GC> 4.1 Why is it bad to set "logon path = \\%N\%U\profile" in
GC> smb.conf?
Is this only an issue with samba or is it generally a bad idea with NT to put a users' roaming profiles into their homedirs?

I would assume that to a client "\\servername\\user1" and "\\servername\\user2" would look like different shares. So why would the client mix them up?

--
Regards
Wolfgang Ratzka Phone: +49 6421 28 3531 FAX: +49 6421 28 6994
Uni Marburg, HRZ, Hans-Meerwein-Str., D-35032 Marburg, Germany
------------------------------Where do you want to go tomorrow?

From trep at dem.qc.ca Wed May 27 12:41:59 1998
From: trep at dem.qc.ca (Pierre-Jules Tremblay)
Date: Tue Dec 2 02:24:11 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356AF0AD.4DFA1BF0@eng.auburn.edu> from "Gerald Carter" at May 27, 98 02:53:59 am
Message-ID: <199805271242.IAA03053@ursula.dem.qc.ca>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 999 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980527/25bbac25/attachment.bat

From cartegw at Eng.Auburn.EDU Wed May 27 13:35:48 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:11 2003
Subject: Updates to the NTDOM faq
Message-ID: <356C16B4.FAEEA48@eng.auburn.edu>

Just an update on the faq....

Just updated the NTDOM FAQ. Relevant changes include

- Updated information on the generation of the private/MACHINE.SID file rather than using the "domain sid" parameter
- Add instructions for setting up the "security = domain" model
- Add a reference to problems with roaming profile and the "domain admin users" parameter
- Added links to the Win 95 and NT 4.0 versions of
  * Server Manager ( 95 & NT )
  * User Manager for Domains ( 95 & NT )
  * Event Viewer ( 95 only )
- updated the information on generating the machine account on the server.

The FAQ is available from a link off of the main samba page.
Note that I have only updated the main site ( samba.anu.edu.au/samba/samba.html ) and that it will most likely take a day for the changes to appear at the mirror sites.

Changes, comments & suggestions welcome.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From tridge at samba.anu.edu.au Wed May 27 14:00:14 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:11 2003
Subject: Updates to the NTDOM faq
In-Reply-To: <356C16B4.FAEEA48@eng.auburn.edu> (message from Gerald Carter on Wed, 27 May 1998 23:41:13 +1000)
References: <356C16B4.FAEEA48@eng.auburn.edu>
Message-ID: <19980527140028Z12661801-1709+5597@samba.anu.edu.au>

> Note that I have only updated the main site (
> samba.anu.edu.au/samba/samba.html ) and that it will most likely
> take a day for the changes to appear at the mirror sites.

the main US mirror synchronises every 30 minutes (via rsync). The European mirror runs a bit less often.

Cheers, Andrew

From lkcl at switchboard.net Wed May 27 14:07:55 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:11 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356AE07D.E2C10995@eng.auburn.edu>
Message-ID:

> Unfortunately, I do not have the user manager for domains exe.

it's irrelevant for an NT PDC at the moment. the equivalent of USRMGR.EXE is the password database (currently only private/smbpasswd) and smb.conf.

luke

From lkcl at switchboard.net Wed May 27 14:08:18 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356AE07D.E2C10995@eng.auburn.edu>
Message-ID:

> Unfortunately, I do not have the user manager for domains exe.

dang. sorry.
irrelevant for a _samba_ PDC.

From lkcl at switchboard.net Wed May 27 14:11:03 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356AE1AA.96F36E62@eng.auburn.edu>
Message-ID:

On Wed, 27 May 1998, Gerald Carter wrote:

> Pierre-Jules Tremblay wrote:
> >
> > domain sid = S-1-5-21-123-456-789-123
>
> Just FYI....this is wrong. Should be S-1-5-21-XXXXX-XXXXXX-XXXXX and is
> also now unnecessary under the new code ( it automatically generated for
> you and stored in private/MACHINE.SID or in the case that "domain sid"
> exists, it is copied from there. After the file exists, the parameter
> is ignored ). I will update the FAQ on this shortly.

i will update NTDOMAIN.txt too.

From lkcl at switchboard.net Wed May 27 14:15:57 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <199805261621.MAA30784@ursula.dem.qc.ca>
Message-ID:

On Wed, 27 May 1998, Pierre-Jules Tremblay wrote:

>
> Okay, I figured out the problem (I think). I believe the way Samba
> handles domain admin users is causing this (or maybe my understanding is).
>
> It turns out in my example that both users were listed in the "domain
> admin users" keyword. I discovered that the profile list in the
> registry was being set wrong (see

no it's being set absolutely correctly, according to a bug i have in the code where "domain admin users" is used twice: once to add you to the domain admin groups; the other time to change your RID to "domain administrator". sorry.

try using "domain groups = admins" instead.
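
Added example (not Samba code and not from any poster in this archive): a C model of the tconX check that Jeremy Allison quotes from password.c earlier in this archive, set beside the replacement condition he suggests, with every combination walked to see which access decisions the change would flip. The structs, the one-name user_ok() and the sample sessions are constructed stand-ins, and the model assumes the earlier tests left `ok` false.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the security levels; only the ordering SEC_SHARE < the rest
 * matters for the comparison quoted in the message. */
enum sec_mode { SEC_SHARE, SEC_USER, SEC_SERVER, SEC_DOMAIN };

/* Constructed stand-in for the session record left by sessionsetupandX. */
struct vuser { const char *name; bool guest; };

/* Constructed stand-in for per-share settings. */
struct share { bool revalidate; const char *valid_user; };

/* Simplified user_ok(): one permitted name per share (assumption). */
static bool user_ok(const char *name, const struct share *s)
{
    return s->valid_user == NULL || strcmp(name, s->valid_user) == 0;
}

/* Condition as quoted from password.c: skipped whenever revalidate is set. */
bool accept_quoted(const struct share *s, enum sec_mode sec,
                   const struct vuser *vu)
{
    (void)sec;
    return !s->revalidate && vu != NULL && !vu->guest && user_ok(vu->name, s);
}

/* Condition with the replacement suggested in the message. */
bool accept_suggested(const struct share *s, enum sec_mode sec,
                      const struct vuser *vu)
{
    return (!s->revalidate || sec > SEC_SHARE) &&
           vu != NULL && !vu->guest && user_ok(vu->name, s);
}

/* Walk every combination and count decisions that differ. *unexpected
 * counts flips outside the intended case: revalidate set, security above
 * share level, validated non-guest user who is permitted on the share. */
int count_flips(int *unexpected)
{
    static const struct vuser alice = { "alice", false };   /* permitted  */
    static const struct vuser bob   = { "bob", false };     /* not listed */
    static const struct vuser guest = { "nobody", true };
    const struct vuser *sessions[] = { NULL, &guest, &alice, &bob };
    int flips = 0;

    *unexpected = 0;
    for (int rv = 0; rv <= 1; rv++) {
        struct share s = { rv != 0, "alice" };
        for (int sec = SEC_SHARE; sec <= SEC_DOMAIN; sec++) {
            for (size_t i = 0; i < 4; i++) {
                bool before = accept_quoted(&s, (enum sec_mode)sec, sessions[i]);
                bool after = accept_suggested(&s, (enum sec_mode)sec, sessions[i]);
                if (before == after)
                    continue;
                flips++;
                if (!(after && rv && sec > SEC_SHARE && sessions[i] == &alice))
                    (*unexpected)++;
            }
        }
    }
    return flips;
}

int main(void)
{
    int unexpected;
    int flips = count_flips(&unexpected);

    printf("decisions changed: %d, outside intended case: %d\n",
           flips, unexpected);
    return unexpected != 0;
}
```

In this model the suggested condition changes only the outcome for an already validated, permitted, non-guest session when revalidate is set above share-level security; missing, guest and unlisted sessions, and share-level revalidation, are decided exactly as before.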
From lkcl at switchboard.net Wed May 27 14:16:39 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356AF0AD.4DFA1BF0@eng.auburn.edu>
Message-ID:

On Wed, 27 May 1998, Gerald Carter wrote:

> Pierre-Jules Tremblay wrote:
> >
> > Okay, I figured out the problem (I think). I believe the way Samba
> > handles domain admin users is causing this (or maybe my understanding
> > is).
>
> I should document this. Has come up several times.
>
> > It turns out in my example that both users were listed in the "domain
> > admin users" keyword. I discovered that the profile list in the
> > registry was being set wrong (see
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> > NT\CurrentVersion\ProfileList). The key for both users A and B ended
> > up being the same, i.e. S-1-5-21-123-456-789-123-500. Now, 500 is the
> > uid of user A on the samba server, but I also noticed that the last
> > three digits of the local Administrator account are 500, is this a
> > coincidence?
>
> Nope. When you set "domain admin users", the RID for each user is set
> the well known ADMIN RID ( ie. 500 ) in the user info reply packet.

... which it should not: i should set the Primary Group to "domain admin group". sorry

From lkcl at switchboard.net Wed May 27 14:18:05 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To:
Message-ID:

> > coincidence?
>
> nope. it's how samba manage rid.
>
> Special remark to Luke: it's not the good way to handle it !
> I'm sure it's wrong to force the rid in passdb.c, we should force the
> unknown_5 value. Somewhere in ipc.c I saw the same code with comments
> coming from cifs 6 doc.

i know. i'm not certain that the unknown_5 value will make much difference...

> > Anyway, I simply removed user B from the domain admin users list and
> > now the problem is fixed, i.e.
the registry key name for user B is > > now S-1-5-21-123-456-789-123-1514 (where 514 is the Unix uid of user > > B; what does the 1 stand for?). Therefore, the two users get their > > own registry values for local profile path, etc., as they should. > > The 1 is the posix offset, rid=uid+1000 for normal users ah: the 1000 should actually be 0x10000... From lkcl at switchboard.net Wed May 27 14:25:06 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Error saving roaming profiles, and are groups supported? In-Reply-To: <356B2988.EBB85A20@microdisplay.com> Message-ID: dang!!! all the "domain xxxxx" parameters are documented in the BRANCH_NTDOM version of smb.conf.5! arg i'll just recover those and get them into the main branch. > 2. The users in my "SAMBA" domain fail to show in the "User Manager". > This is bad because I can't "Add" SAMBA domain users to the > Administrator > and/Backup groups of the local machine. > > SO Does the NTDOM version support groups? Is there a behind-the-scenes > smbpasswd > config I have failed to find for groups? > > Thanks > > -Todd > > [--- [--- [--- [--- [--- [--- [--- [--- > Todd Stiers > Systems Administrator > The MicroDisplay Corporation > (510)243-9515x129 > http://www.microdisplay.com > ---] ---] ---] ---] ---] ---] ---] ---] > > > From cartegw at Eng.Auburn.EDU Wed May 27 15:01:08 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: Message-ID: <356C2AB4.9081D0D8@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > ah: the 1000 should actually be 0x10000... Uh-oh. You do realize that if you change this in the code it will break all existing normal user profiles since the RID is embedded in the ntuser.dat file, right? Welcome to the bleeding edge everyone ;) As always, corrections welcome. 
j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Wed May 27 15:08:17 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <356C2AB4.9081D0D8@eng.auburn.edu> Message-ID: On Wed, 27 May 1998, Gerald Carter wrote: > Luke Kenneth Casson Leighton wrote: > > > > ah: the 1000 should actually be 0x10000... > > Uh-oh. You do realize that if you change this in the code it will > break all existing normal user profiles since the RID is embedded > in the ntuser.dat file, right? yep!!! > Welcome to the bleeding edge everyone ;) jeremy would say (if he was awake right now and reading your message) that we have to provide backwards-compatibility support as we have real users out there already. i would say, "not until 1.9.19alpha1. until then, i welcome opportunities to change things for the better despite inconvenience to pre-alpha users: i really, really hate backwards-compatibility limitations and _like_ taking the rap". luke From cartegw at Eng.Auburn.EDU Wed May 27 15:22:57 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: Message-ID: <356C2FD1.9F35C264@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > jeremy would say (if he was awake right now and reading your message) > that we have to provide backwards-compatibility support as we have > real users out there already. > > i would say, "not until 1.9.19alpha1. until then, i welcome > opportunities to change things for the better despite inconvenience to > pre-alpha users: i really, really hate backwards-compatibility > limitations and _like_ taking the rap". Fair enough. 
I knew the risk when I signed on. How 'bout at least a warning before so I can just delete old user profiles. Probably a good thing. I need to move them anyway to a new disk. At least this way I don't have to worry about copying them over.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From trep at dem.qc.ca Wed May 27 15:44:45 1998
From: trep at dem.qc.ca (Pierre-Jules Tremblay)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: from "Luke Kenneth Casson Leighton" at May 28, 98 00:36:33 am
Message-ID: <199805271545.LAA10237@ursula.dem.qc.ca>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 820 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980527/eb691ea6/attachment.bat

From lkcl at switchboard.net Wed May 27 15:56:59 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356C2FD1.9F35C264@eng.auburn.edu>
Message-ID:

On Wed, 27 May 1998, Gerald Carter wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > jeremy would say (if he was awake right now and reading your message)
> > that we have to provide backwards-compatibility support as we have
> > real users out there already.
> >
> > i would say, "not until 1.9.19alpha1. until then, i welcome
> > opportunities to change things for the better despite inconvenience to
> > pre-alpha users: i really, really hate backwards-compatibility
> > limitations and _like_ taking the rap".
>
> Fair enough. I knew the risk when I signed on. How 'bout at least a
> warning before so I can just delete old user profiles. Probably a good
> thing. I need to move them anyway to a new disk.
At least this way I > don't have to worry about copying them over. hm. let me think. the profiles are stored by name. does anyone know if they contain the RID or not? what i'm wondering is, will it actually make any difference to the profile itself, but only confuses the workstation for a bit while the RID changes. hm. worthwhile testing by changing one user's unix and nt user id... From lkcl at switchboard.net Wed May 27 16:03:03 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805271545.LAA10237@ursula.dem.qc.ca> Message-ID: On Wed, 27 May 1998, Pierre-Jules Tremblay wrote: > > > On Wed, 27 May 1998, Pierre-Jules Tremblay wrote: > > > > > It turns out in my example that both users were listed in the "domain > > > admin users" keyword. I discovered that the profile list in the > > > registry was being set wrong (see > > > > no it's being set absolutely correctly, according to a bug i have in the > > code where "domain admin users" is used twice: once to add you to the > > domain admin groups; the other time to change your RID to "domain > > administrator". sorry. > > > > try using "domain groups = admins" instead. > > I've searched through the samba-ntdom digest archive but found out > very little about this config option. > What does this do exactly, and who does it do it for? it should have exactly the same effect as the "local aliases" that you can add users to via the USRMGR.EXE program. > Do I have to set up a unix group named > "admins" and put users in it? no, although we plan to have a mapping system "map groupname" to map "wheel" to "admins" etc etc... > I already tried this but it had no > effect. hmmm... 
From mark at opennt.com Wed May 27 16:14:41 1998 From: mark at opennt.com (Mark Funkenhauser) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: from "Luke Kenneth Casson Leighton" at May 28, 98 00:45:15 am Message-ID: <199805271614.MAA28867@shire.ssi.softway.com> A non-text attachment was scrubbed... Name: not available Type: text Size: 2002 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980527/3c1d37ae/attachment.bat From cartegw at Eng.Auburn.EDU Wed May 27 16:22:38 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: Message-ID: <356C3DCE.1B73D7B2@eng.auburn.edu> Luke Kenneth Casson Leighton wrote: > > the profiles are stored by name. does anyone know if they > contain the RID or not? what i'm wondering is, will it > actually make any difference to the profile itself, but > only confuses the workstation for a bit while the RID > changes. > I am basing my comments on effects after changing the domain sid on the samba PDC. This would generate a new SID which made the previous profile unusable ( but this was back in the beginning ). I had assumed that the SID was stored in the profile but I may be wrong. I will try this out over lunch. Will let you know. j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Wed May 27 16:30:27 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805271614.MAA28867@shire.ssi.softway.com> Message-ID: > > > > > > The 1 is the posix offset, rid=uid+1000 for normal users > > > > ah: the 1000 should actually be 0x10000... 
>
> Are you sure?

no :-) i _think_ it doesn't matter as long as the mapping a) exists b) is monotonic.

> The POSIX subsystem is creating a UNIX-like id (32 bit number)
> from the NT RID. What I think Samba PDC is trying to do is the reverse;
> creating a RID from a UNIX id.
>
> If you want Samba to look like an NT system, then the user RID's
> you generate should start at 1000 since 1000 is the first RID
> created for user's via UserManager.

... which is what i randomly chose to do. however, no proper mapping currently exists for group rids.

> How POSIX subsystem creates UNIX-like from an NT SID:
> It takes the RID (it strips off the DomainSid part)
> and then adds a special offset value depending on the type of DomainSid.
> For instance:
> special well-known ids have the 0x10000 offset (Everyone = 0x10100)
> built-in domain ids have the 0x20000 offset    (Administrators = 0x20220)
>                                                (Guests = 0x20222)
> local machine ids have the 0x30000 offset      (Administrator = 0x301F4)
>                                                (Guest = 0x301F5)
>                                                (User1 = 0x303E8)
> primary domain ids have the 0x100000 offset    (Domain1\User1 = 0x1003E8)
> 1st trusted domain uses the 0x200000 offset    (Domain2\User1 = 0x2003E8)
> 2nd trusted domain uses the 0x300000 offset    (Domain2\User1 = 0x3003E8)

what about group rids?

> So, if the Samba PDC is to work with the POSIX subsystem(s)
> (the MS POSIX subsystem is *not* the only commercial POSIX subsystem
> implementation)
> it has to ensure that RID's do not get any larger than 0x100000.

ok, assuming that we meet this requirement, regardless: it is slowly dawning on me that we may not need to use the posix sub-system uid<->rid mapping system in samba: it would appear to be a completely separate issue.
in fact, applying it may only confuse people because they may think that they can do this: unix uid (on samba) --no-mapping-> posix uid (on nt workstation) whereas what they should do is this: unix uid (on samba) --uid-to-user-rid-> nt user rid (on nt workstation --opennt-rid-to-posix-> posix uid (on nt workstation). does this make any sense, mark? From mark at opennt.com Wed May 27 16:50:54 1998 From: mark at opennt.com (Mark Funkenhauser) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: from "Luke Kenneth Casson Leighton" at May 27, 98 04:30:27 pm Message-ID: <199805271650.MAA29170@shire.ssi.softway.com> A non-text attachment was scrubbed... Name: not available Type: text Size: 987 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980527/a3c189e4/attachment.bat From jallison at whistle.com Wed May 27 17:23:33 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: <356C2AB4.9081D0D8@eng.auburn.edu> Message-ID: <356C4C15.A8BF5113@whistle.com> Gerald Carter wrote: > > Luke Kenneth Casson Leighton wrote: > > > > ah: the 1000 should actually be 0x10000... > > Uh-oh. You do realize that if you change this in the code it will > break all existing normal user profiles since the RID is embedded > in the ntuser.dat file, right? Welcome to the bleeding edge everyone ;) > Ah, good thing I didn't just fix that as part of another checkin. I knew it should have been 0x1000 (I spent a happy couple of hours going though NT header files for well known rids a couple of weeks ago, and discovered the problem then) and it was on my list of things to fix when I did the overhaul of the uid/gid <-> rid mapping code in preparation for the acl support. Good thing Luke's doing it instead, you can all shout at him :-). Cheers, Jeremy. 
--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Wed May 27 17:28:04 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
References:
Message-ID: <356C4D24.916CE2E9@whistle.com>

Luke Kenneth Casson Leighton wrote:
>
> jeremy would say (if he was awake right now and reading your message) that
> we have to provide backwards-compatibility support as we have real users
> out there already.
>

Au contraire :-) - I have always been explicit that the PDC support is pre-alpha, and will change a *lot* between now and 1.9.19alpha. Indeed I'm going to remove the 'domain sid' parameter before then (that'll break *everyone's* smb.conf files :-)

Whilst Samba PDC is in pre-alpha, real users be damned (they knew what they were getting into :-) :-).

The only backwards compatibility we have to be *very* careful of, is not to break documented parameters that are in the 1.9.18 series - as the people running the 'stable' release will expect to be able to upgrade to the 1.9.19 stable release without parameters disappearing from smb.conf (I'm going to change some of the parameter defaults though, as currently some of them don't make sense).

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From cartegw at Eng.Auburn.EDU Wed May 27 18:07:42 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
References: <356C4C15.A8BF5113@whistle.com>
Message-ID: <356C566E.AFDCFC20@eng.auburn.edu>

Gerald Carter wrote:
>
> Luke Kenneth Casson Leighton wrote:
> >
> > ah: the 1000 should actually be 0x10000...
>
> Uh-oh. You do realize that if you change this in the code it will
> break all existing normal user profiles since the RID is embedded
> in the ntuser.dat file, right? Welcome to the bleeding edge
> everyone ;)

OK. I just realized that the entire question about RID's stored in user profiles has really already been answered. There would be a problem with roaming profiles and the "domain admin users" parameters if the RID wasn't stored in the profile.

Here's a quick way ( which I just tested ) to verify that the RID ( actually I believe the entire SID ) is stored in the user profile.

- add an entry to smb.conf for "domain admin users = . This username should have no previously established roaming profile located anywhere.
- Log in to the NT box, make some changes and then logout. You can use the registry to verify the user's account SID if you wish. If you are in doubt that the changes stuck then log in again to just see.
- Remove the "domain admin users" entry from smb.conf
- Log back in to the NT box.

After the last step, run the registry editor and notice that the account SID is different ( normal users are unix uid + 1000 ). Notice also that you will have the default user profile. Add the "domain admin users" entry back into smb.conf and "viola!", you will have your profile back.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 ) From lkcl at switchboard.net Wed May 27 18:22:34 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805271650.MAA29170@shire.ssi.softway.com> Message-ID: On Wed, 27 May 1998, Mark Funkenhauser wrote: > > > > what about group rids? > > ... are treated just like user RIDs. They share the same number space. > If you create a new local group (via UserManager), the RID for this > group is sequentially after the last user (or group) RID available. > For me, the last user was RID=1009 and when I created the new > local group, it got RID=1010. exactly, so with pre-existing unix uids and unix groups, we need a system that maps these into some proprietary RID space. given that the uid and gid numbers both count from zero, this is going to be a lot of fun to work out. even if it means creating a file to maintain the mapping.... From paul at argo.demon.co.uk Wed May 27 17:30:33 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: Your message of "Thu, 28 May 1998 03:44:21 +1000." <356C4C15.A8BF5113@whistle.com> Message-ID: <199805271830.TAA06120@argo.demon.co.uk> jallison@whistle.com said: > Gerald Carter wrote: > Gerald Carter wrote: > > > > Luke Kenneth Casson Leighton wrote: > > > > > > ah: the 1000 should actually be 0x10000... > > > > Uh-oh. You do realize that if you change this in the code it will > > break all existing normal user profiles since the RID is embedded > > in the ntuser.dat file, right? Welcome to the bleeding edge everyone ;) > > > > Ah, good thing I didn't just fix that as part of another > checkin. I knew it should have been 0x1000 I believe www.sysinternals.com's SID changer could be used as a migration tool. I think it loads all the user hives that are available. 
Paul From paul at argo.demon.co.uk Wed May 27 17:27:44 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: Your message of "Thu, 28 May 1998 03:47:33 +1000." <356C4D24.916CE2E9@whistle.com> Message-ID: <199805271827.TAA06104@argo.demon.co.uk> jallison@whistle.com said: > Indeed I'm going to remove the 'domain sid' parameter > before then (that'll break *everyone's* smb.conf files :-) NO! Don't do that. I was going to mention this earlier when you introduced it, but I didn't since you didn't remove the option to do it manually. Unix isn't NT. On Unix I like to have control over what happens. I don't like "management by broadcast" and "management by random number generation" which is half of what NT is all about. If I want to configure my DHCP server or my Samba PDC to allocate mappings that perhaps have a larger significance, I can do it. Why is 1-5-21-32423423-2342312-123213 better than 1-5-21-192-168-59 which happens to also indicate which subnet the PDC is for? (to give but one contrived example) Paul From william at hae.com Wed May 27 18:44:46 1998 From: william at hae.com (William Stuart) Date: Tue Dec 2 02:24:12 2003 Subject: q163846 Message-ID: I don't know if you guys have seen this, but I thought it might be helpful: ftp://ftp.microsoft.com/bussys/winnt/kb/q163/8/46.txt --- William Stuart (william@hae.com) "If Netscape is giving their software away, how do they make money?" "Volume." From william at hae.com Wed May 27 18:46:44 1998 From: william at hae.com (William Stuart) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805271827.TAA06104@argo.demon.co.uk> Message-ID: Paul-- I believe we are going to retain the ability to edit the domain.sid file, it just won't appear in the smb.conf. --- William Stuart (william@hae.com) "If Netscape is giving their software away, how do they make money?" "Volume." 
On Thu, 28 May 1998, Paul Ashton wrote: > Date: Thu, 28 May 1998 04:38:07 +1000 > From: Paul Ashton > To: Multiple recipients of list > Subject: Re: Mixed profiles w/Samba-PDC > > > jallison@whistle.com said: > > Indeed I'm going to remove the 'domain sid' parameter > > before then (that'll break *everyone's* smb.conf files :-) > > NO! Don't do that. I was going to mention this earlier when > you introduced it, but I didn't since you didn't remove the > option to do it manually. > > Unix isn't NT. On Unix I like to have control over what > happens. I don't like "management by broadcast" and "management > by random number generation" which is half of what NT is all > about. If I want to configure my DHCP server or my Samba PDC > to allocate mappings that perhaps have a larger significance, > I can do it. Why is 1-5-21-32423423-2342312-123213 better than > 1-5-21-192-168-59 which happens to also indicate which subnet > the PDC is for? (to give but one contrived example) > > Paul > > From paul at argo.demon.co.uk Wed May 27 17:53:16 1998 From: paul at argo.demon.co.uk (Paul Ashton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: Your message of "Wed, 27 May 1998 11:46:44 PDT." Message-ID: <199805271853.TAA06307@argo.demon.co.uk> william@hae.com said: > I believe we are going to retain the ability to edit the domain.sid file, > it just won't appear in the smb.conf. ooops. sorry Jeremy. Paul From cartegw at Eng.Auburn.EDU Wed May 27 18:57:16 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: <199805271827.TAA06104@argo.demon.co.uk> Message-ID: <356C620C.E31D954B@eng.auburn.edu> Paul Ashton wrote: > > jallison@whistle.com said: > > Indeed I'm going to remove the 'domain sid' parameter > > before then (that'll break *everyone's* smb.conf files :-) > > NO! Don't do that. 
I was going to mention this earlier when > you introduced it, but I didn't since you didn't remove the > option to do it manually. > > Unix isn't NT. On Unix I like to have control over what > happens. I don't like "management by broadcast" and "management > by random number generation" which is half of what NT is all > about. If I want to configure my DHCP server or my Samba PDC > to allocate mappings that perhaps have a larger significance, > I can do it. Why is 1-5-21-32423423-2342312-123213 better than > 1-5-21-192-168-59 which happens to also indicate which subnet > the PDC is for? (to give but one contrived example) Then currently you can just edit the generated MACHINE.SID file to change the domain SID. I think Jeremy's purpose was to prevent everyone from setting up S-1-5-21-123-465-789. Given the fact that most of the smb.conf files posted to the mail samba list still have the comments from the Red Hat ( or other ) distribution, it makes sense to me since the ability to manually change it is still there. Not if the contents of MACHINE.SID were some proprietary database named "Tej" of something like that, then I would agree. ;) j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From jallison at whistle.com Wed May 27 18:53:49 1998 From: jallison at whistle.com (Jeremy Allison) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC References: <199805271827.TAA06104@argo.demon.co.uk> Message-ID: <356C613D.59702A98@whistle.com> Paul Ashton wrote: > > jallison@whistle.com said: > > Indeed I'm going to remove the 'domain sid' parameter > > before then (that'll break *everyone's* smb.conf files :-) > > NO! Don't do that. 
I was going to mention this earlier when
> you introduced it, but I didn't since you didn't remove the
> option to do it manually.
>
> Unix isn't NT. On Unix I like to have control over what
> happens. I don't like "management by broadcast" and "management
> by random number generation" which is half of what NT is all
> about. If I want to configure my DHCP server or my Samba PDC
> to allocate mappings that perhaps have a larger significance,
> I can do it. Why is 1-5-21-32423423-2342312-123213 better than
> 1-5-21-192-168-59 which happens to also indicate which subnet
> the PDC is for? (to give but one contrived example)
>

I agree with you about NT.

Removing the domain sid parameter from smb.conf won't stop you
hand configuring the SID though. The machine SID is now stored
in the MACHINE.SID file in *exactly* the same (ascii) format it
would be in the smb.conf file (eg. S-1-5-21-192-168-59 to use
your example).

The reason I want to remove the parameter from the smb.conf is
that changing a machine SID is not something to be done lightly,
whilst you're editing a new share (for example), as it would
break many things. Moving the SID into a separate file, whose
existence you have to know of and hand edit to do exactly what
you want fixes this problem.

For the people who don't care (90%), the file is generated using
random numbers, for the people who do, they can create it
themselves - that's the power of UNIX :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
-------------------------------------------------------- From lkcl at switchboard.net Thu May 28 11:29:04 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805271827.TAA06104@argo.demon.co.uk> Message-ID: On Thu, 28 May 1998, Paul Ashton wrote: > > jallison@whistle.com said: > > Indeed I'm going to remove the 'domain sid' parameter > > before then (that'll break *everyone's* smb.conf files :-) > > NO! Don't do that. I was going to mention this earlier when > you introduced it, but I didn't since you didn't remove the > option to do it manually. ok, so we document it as "dire warning: do not mess with / use this parameter unless you know what you are doing". alternatively, we allow it in as a compile-time option. From lkcl at switchboard.net Thu May 28 11:33:44 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: q163846 In-Reply-To: Message-ID: yes i was aware of these numbers: they are listed in winnt.h and i have added them to samba. "domain groups = " parameter for example. On Thu, 28 May 1998, William Stuart wrote: > I don't know if you guys have seen this, but I thought it might be > helpful: > > ftp://ftp.microsoft.com/bussys/winnt/kb/q163/8/46.txt > > --- > William Stuart (william@hae.com) > "If Netscape is giving their software away, how do they make money?" > "Volume." why do they not ask the same question of microsoft? From lkcl at switchboard.net Thu May 28 11:34:44 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: Message-ID: On Thu, 28 May 1998, William Stuart wrote: > Paul-- > > I believe we are going to retain the ability to edit the domain.sid file, > it just won't appear in the smb.conf. good point: this is good. 
ok, and a dire warning in domain.sid is automatically added saying "don't
mess with this unless you know what you are doing!"?

From mp at agymk.mumszki.hu Thu May 28 14:15:46 1998
From: mp at agymk.mumszki.hu (Martha Peter)
Date: Tue Dec 2 02:24:12 2003
Subject: User level share on clients
Message-ID:

Hi all!

I'm new to this list, but i have read the archives and the FAQ. I haven't
found any solutions for my problem. (it may be my fault)
I've created a samba PDC, and it works fine except... On the clients i
cannot create shares for users. I mean when i try to create a share i try
to specify which users can access that share, but the windowsNT WS cannot
get the user list from the samba server. The error: client can't access
users' list in domain SAMBA now, try again later (or something like that)
I'd be glad if somebody can help me out.

Best wishes,
MP

From cartegw at Eng.Auburn.EDU Thu May 28 14:31:23 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:12 2003
Subject: User level share on clients
References:
Message-ID: <356D753B.8C11D556@eng.auburn.edu>

Martha Peter wrote:
>
> I've created a samba PDC, and it works fine except... On the clients i
> cannot create shares for users. I mean when i try to create a share i
> try to specify which users can access that share, but the windowsNT WS
> cannot get the user list from the samba server. The error: client
> can't access users' list in domain SAMBA now, try again later (or
> something like that) I'd be glad if somebody can help me out.

You are correct. Samba does not currently support the browsing of user
accounts in the domain. Therefore all shares you create will have the
permission set to "Everyone (all)". The only security you will have is
the security of the file system (ie. don't use FAT ). Same problem as
using Windows 95 user-level security.

It's low priority at the moment.
Hope this helps,

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Thu May 28 14:32:08 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: User level share on clients
In-Reply-To:
Message-ID:

hi martha,

yes: correct. you cannot currently use a samba PDC to gain user / group
lists to allow share accesses like that. it's on the TODO list (for win95
at least).

luke

On Fri, 29 May 1998, Martha Peter wrote:

> Hi all!
>
> I'm new to this list, but i have read the archives and the FAQ. I haven't
> found any solutions for my problem. (it may be my fault)
> I've created a samba PDC, and it works fine except... On the clients i
> cannot create shares for users. I mean when i try to create a share i try
> to specify which users can access that share, but the windowsNT WS cannot
> get the user list from the samba server. The error: client can't access
> users' list in domain SAMBA now, try again later (or something like that)
> I'd be glad if somebody can help me out.
>
> Best wishes,
> MP
>
>

From cartegw at Eng.Auburn.EDU Thu May 28 16:06:50 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:12 2003
Subject: Changing machine accounts
Message-ID: <356D8B99.59714F49@eng.auburn.edu>

Has anyone else seen this message in the system event log?

EventID 3224
Changing machine account password for account CLOVER$ failed
with the following error: The credentials supplied conflict with
an existing set of credentials.

The EventLog shows that no one was logged into the system at the time
the event was recorded.

Ideas? Suggestions?
j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From lkcl at switchboard.net Thu May 28 16:43:27 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:12 2003
Subject: Changing machine accounts
In-Reply-To: <356D8B99.59714F49@eng.auburn.edu>
Message-ID:

On Fri, 29 May 1998, Gerald Carter wrote:

> Has anyone else seen this message in the system event log?
>
> EventID 3224
> Changing machine account password for account CLOVER$ failed
> with the following error: The credentials supplied conflict with
> an existing set of credentials.

damn: this means that we have a password change problem / corruption or
something.

From jallison at whistle.com Thu May 28 17:05:43 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:12 2003
Subject: Changing machine accounts
References: <356D8B99.59714F49@eng.auburn.edu>
Message-ID: <356D9967.191E64A9@whistle.com>

Gerald Carter wrote:
>
> Has anyone else seen this message in the system event log?
>
> EventID 3224
> Changing machine account password for account CLOVER$ failed
> with the following error: The credentials supplied conflict with
> an existing set of credentials.
>
> The EventLog shows that no one was logged into the system at the time
> the event was recorded.
>
> Ideas? Suggestions?

Did you cvs update within the last day or so ?

I added code to smbd that would detect when the machine password
was older than a configurable time (by default 7 days, as NT does)
and then will attempt to change the password inside the smbd idle
loop (ie. when a user isn't doing anything). And yes it takes care
of multiple smbd's noticing the password needs changing at the
same time :-).
I tested the code here before committing, and it correctly
changed the UNIX machine password to the PDC whilst a user
was using Samba on the UNIX box.

Have you taken a look in the UNIX smbd log - any
machine password change errors will be logged at
debug level 0 so you should always see them.

Check if the CLOVER attempted a password change
at the time given in the eventlog, and see if you
can figure out why the NT PDC was saying that.

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From william at hae.com Thu May 28 17:27:29 1998
From: william at hae.com (William Stuart)
Date: Tue Dec 2 02:24:12 2003
Subject: Changing machine accounts
In-Reply-To: <356D8B99.59714F49@eng.auburn.edu>
Message-ID:

I seem to recall seeing this message when I was not logged into the
domain, but a local workstation as a standard user. I got it when I was
logging into a share, I gave it the local administrator username and
password. This was a non-samba environment. All machines were NT.

---
William Stuart (william@hae.com)
"If Netscape is giving their software away, how do they make money?"
"Volume."

On Fri, 29 May 1998, Gerald Carter wrote:

> Date: Fri, 29 May 1998 02:12:50 +1000
> From: Gerald Carter
> To: Multiple recipients of list
> Subject: Changing machine accounts
>
> Has anyone else seen this message in the system event log?
>
> EventID 3224
> Changing machine account password for account CLOVER$ failed
> with the following error: The credentials supplied conflict with
> an existing set of credentials.
>
> The EventLog shows that no one was logged into the system at the time
> the event was recorded.
>
> Ideas? Suggestions?
> > > j- > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) > From trep at dem.qc.ca Thu May 28 17:33:07 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: from "Luke Kenneth Casson Leighton" at May 27, 98 04:03:03 pm Message-ID: <199805281733.NAA06599@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 708 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980528/5f7944ff/attachment.bat From lkcl at switchboard.net Thu May 28 17:41:48 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <199805281733.NAA06599@ursula.dem.qc.ca> Message-ID: On Thu, 28 May 1998, Pierre-Jules Tremblay wrote: > > > On Wed, 27 May 1998, Pierre-Jules Tremblay wrote: > > > I already tried this but it had no > > > effect. > > > > hmmm... > > > > Okay, I had tried the following in smb.conf at the time: > > domain groups = admins > > Which did not seem to affect anything at all. And after reading the > BRANCH_NTDOM smb.conf.5 man page, and a file about which sids and rids > are defined, I tried this: > > domain groups = 512 544 > > where 512 is the Domain group id for Administrators and 544 is the > Local group id for Administrators. Now, every user gets Administrator > priviledges upon login, which in my case is preferable to the > converse. > > Is there currently a way to assign these rids on a per user basis? include = smb.conf.%U. or .%g. 
whatever you like From cartegw at Eng.Auburn.EDU Thu May 28 17:56:12 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:12 2003 Subject: Changing machine accounts References: <356D8B99.59714F49@eng.auburn.edu> <356D9967.191E64A9@whistle.com> Message-ID: <356DA53C.1C99D92D@eng.auburn.edu> Jeremy Allison wrote: > > Did you cvs update within the last day or so ? Last update on May 26 16:20 GMT-5.0. However, the event was record on May 21 and another machine also recorded the same event ( except for that machine ) on May 25. The version of smbd Samba running at that time would have been compiled on May 20. > Have you taken a look in the UNIX smbd log - any > machine password change errors will be logged at > debug level 0 so you should always see them. The log files are set to log.%m and I didnt see any messages there. The fact that two smbd processes running as root are connected to the NT box wouldn't be unusual would it? I have noticed this behaviour before but didn't worry about it. I'm guessing on of them is for the domain connection. Could they both be trying to change the password? > Check if the CLOVER attempted a password change > at the time given in the eventlog, and see if you > can figure out why the NT PDC was saying that. I am noticing a lot of core dumps going on an INVALID PIPE HANDLE error. However, the core dump size was limited to 0 bytes ( not to save the file ) so I don't have the core files to debug. I will go back and change this. See what I can do to track things down. Unless this is a familar problem which you have already solved. Thanks again for the help, j- ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." 
- Sting "Message in a Bottle" ( 1979 )

From jallison at whistle.com Thu May 28 20:34:07 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:12 2003
Subject: Mixed profiles w/Samba-PDC
References: <199805271614.MAA28867@shire.ssi.softway.com>
Message-ID: <356DCA3F.3D4B3193@whistle.com>

Mark Funkenhauser wrote:
>
> So, if the Samba PDC is to work with the POSIX subsystem(s)
> (the MS POSIX subsystem is *not* the only commercial POSIX subsystem
> implementation)
> it has to ensure that RID's do not get any larger than 0x100000.
>

Hmmm. That's going to be a problem I think. Currently,
we plan to encode the UNIX account type (user or group)
in the RID, using the top 4 bits. We have to do this as
we need to determine, given a RID from an NT box, whether
this maps back to a UNIX uid_t or gid_t.

I suppose we could always encode the account type info
in the bottom bits instead, so the RID encoding would look
like (in big-endian format):

  <----20 bits--------->|<-12 bits-->|
  +----------------+----+------------+
  | uid_t or gid_t+1    |'known' user|
  +----------------+----+------------+
                   or   |account type|
                        +------------+

If the top 20 bits are 0 - then it's a 'well
known account', if the top 20 bits are != 0
then the account type (UNIX user or group)
is encoded in the bottom 4 bits.

This is still a bit tight for your POSIX
subsystem though, as it only gives 0xFFF
unique UNIX users or groups.

What does your POSIX subsystem do if it gets
a RID >0x100000 as a primary domain rid ?
This is looking increasingly likely...... :-(.

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
-------------------------------------------------------- From trep at dem.qc.ca Thu May 28 22:25:45 1998 From: trep at dem.qc.ca (Pierre-Jules Tremblay) Date: Tue Dec 2 02:24:12 2003 Subject: Changing machine accounts In-Reply-To: from "Luke Kenneth Casson Leighton" at May 29, 98 02:44:04 am Message-ID: <199805282225.SAA10957@ursula.dem.qc.ca> A non-text attachment was scrubbed... Name: not available Type: text Size: 684 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/19980528/2bd90445/attachment.bat From matthew at law.usyd.edu.au Fri May 29 03:25:30 1998 From: matthew at law.usyd.edu.au (Matthew Geier) Date: Tue Dec 2 02:24:12 2003 Subject: A small sucess Message-ID: <199805290325.NAA03458@janus.law.usyd.edu.au> After running the CVS head version of samba for a few weeks. (Last updated about a week ago) and lurking for a while I finally got an NT client up to test. A minor sucess for me, followed the FAQ instructions and my NT machine did attach to the samba server and I can login fine.samba-ntdom. I only did it today so Ive not had time for the machine password to expire yet!:-) Ive got a include = /usr/local/samba/lib/smb.%M.conf hack in place to make my machine require encrypted passwords, but not every one else. (Their passwords are probably still being 'update encrypted'.) My only problem seems to be a name mangling bug in the current CVS tree, its affecting some of my win16 and dos scripts under Win95.... -- Matthew Geier, matthew@law.usyd.edu.au Computer Systems Manager, +61 2 9351 0240 Law School, University of Sydney +61 2 9351 0200 (fax) From gavle at datakunskap.se Fri May 29 09:32:50 1998 From: gavle at datakunskap.se (Mattias Lorvi-Ericson) Date: Tue Dec 2 02:24:12 2003 Subject: System Policies? Message-ID: <01BD8AED.A647FDA0@du206-242.ppp.algonet.se> Is it possible to use system policies on a Samba-server? I'm using about 50 95-boxes to logon to my Samba-PDC. 
The thing I'd like to do is to forbid users to run some programs on their machines...

Regards
/Fredric Norr?

From awilliam at whitemice.org Fri May 29 06:35:58 1998
From: awilliam at whitemice.org (Adam Williams)
Date: Tue Dec 2 02:24:12 2003
Subject: System Policies?
In-Reply-To: root "System Policies? (fwd)" (May 29, 6:31am)
References:
Message-ID: <9805290635.ZM2845@estate1.whitemice.org>

On May 29, 6:31am, root wrote:
>
> Is it possible to use system policies on a Samba-server?
> I'm using about 50 95-boxes to logon to my Samba-PDC.
> The thing I'd like to do is to forbid users to run some programs on their machines...
>

Yes, you just need to install "poledit" off the Windows 95 CD, and use it
to create a policy file in the netlogon directory, and point all the PC's
to update their registry from that directory. Easy, works great. But set
the permission on the Config.pol file so only admins can read or write it.

From janet at bioss.sari.ac.uk Fri May 29 11:10:39 1998
From: janet at bioss.sari.ac.uk (Janet Dickson)
Date: Tue Dec 2 02:24:12 2003
Subject: Win95 and encrypted passwords
References: <19980529043705Z12590425-28719+2@samba.anu.edu.au>
Message-ID: <356E97AF.A06146C@bioss.sari.ac.uk>

Hi

I've set up a Win95 box to use the NTDOM Samba stuff and applied the
patches to get it to send encrypted passwords. Does anyone know how to
get back to sending un-encrypted passwords - I want the machine to go
back to using the Samba server running 1.9.18p7 ?

Janet
--
***************************************************************************
Janet Dickson | http://www.bioss.sari.ac.uk/~janet
Biomathematics and Statistics Scotland | email: janet@bioss.sari.ac.uk
The King's Buildings, Mayfield Rd | Telephone: +44 (0) 131 650 4888
Edinburgh EH9 3JZ, Scotland, UK.
| Fax: +44 (0) 131 650 4901 *************************************************************************** From lkcl at switchboard.net Fri May 29 12:10:20 1998 From: lkcl at switchboard.net (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:24:12 2003 Subject: Mixed profiles w/Samba-PDC In-Reply-To: <356DCA3F.3D4B3193@whistle.com> Message-ID: On Fri, 29 May 1998, Jeremy Allison wrote: > Mark Funkenhauser wrote: > > > > So, if the Sambe PDC is to work with the POSIX subsystem(s) > > (the MS POSIX subsytem is *not* the only commercial POSIX subsystem > > implementation) > > it has to ensure that RID's do not get any larger than 0x100000. > > > > Hmmm. That's going to be a problem I think. Currently, > we plan to encode the UNIX account type (user or group) > in the RID, using the top 4 bits. We have to do this as > we need to determine, given a RID from an NT box, whether > this maps back to a UNIX uid_t or gid_t. um... there is at least one other method i can think of, which is not very optimal but i think microsoft have this base already covered and i think you will find that it is not a problem. to confirm this, can anyone tell me if there is a Lose32 function that says "what kind of RID is this? a user, group, alias or other?" the non-optimal method is to simply search the entire (SEPARATE) user rid database and the entire (SEPARATE) group rid database. note that the group rid database does not exist, and one instance of the user rid database is private/smbpasswd+private/samdb. when you get a RID in a structure returned from a lookup or enumeration, it is already marked with an ENUM which tells you what kind of RID it is, in that structure. therefore, jeremy, your suggestion is an optimisation that a) may be unnecessary b) may cause problems as you outline below. 
> > I suppose we could always encode the account type info > in the bottom bits instead, so the RID encoding would look > like (in big-endian format): > > <----20 bits--------->|<-12 bits-->| > +----------------+----+------------+ > | uid_t or gid_t+1 |'known' user| > +----------------+----+------------+ > or |account type| > +------------+ > > If the top 20 bits are 0 - then it's a 'well > known account', if the top 20 bits are != 0 > then the account type (UNIX user or group) > is encoded in the bottom 4 bits. > > This is still a bit tight for your POSIX > subsystem though, as it only gives 0xFFF > unique UNIX users or groups. > > What does your POSIX subsystem do if it gets > a RID >0x100000 as a primary domain rid ? > This is looking increasingly likely...... :-(. > > Cheers, > > Jeremy. > > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- > From caesmb at lab2.cc.wmich.edu Fri May 29 12:23:58 1998 From: caesmb at lab2.cc.wmich.edu (CAE Samba Admin) Date: Tue Dec 2 02:24:12 2003 Subject: System Policies? In-Reply-To: <01BD8AED.A647FDA0@du206-242.ppp.algonet.se> Message-ID: > Is it possible to use system policies on a Samba-server? > I'm using about 50 95-boxes to logon to my Samba-PDC. > The thing I'd like to do is to forbid users to run some programs on their machines... I'm doing it with NT, I had some difficulties getting 95 to take the policies though. From cartegw at Eng.Auburn.EDU Fri May 29 12:36:58 1998 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:24:13 2003 Subject: A small sucess References: <199805290325.NAA03458@janus.law.usyd.edu.au> Message-ID: <356EABE9.AAB10D5F@eng.auburn.edu> Matthew Geier wrote: > > My only problem seems to be a name mangling bug in the current CVS > tree, its affecting some of my win16 and dos scripts under Win95.... 
Jeremy has been working on the NT wildcard code. Check out the latest
code and see if that fixes things.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Fri May 29 13:14:47 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:13 2003
Subject: Win95 and encrypted passwords
References: <356E97AF.A06146C@bioss.sari.ac.uk>
Message-ID: <356EB4C7.A4E64398@eng.auburn.edu>

Janet Dickson wrote:
>
> I've set up a Win95 box to use the NTDOM Samba stuff and applied the
> patches to get it to send encrypted passwords. Does anyone know how to
> get back to sending un-encrypted passwords - I want the machine to go
> back to using the Samba server running 1.9.18p7 ?
>

See the docs/Win95*reg file with the standard distribution

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From twinders at SPC.cc.tx.us Fri May 29 14:18:58 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
Message-ID:

I just noticed this and am questioning the security implications. I have
the following in smb.conf

admin users = twinders
domain admin users = twinders

When I login to Win95/WinNT with the twinders username and correct
password, any files created on the Samba server are owned root and group
system. This is under Digital Unix 4.0D and CVS HEAD from 5/24. Can
anyone explain why these files should be root owned instead of user owned?
=== Tim

---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From tridge at samba.anu.edu.au Fri May 29 14:50:17 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To: (message from Tim Winders on Sat, 30 May 1998 00:19:53 +1000)
References:
Message-ID: <19980529145025Z12583760-1055+120@samba.anu.edu.au>

> I just noticed this and am questioning the security implications. I have
> the following in smb.conf
>
> admin users = twinders
> domain admin users = twinders
>
> When I login to Win95/WinNT with the twinders username and correct
> password, any files created on the Samba server are owned root and group
> system. This is under Digital Unix 4.0D and CVS HEAD from 5/24. Can
> anyone explain why these files should be root owned instead of user owned?

this is explained in the smb.conf man page.

It is tempting to remove this option completely as so many people seem
to just assume it works like the NT equivalent does. It really isn't a
very useful option. Jeremy, what do you think? remove it?

-----
.SS admin users (S)

This is a list of users who will be granted administrative privileges
on the share. This means that they will do all file operations as the
super-user (root).

You should use this option very carefully, as any user in this list
will be able to do anything they like on the share, irrespective of
file permissions.
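
Added example (not part of any message in this thread, and not Samba code): a Python check that lists every share on which the `admin users` setting described in the man page text above makes the named users operate as root, including shares that only inherit it from [global]. The sample smb.conf and the function names are constructed for illustration.

```python
import re

# Constructed sample smb.conf for this example (not taken from the thread).
SAMPLE_SMB_CONF = """\
; constructed sample for the audit below
[global]
   workgroup = SAMBA
   admin users = twinders

[homes]
   read only = no

[projects]
   path = /export/projects
   Admin Users = alice, @wheel \\
                 bob

[public]
   path = /export/public
   admin users =
"""


def _normalise(name):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_parameter: value}} for smb.conf text."""
    sections = {}
    current = None
    pending = ""  # holds a line that ended with a continuation backslash
    for raw in text.splitlines():
        stripped = raw.strip()
        # Comment and blank lines only count when not inside a continuation.
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][_normalise(name)] = value.strip()
    return sections


def shares_running_as_root(text):
    """Map each share to the users that 'admin users' turns into root there.

    A value in [global] is the default for every share; a share-level value,
    even an empty one, replaces that default.
    """
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("adminusers", "")
    findings = {}
    for section, params in conf.items():
        if section == "global":
            continue
        value = params.get("adminusers", default)
        users = [u for u in re.split(r"[,\s]+", value) if u]
        if users:
            findings[section] = users
    return findings


if __name__ == "__main__":
    for share, users in shares_running_as_root(SAMPLE_SMB_CONF).items():
        print(f"[{share}] file operations run as root for: {', '.join(users)}")
```
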
From twinders at SPC.cc.tx.us Fri May 29 15:00:38 1998 From: twinders at SPC.cc.tx.us (Tim Winders) Date: Tue Dec 2 02:24:13 2003 Subject: Admin equiv creates root owned files In-Reply-To: <19980529145025Z12583760-1055+120@samba.anu.edu.au> Message-ID: On Sat, 30 May 1998, Andrew Tridgell wrote: > > I just noticed this and am questioning the security implications. I have > > the following in smb.conf > > > > admin users = twinders > > domain admin users = twinders > > > > When I login to Win95/WinNT with the twinders username and correct > > password, any files created on the Samba server are owned root and group > > system. This is under Digital Unix 4.0D and CVS HEAD from 5/24. Can > > anyone explain why these files should be root owned instead of user owned? > > this is explained in the smb.conf man page. > > It is tempting to remove this option completely as so many people seem > to just assume it works like the NT equivalent does. It really isn't a > very useful option. Jeremy, what do you think? remove it? > > ----- > .SS admin users (S) > > This is a list of users who will be granted administrative privileges > on the share. This means that they will do all file operations as the > super-user (root). > > You should use this option very carefully, as any user in this list > will be able to do anything they like on the share, irrespective of > file permissions. I read this, but disagree with how it should work. Is the ONLY thing it does is FILE permissions? Are there other "domain" things that might pop up in the future? 
=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From abs at maunsell.co.uk Fri May 29 15:09:30 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:13 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: ; from Luke Kenneth Casson Leighton on Fri, May 29, 1998 at 03:56:36AM +1000
References:
Message-ID: <19980529160930.51293@maunsell.co.uk>

On Fri, May 29, 1998 at 03:56:36AM +1000, Luke Kenneth Casson Leighton wrote:
>
> On Thu, 28 May 1998, Pierre-Jules Tremblay wrote:
>
> > domain groups = 512 544
> >
> > where 512 is the Domain group id for Administrators and 544 is the
> > Local group id for Administrators. Now, every user gets Administrator
> > privileges upon login, which in my case is preferable to the
> > converse.
> >
> > Is there currently a way to assign these rids on a per user basis?
>
> include = smb.conf.%U. or .%g. whatever you like

I can't get this to work with any variable substitutions other than %m.

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
/_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
/ England. -or- abs@maunsl00.demon.co.uk

From lkcl at switchboard.net Fri May 29 15:17:02 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To:
Message-ID:

On Sat, 30 May 1998, Tim Winders wrote:

> On Sat, 30 May 1998, Andrew Tridgell wrote:
>
> > > I just noticed this and am questioning the security implications. I have
> > > the following in smb.conf
> > >
> > > admin users = twinders
> > > domain admin users = twinders
> > >
> > > When I login to Win95/WinNT with the twinders username and correct
> > > password, any files created on the Samba server are owned root and group
> > > system. This is under Digital Unix 4.0D and CVS HEAD from 5/24. Can
> > > anyone explain why these files should be root owned instead of user owned?
> >
> > this is explained in the smb.conf man page.
> >
> > It is tempting to remove this option completely as so many people seem
> > to just assume it works like the NT equivalent does. It really isn't a
> > very useful option. Jeremy, what do you think? remove it?
> >
> > -----
> > .SS admin users (S)
> >
> > This is a list of users who will be granted administrative privileges
> > on the share. This means that they will do all file operations as the
> > super-user (root).
> >
> > You should use this option very carefully, as any user in this list
> > will be able to do anything they like on the share, irrespective of
> > file permissions.
>
> I read this, but disagree with how it should work. Is the ONLY thing it
> does is FILE permissions? Are there other "domain" things that might pop
> up in the future?

none.

From cartegw at Eng.Auburn.EDU Fri May 29 15:19:44 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
References:
Message-ID: <356ED210.41C9FC95@eng.auburn.edu>

Tim Winders wrote:
>
> > .SS admin users (S)
> >
> > This is a list of users who will be granted administrative
> > privileges on the share. This means that they will do all file
> > operations as the super-user (root).
> >
> > You should use this option very carefully, as any user in this list
> > will be able to do anything they like on the share, irrespective of
> > file permissions.
>
> I read this, but disagree with how it should work. Is the ONLY
> thing it does is FILE permissions? Are there other "domain" things
> that might pop up in the future?

The "admin users" parameter has been around long before the NTDOM
code. Not sure what you mean by 'other "domain" things'...

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From tridge at samba.anu.edu.au Fri May 29 15:20:11 1998
From: tridge at samba.anu.edu.au (Andrew Tridgell)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To: (message from Tim Winders on Fri, 29 May 1998 10:00:38 -0500 (CDT))
References:
Message-ID: <19980529152019Z12583092-1055+132@samba.anu.edu.au>

> I read this, but disagree with how it should work.

as I said, it isn't a very useful option.

> Is the ONLY thing it does is FILE permissions?

almost. It also sets a silly flag so when the client asks for login
info it display "admin user". pointless really.

> Are there other "domain" things that might pop up in the future?

not if we remove the option :)

From abs at maunsell.co.uk Fri May 29 15:24:04 1998
From: abs at maunsell.co.uk (Andy Smith)
Date: Tue Dec 2 02:24:13 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <19980529160930.51293@maunsell.co.uk>; from Andy Smith on Sat, May 30, 1998 at 01:19:39AM +1000
References: <19980529160930.51293@maunsell.co.uk>
Message-ID: <19980529162404.01869@maunsell.co.uk>

On Sat, May 30, 1998 at 01:19:39AM +1000, Andy Smith wrote:
>
> I can't get this to work with any variable substitutions other than %m.

oops, sorry, just got %U working. Still no joy with %G or %g, but I'm
happy enough with %U.

--
_ __ Maunsell Ltd, IT Unit Tel : 0181-663-6565
/_| _/ ( _ '_// 160 Croydon Road, Fax : 0181-663-6723
( |/)(/(/ __)//)/ //) Beckenham, Kent BR3 4DE Email: abs@maunsell.co.uk
/ England. -or- abs@maunsl00.demon.co.uk

From lkcl at switchboard.net Fri May 29 15:42:39 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To: <19980529152019Z12583092-1055+132@samba.anu.edu.au>
Message-ID:

On Sat, 30 May 1998, Andrew Tridgell wrote:

> > I read this, but disagree with how it should work.
>
> as I said, it isn't a very useful option.
>
> > Is the ONLY thing it does is FILE permissions?
>
> almost. It also sets a silly flag so when the client asks for login
> info it display "admin user". pointless really.

weeelll.... ok. using "domain admin users" we should set the flag in the
LsarSamLogon response (which is similar to the ipc.c login info you
mention above).

From twinders at SPC.cc.tx.us Fri May 29 15:48:33 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To:
Message-ID:

On Fri, 29 May 1998, Luke Kenneth Casson Leighton wrote:

> On Sat, 30 May 1998, Tim Winders wrote:
>
> > On Sat, 30 May 1998, Andrew Tridgell wrote:
> >
> > > > I just noticed this and am questioning the security implications. I have
> > > > the following in smb.conf
> > > >
> > > > admin users = twinders
> > > > domain admin users = twinders
> > > >
> > > > When I login to Win95/WinNT with the twinders username and correct
> > > > password, any files created on the Samba server are owned root and group
> > > > system. This is under Digital Unix 4.0D and CVS HEAD from 5/24. Can
> > > > anyone explain why these files should be root owned instead of user owned?
> > >
> > > this is explained in the smb.conf man page.
> > >
> > > It is tempting to remove this option completely as so many people seem
> > > to just assume it works like the NT equivalent does. It really isn't a
> > > very useful option. Jeremy, what do you think? remove it?
> > >
> > > -----
> > > .SS admin users (S)
> > >
> > > This is a list of users who will be granted administrative privileges
> > > on the share. This means that they will do all file operations as the
> > > super-user (root).
> > >
> > > You should use this option very carefully, as any user in this list
> > > will be able to do anything they like on the share, irrespective of
> > > file permissions.
> >
> > I read this, but disagree with how it should work. Is the ONLY thing it
> > does is FILE permissions? Are there other "domain" things that might pop
> > up in the future?
>
> none.
>

So, unless you WANT root file priv there is *NO* reason to use these
options, right?

=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From twinders at SPC.cc.tx.us Fri May 29 15:49:53 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To: <356ED210.41C9FC95@eng.auburn.edu>
Message-ID:

On Fri, 29 May 1998, Gerald Carter wrote:

> Tim Winders wrote:
> >
> > > .SS admin users (S)
> > >
> > > This is a list of users who will be granted administrative
> > > privileges on the share. This means that they will do all file
> > > operations as the super-user (root).
> > >
> > > You should use this option very carefully, as any user in this list
> > > will be able to do anything they like on the share, irrespective of
> > > file permissions.
> >
> > I read this, but disagree with how it should work. Is the ONLY
> > thing it does is FILE permissions? Are there other "domain" things
> > that might pop up in the future?
>
> The "admin users" parameter has been around long before the NTDOM
> code. Not sure what you mean by 'other "domain" things'...

Sorry. There are TWO options I am concerned about. The admin users and
the domain admin users. I guess the admin users is what does the FILE
permissions as root, correct?

=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From twinders at SPC.cc.tx.us Fri May 29 15:52:37 1998
From: twinders at SPC.cc.tx.us (Tim Winders)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To: <19980529152019Z12583092-1055+132@samba.anu.edu.au>
Message-ID:

On Sat, 30 May 1998, Andrew Tridgell wrote:

> > I read this, but disagree with how it should work.
>
> as I said, it isn't a very useful option.
>
> > Is the ONLY thing it does is FILE permissions?
>
> almost. It also sets a silly flag so when the client asks for login
> info it display "admin user". pointless really.
>
> > Are there other "domain" things that might pop up in the future?
>
> not if we remove the option :)
>

I just replied to Jerry, but here is the same/similar question. The admin
users = sets that flag and the file permissions. I guess the Domain Admin
users = is different and is/will be used for different things? Would this
be the equiv of putting the user in the Domain Admins group on NTS 4?
=== Tim
---------------------------------------------------------------------
| Tim Winders, CNE, MCSE | Email: TWinders@SPC.cc.tx.us |
| Network Administrator | Phone: 806-894-9611 x 2369 |
| South Plains College | Fax: 806-897-4711 |
---------------------------------------------------------------------

From jallison at whistle.com Fri May 29 16:22:24 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
References: <19980529152019Z12583092-1055+132@samba.anu.edu.au>
Message-ID: <356EE0C0.B6FDC70B@whistle.com>

Andrew Tridgell wrote:
>
> > I read this, but disagree with how it should work.
>
> as I said, it isn't a very useful option.
>
> > Is the ONLY thing it does is FILE permissions?
>
> almost. It also sets a silly flag so when the client asks for login
> info it display "admin user". pointless really.
>
> > Are there other "domain" things that might pop up in the future?
>
> not if we remove the option :)

Well I know of some sites that use it, unfortunately. It does do exactly
what the man page says, so it isn't really in error. Maybe we should mark
it 'deprecated' and 'to be removed' and add a warning for it in testparm
and wait a couple of releases before we just hack it out.

Ah, backwards compatibility, both Microsoft & Samba wish it didn't
exist :-).

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Fri May 29 16:26:37 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:13 2003
Subject: Mixed profiles w/Samba-PDC
References:
Message-ID: <356EE1BD.6F8B2655@whistle.com>

Luke Kenneth Casson Leighton wrote:
>
>
> when you get a RID in a structure returned from a lookup or enumeration,
> it is already marked with an ENUM which tells you what kind of RID it is,
> in that structure.
>
> therefore, jeremy, your suggestion is an optimisation that a) may be
> unnecessary b) may cause problems as you outline below.
>

But there's *just* one case you missed (of course that happens
to be the most important case for a file server :-). That's the
case where you get a SID as part of an NT ACL.

In that case you just get a list of SIDs, and the ACL
is in self relative format. Unfortunately an ACL can
contain both user and group SIDs - and there's *no*
extra flag that tells the two apart.

So my suggestion is still necessary I'm afraid.

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From jallison at whistle.com Fri May 29 16:46:15 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:13 2003
Subject: A small sucess
References: <199805290325.NAA03458@janus.law.usyd.edu.au>
Message-ID: <356EE657.9EB73279@whistle.com>

Matthew Geier wrote:
>
> My only problem seems to be a name mangling bug in the current CVS tree,
> its affecting some of my win16 and dos scripts under Win95....
>

Can you give a bug report on the mangling problem please ?

Chris re-wrote the name mangling code between the last
1.9.18 release and the head branch. His tests showed
that it had exactly the same behaviour as the older
branch (but was faster).

Could you explain the mangling semantics you require ?
Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------

From tas at microdisplay.com Fri May 29 17:00:07 1998
From: tas at microdisplay.com (Todd Stiers)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
Message-ID: <356EE997.42E8FD62@microdisplay.com>

Hi,

I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
repeat),
but it reads wonderfully.

I can't find the new DOCS on the "domain admin" /etc options.

I suspect a permissions problem on the Linux side, though its all
chmod'd 777,
in /usr/local/samba/profiles:

drwxrwxrwx 4 root root 1024 May 26 14:50 profiles/

It was suggested I post my smb.conf - here it is:

[global]
   workgroup = MICRODISWORK
   domain sid = S-1-5-21-1016038973-2536072266-1649160573
   domain admin users = tas backup
   server string = Samba Server On Ebola TESTING
   debug level = 20
   load printers = yes
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY
   local master = yes
   os level = 33
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %U.bat
   logon path = \\%L\Profiles\%U
   wins support = yes
   dns proxy = no

[netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/netlogon
   guest ok = yes
   writable = no
   share modes = no

[Profiles]
   path = /usr/local/samba/profiles
   browseable = no
   guest ok = no


Thanks BTW, I am enjoying the list.

I would think that making users and groups browsable for workstations
should be a priority btw - its totally useful.

Any need or desire for Perl codework?

(I would die laughing to see Perl based servers replace NT Server...)
-Todd

[--- [--- [--- [--- [--- [--- [--- [---
Todd Stiers
Systems Administrator
The MicroDisplay Corporation
(510)243-9515x129
http://www.microdisplay.com
---] ---] ---] ---] ---] ---] ---] ---]

From lkcl at switchboard.net Fri May 29 18:10:31 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To:
Message-ID:

> So, unless you WANT root file priv there is *NO* reason to use these
> options, right?

absolutely correct.

From lkcl at switchboard.net Fri May 29 18:12:57 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Admin equiv creates root owned files
In-Reply-To:
Message-ID:

> users = sets that flag and the file permissions. I guess the Domain Admin
> users = is different and is/will be used for different things? Would this
> be the equiv of putting the user in the Domain Admins group on NTS 4?

correct. nothing else, either.

From cartegw at Eng.Auburn.EDU Fri May 29 18:29:16 1998
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
References: <356EE997.42E8FD62@microdisplay.com>
Message-ID: <356EFE7C.FCC22432@eng.auburn.edu>

Todd Stiers wrote:
>
> I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
> repeat),
> but it reads wonderfully.
>
> I can't find the new DOCS on the "domain admin" /etc options.

Do you get any error messages? Does any of the profile save? I'm
wondering if it is a matter of case on the file names and settings in
smb.conf. Just a hunch.

j-
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From matthew at law.usyd.edu.au Fri May 29 21:09:39 1998
From: matthew at law.usyd.edu.au (Matthew Geier)
Date: Tue Dec 2 02:24:13 2003
Subject: A small sucess
In-Reply-To: <356EE657.9EB73279@whistle.com> from "Jeremy Allison" at May 29, 98 09:46:15 am
Message-ID: <199805292109.HAA16851@janus.law.usyd.edu.au>

>
> Matthew Geier wrote:
>
> >
> > My only problem seems to be a name mangling bug in the current CVS tree,
> > its affecting some of my win16 and dos scripts under Win95....
> >
>
> Can you give a bug report on the mangling problem please ?
>
> Chris re-wrote the name mangling code between the last
> 1.9.18 release and the head branch. His tests showed
> that it had exactly the same behaviour as the older
> branch (but was faster).
>
> Could you explain the mangling semantics you require ?
>

I sent a samba-bugs report in at the time, but the quick answer is, that
something changed between 1.9.18 and the current CVS tree that broke my
setup!.

I have a number of batch scripts that attach to and run database
applications off a Novell server (lots of net use commands). These batch
scripts live in a folder called 'Lib Data'. Windows complains it can't
find the batch file when you try to run it.

eg-

chdir to /u1/pchome
unix_clean_name [./APPL/LIB DATA/CASE CITATORS/HYPERCITE-CASE CITATIONS.BAT]
Got dir cache hit on . APPL -> appl
Got dir cache hit on appl LIB DATA -> Lib Data
Got dir cache hit on appl/Lib Data CASE CITATORS -> Case Citators
unix_clean_name [appl/Lib Data/Case Citators/Hypercite-case Citations.bat]
1998/05/19 10:34:49 getatr name=appl/Lib Data/Case Citators/Hypercite-case Citations.bat mode=32 size=144

After many more transactions looking for .pif and .ico files it
eventually does -

call_trans2findfirst: dirtype = 19, maxentries = 6, close_after_first=0, close_if_end = 0 requires_resume_key = 0 level = 260, max_data_bytes = 2432
unix_clean_name [./APPL/LIBDA~H/CASEC~8E/HYPER~I1.BAT]
Got dir cache hit on . APPL -> appl
unix_clean_name [appl/LIBDA~H/CASEC~8E/HYPER~I1.BAT]
unix_clean_name [appl/LIBDA~H/CASEC~8E]
1998/05/19 10:34:50 error packet at line 675 cmd=50 (SMBtrans2) eclass=1 ecode=2
error string = No such file or directory

It might be worth noting that creating a symlink in the unix file systems
called LIBDA~H pointing at Lib Data 'fixed' the problem. I assume Samba
failed to turn LIBDA~H back into Lib Data, but it has no problem turning
the other mangled path components back into their real names.

I've since found that Eudora 3's installer didn't like living in a
directory called 'Eudora 3' and using a similar symlink hack made it
happy.

I've also managed to get my home PC under NT to attach to and domain login
to my server at work. After the problems I had with win3.11 logging in
from remote subnets I was expecting it to fail. It took ages, as it
scanned every file in my 'profile' directory on the server, but it worked.
I was even more surprised when my win95 desktop layout (from work)
appeared on my NT workstation at home!

--
Matthew Geier, matthew@law.usyd.edu.au
Computer Systems Manager, +61 2 9351 0240
Law School, University of Sydney +61 2 9351 0200 (fax)

From tas at microdisplay.com Fri May 29 22:58:11 1998
From: tas at microdisplay.com (Todd Stiers)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
References: <356EFE7C.FCC22432@eng.auburn.edu>
Message-ID: <356F3D83.E91F287B@microdisplay.com>

Hi,

> >
> > I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
> > repeat),
> > but it reads wonderfully.
> >
> > I can't find the new DOCS on the "domain admin" /etc options.
>
> Do you get any error messages? Does any of the profile save? I'm
> wondering if it is a matter of case on the file names and settings in
> smb.conf. Just a hunch.
>

Error message on the NT box:

The update of your roaming profile failed.
Please contact your Network Administrator. (65)

(that would be myself)

No files in the profile have altered timestamps or content, all files and
directories are chmod 777.

Have not checked for errors in the log..

Last message after logout, debug level = 20

1998/05/29 15:54:17 error packet at line 4634 cmd=0 (SMBmkdir) eclass=2 ecode=4
size=35
smb_com=0x0
smb_rcls=2
smb_reh=0
smb_err=4
smb_flg=136
smb_flg2=1
smb_tid=76
smb_pid=51966
smb_uid=100
smb_mid=192
smt_wct=0
smb_bcc=0
write_socket(6,39)
write_socket(6,39) wrote 39
unbecome_user now uid=(0,0) gid=(0,0)

Thanks

-Todd

--
[--- [--- [--- [--- [--- [--- [--- [---
Todd Stiers
Systems Administrator
The MicroDisplay Corporation
(510)243-9515x129
http://www.microdisplay.com
---] ---] ---] ---] ---] ---] ---] ---]

From jallison at whistle.com Sat May 30 02:59:00 1998
From: jallison at whistle.com (Jeremy Allison)
Date: Tue Dec 2 02:24:13 2003
Subject: [Fwd: Mixed profiles w/Samba-PDC]
Message-ID: <356F75F3.BE3D89B7@whistle.com>

Here's my current solution to the RID <--> uid/gid mapping
that I've been discussing with the OpenNT people.

It seems to solve most of the RID problems we've been discussing.

These are :

RIDs generated from a Samba PDC will should be <24 bits and must avoid
the well known RID space <1000 and will also be uniquely identifiable
when sent to Samba in an ACL list.

The scheme below takes the bottom 3 bits and OR's the account type into
them, and then adds 1000 to move the generated SID out of the well known
range.

Using the scheme below, root (uid 0) maps into RID 1000. If group wheel
were gid 0 this would map into RID 1001. uid 1 maps to RID 1008, gid 1
maps to RID 1009 etc.

ie. rid = (uid*8) + 1000; rid = (gid*8) + 1001;

Any RID < 1000 is a well known rid.

The RID type (user, group, or machine account) is encoded in the bottom
3 bits.
To convert from a uid to rid :

#define USER_RID_TYPE 0

    rid = (((((uint32)uid)*8) + 1000) | USER_RID_TYPE);

To convert from a gid to rid :

#define GROUP_RID_TYPE 1

    rid = (((((uint32)gid)*8) + 1000) | GROUP_RID_TYPE);

On receipt of a RID, do the following :

    if (rid < 1000)
        ; /* rid is well known. */
    else if ((rid & 7) == USER_RID_TYPE)
        uid = (uid_t)((rid - 1000) / 8);
    else if ((rid & 7) == GROUP_RID_TYPE)
        gid = (gid_t)((rid - 1000) / 8);

I've coded this up and am ready to check it into the main branch.

Speak now - or I'll do the checkin on Monday... :-).

Cheers,

Jeremy.

--
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------
-------------- next part --------------
An embedded message was scrubbed...
From: Jeremy Allison
Subject: Re: Mixed profiles w/Samba-PDC
Date: Fri, 29 May 1998 18:37:26 -0700
Size: 4689
Url: http://lists.samba.org/archive/samba-ntdom/attachments/19980529/b1819dbf/attachment.eml

From mlaurent at eie.fceia.unr.edu.ar Fri May 29 17:53:17 1998
From: mlaurent at eie.fceia.unr.edu.ar (Marcelo E. Laurenti)
Date: Tue Dec 2 02:24:13 2003
Subject: System Policies?
In-Reply-To: <01BD8AED.A647FDA0@du206-242.ppp.algonet.se>
Message-ID:

On Fri, 29 May 1998, Mattias Lorvi-Ericson wrote:

> Is it possible to use system policies on a Samba-server?

Yes, it is. Get the poledit by microsoft

> I'm using about 50 95-boxes to logon to my Samba-PDC.
> The thing I'd like to do is to forbid users to run some programs on their machines...
>
> Regards
> /Fredric Norr?
>

--
Marcelo E. Laurenti
Escuela de Ingenieria Electronica
Fac. de Cs. Exactas e Ingenieria
Universidad Nacional de Rosario

From lkcl at switchboard.net Sat May 30 13:48:17 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356EE1BD.6F8B2655@whistle.com>
Message-ID:

On Fri, 29 May 1998, Jeremy Allison wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> >
> > when you get a RID in a structure returned from a lookup or enumeration,
> > it is already marked with an ENUM which tells you what kind of RID it is,
> > in that structure.
> >
> > therefore, jeremy, your suggestion is an optimisation that a) may be
> > unnecessary b) may cause problems as you outline below.
> >
>
> But there's *just* one case you missed (of course that happens
> to be the most important case for a file server :-). That's the
> case where you get a SID as part of an NT ACL.
>
> In that case you just get a list of SIDs, and the ACL
> is in self relative format. Unfortunately an ACL can
> contain both user and group SIDs - and there's *no*
> extra flag that tells the two apart.

yes: jean francois reminded me of this.

> So my suggestion is still necessary I'm afraid.

your suggestion is merely an optimisation, and the simplest and fastest of
possible optimisations: it's not strictly necessary.

another alternative optimisation is to allocate blocks of RIDs (in groups
of 0x400, for example) and have two files with ranges in them: one which
specifies which batch of 0x400-spaced-out RIDs have been allocated as
group RIDs; the other specifies which have been allocated as user RIDs.

i would expect the group RIDs file to be small; the user RIDs file to be
large(r).

alternatively, given this expectation, write a _function_ which allocates
RIDs on, say, a 100 user rid to 1 group rid basis.

both these two alternatives should start counting from 10000.
luke

From lkcl at switchboard.net Sat May 30 13:48:36 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Mixed profiles w/Samba-PDC
In-Reply-To: <356EE1BD.6F8B2655@whistle.com>
Message-ID:

damn - pressed too many 0s. both alternatives should count up from 1000.

From lkcl at switchboard.net Sat May 30 13:50:39 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
In-Reply-To: <356EE997.42E8FD62@microdisplay.com>
Message-ID:

todd,

On Sat, 30 May 1998, Todd Stiers wrote:

> Hi,
>
> I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
> repeat),
> but it reads wonderfully.

add:

case sensitive = no
case preserve = yes
short case preserve = yes

see what happens: let us know.

luke

>
> I can't find the new DOCS on the "domain admin" /etc options.
>
> I suspect a permissions problem on the Linux side, though its all
> chmod'd 777,
> in /usr/local/samba/profiles:
>
> drwxrwxrwx 4 root root 1024 May 26 14:50 profiles/
>
> It was suggested I post my smb.conf - here it is:
>
> [global]
>    workgroup = MICRODISWORK
>    domain sid = S-1-5-21-1016038973-2536072266-1649160573

oo look! someone chose a decent domain sid!!!

>    domain admin users = tas backup
>    server string = Samba Server On Ebola TESTING
>    debug level = 20
>    load printers = yes
>    log file = /usr/local/samba/var/log.%m
>    max log size = 50
>    security = user
>    encrypt passwords = yes
>    socket options = TCP_NODELAY
>    local master = yes
>    os level = 33
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    logon script = %U.bat
>    logon path = \\%L\Profiles\%U
>    wins support = yes
>    dns proxy = no
>
> [netlogon]
>    comment = Network Logon Service
>    path = /usr/local/samba/netlogon
>    guest ok = yes
>    writable = no
>    share modes = no
>
> [Profiles]
>    path = /usr/local/samba/profiles
>    browseable = no
>    guest ok = no
>
>
> Thanks BTW, I am enjoying the list.
>
> I would think that making users and groups browsable for workstations
> should be a priority btw - its totally useful.
>
> Any need or desire for Perl codework?
>
> (I would die laughing to see Perl based servers replace NT Server...)
>
> -Todd
>
> [--- [--- [--- [--- [--- [--- [--- [---
> Todd Stiers
> Systems Administrator
> The MicroDisplay Corporation
> (510)243-9515x129
> http://www.microdisplay.com
> ---] ---] ---] ---] ---] ---] ---] ---]
>
>
>
>

From lkcl at switchboard.net Sat May 30 14:13:07 1998
From: lkcl at switchboard.net (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:24:13 2003
Subject: [Fwd: Mixed profiles w/Samba-PDC]
In-Reply-To: <356F75F3.BE3D89B7@whistle.com>
Message-ID:

> Here's my current solution to the RID <--> uid/gid mapping
> that I've been discussing with the OpenNT people.

> #define USER_RID_TYPE 0
> #define GROUP_RID_TYPE 1

> Speak now - or I'll do the checkin on Monday... :-).

jeremy i recommend using exactly the same values in the SID_NAME_USE enum
for the XXXX_RID_TYPE defines above that jean-francois posted earlier this
week.

i also would recommend considering the file-based system or simply not
having such a mapping at all, and taking the performance hit when doing a
lookup on a RID (complete search of all RID databases required).

From rob at hydra.demon.co.uk Sat May 30 21:19:11 1998
From: rob at hydra.demon.co.uk (Rob Coward)
Date: Tue Dec 2 02:24:13 2003
Subject: Roaming Profiles Not Saving
Message-ID: <896563496.208336.0@hydra.demon.co.uk>

Have you changed your domain sid recently ? I noticed exactly the same
behaviour a little while back after changing the value of
domain sid = .......

Regards,
Rob

-----Original Message-----
From: Todd Stiers
To: Multiple recipients of list
Date: 29 May 1998 18:41
Subject: Roaming Profiles Not Saving

>Hi,
>
>I can read but not save my NT 4.0 profiles to SAMBA (yes, this is a
>repeat),
>but it reads wonderfully.
>

From jjm at iname.com Sun May 31 12:25:31 1998
From: jjm at iname.com (Johan Meiring)
Date: Tue Dec 2 02:24:13 2003
Subject: Mapping various drive to same share (Was: Re: Mixed profiles w/Samba-PDC)
Message-ID: <19980531122739Z12583064-2975+945@samba.anu.edu.au>

Hi,

Sorry I can not point you to a solution, but I can report that I have seen
this behaviour on an NT4 network with _NO_ samba at all!

Johan


>So far, the only strange thing that has happened is the following.
>The logon script will force everybody to have two network connections:
>F: for their home directory and G: for a public repository. After the
>user has logged in, and as time goes by, drive letters beyond G: get
>mapped to the public repository as well. After several hours, drive
>letters all the way through Z: can end up being mapped to the same
>share. Even when taking out this share from the logon script, it is
>the home directory that gets mapped over and over in this way.

>Could this be related in any way to the profile path I'm using?

>Thanks for your help, all.


>Pierre

------------------------------

From jon at freivald.org Sun May 31 17:28:20 1998
From: jon at freivald.org (Jon Freivald)
Date: Tue Dec 2 02:24:13 2003
Subject: Mapping various drive to same share (Was: Re: Mixed profiles w/Samba-PDC)
Message-ID: <2.2.32.19980531172820.005a10d0@freivald.org>

I've seen this behavior (without Samba involved) using programs that make
repeated "map UNC path to next available drive" calls. Memory is foggy
right now as to what was environment/program (I'm a network engineer, so
have worked on over 500 separate networks in the last 2 years...). If I
run across it in my notes I'll let you know what it was and how we worked
around it.

Jon

At 10:29 PM 5/31/98 +1000, Johan Meiring wrote:
>Hi,
>
>Sorry I can not point you to a solution, but I can report that I have seen
>this behaviour on an NT4 network with _NO_ samba at all!
>
>Johan
>
>
>>So far, the only strange thing that has happened is the following.
>>The logon script will force everybody to have two network connections:
>>F: for their home directory and G: for a public repository. After the
>>user has logged in, and as time goes by, drive letters beyond G: get
>>mapped to the public repository as well. After several hours, drive
>>letters all the way through Z: can end up being mapped to the same
>>share. Even when taking out this share from the logon script, it is
>>the home directory that gets mapped over and over in this way.
>
>>Could this be related in any way to the profile path I'm using?
>
>>Thanks for your help, all.
>
>
>>Pierre
>
>------------------------------
>

--
Jon Freivald
jon@freivald.org -- http://www.freivald.org/~jon

From glauche at plum.de Fri May 1 07:43:44 1998
From: glauche at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:10 2003
Subject: Adding many machine accounts ?
Message-ID: <001201bd74d4$deb16b60$cf3b8286@prangh>

Hi,

is there some easy way to add quite a lot of machine accounts ?
Does the button "add machine account to domain" work ?

regards,
Michael

From mg at plum.de Fri May 22 08:51:33 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:17 2003
Subject: Update Encryted parameter
References: <19990521171609.G743@dimensional.com>
Message-ID: <35653C95.7340EA90@plum.de>

Adrian Goins wrote:
>
> i have a network of 2500+ users and don't want to move everyone over to
> smbpasswd and do all of the password conversions as well, but i'm confused
> as to how the 'update encrypted' parameter works.
>
> i know that it will allow a normal (plaintext) password for login and then
> update the smbpasswd file on its own. should there already be an entry
> for the user in the smbpasswd file? should they have 'NO PASSWORD...' or
> just a row of 32 Xs?
>

The users should be there, with no password set (u can use the convert
utility found in samba)

regards,
Michael

--
NTDOM-FAQ (german) http://www.connection-net.de/linux/samba/

From mg at plum.de Sat May 30 19:35:49 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:23 2003
Subject: Strange problem with winword .dot files
Message-ID: <35705F95.31DA49DE@plum.de>

Hi,

I got a strange problem with winword 95 .dot files. They are located on
our samba server (running cvs 2.1.0-prealpha samba, acting as ntdom
controller). While using win95 clients, we never had any problems, but
with NT no user can use the .dot files on the server, only some strange
error messages occur while reading the .dot file .. any suggestion ?

regards,
Michael

From mg at plum.de Sat May 30 19:38:17 1998
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:26:23 2003
Subject: Printjobs does not get deleted after printing ?
Message-ID: <35706029.62DCDC5@plum.de>

Hi,

got another strange problem with cvs samba : when I try to print (using
lprng) the printjobs stay in the queue. I was wondering why our disks
were full, and I found that there were 5 gb diskspace occupied.

printing = lprng
printcap name = /etc/printcap
print command = /usr/local/bin/lpr -P%p %s -r
lpq command = /usr/local/bin/lpq -P%p
lprm command = /usr/local/bin/lprm -P%p %j

regards,
Michael
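
Added example (not part of the archived messages and not Samba's own code): the RID <--> uid/gid scheme from Jeremy Allison's "[Fwd: Mixed profiles w/Samba-PDC]" message above, written out in C with the inverse mapping computed as (rid - 1000) / 8 and with range checks on both directions. The function names, the RID_UNKNOWN result for type values the message does not define, and the reading of "<24 bits" as "the RID must fit in 24 bits" are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from the message. */
#define RID_BASE       1000u   /* any RID below this is well known */
#define USER_RID_TYPE  0u
#define GROUP_RID_TYPE 1u
#define RID_TYPE_MASK  7u      /* account type lives in the bottom 3 bits */

/* Assumption of this example: "<24 bits" means the RID fits in 24 bits. */
#define RID_LIMIT      0xFFFFFFu

enum rid_kind { RID_WELL_KNOWN, RID_USER, RID_GROUP, RID_UNKNOWN };

/* Largest uid/gid whose RID, with any type bits set, stays under RID_LIMIT. */
static uint32_t max_mappable_id(void)
{
    return (RID_LIMIT - RID_BASE - RID_TYPE_MASK) / 8u;
}

/* uid or gid -> RID. Returns 0 on success, -1 if the type is not one of the
 * two defined in the message or the id is too large to encode (without this
 * check a large id would wrap in the multiply and alias a small one). */
int id_to_rid(uint32_t id, uint32_t type, uint32_t *rid)
{
    if (type != USER_RID_TYPE && type != GROUP_RID_TYPE)
        return -1;
    if (id > max_mappable_id())
        return -1;
    /* RID_BASE is a multiple of 8, so the OR never touches the id bits. */
    *rid = ((id * 8u) + RID_BASE) | type;
    return 0;
}

/* RID -> kind; for user and group RIDs the uid/gid is stored in *id.
 * This is the check needed for SIDs taken from an ACL, where nothing
 * else says whether an entry is a user or a group. */
enum rid_kind rid_to_id(uint32_t rid, uint32_t *id)
{
    uint32_t type = rid & RID_TYPE_MASK;

    if (rid < RID_BASE)
        return RID_WELL_KNOWN;
    if (rid > RID_LIMIT)
        return RID_UNKNOWN;    /* not produced by id_to_rid() */
    if (type != USER_RID_TYPE && type != GROUP_RID_TYPE)
        return RID_UNKNOWN;    /* e.g. machine accounts: value not given */
    /* Undo the encoding in reverse order: remove the base, then the shift. */
    *id = (rid - RID_BASE) / 8u;
    return type == USER_RID_TYPE ? RID_USER : RID_GROUP;
}

int main(void)
{
    /* Constructed sample RIDs; 512 and 544 are the well known group RIDs
     * mentioned earlier in the thread. */
    static const uint32_t sample[] = { 512, 544, 1000, 1001, 1008, 1009, 1002 };
    static const char *names[] = { "well known", "user", "group", "unknown" };
    size_t i;

    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        uint32_t id = 0;
        enum rid_kind k = rid_to_id(sample[i], &id);

        if (k == RID_USER || k == RID_GROUP)
            printf("rid %u -> %s id %u\n", (unsigned)sample[i], names[k],
                   (unsigned)id);
        else
            printf("rid %u -> %s\n", (unsigned)sample[i], names[k]);
    }
    return 0;
}
```
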