From thien_vu at hotmail.com Tue Feb 1 00:19:50 2000
From: thien_vu at hotmail.com (thien_vu@hotmail.com)
Date: Tue Dec 2 02:28:17 2003
Subject: pam_smb, pam_ntdom
Message-ID: <20000201001950.78218.qmail@hotmail.com>

I have tried to install pam_smb, but am unable to get these working. I followed the instructions in INSTALL, but at the linux logon screen, I enter in my username, and it just resets back to the login screen, never prompting for a password.

For the NT server, I am using Samba-TNG and have it set up to accept domain logins. I have also added a machine trust account to itself because both Samba-TNG and the pam_smb modules are running on the same machine. Is this a problem?

For pam_smb, I am using the CVS version 1.9. I was wondering if these modules are still in development, and if anyone has gotten them successfully working.

Thien Vu
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From c.bourgois at chrysoft.com Tue Feb 1 01:10:53 2000
From: c.bourgois at chrysoft.com (Christophe BOURGOIS)
Date: Tue Dec 2 02:28:18 2003
Subject: Samba-TNG
Message-ID: <3896329C.E3DC82FE@chrysoft.com>

Thanks for your rapid answer.
Where can I download Samba-TNG to make a PDC.

XTophe.

From lkcl at samba.org Tue Feb 1 03:00:16 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:18 2003
Subject: [samba-tng] memory corruption. help needed
Message-ID:

i hate these.

using yamd it reports a memory corruption even _before_ i get to the stage i actually wanted to test, which is this:

rpcclient -S samba-tng -U% -l log
[] lsaq
[] createuser workstation$

core-dumps on sam_usersetinfo().

can anyone help, pleeease? i suggest using yamd it's a memory debugger, use freshmeat.net to locate it.

if you can't repro this then recompile like this:

./configure.developer --with-samtdb

this will enable the new sam tdb database i'm slowly chewing through, it's going to take me forever (i.e all week :)

thx,

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From abrooks at css.tayloru.edu Tue Feb 1 04:29:31 2000
From: abrooks at css.tayloru.edu (Aaron D. Brooks)
Date: Tue Dec 2 02:28:18 2003
Subject: NT Workstation duplication
In-Reply-To:
Message-ID:

Hmmm... time for another release of a Taylor University project. Enter the JACAL. (https://sourceforge.net/project/?group_id=1988)

There are certain inherent problems with image duplicating for NT box propagation. While having identical hardware helps immensely with avoiding weird and unusual problems, this is no guarantee. I've had identical machines with very small chip revisions in devices as insignificant as IOMega Zip drives cause BAD systemic problems when machines are duplicated with copying programs such as Ghost.

A year ago myself and my co-worker Joel Martin, created a linux boot disk system which can build any of our lab in about an hour and a half. The build process is a true NT install complete with 75+ applications which serve the CSS and Science divisions which we service. Did I mention that these machines dual boot to linux too and that is part of the build?

The components are the following:

* A boot disk containing only a DHCP kernel-autoconfig NFS root kernel
* an NFS server with the NT i386 image and a base unattend.txt file. This NFS server doesn't necessarily need to be a Linux box. This could be an NT box running WarNFS or something like that if someone wanted to do that.
* a series of perl scripts which, given the machine name and hardware probe information, customize the unattend.txt file
* a perl script which successively launches installation of apps after the initial NT build is complete
* a perl script which installs diffs from Microsoft's SysDiff program (we have really augmented this process if you are rightfully having doubts about the standard SysDiff process)
* a script which does DLL and other file conflict and version resolution
* a SaMBa server which houses the diffs of the applications
* a series of ScriptIt files to install apps that don't SysDiff well (MS IE 5, MS Publisher 2000, MS NT SP 5 (6? not yet baby, not yet), sense a theme. Typically these are things which perform OS upgrades (are apps supposed to do that>??))
* Perl and ActiveState Perl run the system from the Linux and NT sides

This is the only way that our network is manageable. Our hardware is totally heterogeneous, our custom configurations are broad, we need some machines to run all apps on the network, some machines need to run some off of the network and others that need all apps to be local. The system is entirely customizable. A full, proper installation is done, dual booting linux, in about 1-2 hours depending on config. (It used to be under an hour before we started installing MetroWerks Codewarrior and Visual Studio locally for performance reasons.)

Things this system doesn't do right now or could do better:

* Run with little configuration for a novice NT/UN*X admin. This currently requires some know-how. It turns knowledge into power, configuration, and most importantly freed time. (Oh, yeah, and stability -- we control the DLL versions... this really helps out a lot (see MSDN newsletter Jan/Feb 2000, article "The End DLL Hell"))
* Resolve conflicts of registry keys. This is a very rare occurrence since the registry, at least in some manner, compartmentalizes apps' information. Generally we have to hand manipulate any shared path keys in the diff.
  Rare but it would be nice to have done automatically -- does require some level of programmable smarts.
* One word: Multicast -- unicast hurts us the most for performance. The performance is still outstanding considering the sheer volume of apps that we run but if you need a machine redone in 1/2 an hour this project currently isn't for you.

This project is not necessarily tied to SaMBa but if you really want to have an automated network you will want a Linux/UN*X box at the back end and SaMBa makes this all fly smoothly.

Right now JACAL is really only in a usable state for TU. We have had the idea of releasing this all along and have sculpted this to be modular and platform independent. (Yes, in theory this could also do Win95/98/2000, BeOS, or anything else.) We'd like to see this tool work for other people too. It has made our lives much better here. (It takes 25+ hours straight to install all of our apps by hand. Image copying would never work on our diverse hardware.)

Go to the SourceForge URL at the top of the message and subscribe to the jacal-announce listserver if you'd like to follow this project. Better yet, join the jacal-devel and jacal-users and help us move this project from TU to you. ;)

-A.

+-------> Aaron D. Brooks, 765 . 998 . 5168
Computing Systems Resource Manager
Taylor University, CSS Department
abrooks [SHIFT"2"] css.tayloru.edu

From lkcl at samba.org Tue Feb 1 05:08:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:18 2003
Subject: [samba-tng] conversion
Message-ID:

oh! i nearly forgot! there's still srv_reg.c up for grabs, if anyone wants to convert this. particularly in light of that registry code out there.

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mgeddes at xavier.sa.edu.au Tue Feb 1 05:32:25 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:18 2003
Subject: Me again....
Message-ID: <38966FE8.BEB2D339@xavier.sa.edu.au>

Hi,

I'm looking through my log files to find a reason for rpc / trusts not working, and I keep getting the attached message.

I have checked the permissions on the .msrpc directory, as well as the files within. They are all set to either 700 or 600.

Thanks,
Matt

From mgeddes at xavier.sa.edu.au Tue Feb 1 05:55:47 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:18 2003
Subject: [Fwd: (stupid) Me again....]
Message-ID: <38967563.F710BD78@xavier.sa.edu.au>

> Hi,
>
> I'm looking through my log files to find a reason for rpc / trusts not
> working, and I keep getting the attached message.
>
> I have checked the permissions on the .msrpc directory, as well as the
> files within. They are all set to either 700 or 600.
>
> Thanks,
> Matt

This time with the attachment

Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: message.sam
Type: application/vnd.lotus-wordpro
Size: 459 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000201/85b7929a/message.bin

From lkcl at samba.org Tue Feb 1 05:59:35 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:18 2003
Subject: [Fwd: (stupid) Me again....]
In-Reply-To: <38967563.F710BD78@xavier.sa.edu.au>
Message-ID:

matthew,

this is non-critical "warnings" and if you know how to fix the problem, i'll take the warnings away.

thx,

luke

On Tue, 1 Feb 2000, Matthew Geddes wrote:

> >
> > Hi,
> >
> > I'm looking through my log files to find a reason for rpc / trusts not
> > working, and I keep getting the attached message.
> >
> > I have checked the permissions on the .msrpc directory, as well as the
> > files within. They are all set to either 700 or 600.
> >
> > Thanks,
> > Matt
>
> This time with the attachment
>
> Matt
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From robert at vps.co.za Tue Feb 1 09:13:59 2000
From: robert at vps.co.za (robert@vps.co.za)
Date: Tue Dec 2 02:28:18 2003
Subject: NT Workstation duplication
In-Reply-To:
Message-ID:

Compared to the amount of data on the drive? It sounds good to compress a 600 mb partition to 300 mb... But what if there is only 400 mb's of data on the drive... Then it is bad compression..

Robert Sandilands

On Mon, 31 Jan 2000, Seth Vidal wrote:

> Date: Mon, 31 Jan 2000 14:58:33 -0500 (EST)
> From: Seth Vidal
> To: robert@vps.co.za
> Cc: Multiple recipients of list SAMBA-NTDOM
> Subject: RE: NT Workstation duplication
>
> > Very badly. You have to take a harddisk and do something like overwrite
> > the disk with zero's to make sure that all the previous information is not
> > there that will foul your compression ratio's.
> hmm not true really.
> I have a 600mb partition that I dd from the device and it compresses (gzip
> -9) down to 350mb
>
> -sv
>
>

From jeremy at valinux.com Tue Feb 1 12:27:46 2000
From: jeremy at valinux.com (jeremy@valinux.com)
Date: Tue Dec 2 02:28:18 2003
Subject: UNICODE string case-conversion*
In-Reply-To: from "Luke Kenneth Casson Leighton" at Jan 31, 2000 02:17:08 PM
Message-ID: <200002011227.EAA12541@legion.su.valinux.com>

>
> hey, this is probably more of an NT developer question than anything, but
> um... i need a strlowerW() function.
>
> i.e i need a UNICODE function that converts Unicode characters to lower
> case. firstly, does such a function exist, and does it work sensibly on
> russian etc alphabets, on NT?
>
>

I have one of these - check out the SAMBA_UNICODE branch:

It's reasonably complex as it needs to read state tables compiled from ftp.unicode.org.

Jeremy.

From thomas at du.no Tue Feb 1 11:35:43 2000
From: thomas at du.no (=?iso-8859-1?Q?Thomas_Kolst=F8?=)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. machines logging on to a samba controlled domain?
Message-ID: <003a01bf6ca8$79f777f0$4201a8c0@ntthomas>

Hi there..

When we upgraded to win2k machines here at work - we encountered a problem - the win2k machines could not find/log on to the domain - i have read the NTDOM faq several times - and I have made an NT4.0 server log on to the domain - but the win2k machines doesn't seem to like it.
Is there some known issues with samba and win2k?

- Thomas Kolstø

From greg at discreet.com Tue Feb 1 12:52:08 2000
From: greg at discreet.com (Greg Dickie)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. machines logging on to a samba controlled domain?
In-Reply-To: <003a01bf6ca8$79f777f0$4201a8c0@ntthomas>
Message-ID:

Unless your samba PDC is running some variant of the 2.1prealpha code Win2k will not work. Samba 2.0.6 (?) and up will let Win2k use resources but cannot act as a DC.

Greg

On 01-Feb-00 Thomas Kolstø wrote:
> Hi there..
>
> When we upgraded to win2k machines here at work - we encountered a problem -
> the win2k machines could not find/log on to the domain - i have read the
> NTDOM faq several times - and I have made an NT4.0 server log on to the
> domain - but the win2k machines doesn't seem to like it.
> Is there some known issues with samba and win2k?
>
> - Thomas Kolstø

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet (the logic is gone)
Montreal (514) 954-7171
greg@discreet.com

From lk at netuse.de Tue Feb 1 13:41:07 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: configure fails under linux
Message-ID: <3896E273.156FB830@netuse.de>

Hello!

Today i have tried to compile Samba TNG under Linux. But configure fails! It works under Solaris.

checking whether to use syslog logging... no
checking whether to use profiling... no
checking whether to support netatalk... no
checking whether to support disk-quotas... no
checking how to get filesystem space usage
checking statvfs64 function (SVR4)... no
checking statvfs function (SVR4)... yes
checking configure summary
WARNING: No automated network interface determination
ERROR: no seteuid method available
configure: error: summary failure. Aborting config

Any ideas?

--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lk at netuse.de Tue Feb 1 14:06:38 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: Frustrated with browsing, domains, and network logins ...
References: <4.2.0.58.20000131080145.009769e0@localhost>
Message-ID: <3896E86E.754CE69@netuse.de>

Anthony Brock wrote:
>
> At 03:59 AM 1/28/00 -0800, lk@NetUSE.DE wrote:
> >Anthony Brock wrote:
> > >> We have a WINS server located at x.x.4.1 ->dns1 (Samba 2.0.6)
> > >> We have a Domain PDC for PLANTSERVICES located at x.x.9.61 ->
> > >plant_server
> > >> (NT 4.0 ServicePack 5)
> > >> We have a workstation that needs to login to PLANTSERVICES at x.x.5.154
> > >->
> > >> dherron (Win98)
> >Have you disabled the wins-server on the PDC?
>
> Yes, WINS is disabled on both the PDC and BDC.
>
> >Use all clients the same WINS-server? And do all clients and
> >servers use a WINS-server?
>
> Currently, all clients use DHCP and are assigned the same WINS server
> address (x.x.4.1). When I installed the NT PDC, it also was configured
> with this WINS address (I also added the WINS to the BDC at that time,
> which was about 4 months ago).
>
> >Which Sambaversion do you use?
>
> The WINS Server was recently down-graded back to 2.0.6 (since virtually all
> of our cross-network browsing became VERY unstable when we tried to upgrade
> to Samba-TNG).
>
> >Can you post the global section from smb.conf?
>
> # Samba config file created using SWAT
> # from dns1.georgefox.edu (x.x.4.1)
> # Date: 1999/12/27 10:47:49
>
> # Global parameters
> [global]
>         workgroup = IT
>         encrypt passwords = Yes
>         syslog = 0
>         time server = Yes
>         logon script = startup.bat
>         domain logons = Yes
>         os level = 34
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes

Hm, looks ok. I have no idea anymore. I would watch the nmbd log file. I think at debug level 3 or 4 you can see enough. nmbd writes to the logfile if it gets domain master browser, local master browser, etc ... . Maybe you can track down your problems, watching the debug messages.
Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lk at netuse.de Tue Feb 1 14:15:26 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: configure fails under linux
References: <3896E273.156FB830@netuse.de>
Message-ID: <3896EA7E.3AF01D09@netuse.de>

Lars Kneschke wrote:
>
> Hello!
>
> Today i have tried to compile Samba TNG under Linux. But configure
> fails! It works under Solaris.
>
> checking whether to use syslog logging... no
> checking whether to use profiling... no
> checking whether to support netatalk... no
> checking whether to support disk-quotas... no
> checking how to get filesystem space usage
> checking statvfs64 function (SVR4)... no
> checking statvfs function (SVR4)... yes
> checking configure summary
> WARNING: No automated network interface determination
> ERROR: no seteuid method available
> configure: error: summary failure. Aborting config

AH, this is the output from config.log

configure:9382: checking how to get filesystem space usage
configure:9389: checking statvfs64 function (SVR4)
configure:9408: gcc -o conftest -O conftest.c -ldl -lcrypt -lpam 1>&5
configure: In function `main':
configure:9403: storage size of `fsd' isn't known
configure: failed program was:
#line 9397 "configure"
#include "confdefs.h"
#include
#include
main ()
{
struct statvfs64 fsd;
exit (statfs64 (".", &fsd));
}
configure:9441: checking statvfs function (SVR4)
configure:9454: gcc -o conftest -O conftest.c -ldl -lcrypt -lpam 1>&5
configure:9738: gcc -o conftest -O conftest.c -ldl -lcrypt -lpam 1>&5
configure: failed program was:
#line 9734 "configure"
#include "confdefs.h"
#include "./tests/summary.c"

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From davidd at ee.byu.edu Tue Feb 1 15:23:56 2000
From: davidd at ee.byu.edu (David W Dougall)
Date: Tue Dec 2 02:28:18 2003
Subject: Simple logon server for WinNT machines
Message-ID:

I am having great difficulties with samba acting as logon server for my WinNT machines. The NT machines are all either SP4 or SP5. The only functionality that I am looking for is a login server. I just want a central location to store passwords and I am trying to avoid an NT server for several different reasons.

Anyway, I set up 2.0.5a and 2.0.6 with the same result: I could join the domain from the NT machine, but upon reboot and login attempt, B.S.O.D

I recently downloaded pre3.0. I was not able to even join the domain with this version. I don't know if this version supports PDC/netlogon.

I went back to an older 2.1 version. This one allows me to join the domain (with some difficulty), but upon reboot, it tells me that my password is incorrect no matter what I enter. The only way to get in is to bypass the domain and enter the local administrator password.

Now I have samba-tng and I am trying to set it up. First of all, I have very scanty documentation. I am not even sure if I am setting it up correctly. The only web page I could find was: http://www.kneschke.de/projekte/samba_tng/index.php3

Anyway, I am confused about what all of the daemons do. I added all of the accounts in /etc/passwd and /etc/smbpasswd for the users and workstations and server with appropriate passwords. My first confusion came when trying to run

smbpasswd -j ECENSYS

I get the following error.

Joining Domain as PDC
socket connect to /tmp/.smb.0/agent failed: Connection refused
error connecting to 128.x.x.x:445 (Connection refused)
failed session setup
cli_net_use_add: connection failed
cli_nt_setup_creds: request challenge failed
2000/02/01 08:08:27 : change_trust_account_password: Failed to change password for domain ECENSYS.
Unable to join domain ECENSYS.

Well, I attempt to join the domain from the NT workstation anyway.
The first time, it says it cannot contact the domain controller. Then I restart the daemons with higher log level and attempt it again at which time the NT machine says: You already have a connection with the domain... None of the log files do anything except the log.nmb which says it received a login request GETDC and then sent out a packet to \MAILSLOT\NET\GETDC468.

I am stumped. I need help. If I can get simple logins working on version 2.0.6, that would be the best. If the error number from the NT machine from the B.S.O.D would help, I can get that. If I must use samba-tng, I need more documentation. Please point me to a web page or something.

--David

I have included the smb.conf file below.

[global]
   log file = /var/adm/samba/log.%m
   security = user
   server string = ECEn Dept Sysop Server
   workgroup = ecensys
   encrypt passwords = yes
   mangled names = yes
   smb passwd file = /etc/smbpasswd
   client code page = 437
   lock directory = /opt/samba/var/locks
   share modes = yes
   hosts allow = [my subnet]
   os level = 0
   wins support = yes
   status = yes
   domain master = yes
   local master = yes
   preferred master = yes
   domain logons = yes
   time server = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mode = 0750

[netlogon]
   path = /opt/netlogon
   writeable = no
   guest ok = no

From jens.skripczynski at igd.fhg.de Tue Feb 1 16:28:06 2000
From: jens.skripczynski at igd.fhg.de (Jens Skripczynski)
Date: Tue Dec 2 02:28:18 2003
Subject: Simple logon server for WinNT machines
In-Reply-To: ; from davidd@ee.byu.edu on Wed, Feb 02, 2000 at 02:24:41AM +1100
References:
Message-ID: <20000201172806.A5338@pclinux.igd.fhg.de>

David W Dougall:
> [...]

Have a look at: http://www.kneschke.de/projekte/samba_tng/index.php3

It should answer some of your questions...

Ciao

Jens Skripczynski
--
E-Mail: skripi@igd.fhg.de

Computers are like airconditioners: They stop working properly if you open windows.

From lk at netuse.de Tue Feb 1 17:04:36 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: coding volunteers needed for msrpc server-side API conversion
References:
Message-ID: <38971224.C545EC17@netuse.de>

Luke Kenneth Casson Leighton wrote:
>
> if anyone wants to help with a very boring but basically self-consistent
> task, i'd really appreciate it. the goal is, examine rpc_client/cli_*.c
> functions, e.g samr_open_domain(), and create a srv_*.c function with
> EXACTLY the same parameters called _samr_open_domain(), for all functions
> in rpc_client/cli_*.c and srv_*.c.

Hello!

Today evening i have a network card again, for my linux router. So i should be able to help a little bit. Which file needs some work?

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From Bill.Smith at jhuapl.edu Tue Feb 1 17:56:45 2000
From: Bill.Smith at jhuapl.edu (Smith, William E.)
Date: Tue Dec 2 02:28:18 2003
Subject: Configuring Linux Box to Use Domain Level Security
Message-ID: <67525B5908A1D3118D6B0008C79192C867251A@aples3.jhuapl.edu>

I am attempting to setup my linux machine to use domain level security but am having some problems. I'll start off by first listing what I have done. The linux machine has been placed in Domain A (a resource domain) and has joined that domain with no problems after I had created the machine account for it via Server Manager. I listed the password servers I wanted to use which are located within Domain B (account domain). Domain A also trusts domain B. I then changed the security level to domain and restarted all the daemons. When I looked at the logs, I found the following errors listed:

My feeling, as is that of several other linux people I've talked to here, is that I need a machine account created in Domain B at which point my machine will be able to have authentication requests done via the account domain controllers in Domain B. Is this the right line of thinking or is something else wrong here? Also, what kind of inherent security risks/holes are opened up when using an NT domain controller to authenticate requests?

Any help would be appreciated.

Thanks,

Bill

[2000/02/01 12:39:35, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2000/02/01 12:39:35, 0] smbd/password.c:domain_client_validate(1351)
  domain_client_validate: unable to setup the PDC credentials to machine . Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
[2000/02/01 12:39:35, 0] rpc_client/cli_netlogon.c:cli_net_auth2(160)
  cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2000/02/01 12:39:35, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2000/02/01 12:39:35, 0] smbd/password.c:domain_client_validate(1351)
  domain_client_validate: unable to setup the PDC credentials to machine . .
Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Bill Smith                      mailto:bill.smith@jhuapl.edu
The Johns Hopkins University    Washington DC: 240-228-5523
Applied Physics Laboratory      MD: 443-778-5523
11100 Johns Hopkins Road        Fax: 240-228-5727
Laurel, MD 20723-6099           Web: http://www.jhuapl.edu/
-------------- next part --------------
HTML attachment scrubbed and removed

From aaronvictor at yahoo.com Tue Feb 1 19:18:39 2000
From: aaronvictor at yahoo.com (Aaron Victor)
Date: Tue Dec 2 02:28:18 2003
Subject: Windoze NT/98 drive mountings being dropped
Message-ID: <20000201191839.20574.qmail@web307.mail.yahoo.com>

Greetings everyone.

I have been looking for a solution to this problem for a while now with no luck as of yet. Maybe someone else has seen this problem. First some quick info on my setup and home network.

*Linux firewall running version 2.2.13
*Firewall is running Samba version 2.0.5a
*Mounting drives to two NT PDC's and two 98 workstations

The problem I am having is: after a successful mount from the linux box to an NT/98 box, everything seems fine for a day or two. Then without warning or anything known causing it, the mappings are dropped. And the dir they were mapped to becomes un-usable. Here is what the dir's look like after the mountings are dropped:

ls -l brings back the following:

ls: pdc01_e: Input/output error
ls: pdc01_d: Input/output error
ls: pdc01_c: Input/output error
ls: wks01_c: Input/output error
ls: wks01_d: Input/output error
ls: wks02_c: Input/output error
ls: wks02_d: Input/output error
ls: wks02_e: Input/output error

The command I use to mount the drive is the following:

smbmount //ntserver/ntshare /dir/mount dir -U username

Then it prompts me for the password. Everything seems OK for a day or two.. Then the mounting is dropped and the dir that it was mounted to is listed with an input/output error.

If anyone can help, I would greatly appreciate it. THANKS!!!

Also, if anyone happens to know how to get rid of the un-usable dir's that are cluttering up my /mnt dir let me know.. After this happens I can't do anything with the dir's that had the mount done to them.. I can't delete them, or re chmod them or anything.. So they are filling up the /mnt dir. I have about 35 of these type of dir's in there now.. I would like to get rid of them once we figure this problem out.

THANKS AGAIN!
Aaron Victor
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From lkcl at samba.org Tue Feb 1 19:47:00 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:18 2003
Subject: coding volunteers needed for msrpc server-side API conversion
In-Reply-To: <38971224.C545EC17@netuse.de>
Message-ID:

On Tue, 1 Feb 2000, Lars Kneschke wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > if anyone wants to help with a very boring but basically self-consistent
> > task, i'd really appreciate it. the goal is, examine rpc_client/cli_*.c
> > functions, e.g samr_open_domain(), and create a srv_*.c function with
> > EXACTLY the same parameters called _samr_open_domain(), for all functions
> > in rpc_client/cli_*.c and srv_*.c.
> Hello!
>
> Today evening i have a network card again, for my linux router. So i
> should be able to help a little bit. Which file needs some work?

you could start on reg_srv.c. cut/paste it to winregd/srv_reg_nt.c and go from there. there are plenty of examples. send me, first of all, patches for one function at a time.

the _actual_ goal is not as i originally stated: the goal is to expose all _Q_ and _R_ members to the _xxx_msrpc_() functions and then later to modify the xxx_msrpc_() client-side function to do the same.

the ultimate aim is to have EXACTLY the same API as the microsoft MSDN, and i do mean exactly. but PLEASE, do NOT go copying the MSDN, that breaks microsoft's copyright. work from the data over-the-wire, and that means the samba data structures, only.

you shouldn't get stuck, but if you do, then _refer_ to the MSDN, don't copy it.

thx,

luke

lars, talk with sander and sean millichamp and elrond, they're chewing through this stuff.

From thien at ac.housing.berkeley.edu Wed Feb 2 02:24:54 2000
From: thien at ac.housing.berkeley.edu (Thien Vu)
Date: Tue Dec 2 02:28:18 2003
Subject: Server migration & linux user authentication
Message-ID:

I will be migrating my servers to Samba this weekend, and was wondering how I could get my current PDC's SID number, so I can use it on the Samba server, without re-adding all my workstations to the domain.

Also, we have triple boot systems (WinNT Workstation, Win98, and Linux) and was wondering if pam_smb or pam_ntdom packages are still being used, so we can have centralized user authentication for the Linux machines. I asked about these PAM modules before, but received no response.

Thanks,
Thien Vu

From sam at topic.com.au Wed Feb 2 02:47:58 2000
From: sam at topic.com.au (Sam Couter)
Date: Tue Dec 2 02:28:18 2003
Subject: Server migration & linux user authentication
In-Reply-To: ; from thien@ac.housing.berkeley.edu on Wed, Feb 02, 2000 at 01:27:01PM +1100
References:
Message-ID: <20000202134758.F5635@beethoven.tsa>

Thien Vu wrote:
> I will be migrating my servers to Samba this weekend, and was wondering
> how I could get my current PDC's SID number, so I can use it on the Samba
> server, without re-adding all my workstations to the domain.

Don't know, can't help with that one.

> Also, we have triple boot systems (WinNT Workstation, Win98, and Linux)
> and was wondering if pam_smb or pam_ntdom packages are still being used,
> so we can have centralized user authentication for the Linux machines. I
> asked about these PAM modules before, but received no response.

I'm successfully using pam_ntdom here, and was using pam_smb with similar success. The machines are dual-boot Linux/Win98, and I have no problems.

I'm told that if the machine were to boot into NT as well as Linux, then it would have to have a different netbios name under NT than it has under Linux. Something to do with NT periodically changing its domain password or something.

--
Sam Couter
sam@topic.com.au
Internet Engineer
http://www.topic.com.au/
tSA Consulting
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000202/553ecd39/attachment.bin

From thien_vu at hotmail.com Wed Feb 2 05:48:14 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:18 2003
Subject: Server migration & linux user authentication
References: <20000202134758.F5635@beethoven.tsa>
Message-ID: <20000202054824.29077.qmail@hotmail.com>

----- Original Message -----
From: "Sam Couter"
To: "Thien Vu"
Cc: "Multiple recipients of list SAMBA-NTDOM"
Sent: Tuesday, February 01, 2000 6:47 PM
Subject: Re: Server migration & linux user authentication

From Skripi at hrzpub.tu-darmstadt.de Wed Feb 2 09:50:51 2000
From: Skripi at hrzpub.tu-darmstadt.de (Jens Skripczynski)
Date: Tue Dec 2 02:28:18 2003
Subject: Creating a PDC with Samba
In-Reply-To: <38975DF8.1DA4BB33@chrysoft.com>; from c.bourgois@chrysoft.com on Tue, Feb 01, 2000 at 11:28:08PM +0100
References: <3894D682.8FE6D7EC@chrysoft.com> <20000131105525.A1276@shadowland.sc> <38975DF8.1DA4BB33@chrysoft.com>
Message-ID: <20000202105051.A1258@shadowland.sc>

1) The newest cvs can be downloaded via cvs. Or there is a site (I forgot the URL), which makes daily snapshots into a tarball, which can be downloaded via CVS.

Can s.o. please post the URL again ?
Lars can you add this link to the tarballs somewhere on the FAQ ?
Are there also tarballs for the 3.0 Tree ?

Christophe BOURGOIS:
> It's OK for the problem I submit you just before : I didn't understand that
> Samba TNG mean The Next Generation and I found it in Samba alpha.
> After I install it on my server, on my Windows client when I set up a share
> in user mode I've got the message : "You cannot view the list of users at
> this time. Please try again later."

Hm. Currently I'm not too sure about the state of the implementation of the UserManager in the alpha tarball, but in the CVS it is broken...

P.S.: If you reply to the List. These general questions are answered more quickly.

Ciao

Jens Skripczynski
--
E-Mail: skripi@hrzpub.tu-darmstadt.de

Computers are like airconditioners: They stop working properly if you open windows.

From thomas at du.no Wed Feb 2 10:28:32 2000
From: thomas at du.no (Thomas Kolstø)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
Message-ID: <003c01bf6d68$53a14ed0$4201a8c0@ntthomas>

Hello there

I followed the advice of Karl-Heinz Schulz (thanks btw :) and installed the
latest samba-tng source today - and the domain logon worked much better with
this one, at least - my win2k box finds the domain now, but i`m still having
problems with - as the win2k box says, the username and password for the
workstation trust account.

But I noticed that in my samba.ms-server.log file, that there were some
errors like "Connection refused" in there - does anyone know what this is
all about? Please, could anyone look at the file ?

Thomas Kolstoe
-------------- next part --------------
Transaction 1 of length 174
switch message SMBnegprot (pid 1280)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Selected protocol NT LM 0.12
Transaction 2 of length 135
switch message SMBsesssetupX (pid 1280)
Domain=[] NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[]
nobody is in 2 groups: 99, 98
uid 99 registered to name nobody
Clearing default real name
uid 99 vuid 100 registered to name nobody
Chained message
switch message SMBtconX (pid 1280)
ACCEPTED: guest account and guest ok
Initialising default vfs hooks
Connect path is /tmp
dos_ChDir to /tmp
dos_ChDir to /usr/local/samba-tng/bin
ms-server (192.168.1.241) connect to service IPC$ as user nobody (uid=99, gid=99) (pid 1280)
tconX service=ipc$ user=nobody
Transaction 3 of length 121
switch message SMBtrans (pid 1280)
dos_ChDir to /tmp
trans <\PIPE\LANMAN> data=0 params=37 setup=0
named pipe command on name
Got API command 104 of form (tdscnt=0,tpscnt=37,mdrcnt=4200,mprcnt=8)
Doing NetServerEnum
NetServerEnum domain = DULOKAL001 uLevel=1 counted=1 total=1
Transaction 1 of length 174
switch message SMBnegprot (pid 1281)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Selected protocol NT LM 0.12
Transaction 2 of length 197
switch message SMBsesssetupX (pid 1281)
Domain=[MS-SERVER] NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[thomas]
domain_client_validate: could not find domain MS-SERVER
adding home directory thomas at /home/thomas
thomas is in 1 groups: 100
uid 1008 registered to name thomas
Clearing default real name
uid 1008 vuid 100 registered to name thomas
Chained message
switch message SMBtconX (pid 1281)
ACCEPTED: validated uid ok as non-guest
Initialising default vfs hooks
Connect path is /tmp
dos_ChDir to /tmp
dos_ChDir to /usr/local/samba-tng/bin
ms-server (192.168.1.241) connect to service IPC$ as user thomas (uid=1008, gid=100) (pid 1281)
tconX service=ipc$ user=thomas
Transaction 3 of length 95
switch message SMBntcreateX (pid 1281)
dos_ChDir to /tmp
nt_open_pipe: Known pipe wkssvc opening.
socket connect to /usr/local/samba-tng/var/locks/.msrpc/wkssvc failed: Connection refused
msrpc_establish_connection: failed wkssvc)
msrpc_use_add: connection failed
error packet at line 520 cmd=162 (SMBntcreateX) eclass=2 ecode=4
error string = Connection refused
Transaction 4 of length 39
switch message SMBtdis (pid 1281)
dos_ChDir to /usr/local/samba-tng/bin
ms-server (192.168.1.241) closed connection to service IPC$
Yielding connection to IPC$
Transaction 5 of length 43
switch message SMBulogoffX (pid 1281)
ulogoffX vuid=100
end of file from client
Closing connections
Server exit (normal exit)
dos_ChDir to /usr/local/samba-tng/bin
free_connections: closing all MSRPC connections
free_connections: closing all MSRPC connections
free_connections: closing all MSRPC connections
free_connections: closing all MSRPC connections
Transaction 4 of length 121
switch message SMBtrans (pid 1280)
dos_ChDir to /tmp
trans <\PIPE\LANMAN> data=0 params=37 setup=0
named pipe command on name
Got API command 104 of form (tdscnt=0,tpscnt=37,mdrcnt=4200,mprcnt=8)
Doing NetServerEnum
NetServerEnum domain = DULOKAL001 uLevel=1 counted=1 total=1
Transaction 1 of length 174
switch message SMBnegprot (pid 1289)
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [XENIX CORE]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Selected protocol NT LM 0.12
Transaction 2 of length 204
switch message SMBsesssetupX (pid 1289)
Domain=[DULOKAL001] NativeOS=[Windows NT 1381] NativeLanMan=[]
sesssetupX:name=[MS-SERVER$]
socket connect to /usr/local/samba-tng/var/locks/.msrpc/NETLOGON failed: Connection refused
msrpc_establish_connection: failed NETLOGON)
msrpc_use_add: connection failed
cli_nt_setup_creds: request challenge failed
domain_client_validate: credentials failed (\\.)
32 bit error packet at line 403 cmd=115 (SMBsesssetupX) eclass=c000000d [Error: Unknown error (13,49152)]
error string = Connection refused
end of file from client
Closing connections
Server exit (normal exit)
dos_ChDir to /usr/local/samba-tng/bin
free_connections: closing all MSRPC connections
Transaction 5 of length 4
free_connections: closing all MSRPC connections
Transaction 5 of length 4
free_connections: closing all MSRPC connections

From lk at netuse.de Wed Feb 2 10:39:01 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: Creating a PDC with Samba
References: <3894D682.8FE6D7EC@chrysoft.com> <20000131105525.A1276@shadowland.sc> <38975DF8.1DA4BB33@chrysoft.com> <20000202105051.A1258@shadowland.sc>
Message-ID: <38980945.33976C08@netuse.de>

Jens Skripczynski wrote:
>
> 1)
> The newest cvs can be downloaded via cvs. Or there is a site (I forgot
> the URL), which makes daily snapshots into a tarball, which can be downloaded
> via CVS.
> Can s.o. please post the URL again ?
> Lars can you add this link to the tarballs somewhere on the FAQ ?
>
> Are there also tarballs for the 3.0 Tree ?

Yes, I'll add this to the FAQ.

The URL is http://sernet.pair.com/?N=D.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99
From lk at netuse.de Wed Feb 2 10:43:53 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
References: <003c01bf6d68$53a14ed0$4201a8c0@ntthomas>
Message-ID: <38980A69.5361DFEE@netuse.de>

Thomas Kolstø wrote:
>
> Hello there
>
> I followed the advice of Karl-Heinz Schulz (thanks btw :) and installed the
> latest samba-tng source today - and the domain logon worked much better with
> this one, at least - my win2k box finds the domain now, but i`m still having
> problems with - as the win2k box says, the username and password for the
> workstation trust account.
>
> But I noticed that in my samba.ms-server.log file, that there were some
> errors like "Connection refused" in there - does anyone know what this is
> all about? Please, could anyone look at the file ?

Does this file exist?

/usr/local/samba-tng/var/locks/.msrpc/wkssvc

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99
From thomas at du.no Wed Feb 2 10:52:11 2000
From: thomas at du.no (Thomas Kolstø)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
References: <003c01bf6d68$53a14ed0$4201a8c0@ntthomas> <38980A69.5361DFEE@netuse.de>
Message-ID: <004e01bf6d6b$a0f45a80$4201a8c0@ntthomas>

Nope:

du_filserv:/usr/local/samba-tng/var/locks/.msrpc# ls -lag
total 8
drwx------ 2 root root 4096 Feb 2 10:50 ./
drwxr-xr-x 3 root root 4096 Feb 2 11:51 ../
srwx------ 1 root root 0 Feb 2 10:50 NETLOGON=
srwx------ 1 root root 0 Feb 2 10:49 winreg=
du_filserv:/usr/local/samba-tng/var/locks/.msrpc#

Should I maybe touch it ?

Thomas Kolstoe

----- Original Message -----
From: "Lars Kneschke" To: Cc: "Multiple recipients of list SAMBA-NTDOM" Sent: Wednesday, February 02, 2000 11:43 AM Subject: Re: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why? > Thomas Kolst? wrote: > > > > Hello there > > > > I followed the advice of Karl-Heinz Schulz (thanks btw :) and installed the > > latest samba-tng source today - and the domain logon worked much better with > > this one, at least - my win2k box finds the domain now, but i`m still having > > problems with - as the win2k box says, the username and password for the > > workstation trust account. > > > > But I noticed that in my samba.ms-server.log file, that there where some > > errors like "Connection refused" in there - does anyone know what this is > > all about? Please, could anyone look at the file ? > Does this file exist? > > /usr/local/samba-tng/var/locks/.msrpc/wkssvc > > Cu > -- > Lars Kneschke > NetUSE Kommunikationstechnologie GmbH > Siemenswall, D-24107 Kiel, Germany > Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 > From lk at netuse.de Wed Feb 2 11:46:36 2000 
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
References: <003c01bf6d68$53a14ed0$4201a8c0@ntthomas> <38980A69.5361DFEE@netuse.de> <004e01bf6d6b$a0f45a80$4201a8c0@ntthomas>
Message-ID: <3898191C.DDC5DCC9@netuse.de>

Thomas Kolstø wrote:
>
> Nope:
>
> du_filserv:/usr/local/samba-tng/var/locks/.msrpc# ls -lag
> total 8
> drwx------ 2 root root 4096 Feb 2 10:50 ./
> drwxr-xr-x 3 root root 4096 Feb 2 11:51 ../
> srwx------ 1 root root 0 Feb 2 10:50 NETLOGON=
> srwx------ 1 root root 0 Feb 2 10:49 winreg=
> du_filserv:/usr/local/samba-tng/var/locks/.msrpc#
>
> > Does this file exist?
> >
> > /usr/local/samba-tng/var/locks/.msrpc/wkssvc

Have you started all necessary daemons? Simply start all daemons from /bin.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99
From thomas at du.no Wed Feb 2 12:00:38 2000
From: thomas at du.no (Thomas Kolstø)
Date: Tue Dec 2 02:28:18 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
References: <003c01bf6d68$53a14ed0$4201a8c0@ntthomas> <38980A69.5361DFEE@netuse.de>
Message-ID: <007901bf6d75$316d9690$4201a8c0@ntthomas>

Oh - now it.. kinda works, but the win2k box complains about :

"The RPC server is unavailable"

What is this ? Sorry for being so .. stupid, but I'm kinda new to all this..

Thomas Kolstoe

----- Original Message -----
From: "Lars Kneschke" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Wednesday, February 02, 2000 11:47 AM Subject: Re: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why? > Thomas Kolst? wrote: > > > > Hello there > > > > I followed the advice of Karl-Heinz Schulz (thanks btw :) and installed the > > latest samba-tng source today - and the domain logon worked much better with > > this one, at least - my win2k box finds the domain now, but i`m still having > > problems with - as the win2k box says, the username and password for the > > workstation trust account. > > > > But I noticed that in my samba.ms-server.log file, that there where some > > errors like "Connection refused" in there - does anyone know what this is > > all about? Please, could anyone look at the file ? > Does this file exist? > > /usr/local/samba-tng/var/locks/.msrpc/wkssvc > > Cu > -- > Lars Kneschke > NetUSE Kommunikationstechnologie GmbH > Siemenswall, D-24107 Kiel, Germany > Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 > From Volker.Lendecke at SerNet.DE Wed Feb 2 12:17:32 2000 
From: Volker.Lendecke at SerNet.DE (Volker Lendecke) Date: Tue Dec 2 02:28:18 2003 Subject: Creating a PDC with Samba In-Reply-To: <38980945.33976C08@netuse.de>; from lk@netuse.de on Wed, Feb 02, 2000 at 09:44:56PM +1100 References: <3894D682.8FE6D7EC@chrysoft.com> <20000131105525.A1276@shadowland.sc> <38975DF8.1DA4BB33@chrysoft.com> <20000202105051.A1258@shadowland.sc> <38980945.33976C08@netuse.de> Message-ID: On Wed, Feb 02, 2000 at 09:44:56PM +1100, Lars Kneschke wrote: > The URL is http://sernet.pair.com/?N=D. Please refer to http://samba.sernet.de/pdc.html, as the pair.com server might be moved some day. Volker -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 289 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000202/393dbaf9/attachment.bin From mknuut at cs.joensuu.fi Wed Feb 2 12:30:57 2000 From: mknuut at cs.joensuu.fi (Marko Knuuttila) Date: Tue Dec 2 02:28:18 2003 Subject: subscribe Message-ID: <004201bf6d79$5bc104f0$302aa7c1@cs.joensuu.fi> subscribe From thomas at du.no Wed Feb 2 13:21:30 2000 From: thomas at du.no (=?iso-8859-1?Q?Thomas_Kolst=F8?=) Date: Tue Dec 2 02:28:18 2003 Subject: RPC server.. Message-ID: <003201bf6d80$7d599e90$4201a8c0@ntthomas> I got a error msg back from the samba-ntdom mailing list - so I`ll try again to post this : I get this error when trying to connect to a samba(latest samba-tng package from the cvs tree) controlled nt-domain: "The RPC server is unavalible" What does this mean, and - how can I fix it ? Sorry for being so .. stupid, but im kinda new to all this.. Thomas Kolstoe From lk at netuse.de Wed Feb 2 13:23:16 2000 
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:18 2003 Subject: RPC server.. References: <003201bf6d80$7d599e90$4201a8c0@ntthomas> Message-ID: <38982FC4.28DBBED2@netuse.de> Thomas Kolst? wrote: > > I got a error msg back from the samba-ntdom mailing list - so I`ll try > again to post this : > > I get this error when trying to connect to a samba(latest samba-tng package > from the cvs tree) controlled nt-domain: > > "The RPC server is unavalible" > > What does this mean, and - how can I fix it ? Sorry for being so .. stupid, > but im kinda new to all this.. The best thing is to watch the logfiles. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From Olivier.Brousselle at univ-lehavre.fr Wed Feb 2 13:36:32 2000 From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle) Date: Tue Dec 2 02:28:18 2003 Subject: Compilation problem on Slackware 7.0 Message-ID: <389832E0.65A14EA4@univ-lehavre.fr> Hi, I have a problem with Samba 2.1 (01-Feb-2000) on a Slackware 7.0. I use egcs 2.91.66, GNU Make 3.77 Using LIBS = -lreadline -lcrypt -lcurses Compiling tdb/tdb.c with libtool tdb/tdb.c:678: conflicting types for `tdb_traverse' include/proto.h:5249: previous declaration of `tdb_traverse' make: *** [tdb/tdb.lo] Error 1 Any idea ? -- Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr ================================================================== Facult? des sciences Laboratoire de m?canique du lundi au mercredi jeudi et vendredi Tel : 02/32/74/43/37 02/32/74/49/67 Fax : 02/32/74/43/14 02/32/74/49/60 From hdkutz at media-support.de Wed Feb 2 14:48:28 2000 
From: hdkutz at media-support.de (Hans-Dieter Kutz) Date: Tue Dec 2 02:28:18 2003 Subject: Compile Error on SunOS Message-ID: <389843BC.4F842FB8@media-support.de> Release: samba-2.1-latest.tar.gz 01-Feb-2000 23:47 2.0M # make ..... Using LIBS = -lsec -lsocket -lnsl -ldl -lpam Compiling tdb/tdb.c with libtool tdb/tdb.c:678: conflicting types for `tdb_traverse' include/proto.h:5109: previous declaration of `tdb_traverse' make: *** [tdb/tdb.lo] Error 1 # uname -a SunOS laempel 5.7 Generic_106542-08 i86pc i386 i86pc Any ideas ? -- ----------------------------------------------------------------- hans-dieter kutz primus services group GmbH phone +49 221 3091-565 Bonner Strasse 172 - 176 fax +49 221 3091-566 D-50968 Koeln hdkutz@rzag.net Germany ----------------------------------------------------------------- Computers are like airconditioners: They stop working properly if you open windows. ----------------------------------------------------------------- From swamidass at mail.com Wed Feb 2 15:36:38 2000 From: swamidass at mail.com (Vijay Swamidass) Date: Tue Dec 2 02:28:18 2003 Subject: pam smb and ftp Message-ID: <006f01bf6d93$4bf48780$0e41cc83@ace.business.auburn.edu> Hello, Does anyone know if pam smb authenticates ftp logins? I am running Redhat 6.1, and telnet logins are authenticating to the NT domain, but ftp does not. Thanks. ++++++++++++++++++++++++++++++++++++++++++ Vijay Swamdass swamidass@mail.com (334) 887-8766 ++++++++++++++++++++++++++++++++++++++++++ -------------- next part -------------- HTML attachment scrubbed and removed From thomas at du.no Wed Feb 2 16:01:21 2000 
From: thomas at du.no (=?iso-8859-1?Q?Thomas_Kolst=F8?=) Date: Tue Dec 2 02:28:19 2003 Subject: Workstation Trust Account. Message-ID: <001201bf6d96$d1bb53a0$4201a8c0@ntthomas> Hello there - it`s me again :) Well - now I have managed to get the win2k worksation to join the domain, but when doing so - i met some problems on the way. When I spesfy that I shall add the computer named : "NT-THOMAS" to domain: "DULOKAL002" - the machine says : "Enter the name and password of an account with permission to join the domain" Here I have tried several different usernames, for both trust accounts - and normal useraccounts. If I try to log in as user "NT-THOMAS$" with password "nt-thomas" - I get the errormsg: "The account used is a computer account. Use your global user account or local user account to access this server" So - I tried to use the "thomas" account in my smbpasswd file. When I do this, it all works fine - I get the "Welcome to the DULOKAL002 domain" msg, BUT - yes .. there is a but... only the "administrator" and "thomas" account in the smbpasswd file works - I have like.. 20 other users - but when I try to log in with theese ones, it says that there is no contact with the "DULOKAL002" domain. Does anyone know what I`m missing here? Sincerly Thomas Kolstoe From lk at netuse.de Wed Feb 2 16:05:53 2000 
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:19 2003 Subject: Creating a PDC with Samba References: <3894D682.8FE6D7EC@chrysoft.com> <20000131105525.A1276@shadowland.sc> <38975DF8.1DA4BB33@chrysoft.com> <20000202105051.A1258@shadowland.sc> <38980945.33976C08@netuse.de> Message-ID: <389855E1.B17A8140@netuse.de> Volker Lendecke wrote: > > On Wed, Feb 02, 2000 at 09:44:56PM +1100, Lars Kneschke wrote: > > The URL is http://sernet.pair.com/?N=D. > > Please refer to http://samba.sernet.de/pdc.html, as the pair.com > server might be moved some day. Ok, id did it. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From swaters at amicus.com Wed Feb 2 16:44:18 2000 
From: swaters at amicus.com (Stephen Waters) Date: Tue Dec 2 02:28:19 2003 Subject: Win9x speed and Samba. References: <387D3036.FFC01484@valinux.com> Message-ID: <38985EE2.9403B58@amicus.com> would this patch also fix problems where windows says it couldn't find a file or a share because of a slow connection? thanks, -s Jeremy Allison wrote: > > Reading the comp.protocols.smb newsgroup sometimes has > its benefits :-). > > Someone just posted there that they improved the speed > of their Win9x systems by a factor of 15 against a Samba > server by applying the patch to *all* versions of Win9x > (*NOT* NT) described in Microsoft knowledgebase article : > > Q236926 > > -found at : > > http://support.microsoft.com/support/kb/articles/q236/9/26.asp?LNG=ENG&SA=ALLKB > > Apparently Win9x (all versions) has a bug in the TCP > RTT calculations that can cause premature retransmissions > of packets. Now the article claims this is only on high > delay networks (satellite links etc.) so your millage > may vary. > > There is also a patch for NT4 SP5 and below (the fix > was rolled into NT4 SP6). > > Articls - Q232512 refers to the NT fix (there is a link > to this from the web page above). > > If people on this list having performance problems could > try this fix out and report back I'd really appreciate it. > > If it turns out to be beneficial I'll add a link to the > main Samba web page and add it to the Samba docs for the > next release. > > Cheers, > > Jeremy Allison, > Samba Team. > > -- > -------------------------------------------------------- > Buying an operating system without source is like buying > a self-assembly Space Shuttle with no instructions. > -------------------------------------------------------- From martin at tantalus.com Wed Feb 2 17:16:19 2000 
From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:19 2003 Subject: Modify Passwords on NT PDC Message-ID: <003d01bf6da1$3932dc60$12f066cf@tantalus> I want to be able to modify passwords on the NT PDC via a linux box using Samba. This is the error I get.. Anyone know why I would get an error of [root@samba /]# smbpasswd -D 3 -r guide -U martin Old SMB password: New SMB password: Retype new SMB password: resolve_name: Attempting lmhosts lookup for name guide<0x20> resolve_name: Attempting host lookup for name guide<0x20> Connecting to 0.0.0.0 at port 139 machine guide rejected the password change: Error was : User has insufficient privilege. Failed to change password entry for martin [root@samba /]# (The IP address is not 0.0.0.0 in the original output.. just hidden from this post.) I presonaly think it is a problem with the way samba is seeding the request to the PDC. The PDC shows an error of "Access Not Allowed from this User" But I'm unable to determine what user Samba is using to request the auth. I've gone in to SWAT and check to see if I could set it to something else, but I don't think I can. Does anyone have any ideas? All I want to do is change an NT accounts password via Linux. Thanks. ___________________________________________ Martin Brown, Unix Systems Administrator Tantalus Communications Inc. 500-1122 Mainland Street Vancouver, BC, Canada V6B 5L1 martin@tantalus.com Direct 604.721-0351 Main 604.609.0700 Fax 604.609.0705 Toll Free 1.877.326.6776 http://www.tantalus.com "When eBusiness experience counts." From grahamj at virtue.cx Wed Feb 2 18:13:38 2000 
From: grahamj at virtue.cx (Quicker than the human eye)
Date: Tue Dec 2 02:28:19 2003
Subject: pam smb and ftp
In-Reply-To: <006f01bf6d93$4bf48780$0e41cc83@ace.business.auburn.edu>
Message-ID:

On Thu, 3 Feb 2000, Vijay Swamidass wrote:
> Hello,
> Does anyone know if pam smb authenticates ftp logins? I am running Redhat 6.1, and telnet logins are authenticating to the NT domain, but ftp does not.
>
> Thanks.
>
> ++++++++++++++++++++++++++++++++++++++++++
> Vijay Swamdass
> swamidass@mail.com
> (334) 887-8766
> ++++++++++++++++++++++++++++++++++++++++++
>

This depends on two things:
1) Is your ftp server using pam (If you're using a stock RH install it will be)
2) Is pam_smb in the /etc/pam.d/ftp file. Otherwise pam_smb won't be invoked.

From sollarsa at starofthesea.pvt.k12.or.us Wed Feb 2 18:23:28 2000
From: sollarsa at starofthesea.pvt.k12.or.us (Anthony L. Sollars)
Date: Tue Dec 2 02:28:19 2003
Subject: File Locked ??
Message-ID: <38987620.558A1040@starofthesea.pvt.k12.or.us>

Dear all,

Has anyone come across the problem of files becoming locked, so that
win9x user cannot save a document they are working on. I go onto the
server and chmod the files to 775 and they are allowed to save again,
but as soon as they save the returns to 755 and it is locked. Has anyone
come across this before. I am running samba 2.0.5 on a slackware4.0
distrib.

Sincerely,

_____________________________________________________________

Anthony L. Sollars
Technology Coordinator/Computer Teacher
Star of the Sea School
1411 Grand Avenue Astoria, Or 97103
(503) 325-3771
sollarsa@starofthesea.pvt.k12.or.us
http://www.starofthesea.pvt.k12.or.us

--Never Argue with a Fool,.
--They bring you down to their level and beat you with Experience.
_____________________________________________________________
From martin at tantalus.com Wed Feb 2 18:26:47 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:19 2003
Subject: Samba with NIS+ or LDAP
Message-ID: <000901bf6dab$118ea720$12f066cf@tantalus>

Anyone know of any links with information about using Samba with NIS+ or
LDAP for authentication? And if Samba is your PDC, can you still use
LDAP or NIS+ to manage the accounts?

___________________________________________
Martin Brown, Unix Systems Administrator
Tantalus Communications Inc.
500-1122 Mainland Street
Vancouver, BC, Canada V6B 5L1
martin@tantalus.com
Direct 604.721-0351
Main 604.609.0700
Fax 604.609.0705
Toll Free 1.877.326.6776
http://www.tantalus.com
"When eBusiness experience counts."

From dmalcolm at hiwaay.net Wed Feb 2 18:35:17 2000
From: dmalcolm at hiwaay.net (Dan Malcolm)
Date: Tue Dec 2 02:28:19 2003
Subject: File Locked ??
References: <38987620.558A1040@starofthesea.pvt.k12.or.us>
Message-ID: <001901bf6dac$43e8dc80$6f498cd0@gets1000.com>

Try setting:

create mask = 775
directory mask = 775

I had the same problem but this solved it. Apparently Samba users are
actually given permission through their group association rather than as
owner.

Dan

----- Original Message -----
From: "Anthony L. Sollars" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Wednesday, February 02, 2000 12:24 PM Subject: File Locked ?? > Dear all, > > Has anyone come across the problem of files becoming locked, so that > win9x user cannot save a document they are working on. I go onto the > server and chmod the files to 775 and they are allowed to save again, > but as soon as they save the returns to 755 and it is locked. Has anyone > come across this before. I am running samba 2.0.5 on a slackware4.0 > disrib. > > > Sincerely, > > _____________________________________________________________ > > Anthony L. Sollars > Technology Coordinator/Computer Teacher > Star of the Sea School > 1411 Grand Avenue Astoria, Or 97103 > (503) 325-3771 > sollarsa@starofthesea.pvt.k12.or.us > http://www.starofthesea.pvt.k12.or.us > > --Never Argue with a Fool,. > --They bring you down to their level and beat you with Experience. > _____________________________________________________________ > > From mark at ripe.net Wed Feb 2 19:24:02 2000 From: mark at ripe.net (Mark Guz) Date: Tue Dec 2 02:28:19 2003 Subject: unknown parameter "domain group map" Message-ID: <029a01bf6db3$15e388b0$2d0100c1@ripe.net> Does anyone know why, even though I followed the NT-dom faq to the letter, including how to download the latest CVS code, that it still ignors: domain group map domain user map local group map I have downloaded 3.0.0-prealpha by following the instructions in the nt dom faq on www.samba.org Is the faq out of date now? is the information kept somewhere else or am I simply stupid??? Mark S. Guz System/Network Engineer Ripe NCC Amsterdam http://www.ripe.net From allen at driversoft.com Wed Feb 2 19:36:53 2000 
From: allen at driversoft.com (Allen Reese)
Date: Tue Dec 2 02:28:19 2003
Subject: File Locked ??
In-Reply-To: <38987620.558A1040@starofthesea.pvt.k12.or.us>
Message-ID:

I saw this a few months ago, and used a force mode to make the perms
always be 775. it would happen when the person editing the file wasn't
the owner, but was in the group.

it looks like for my docw share which everyone uses to access files i have:

create mode=775
directory mode=775
force create mode=775
force directory mode=775
force group=docw

Hopefully that helps you, sorry I don't have much time to research further
because everything is crumbling today, it must be bug day again.

Allen Reese
VP Engineering
Driversoft, Inc.
allen@driversoft.com

Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread
Hi, I'm an evil mutated signature virus, put me in your .sig or I will bite your kneecaps!

On Thu, 3 Feb 2000, Anthony L. Sollars wrote:
> Dear all,
>
> Has anyone come across the problem of files becoming locked, so that
> win9x user cannot save a document they are working on. I go onto the
> server and chmod the files to 775 and they are allowed to save again,
> but as soon as they save the returns to 755 and it is locked. Has anyone
> come across this before. I am running samba 2.0.5 on a slackware4.0
> distrib.
>
>
> Sincerely,
>
> _____________________________________________________________
>
> Anthony L. Sollars
> Technology Coordinator/Computer Teacher
> Star of the Sea School
> 1411 Grand Avenue Astoria, Or 97103
> (503) 325-3771
> sollarsa@starofthesea.pvt.k12.or.us
> http://www.starofthesea.pvt.k12.or.us
>
> --Never Argue with a Fool,.
> --They bring you down to their level and beat you with Experience.
> _____________________________________________________________
>
From lkcl at samba.org Wed Feb 2 20:11:43 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:19 2003 Subject: Server migration & linux user authentication In-Reply-To: Message-ID: rpcclient lsaquery command. pam-list@redhat.com. ftp.kernel.org. On Wed, 2 Feb 2000, Thien Vu wrote: > I will be migrating my servers to Samba this weekend, and was wondering > how I could get my current PDC's SID number, so I can use it on the Samba > server, without re-adding all my workstations to the domain. > > Also, we have triple boot systems (WinNT Workstation, Win98, and Linux) > and was wondering if pam_smb or pam_ntdom packages are still being used, > so we can have centralized user authentication for the Linux machines. I > asked about these PAM modules before, but received no response. > > Thanks, > Thien Vu > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Wed Feb 2 20:56:30 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:19 2003 Subject: Creating a PDC with Samba In-Reply-To: <20000202105051.A1258@shadowland.sc> Message-ID: > Hm. Currently I'm not to sure about the state of the implementation of the > UserManager in the alpha tarball, but in the CVS it is broken... if it's broken, please report fully exactly _where_ it is broken, otherwise it's not going to get fixed! see tng faq for reporting. i am currently working on samrtdbd not samrd, endeavouring to do a better job of the mess i made of domain_namemap.c. if anyone wants to take over getting samrd working, please feel free to do so, otherwise i'll only fix reported (and therefore easy-to-fix) bugs in samrd. thx ppl! luke From lkcl at samba.org Wed Feb 2 20:57:12 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
In-Reply-To: <004e01bf6d6b$a0f45a80$4201a8c0@ntthomas>
Message-ID:

no, run wkssvcd.

On Wed, 2 Feb 2000, Thomas Kolstø wrote:

> Nope:
>
> du_filserv:/usr/local/samba-tng/var/locks/.msrpc# ls -lag
> total 8
> drwx------ 2 root root 4096 Feb 2 10:50 ./
> drwxr-xr-x 3 root root 4096 Feb 2 11:51 ../
> srwx------ 1 root root 0 Feb 2 10:50 NETLOGON=
> srwx------ 1 root root 0 Feb 2 10:49 winreg=
> du_filserv:/usr/local/samba-tng/var/locks/.msrpc#
>
>
>
> Should I maybe touch it ?
>
> Thomas Kolstoe
>
> ----- Original Message -----
> From: "Lars Kneschke"
> To:
> Cc: "Multiple recipients of list SAMBA-NTDOM"
> Sent: Wednesday, February 02, 2000 11:43 AM
> Subject: Re: Win2k Pro. / NT4.0 SP 6 "Connection refused - in samba.$client.log" - why?
>
>
> > Thomas Kolstø wrote:
> > >
> > > Hello there
> > >
> > > I followed the advice of Karl-Heinz Schulz (thanks btw :) and installed the latest samba-tng source today - and the domain logon worked much better with this one, at least - my win2k box finds the domain now, but i`m still having problems with - as the win2k box says, the username and password for the workstation trust account.
> > >
> > > But I noticed that in my samba.ms-server.log file, that there were some errors like "Connection refused" in there - does anyone know what this is all about? Please, could anyone look at the file ?
> > Does this file exist?
> >
> > /usr/local/samba-tng/var/locks/.msrpc/wkssvc
> >
> > Cu
> > --
> > Lars Kneschke
> > NetUSE Kommunikationstechnologie GmbH
> > Siemenswall, D-24107 Kiel, Germany
> > Fon: +49 431 386435 00 -- Fax: +49 431 386435 99
> >
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From fwickham at mainex1.asu.edu Wed Feb 2 21:00:55 2000
From: fwickham at mainex1.asu.edu (Scott)
Date: Tue Dec 2 02:28:19 2003
Subject: Samba / NT4 / Solaris2.6
Message-ID: <38989B07.5AD25500@mainex1.asu.edu>

Hello All:

I'm trying to map to a Solaris 2.6 server with Samba 1.9.16p11

I have an NT4 workstation and log into an NT PDC Server. I've modified the NT batch file (Created by KixStart) to reflect multiple scenarios (see below). However, the drive letter to the Solaris machine will appear in NT's Explorer, but when I click "refresh", the drive letter disappears !

I can map the drive to the Solaris Server normally using Explorer but really need to automate this for the sake of the users.

Any Hints????

Scott Wickham

(KixStart scr file ............)

    SetConsole( "HIDE" )
    ; -------------------------------------------------------------------------------
    ; CSB Drive Mappings (supercedes normal drive mappings if they are in CSB group)
    IF INGROUP("ARMS_TRAIN") ; Arms data entry training
    use V: "\\ARMS\devel" ; 2/1/2000 Scott W.
    ENDIF
    ;IF INGROUP("ARMS_TRAIN") ; Arms data entry training
    ;use V: "\\Arms\devel" ; 2/1/2000 Scott W.
    ;ENDIF
    ;IF INGROUP("ARMS_TRAIN") ; Arms data entry training
    ;use V: "\\ARMS\devel" ; 2/1/2000 Scott W.
    ;ENDIF
    ;IF INGROUP("ARMS_MAP") ; Arms data entry training
    ;use R: "\\arms\shares" ; 2/1/2000 Scott W.
    ;ENDIF
    ; ----------------------------------------------------------

From ralf at is.rice.edu Wed Feb 2 21:08:41 2000
From: ralf at is.rice.edu (Alfredo Ramos)
Date: Tue Dec 2 02:28:19 2003
Subject: unknown parameter "domain group map"
In-Reply-To: <029a01bf6db3$15e388b0$2d0100c1@ripe.net>
Message-ID:

This is happening to me too.

When testparm is run, it reads the conf file and it thinks everything is "OK". It recognizes the parameter, but in the log file I keep getting

    [2000/01/31 13:43:45, 0] param/loadparm.c:lp_do_parameter(2060)
      Ignoring unknown parameter "domain group map"

And I don't have any administrator privileges on client machines.

I followed Lars' instructions on his web page to no avail.

Al.

---------------------------------------------------------------------------------
| Alfredo Ramos                   This space available for rent.
| New Media & Student Computing   Get your product moving. Advertise here!
| Rice University.
| Email: ralf@is.rice.edu
---------------------------------------------------------------------------------

On Thu, 3 Feb 2000, Mark Guz wrote:

> Does anyone know why, even though I followed the NT-dom faq to the letter, including how to download the latest CVS code, that it still ignores:
>
> domain group map
> domain user map
> local group map
>
> I have downloaded 3.0.0-prealpha by following the instructions in the nt dom faq on www.samba.org
>
> Is the faq out of date now?
> is the information kept somewhere else
> or am I simply stupid???
>
>
> Mark S. Guz
> System/Network Engineer
> Ripe NCC
> Amsterdam
> http://www.ripe.net
>
>

From lars at kneschke.de Wed Feb 2 21:09:45 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:19 2003
Subject: unknown parameter "domain group map"
References:
Message-ID: <38989D19.AB4A72BA@kneschke.de>

Alfredo Ramos wrote:
>
> This is happening to me too.
>
> When testparm is run, it reads the conf file and it thinks everything is "OK". It recognizes the parameter, but in the log file I keep getting
>
> [2000/01/31 13:43:45, 0] param/loadparm.c:lp_do_parameter(2060)
> Ignoring unknown parameter "domain group map"
>
> And I don't have any administrator privileges on client machines.
>
> I followed Lars' instructions on his web page to no avail.

If you use a mixed Samba Main/TNG this is ok, because smbd from Main doesn't know this parameter. If you use Samba TNG only, you should not get this message.

I only get "domain admin" working, but never "local admin". At the moment i use only Samba TNG and i can become a "domain admin".

Cu
--
Do you like Samba? Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From lars at kneschke.de Wed Feb 2 21:24:20 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:19 2003
Subject: coding volunteers needed for msrpc server-side API conversion
References:
Message-ID: <3898A084.C31B500B@kneschke.de>

Luke Kenneth Casson Leighton wrote:
>
> On Tue, 1 Feb 2000, Lars Kneschke wrote:
>
> > Luke Kenneth Casson Leighton wrote:
> > >
> > > if anyone wants to help with a very boring but basically self-consistent task, i'd really appreciate it. the goal is, examine rpc_client/cli_*.c functions, e.g samr_open_domain(), and create a srv_*.c function with EXACTLY the same parameters called _samr_open_domain(), for all functions in rpc_client/cli_*.c and srv_*.c.
> > Hello!
> >
> > Today evening i have a network card again, for my linux router. So i should be able to help a little bit. Which file needs some work?
>
> you could start on reg_srv.c. cut/paste it to winregd/srv_reg_nt.c and go from there.

Do you mean rpc_server/srv_reg.c? I have no file reg_srv.c!

> there are plenty of examples. send me, first of all, patches for one function at a time.
>
> the _actual_ goal is not as i originally stated: the goal is to expose all _Q_ and _R_ members to the _xxx_msrpc_() functions and then later to modify the xxx_msrpc_() client-side function to do the same.
>
> the ultimate aim is to have EXACTLY the same API as the microsoft MSDN, and i do mean exactly. but PLEASE, do NOT go copying the MSDN, that breaks microsoft's copyright. work from the data over-the-wire, and that means the samba data structures, only. you shouldn't get stuck, but if you do, then _refer_ to the MSDN, don't copy it.
>
> thx,
>
> luke
>
> lars, talk with sander and sean millichamp and elrond, they're chewing through this stuff.

Sorry, coders! :-)

But i have no idea what i should do. I understand C and Luke said it is boring but easy. But i don't understand what i have to do! Can someone send me an example? I really like to contribute.

Cu
--
Do you like Samba? Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From mml1000 at cam.ac.uk Wed Feb 2 21:32:34 2000
From: mml1000 at cam.ac.uk (Matthew M Lavy)
Date: Tue Dec 2 02:28:19 2003
Subject: unknown parameter "domain group map"
In-Reply-To: <029a01bf6db3$15e388b0$2d0100c1@ripe.net>
Message-ID:

On Thu, 3 Feb 2000, Mark Guz wrote:

[snip]
>
> I have downloaded 3.0.0-prealpha by following the instructions in the nt dom faq on www.samba.org

You want to get the latest code from the TNG branch, and NOT the head branch; if you followed the NT-faq you probably didn't do this. Did you do:

    cvs checkout -r SAMBA_TNG samba?

--
Matthew M Lavy BA MPhil ARCM LTCL
Jesus College, Cambridge CB5 8BL
Tel: +44 1223 511338
email: mml1000@jesus.cam.ac.uk

From D.Bannon at latrobe.edu.au Wed Feb 2 21:57:24 2000
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:28:19 2003
Subject: pam smb and ftp
In-Reply-To: <006f01bf6d93$4bf48780$0e41cc83@ace.business.auburn.edu>
Message-ID: <3.0.6.32.20000203085724.008a5cd0@bioserve.latrobe.edu.au>

At 02:38 AM 03/02/2000 +1100, Vijay Swamidass wrote:
> Hello, I am running Redhat 6.1, and telnet logins are authenticating
>to the NT domain, but ftp does not. Thanks.

Sure will, but you must have a ftp stack (in pam.d) that includes pam_smb, just the same as you must have done to the telnet stack.

If there is not a file, ~\pam.d\ftp to add the pam_smb line to, I would assume you don't have a suitable ftp server installed. Std RH normally does.

David
------------------------------------------------------------
David Bannon                     D.Bannon@latrobe.edu.au
School of Biochemistry           Phone 61 03 9479 2197
La Trobe University, Plenty Rd,  Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083   http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From mgeddes at xavier.sa.edu.au Wed Feb 2 22:16:26 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:19 2003
Subject: pam smb and ftp
References: <006f01bf6d93$4bf48780$0e41cc83@ace.business.auburn.edu>
Message-ID: <3898ACB9.FABF1283@xavier.sa.edu.au>

Vijay Swamidass wrote:

> Hello, Does anyone know if pam smb authenticates ftp logins? I am running Redhat 6.1, and telnet logins are authenticating to the NT domain, but ftp does not. Thanks.
> ++++++++++++++++++++++++++++++++++++++++++
> Vijay Swamidass
> swamidass@mail.com
> (334) 887-8766
> ++++++++++++++++++++++++++++++++++++++++++

does /etc/pam.d/ftp exist and is it set up right? Check out the PAM docs for further details

Matt

-------------- next part --------------
HTML attachment scrubbed and removed

From martin at tantalus.com Wed Feb 2 22:15:35 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:19 2003
Subject: LDAP
Message-ID: <001501bf6dcb$0726df80$12f066cf@tantalus>

Does anyone know if Samba compiles with LDAP support? In version 2.0.6

I get this..

    checking whether to use LDAP password database... yes
    configure: error: LDAP password database not supported in this version.

when I run ./configure

___________________________________________
Martin Brown, Unix Systems Administrator
Tantalus Communications Inc.
500-1122 Mainland Street
Vancouver, BC, Canada V6B 5L1
martin@tantalus.com
Direct 604.721-0351
Main 604.609.0700
Fax 604.609.0705
Toll Free 1.877.326.6776
http://www.tantalus.com
"When eBusiness experience counts."

From mgeddes at xavier.sa.edu.au Wed Feb 2 22:25:58 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:19 2003
Subject: LDAP
References: <001501bf6dcb$0726df80$12f066cf@tantalus>
Message-ID: <3898AEF6.40B086F6@xavier.sa.edu.au>

Martin Brown wrote:

> Does anyone know if Samba compiles with LDAP support? In version 2.0.6
>
> I get this..
>
> checking whether to use LDAP password database... yes
> configure: error: LDAP password database not supported in this version.
>

I think you need to run ./configure --with-passwd when configuring OpenLDAP. Recompile and live happily ever after.....

Matt

From swamive at mail.auburn.edu Wed Feb 2 23:24:33 2000
From: swamive at mail.auburn.edu (Vijay E Swamidass)
Date: Tue Dec 2 02:28:19 2003
Subject: pam smb and ftp
In-Reply-To: <3.0.6.32.20000203085724.008a5cd0@bioserve.latrobe.edu.au>
Message-ID:

Thanks all for the help... updated /etc/pam.d/ftp and it works like a champ. It is really a marvelous piece of software.

Vijay

From lkcl at samba.org Thu Feb 3 02:15:44 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: [samba-tng] status
Message-ID:

ok.

sander's doing netlogon conversion, he's just gone to sleep.

elrond's doing lsarpc conversion, he doesn't like the msdn api format, but then again, neither do any msdn developers like lsa_lookup_sids and lsa_lookup_names. [elrond, would you be happy with a client-side "wrapper" function that looks like rpc_client/cli_lsarpc.c's lsa_lookup_names?]

sean millichamp's first foray into programming for a while resulted in srvsvc conversion, he even had fun doing it.

lars volunteered for srv_reg.c, and is having the same conceptual difficulties with the task to be carried out that sean _used_ to have before sander explained in a mini HOWTO (Thx sander)!

luke howard hates passdb/*.c and groupdb/*.c as much as i do. he's not touched the pre-existing schema so he's created an nt5ldap schema. it all works, but falls down silly in exactly the same way that the smbpasswd API samrd does (i.e without --with-ldap).

luke also liked the surs thing so much he wrote a surs_nt5ldap_sid_to_uid function - in 20 lines of code. YESS :)

i'm also trying to get luke h. to write a samrnt5ldapd, but he coded himself silly on the passdb/ groupdb/ version so needs a rest. i'm also encouraging him to "track" what i do for samtdbd, so he doesn't have to waste effort.

i'm _trying_ to write samtdbd, but the rest of you are so busy in the mornings (when i'm not even up) that i had 100 email messages when i _started_ work and they just kept on coming...

anyway, i got usrmgr to actually display a user-dialog today. i have two outstanding problems, one of which is how to make the user passwords secure even though the database itself may be accessible read-only (just like /etc/passwd is). i have an idea, i'll post an rfc in a separate message.

the other one is how to do a SamrQueryUserInfo() at level 0x18 on local loopback but NOT on network access. i'm not sure...

luke

From lkcl at samba.org Thu Feb 3 02:51:25 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: SYSKEY2. Request For Comments
Message-ID:

recently, netect / bindview posted a review of the syskey system and how the RC4 cypher stream was reset each time. standard RC4 attack analysis shows that XORing two obfuscated passwords together results in the XOR cypher stream dropping out, and you have the two XORed passwords. further attack analysis can decrypt the passwords.

i am looking to implement an equivalent mechanism to SYSKEY, however i do not have the relevant security skills to say whether a proposal is secure or not.

i will outline the requirements, first, and then a possible proposal.

1) the SAM database may be accessible read-only (for example on NT, using REGEDT32 or PWDUMP or PWDUMP2)

   it should not be possible to decrypt the passwords, even though it is possible to obtain a binary or over-the-wire copy of the SAM database.

2) a mechanism to encrypt or decrypt the passwords should be reasonably fast so that any updates do not result in simultaneous accesses to the SAM database locking each other out for significantly [relatively] long periods of time.

the idea i came up with is this:

1) create a syskey key. it can be any length. this is privately stored / protected. call this syskeyN

2) take the binary data of the user's profile (on NT, see HKLM\SAM\Sam\Domains\Account\Users\000001f4\V for an example: this is the administrator account. you will need to add permissions to access HKLM\SAM: remember to remove them afterwards!)

   this binary data is also known as the NDR of the user's profile. microsoft's SAM developers and DCOM / DCE/RPC developers know exactly what this is.

   make a copy of the NDR data, and zero out the part with the password. call this usr21Z

3) use HMAC_MD5T64 to generate an RC4 key.

   the definition of HMAC_MD5T64 is basically that it's a version of HMAC_MD5 except that instead of, at the start of the algorithm, if the key is > 64 bytes, you truncate it instead of using MD5(key).

   sooo, i said that the syskey key can be any length, but it can actually only be <= 64 bytes. unless microsoft fixes their version of HMAC_MD5, which is currently not compliant with rfc 2104.

4) the rc4 key, K is calculated:

   K = HMAC_MD5T64(syskeyN, usr21Z);

5) the encrypted passwords LM# and NT# are calculated:

   E(LM#) = rc4(K, LM#)
   E(NT#) = rc4(K, NT#)

6) the encrypted passwords are substituted back into the NDR data.

the result is that the password hashes can only be decrypted if the secret key, syskey, is known, even if a copy of all the binary NDR user data is available.

notes

1) LM# and NT# could, for backwards-compatibility, in fact be the DES-RID-wrapped-1.75-times versions of LM# and NT#, in step 5, above.

2) MD5 is 16 times more computationally expensive than MD4. are there any better/simpler algorithms?

3) do you _really_ need to do this: lock SAM database. obtain user binary data (usr21). calculate key, enc-pwdds, store data, unlock SAM database. i think so, in which case notes 2) becomes a problem if the algorithm is slow.

4) usr21Z contains timestamps (8-byte NT format) on when the password was last changed, _and_ when the user last logged in, _and_ when the user last logged off. the data is therefore constantly changing, and each change will require a new update to the encrypted password field (syskey2).

comments, please! especially on whether the usr21Z data is sufficient to produce variations in the per-user key, particularly as the various time-stamps keep changing.

thx,

luke (samba team)

p.s the definition of # is actually "octothorpe" - an eight-sided figure. it is pronounced, everywhere except in the u.s, as "hash". for those people in the u.k who have ever tried to use a u.s. keyboard or listened to automated telephone instructions, shift-3 and the button underneath 9 on a telephone _is_, to americans, the pound symbol.

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From matty at cifs.org Thu Feb 3 03:44:25 2000
From: matty at cifs.org (Matt Chapman)
Date: Tue Dec 2 02:28:19 2003
Subject: [samba-tng] status
In-Reply-To: ; from lkcl@samba.org on Thu, Feb 03, 2000 at 01:19:17PM +1100
References:
Message-ID: <20000203144424.A8055@cifs.org>

>
> the other one is how to do a SamrQueryUserInfo() at level 0x18 on local loopback but NOT on network access.

level 18 (0x12), not 0x18. not that it matters if it is internal only :-)

in NT it is not done on ncalrpc, but by calling SamrQueryInformationUser in SAMSRV.DLL directly (the special info level does not seem to be defined in any IDL). the return buffer contains 16-byte NT# followed by 16-byte LM#.

Matt

--
Matthew "Austin" Chapman
SysAdmin, Developer, Samba Team Member

From lkcl at samba.org Thu Feb 3 03:48:41 2000
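
The SYSKEY2 Request For Comments earlier in this archive (steps 1 to 6 and note 4), worked through in Python as an added example; it is not code from the post or from Samba. The record layout in `usr21z`, the sample key and the 16-byte stand-in hashes are constructed, and `seal_one_stream` is this example's own variant rather than part of the proposal.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # MD5 block size in bytes

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; every call restarts the keystream from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5t64(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 as the post defines it: an over-long key is truncated to
    64 bytes, where RFC 2104 would replace it with MD5(key)."""
    k = key[:BLOCK].ljust(BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in k) + msg).digest()
    return hashlib.md5(bytes(b ^ 0x5C for b in k) + inner).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def usr21z(rid: int, last_logon: int, name: str) -> bytes:
    """Constructed stand-in for the user's NDR data with the password
    field zeroed (step 2); the real layout is not reproduced here."""
    return struct.pack("<IQ", rid, last_logon) + name.encode("utf-16-le") + bytes(32)

def seal(syskey: bytes, record_z: bytes, lm: bytes, nt: bytes):
    """Steps 4-5 read literally: one K per user, RC4 run once per hash."""
    k = hmac_md5t64(syskey, record_z)
    return rc4(k, lm), rc4(k, nt)

def seal_one_stream(syskey: bytes, record_z: bytes, lm: bytes, nt: bytes) -> bytes:
    """Variant (an assumption of this example): LM# || NT# encrypted in a
    single RC4 pass, so the two hashes use different keystream bytes."""
    return rc4(hmac_md5t64(syskey, record_z), lm + nt)

# Constructed sample data: 16-byte stand-ins, not real LM/NT hashes.
SYSKEY = b"constructed-syskeyN"
LM_A, NT_A = hashlib.md5(b"lm-a").digest(), hashlib.md5(b"nt-a").digest()
LM_B, NT_B = hashlib.md5(b"lm-b").digest(), hashlib.md5(b"nt-b").digest()
REC_A = usr21z(0x1F4, 125_000_000_000, "administrator")
REC_B = usr21z(0x3E8, 125_000_000_000, "alice")

def fixed_key_leaks_xor() -> bool:
    """The weakness described in the post: same RC4 key, stream reset per
    password, so XOR of two ciphertexts equals XOR of the two plaintexts."""
    c1, c2 = rc4(SYSKEY, LM_A), rc4(SYSKEY, LM_B)
    return xor(c1, c2) == xor(LM_A, LM_B)

def per_user_key_removes_cross_user_leak() -> bool:
    e_a, _ = seal(SYSKEY, REC_A, LM_A, NT_A)
    e_b, _ = seal(SYSKEY, REC_B, LM_B, NT_B)
    return xor(e_a, e_b) != xor(LM_A, LM_B)

def literal_step5_leaks_within_record() -> bool:
    """If RC4 restarts for each hash, E(LM#) ^ E(NT#) == LM# ^ NT#."""
    e_lm, e_nt = seal(SYSKEY, REC_A, LM_A, NT_A)
    return xor(e_lm, e_nt) == xor(LM_A, NT_A)

def one_stream_avoids_it() -> bool:
    blob = seal_one_stream(SYSKEY, REC_A, LM_A, NT_A)
    return xor(blob[:16], blob[16:]) != xor(LM_A, NT_A)

def timestamp_change_needs_reseal() -> bool:
    """Note 4: a new logon time changes usr21Z, hence K; the stored
    ciphertext only decrypts again once re-encrypted under the new K."""
    e_lm, _ = seal(SYSKEY, REC_A, LM_A, NT_A)
    rec_new = usr21z(0x1F4, 125_000_000_001, "administrator")
    stale = rc4(hmac_md5t64(SYSKEY, rec_new), e_lm)
    resealed, _ = seal(SYSKEY, rec_new, LM_A, NT_A)
    fresh = rc4(hmac_md5t64(SYSKEY, rec_new), resealed)
    return stale != LM_A and fresh == LM_A

def truncation_differs_from_rfc2104() -> bool:
    long_key, msg = bytes(range(80)), b"usr21Z"
    std = hmac.new(long_key, msg, hashlib.md5).digest()
    return (hmac_md5t64(long_key, msg) != std
            and hmac_md5t64(long_key, msg) == hmac_md5t64(long_key[:64], msg)
            and hmac_md5t64(b"short", msg) == hmac.new(b"short", msg, hashlib.md5).digest())

if __name__ == "__main__":
    for check in (fixed_key_leaks_xor, per_user_key_removes_cross_user_leak,
                  literal_step5_leaks_within_record, one_stream_avoids_it,
                  timestamp_change_needs_reseal, truncation_differs_from_rfc2104):
        print(f"{check.__name__}: {check()}")
```

Every check prints True: the per-user K removes the cross-user XOR leak, but running RC4 separately for LM# and NT# under the same K reintroduces it inside one record, and any timestamp change forces the re-encryption that note 4 anticipates.
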
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: [samba-tng] status
In-Reply-To: <20000203144424.A8055@cifs.org>
Message-ID:

On Thu, 3 Feb 2000, Matt Chapman wrote:

> >
> > the other one is how to do a SamrQueryUserInfo() at level 0x18 on local loopback but NOT on network access.
>
> level 18 (0x12), not 0x18. not that it matters if it is internal only :-)

true.

so, the functional "equivalent", so-to-speak, is for me to call _samr_query_userinfo().

argh. that means that i have to also call _samr_connect(), _samr_open_domain and _samr_open_user(), followed by _samr_close() on all three handles returned.

i _think_ the code can cope with that. i'm referring to the code that associates TDB_CONTEXT* database handles with the POLICY_HND* handles of each of the _samr_open...() implementations.

yeah, there's nothing else special about it. yeah, i like it! thanks matthew!

> in NT it is not done on ncalrpc, but by calling SamrQueryInformationUser in SAMSRV.DLL directly (the special info level does not seem to be defined in any IDL). the return buffer contains 16-byte NT# followed by 16-byte LM#.
>
> Matt
>
>
> --
> Matthew "Austin" Chapman
> SysAdmin, Developer, Samba Team Member
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From gleblanc at cu-portland.edu Thu Feb 3 04:46:38 2000
From: gleblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:19 2003
Subject: "attack" (manage) NT domain using the linux tools?
References:
Message-ID: <3899082E.75228480@cu-portland.edu>

Luke Kenneth Casson Leighton wrote:
>
> yep! rpcclient. there's a man page, even. createuser, setuserinfo user -p newuserpassword, creategroup addgroup, delgroup creategroupmem etc etc it's about 98% all there.

Awesome, can I do just a checkout on rpcclient, or do I need to pull all of (TNG/HEAD)?

Greg

From lkcl at samba.org Thu Feb 3 04:52:23 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: "attack" (manage) NT domain using the linux tools?
In-Reply-To: <3899082E.75228480@cu-portland.edu>
Message-ID:

tng. ./configure; make bin/rpcclient.

On Thu, 3 Feb 2000, Gregory Leblanc wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > yep! rpcclient. there's a man page, even. createuser, setuserinfo user -p newuserpassword, creategroup addgroup, delgroup creategroupmem etc etc it's about 98% all there.
>
> Awesome, can I do just a checkout on rpcclient, or do I need to pull all of (TNG/HEAD)?
> Greg
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From pli at ee.ualberta.ca Thu Feb 3 05:28:29 2000
From: pli at ee.ualberta.ca (Patrick Li)
Date: Tue Dec 2 02:28:19 2003
Subject: Policy
Message-ID:

Hello Guys,

I'm currently running Samba 2.0.6 as a PDC,
I can get profiles and domain login working
but for policy, I can't get anything.

I got that config.pol in my Netlogon share

Can anyone tell me how to fix this

Thanx

Pat

From Olivier.Brousselle at univ-lehavre.fr Thu Feb 3 08:42:08 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:19 2003
Subject: CVS Samba TNG
Message-ID: <38993F60.BC6FDAF@univ-lehavre.fr>

Hi,

I need to get Samba TNG, but there is a problem :

    cvs -d:pserver:cvs@cvs.samba.org:/cvsroot login

It's OK

    cd /usr/src/samba-main
    cvs -d:pserver:cvs@cvs.samba.org:/cvsroot co samba

OK

    cd /usr/src/samba-tng
    cvs -d:pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba

Problem :

    cvs server: cannot find module 'SAMBA_TNG' - ignored
    cvs [checkout aborted]: cannot expand modules

Is there a mistake in my command ?

--
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences          Laboratoire de mécanique
Monday to Wednesday           Thursday and Friday
Tel : 02/32/74/43/37          02/32/74/49/67
Fax : 02/32/74/43/14          02/32/74/49/60

From lk at netuse.de Thu Feb 3 09:01:10 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:19 2003
Subject: CVS Samba TNG
References: <38993F60.BC6FDAF@univ-lehavre.fr>
Message-ID: <389943D6.F1C871CA@netuse.de>

Olivier Brousselle wrote:

> cd /usr/src/samba-tng
> cvs -d:pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba
> Problem :
> cvs server: cannot find module 'SAMBA_TNG' - ignored
> cvs [checkout aborted]: cannot expand modules

I just tested it 1 minute ago and it works.

    cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba

This is what cvs --version says at my linux workstation:

    lars@knecke:~ > cvs --version

    Concurrent Versions System (CVS) 1.10.7 (client/server)

    Copyright (c) 1989-1998 Brian Berliner, david d `zoo' zuhn,
    Jeff Polk, and other authors

    CVS may be copied only under the terms of the GNU General Public License,
    a copy of which can be found with the CVS distribution kit.

    Specify the --help option for further information about CVS

Maybe you have an old cvs version?

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From icoupeau at unav.es Thu Feb 3 09:22:28 2000
From: icoupeau at unav.es (Ignacio Coupeau)
Date: Tue Dec 2 02:28:19 2003
Subject: Samba with NIS+ or LDAP
References: <000901bf6dab$118ea720$12f066cf@tantalus>
Message-ID: <389948D4.A4CEB3CA@unav.es>

the page http://www.unav.es/cti/ldap-smb-howto.html may help,

Ignacio

Martin Brown wrote:
>
> Anyone know of any links with information about using Samba with NIS+ or LDAP for a authentication? And if Samba is your PDC, can you still use LDAP or NIS+ to manage the accounts?

____________________________________________________
Ignacio Coupeau, Ph.D.    e-mail: icoupeau@unav.es
CTI, Director             fax: 948 425619
University of Navarra     voice: 948 425600
Pamplona, SPAIN           http://www.unav.es/cti/

From Olivier.Brousselle at univ-lehavre.fr Thu Feb 3 11:16:12 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:19 2003
Subject: Compilation of SAMR
Message-ID: <3899637C.E0051B55@univ-lehavre.fr>

Hello,

I have another problem :
I use Linux Slackware 7.0, Samba TNG.

Compilation of Samba TNG :

    Compiling rpcclient/cmd_samr.c
    rpcclient/cmd_samr.c: In function `cmd_sam_set_userinfo2':
    rpcclient/cmd_samr.c:2189: `SAM_USER_INFO_16' undeclared (first use in this function)
    rpcclient/cmd_samr.c:2189: (Each undeclared identifier is reported only once
    rpcclient/cmd_samr.c:2189: for each function it appears in.)
    rpcclient/cmd_samr.c:2189: `p' undeclared (first use in this function)
    rpcclient/cmd_samr.c:2189: parse error before `)'
    make: *** [rpcclient/cmd_samr.o] Error 1

Any idea, patch ?

--
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences          Laboratoire de mécanique
Monday to Wednesday           Thursday and Friday
Tel : 02/32/74/43/37          02/32/74/49/67
Fax : 02/32/74/43/14          02/32/74/49/60

From jfaria at mediaone.net Thu Feb 3 11:38:48 2000
From: jfaria at mediaone.net (Jim Faria)
Date: Tue Dec 2 02:28:19 2003
Subject: Compile problems Solaris7 with pam_ntdom V0.23
Message-ID:

I'm getting the following compile errors with both gcc 2.8.1 and 2.95.2. The full samba package 2.0.6 built and installed fine.

    # make
    mkdir -p ./dynamic

    *** Building pam-ntdom(alpha) module of the framework...
    Contact: lkcl@samba.org

    gcc -O2 -DHAVE_CONFIG_H -fPIC -DSCONFIGED=\"/etc/security/\" -DDEBUG_PASSWORD -I./lib/include -I./lib/rpc/include -I./rpc_validate -c rpc_validate.c -o dynamic/rpc_validate.o
    rpc_validate.c: In function `client_connect':
    rpc_validate.c:62: parse error before `('
    rpc_validate.c:67: parse error before `('
    rpc_validate.c: In function `Valid_User':
    rpc_validate.c:92: parse error before `('
    rpc_validate.c: In function `domain_client_validate':
    rpc_validate.c:170: parse error before `('
    rpc_validate.c:198: parse error before `('
    rpc_validate.c:219: parse error before `('
    rpc_validate.c:230: parse error before `('
    rpc_validate.c:246: parse error before `('
    make: *** [dynamic/rpc_validate.o] Error 1

From Bill.Smith at jhuapl.edu Thu Feb 3 13:00:04 2000
From: Bill.Smith at jhuapl.edu (Smith, William E.)
Date: Tue Dec 2 02:28:19 2003
Subject: Configuring Linux Box to Use Domain Level Security
Message-ID: <67525B5908A1D3118D6B0008C79192C8672538@aples3.jhuapl.edu>

I am attempting to setup my linux machine to use domain level security but am having some problems. I'll start off by first listing what I have done. The linux machine has been placed in Domain A(A resource domain) and has joined that domain with no problems after I had created the machine account for it via Server Manager. I listed the password servers I wanted to use which are located within Domain B(Account domain). Domain A also trusts domain B. I then changed the security level to domain and restarted all the daemons. When I looked at the logs, I found the following errors listed:

My feeling as is several other linux people I've talked to here is that I need a machine account created in Domain B at which point my machine will be able to have authentication requests done via the account domain controllers in Domain B. Is this the right line of thinking or is something else wrong here? Also, what kind of inherent security risks/holes are opened up when using an NT domain controller to authenticate requests. Any help would be appreciated.

Thanks,

Bill

    [2000/02/01 12:39:35, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
      cli_nt_setup_creds: auth2 challenge failed
    [2000/02/01 12:39:35, 0] smbd/password.c:domain_client_validate(1351)
      domain_client_validate: unable to setup the PDC credentials to machine . Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
    [2000/02/01 12:39:35, 0] rpc_client/cli_netlogon.c:cli_net_auth2(160)
      cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
    [2000/02/01 12:39:35, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
      cli_nt_setup_creds: auth2 challenge failed
    [2000/02/01 12:39:35, 0] smbd/password.c:domain_client_validate(1351)
      domain_client_validate: unable to setup the PDC credentials to machine . . Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Bill Smith                      mailto:bill.smith@jhuapl.edu
The Johns Hopkins University    Washington DC: 240-228-5523
Applied Physics Laboratory      MD: 443-778-5523
11100 Johns Hopkins Road        Fax: 240-228-5727
Laurel, MD 20723-6099           Web: http://www.jhuapl.edu/

-------------- next part --------------
HTML attachment scrubbed and removed

From lkcl at samba.org Thu Feb 3 17:00:03 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: Compilation of SAMR
In-Reply-To: <3899637C.E0051B55@univ-lehavre.fr>
Message-ID:

fixed, this morning.

On Thu, 3 Feb 2000, Olivier Brousselle wrote:

> Hello,
>
> I have another problem :
> I use Linux Slackware 7.0, Samba TNG.
>
> Compilation of Samba TNG :
>
> Compiling rpcclient/cmd_samr.c
> rpcclient/cmd_samr.c: In function `cmd_sam_set_userinfo2':
> rpcclient/cmd_samr.c:2189: `SAM_USER_INFO_16' undeclared (first use in this function)
> rpcclient/cmd_samr.c:2189: (Each undeclared identifier is reported only once
> rpcclient/cmd_samr.c:2189: for each function it appears in.)
> rpcclient/cmd_samr.c:2189: `p' undeclared (first use in this function)
> rpcclient/cmd_samr.c:2189: parse error before `)'
> make: *** [rpcclient/cmd_samr.o] Error 1
>
> Any idea, patch ?
>
> --
> Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
> ==================================================================
> Faculté des sciences          Laboratoire de mécanique
> Monday to Wednesday           Thursday and Friday
> Tel : 02/32/74/43/37          02/32/74/49/67
> Fax : 02/32/74/43/14          02/32/74/49/60
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 3 17:02:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:19 2003 Subject: Compile problems Solaris7 with pam_ntdom V0.23 In-Reply-To: Message-ID: use 0.24 or download latest cvs. thx. On Thu, 3 Feb 2000, Jim Faria wrote: > I'm getting the following compile errors with both gcc 2.8.1 and 2.95.2. The > full samba package 2.0.6 buid and installed fine. > > # make > mkdir -p ./dynamic > > *** Building pam-ntdom(alpha) module of the framework... > Contact: lkcl@samba.org > > gcc -O2 -DHAVE_CONFIG_H -fPIC -DSCONFIGED=\"/etc/security/\" -DDEBUG_PASSWOR > D -I./lib/include -I./lib/rpc/include -I./rpc_validate -c > rpc_validate.c -o dynamic/rpc_validate.o > rpc_validate.c: In function `client_connect': > rpc_validate.c:62: parse error before `(' > rpc_validate.c:67: parse error before `(' > rpc_validate.c: In function `Valid_User': > rpc_validate.c:92: parse error before `(' > rpc_validate.c: In function `domain_client_validate': > rpc_validate.c:170: parse error before `(' > rpc_validate.c:198: parse error before `(' > rpc_validate.c:219: parse error before `(' > rpc_validate.c:230: parse error before `(' > rpc_validate.c:246: parse error before `(' > make: *** [dynamic/rpc_validate.o] Error 1 > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jfaria at mediaone.net Thu Feb 3 17:54:19 2000 From: jfaria at mediaone.net (Jim Faria) Date: Tue Dec 2 02:28:19 2003 Subject: FW: Compile problems Solaris7 with pam_ntdom V0.24 Message-ID: Correction. This problem is with 0.24. I had different build problems with 0.23 -----Original Message----- 
From: Jim Faria [mailto:jfaria@mediaone.net]
Sent: Thursday, February 03, 2000 6:39 AM
To: samba-ntdom@samba.org
Subject: Compile problems Solaris7 with pam_ntdom V0.23

I'm getting the following compile errors with both gcc 2.8.1 and 2.95.2. The
full samba package 2.0.6 built and installed fine.

# make
mkdir -p ./dynamic

*** Building pam-ntdom(alpha) module of the framework...
Contact: lkcl@samba.org

gcc -O2 -DHAVE_CONFIG_H -fPIC -DSCONFIGED=\"/etc/security/\" -DDEBUG_PASSWOR
D -I./lib/include -I./lib/rpc/include -I./rpc_validate -c
rpc_validate.c -o dynamic/rpc_validate.o
rpc_validate.c: In function `client_connect':
rpc_validate.c:62: parse error before `('
rpc_validate.c:67: parse error before `('
rpc_validate.c: In function `Valid_User':
rpc_validate.c:92: parse error before `('
rpc_validate.c: In function `domain_client_validate':
rpc_validate.c:170: parse error before `('
rpc_validate.c:198: parse error before `('
rpc_validate.c:219: parse error before `('
rpc_validate.c:230: parse error before `('
rpc_validate.c:246: parse error before `('
make: *** [dynamic/rpc_validate.o] Error 1

From fruitbat at netspace.org Thu Feb 3 18:52:43 2000
From: fruitbat at netspace.org (Eric the Fruitbat)
Date: Tue Dec 2 02:28:19 2003
Subject: No subject
Message-ID: <200002031852.NAA12125@netspace.org>

Hello. A while ago I posted a question to the list about a problem I was
having with remote SMB clients crashing inexplicably when trying to attach
to a 2.0.6 PDC. I received one response off-list from someone, but
unfortunately their suggestions weren't applicable. Other than that, I'm
sort of stuck -- I'm not in a position where I can simply accept that samba
doesn't work anymore and forget about it, but I also don't know what might
be going wrong. The newsgroup has been of no use, either, though I've tried
posting there.

Maybe there's a simple solution that I'm overlooking, but I don't know what
it is, so if anyone could point me in the right direction I'd really
appreciate it. Thanks.

Eric deRiel
--
"I am a bomb technician. If you see me running, try and keep up."

From patvie at ce.ife.org.mx Thu Feb 3 19:30:32 2000
From: patvie at ce.ife.org.mx (Patrick Vielle Calzada)
Date: Tue Dec 2 02:28:19 2003
Subject: NT Workstation duplication
In-Reply-To:
Message-ID:

Take a look at this minihowto.

http://cuiwww.unige.ch/info/pc/remote-boot/howto.html

From vgill at technologist.com Fri Feb 4 01:16:04 2000
From: vgill at technologist.com (Vern H. Gill)
Date: Tue Dec 2 02:28:19 2003
Subject: Subscribe
Message-ID: <000601bf6ead$685287e0$3405a8c0@gillnet.org>

Subscribe

From kbn at pjat.dk Fri Feb 4 01:16:40 2000
From: kbn at pjat.dk (Kim Bjoern Nielsen)
Date: Tue Dec 2 02:28:19 2003
Subject: Compilation errors - IRIX 6.5.6f
Message-ID: <389A2878.647228A@pjat.dk>

Hi,

Compilation warnings with latest CVS - compiling on R4400 for IRIX
6.5.6f;

using gcc 2.95.2 & gmake 3.78.1:

- still can't join W2K Professional to domain )-:

Thanks - Kim

-------------- next part --------------
Compiling rpc_client/msrpc_samr.c with libtool
rpc_client/msrpc_samr.c: In function `lookup_sam_names':
rpc_client/msrpc_samr.c:118: warning: passing arg 4 of `samr_query_lookup_names' from incompatible pointer type
Compiling rpc_parse/parse_net.c with libtool
rpc_parse/parse_net.c: In function `make_dom_sid2s':
rpc_parse/parse_net.c:543: warning: assignment discards qualifiers from pointer target type
Compiling rpc_parse/parse_creds.c with libtool
rpc_parse/parse_creds.c: In function `create_user_creds':
rpc_parse/parse_creds.c:600: warning: assignment discards qualifiers from pointer target type
Compiling lib/util.c with libtool
lib/util.c: In function `nametouid':
lib/util.c:2082: warning: passing arg 1 of `Get_Pwnam' discards qualifiers from pointer target type
Compiling groupdb/aliasunix.c with libtool
groupdb/aliasunix.c:317: warning: initialization from incompatible pointer type
groupdb/aliasunix.c:318: warning: initialization from incompatible pointer type
Compiling groupdb/builtinunix.c with libtool
groupdb/builtinunix.c:310: warning: initialization from incompatible pointer type
groupdb/builtinunix.c:311: warning: initialization from incompatible pointer type
Compiling lib/domain_namemap.c with libtool
lib/domain_namemap.c: In function `lookup_remote_ntname':
lib/domain_namemap.c:913: warning: assignment discards qualifiers from pointer target type
Compiling web/cgi.c
web/cgi.c: In function `cgi_handle_authorization':
web/cgi.c:364: warning: assignment discards qualifiers from pointer target type

lots of (while linking):
ld32: WARNING 85: definition of __deregister_frame_info in bin/.libs/libnmb.so preempts that definition in bin/.libs/libsamba.so.

From lkcl at samba.org Fri Feb 4 01:50:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:19 2003
Subject: kRe: Compilation errors - IRIX 6.5.6f
In-Reply-To: <389A2878.647228A@pjat.dk>
Message-ID:

ok, time to

On Fri, 4 Feb 2000, Kim Bjoern Nielsen wrote:

> Hi,
>

get more info from you. can you follow sFAQ reporting instructions. faq
ref'd in source/README.

don't send anything to the list, yet, just check logs at level 100. look
for obvious "errors", "INTERNAL ERROR", warnings, failures, login failures
in log.NETLOGON etc etc.

follow the _exact_ instructions on setup in the FAQ, too.

thx,

luke

> Compilation warnings with latest CVS - compiling on R4400 for IRIX
> 6.5.6f;
>
> using gcc 2.95.2 & gmake 3.78.1:
>
> - still can't join W2K Professional to domain )-:
>
> Thanks - Kim

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From vgill at technologist.com Fri Feb 4 01:23:49 2000
From: vgill at technologist.com (Vern H. Gill)
Date: Tue Dec 2 02:28:19 2003
Subject: Links
Message-ID: <000701bf6eae$7d498bc0$3405a8c0@gillnet.org>

Can someone please provide the links for the LIBS or binaries to enable the
following, or tell me if it is included in the code, and maybe a brief
explanation of what each one is for;

From samba-main/tng
--with-smbwrapper
--with-afs
--with-dfs
--with-krb4=base-dir
--with-krb5=base-dir
--with-automount
--with-smbmount
--with-pam
--with-ldap
--with-ssl
--with-syslog
--with-profile
--with-netatalk
--with-quotas
--with-utmp

From samba-tng only
--with-samtdb
--with-libmsrpc
--with-libubiqx
--with-libsamba
--with-libnmb
--with-libsmbpw
--with-libsmb
--with-mmap

From aaron at cs.newcastle.edu.au Fri Feb 4 04:14:30 2000
From: aaron at cs.newcastle.edu.au (Aaron Scott)
Date: Tue Dec 2 02:28:20 2003
Subject: Multiple trusted samba PDCs on existing NT Server network?
Message-ID: <200002040414.PAA17284@lily.newcastle.edu.au>

A non-text attachment was scrubbed...
Name: not available
Type: text
Size: 3019 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000204/07b49d41/attachment.bat

From Olivier.Brousselle at univ-lehavre.fr Fri Feb 4 07:13:48 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:20 2003
Subject: [TNG] Domain Admin
Message-ID: <389A7C2C.3B308864@univ-lehavre.fr>

Hello,

How can I become domain admin ?

I follow these instructions :

smb.conf :
domain group map = /home/samba-tng/private/groups.map

chmod ugo+r /home/samba-tng/private/groups.map

groups.map :
admindom = "Domain Admins"

/etc/group :
admindom:x:36000:root

I can log root onto a Workstation, but I'm not domain admin.

Did I make a mistake ?

--
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences            Laboratoire de mécanique
Monday to Wednesday             Thursday and Friday
Tel : 02/32/74/43/37            02/32/74/49/67
Fax : 02/32/74/43/14            02/32/74/49/60

From thien_vu at hotmail.com Fri Feb 4 07:40:29 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:20 2003
Subject: [TNG] Domain Admin
References: <389A7C2C.3B308864@univ-lehavre.fr>
Message-ID: <20000204074121.53293.qmail@hotmail.com>

I'm using Samba 2.0.6a to manage the NT Workstations, and I am using the
parameter in smb.conf:

username map = /usr/local/samba/lib/username.map

and in username.map file I have:

@ntadmins = "Domain Admins"

Even though it's *officially* supported, it works fine for me!

Thien Vu

From lkcl at samba.org Fri Feb 4 07:49:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:20 2003
Subject: one of those horrible realisations
Message-ID:

ok, this is one of those nasty moments when you realise it's much more
complex than you thought.

multi-user systems, WinDD, WinFrame, TSE. multiplex multiple users onto
one smbd process. smbd has multiple personalities, based on vuids (SMB
virtual user ids).

which vuid context are you supposed to make an MSRPC call under, if you
only have one msrpc connection per pipe per smbd process?

i.e, each vuid has totally separate msrpcd context. i.e each vuid must,
under the current architecture, fork its own msrpc daemon process.

basically, each REAL smb user MUST have their own msrpc daemon.

it's not bad, it's just not a nice thing to realise at about 3 or 4 am.

luke

From martijn at ilse.nl Fri Feb 4 08:58:17 2000
From: martijn at ilse.nl (Martijn Grendelman)
Date: Tue Dec 2 02:28:20 2003
Subject: basic questions
Message-ID: <007401bf6eed$fa295320$54b89ec0@ilse.net>

Hi there,

I have been following this list for a couple of weeks now, and I have learnt
a lot, but there still remain some questions unanswered for me, that I can't
seem to find in the other docs either:

- What is the difference between the HEAD and TNG branches? Should I see
HEAD as pre-2.1 and TNG as pre-3.0? How do they differ in functionality?
What's the deal on using smbd and nmbd from HEAD and all the other daemons
from TNG?
- What do 'all those' daemons from TNG (netlogond, lsarpcd, browserd, etc.)
do? A short description would be nice, maybe Lars can add this to his FAQ or
something?
- I really would like domain logons for NT4 workstations to work well. Being
able to use the User Mgr for Domains would be nice, but is not essential.
Being able to have domain users as LOCAL admins would be even nicer! What do
I need (i.e. which version of Samba)?

Thanks for any answers,
Martijn.

From snail_talk at yahoo.com Fri Feb 4 09:47:04 2000
From: snail_talk at yahoo.com (geoffrey lee)
Date: Tue Dec 2 02:28:20 2003
Subject: basic questions
In-Reply-To: <007401bf6eed$fa295320$54b89ec0@ilse.net>
Message-ID: <000001bf6ef4$cab3f490$0200000a@workstation1>

hi,

> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of
> Martijn Grendelman
> Sent: Friday, February 04, 2000 5:01 PM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: basic questions
>
>
> Hi there,
>
> I have been following this list for a couple of weeks now, and I
> have learnt
> a lot, but there still remain some questions unanswered for me,
> that I can't
> seem to find in the other docs either:
>
> - What is the difference between the HEAD and TNG branches? Should I see
> HEAD as pre-2.1 and TNG as pre-3.0? How do they differ in functionality?

very basically speaking TNG is HEAD + nt pdc support.

> What's the deal on using smbd and nmbd from HEAD and all the other daemons
> from TNG?
> - What do 'all those' daemons from TNG (netlogond, lsarpcd,
> browserd, etc.)
> do? A short description would be nice, maybe Lars can add this to
> his FAQ or
> something?

each one has its different uses. if you have tried the production version
of samba, there were only two daemons, smbd and nmbd. while this is
perfectly ok, but say you only want a particular functionality in samba.
you'd have to enable all the daemons. but now, you only have to enable what
you use, not all of them.

> - I really would like domain logons for NT4 workstations to work
> well. Being
> able to use the User Mgr for Domains would be nice, but is not essential.
> Being able to have domain users as LOCAL admins would be even
> nicer! What do
> I need (i.e. which version of Samba)?
>

get the user to logon locally, and give them the admin password...

> Thanks for any answers,
> Martijn.
>

From lk at netuse.de Fri Feb 4 09:42:36 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:20 2003
Subject: basic questions
References: <007401bf6eed$fa295320$54b89ec0@ilse.net>
Message-ID: <389A9F0C.9F2AC84C@netuse.de>

Martijn Grendelman wrote:
>
> Hi there,
>
> I have been following this list for a couple of weeks now, and I have learnt
> a lot, but there still remain some questions unanswered for me, that I can't
> seem to find in the other docs either:
>
> - What is the difference between the HEAD and TNG branches? Should I see
> HEAD as pre-2.1 and TNG as pre-3.0? How do they differ in functionality?
> What's the deal on using smbd and nmbd from HEAD and all the other daemons
> from TNG?

I have updated the webpages some days ago. At the startpage is now a
list about the advantages and disadvantages of the different branches. If
you read it, and it didn't help you, I would be very interested to hear
what's not clear.

> - What do 'all those' daemons from TNG (netlogond, lsarpcd, browserd, etc.)
> do? A short description would be nice, maybe Lars can add this to his FAQ or
> something?

I would add a new FAQ-Point. But there is also a README in the
source-tree. Please read /source/README

> - I really would like domain logons for NT4 workstations to work well. Being
> able to use the User Mgr for Domains would be nice, but is not essential.
> Being able to have domain users as LOCAL admins would be even nicer! What do
> I need (i.e. which version of Samba)?

Samba TNG or mixed Samba TNG/Head should do it. I don't get local admins
working, but domain admins did it.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From martijn at ilse.nl Fri Feb 4 10:19:55 2000
From: martijn at ilse.nl (Martijn Grendelman)
Date: Tue Dec 2 02:28:20 2003
Subject: basic questions
References: <007401bf6eed$fa295320$54b89ec0@ilse.net> <389A9F0C.9F2AC84C@netuse.de>
Message-ID: <00b901bf6ef9$62bb7e30$54b89ec0@ilse.net>

Hi,

From: Lars Kneschke

> I have updated the webpages some days ago. At the startpage is now a
> list about the advantages and disadvantages of the different branches. If
> you read it, and it didn't help you, I would be very interested to hear
> what's not clear.

Oops.. Yes, I did read it and it is clear. I just kind of forgot I read it
and my bookmark points directly to the FAQ so I missed it this morning :-(

> I would add a new FAQ-Point. But there is also a README in the
> source-tree. Please read /source/README

Found that one just a second after I sent my first message to the list...

> Samba TNG or mixed Samba TNG/Head should do it. I don't get local admins
> working, but domain admins did it.

I've been experimenting with it. I haven't really tried to get domain admins
to work though. Now I can't get yesterday's MAIN to compile, but that's
probably a known issue.

I have a combined MAIN/TNG Samba running (CVS Jan 26th), but the UMfD
doesn't work and I'm not sure if it's supposed to. It displays the domain
users but then exits with an RPC protocol error. Something wrong on my side,
or is it just Samba?

Excuse me for being ignorant if I am...

Thanx,
Martijn.

From lk at netuse.de Fri Feb 4 10:23:24 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:20 2003
Subject: [TNG] Domain Admin
References: <389A7C2C.3B308864@univ-lehavre.fr>
Message-ID: <389AA89C.B496DCA@netuse.de>

Olivier Brousselle wrote:
>
> Hello,
>
> How can I become domain admin ?
>
> I follow these instructions :
>
> smb.conf :
> domain group map = /home/samba-tng/private/groups.map
>
> chmod ugo+r /home/samba-tng/private/groups.map
>
> groups.map :
> admindom = "Domain Admins"
>
> /etc/group :
> admindom:x:36000:root
>
> I can log root onto a Workstation, but i'm not domain admin.

That's the way it should work with Samba TNG.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lk at netuse.de Fri Feb 4 11:51:53 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:20 2003
Subject: basic questions
References: <007401bf6eed$fa295320$54b89ec0@ilse.net> <389A9F0C.9F2AC84C@netuse.de> <00b901bf6ef9$62bb7e30$54b89ec0@ilse.net>
Message-ID: <389ABD59.F8219AAE@netuse.de>

Martijn Grendelman wrote:

> > I have updated the webpages some days ago. At the startpage is now a
> > list about the advantages and disadvantages of the different branches. If
> > you read it, and it didn't help you, I would be very interested to hear
> > what's not clear.
>
> Oops.. Yes, I did read it and it is clear. I just kind of forgot I read it
> and my bookmark points directly to the FAQ so I missed it this morning :-(

> > Samba TNG or mixed Samba TNG/Head should do it. I don't get local admins
> > working, but domain admins did it.
>
> I've been experimenting with it. I haven't really tried to get domain admins
> to work though. Now I can't get yesterday's MAIN to compile, but that's
> probably a known issue.
>
> I have a combined MAIN/TNG Samba running (CVS Jan 26th), but the UMfD
> doesn't work and I'm not sure if it's supposed to. It displays the domain
> users but then exits with an RPC protocol error. Something wrong on my side,
> or is it just Samba?

I think it is just Samba. You could update your cvs-tree and compile a
new version. If you backup the bin and lib directory, you could also
switch back to your working version (if the current samba-version doesn't
work).

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From jeremy at valinux.com Fri Feb 4 15:14:13 2000
From: jeremy at valinux.com (jeremy@valinux.com)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: from "Luke Kenneth Casson Leighton" at Feb 03, 2000 01:55:01 PM
Message-ID: <200002041514.HAA13238@legion.su.valinux.com>

> i am looking to implement an equivalent mechanism to SYSKEY, however i do
> not have the relevant security skills to say whether a proposal is secure
> or not.

Why ? SYSKEY is a silly idea !

Either you trust root, or you don't.

If you don't trust root, then all the SYSKEY in
the world doesn't help. If you do trust root, then
why not let them see the hashed passwords ?

Don't give me any "it improves security" crap,
as it doesn't (unless you store the key off
machine - on a floppy disk needed on machine boot).

This is the same issue kerberos has.

There is no need to complicate all our code with
this stuff, it doesn't even add any security !

What does everyone else think ? I don't want you
to implement it - it's just a *bad* idea.

Jeremy.

From greg at discreet.com Fri Feb 4 15:11:58 2000
From: greg at discreet.com (Greg Dickie)
Date: Tue Dec 2 02:28:20 2003
Subject: TNG compile errors
Message-ID:

Don't know if it's new but:

Compiling rpcclient/rpcclient.c
rpcclient/rpcclient.c: In function `main':
rpcclient/rpcclient.c:394: parse error before `int'
rpcclient/rpcclient.c:418: `term_code' undeclared (first use in this function)
rpcclient/rpcclient.c:418: (Each undeclared identifier is reported only once
rpcclient/rpcclient.c:418: for each function it appears in.)
rpcclient/rpcclient.c:423: `cli_info' undeclared (first use in this function)
rpcclient/rpcclient.c:464: `myumask' undeclared (first use in this function)
rpcclient/rpcclient.c:479: `p' undeclared (first use in this function)
rpcclient/rpcclient.c:482: `password' undeclared (first use in this function)
rpcclient/rpcclient.c:483: `got_pass' undeclared (first use in this function)
rpcclient/rpcclient.c:546: `cli_action' undeclared (first use in this function)
rpcclient/rpcclient.c:549: `opt' undeclared (first use in this function)
rpcclient/rpcclient.c:607: `dbf' undeclared (first use in this function)
rpcclient/rpcclient.c:652: `cmd_str' undeclared (first use in this function)
rpcclient/rpcclient.c:666: `servicesf' undeclared (first use in this function)


Greg
---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet (the logic is gone)
Montreal
(514) 954-7171
greg@discreet.com

From Jean-Francois.Micouleau at dalalu.fr Fri Feb 4 15:17:41 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:20 2003
Subject: TNG compile errors
In-Reply-To:
Message-ID:

On Sat, 5 Feb 2000, Greg Dickie wrote:

> Don't know if it's new but:

Are you sure you're using the TNG branch ?

Luke added 3 lines in rpcclient.c in the HEAD branch. I fixed it this
morning but forgot to commit :-)

>
> Compiling rpcclient/rpcclient.c
> rpcclient/rpcclient.c: In function `main':
> rpcclient/rpcclient.c:394: parse error before `int'
> rpcclient/rpcclient.c:418: `term_code' undeclared (first use in this function)
> rpcclient/rpcclient.c:418: (Each undeclared identifier is reported only once
> rpcclient/rpcclient.c:418: for each function it appears in.)
> rpcclient/rpcclient.c:423: `cli_info' undeclared (first use in this function)
> rpcclient/rpcclient.c:464: `myumask' undeclared (first use in this function)
> rpcclient/rpcclient.c:479: `p' undeclared (first use in this function)
> rpcclient/rpcclient.c:482: `password' undeclared (first use in this function)
> rpcclient/rpcclient.c:483: `got_pass' undeclared (first use in this function)
> rpcclient/rpcclient.c:546: `cli_action' undeclared (first use in this function)
> rpcclient/rpcclient.c:549: `opt' undeclared (first use in this function)
> rpcclient/rpcclient.c:607: `dbf' undeclared (first use in this function)
> rpcclient/rpcclient.c:652: `cmd_str' undeclared (first use in this function)
> rpcclient/rpcclient.c:666: `servicesf' undeclared (first use in this function)
>
>
> Greg
> ---------------------------------------------------------------------
> Greg Dickie
> Just A Guy*
> *from discreet (the logic is gone)
> Montreal
> (514) 954-7171
> greg@discreet.com
>

From Jean-Francois.Micouleau at dalalu.fr Fri Feb 4 15:20:24 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:20 2003
Subject: TNG compile errors
In-Reply-To:
Message-ID:

On Sat, 5 Feb 2000, Greg Dickie wrote:

> Don't know if it's new but:

fixed.

>
> Compiling rpcclient/rpcclient.c
> rpcclient/rpcclient.c: In function `main':
> rpcclient/rpcclient.c:394: parse error before `int'
> rpcclient/rpcclient.c:418: `term_code' undeclared (first use in this function)
> rpcclient/rpcclient.c:418: (Each undeclared identifier is reported only once
> rpcclient/rpcclient.c:418: for each function it appears in.)
> rpcclient/rpcclient.c:423: `cli_info' undeclared (first use in this function)
> rpcclient/rpcclient.c:464: `myumask' undeclared (first use in this function)
> rpcclient/rpcclient.c:479: `p' undeclared (first use in this function)
> rpcclient/rpcclient.c:482: `password' undeclared (first use in this function)
> rpcclient/rpcclient.c:483: `got_pass' undeclared (first use in this function)
> rpcclient/rpcclient.c:546: `cli_action' undeclared (first use in this function)
> rpcclient/rpcclient.c:549: `opt' undeclared (first use in this function)
> rpcclient/rpcclient.c:607: `dbf' undeclared (first use in this function)
> rpcclient/rpcclient.c:652: `cmd_str' undeclared (first use in this function)
> rpcclient/rpcclient.c:666: `servicesf' undeclared (first use in this function)
>
>
> Greg
> ---------------------------------------------------------------------
> Greg Dickie
> Just A Guy*
> *from discreet (the logic is gone)
> Montreal
> (514) 954-7171
> greg@discreet.com
>

From timothy_d_cole at md.northgrum.com Fri Feb 4 16:12:46 2000
From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB5631F5@xcgmd008.md.essd.northgrum.com>

> -----Original Message-----
> From: jeremy@valinux.com [SMTP:jeremy@valinux.com]
> Sent: Friday, February 04, 2000 9:18
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: SYSKEY2. Request For Comments
>
> > i am looking to implement an equivalent mechanism to SYSKEY, however i
> do
> > not have the relevant security skills to say whether a proposal is
> secure
> > or not.
>
> Why ? SYSKEY is a silly idea !
>
> Either you trust root, or you don't.
>
> [ snip ]
> There is no need to complicate all our code with
> this stuff, it doesn't even add any security !
>
> What does everyone else think ? I don't want you
> to implement it - it's just a *bad* idea.
>
I concur.

From lkcl at samba.org Fri Feb 4 16:28:55 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002041514.HAA13238@legion.su.valinux.com>
Message-ID:

i need to make the sam database read-accessible to all unix users. just
like /etc/passwd.

therefore, i need to encrypt the passwords [or as elrond suggested, keep
them in a separate database that is root-only accessible] with a root-only
accessible syskey.

On Fri, 4 Feb 2000 jeremy@valinux.com wrote:

> > i am looking to implement an equivalent mechanism to SYSKEY, however i do
> > not have the relevant security skills to say whether a proposal is secure
> > or not.
>
> Why ? SYSKEY is a silly idea !
>
> Either you trust root, or you don't.
>
> If you don't trust root, then all the SYSKEY in
> the world doesn't help. If you do trust root, then
> why not let them see the hashed passwords ?
>
> Don't give me any "it improves security" crap,
> as it doesn't (unless you store the key off
> machine - on a floppy disk needed on machine boot).
>
> This is the same issue kerberos has.
>
> There is no need to complicate all our code with
> this stuff, it doesn't even add any security !
>
> What does everyone else think ? I don't want you
> to implement it - it's just a *bad* idea.
>
> Jeremy.
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Fri Feb 4 16:34:28 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:20 2003
Subject: TNG compile errors
In-Reply-To:
Message-ID:

looks very wrong, to me.

do a new cvs checkout, you probably have the old cvs main rpcclient.c!

i think i'm starting to get what the problem is with public cvs.

always do a cvs -r SAMBA_TNG update NOT a straight cvs update.


On Sat, 5 Feb 2000, Greg Dickie wrote:

>
> Don't know if it's new but:
>
> Compiling rpcclient/rpcclient.c
> rpcclient/rpcclient.c: In function `main':
> rpcclient/rpcclient.c:394: parse error before `int'
> rpcclient/rpcclient.c:418: `term_code' undeclared (first use in this function)
> rpcclient/rpcclient.c:418: (Each undeclared identifier is reported only once
> rpcclient/rpcclient.c:418: for each function it appears in.)
> rpcclient/rpcclient.c:423: `cli_info' undeclared (first use in this function)
> rpcclient/rpcclient.c:464: `myumask' undeclared (first use in this function)
> rpcclient/rpcclient.c:479: `p' undeclared (first use in this function)
> rpcclient/rpcclient.c:482: `password' undeclared (first use in this function)
> rpcclient/rpcclient.c:483: `got_pass' undeclared (first use in this function)
> rpcclient/rpcclient.c:546: `cli_action' undeclared (first use in this function)
> rpcclient/rpcclient.c:549: `opt' undeclared (first use in this function)
> rpcclient/rpcclient.c:607: `dbf' undeclared (first use in this function)
> rpcclient/rpcclient.c:652: `cmd_str' undeclared (first use in this function)
> rpcclient/rpcclient.c:666: `servicesf' undeclared (first use in this function)
>
>
> Greg
> ---------------------------------------------------------------------
> Greg Dickie
> Just A Guy*
> *from discreet (the logic is gone)
> Montreal
> (514) 954-7171
> greg@discreet.com
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From greg at discreet.com Fri Feb 4 16:42:32 2000
From: greg at discreet.com (Greg Dickie)
Date: Tue Dec 2 02:28:20 2003
Subject: TNG compile errors
In-Reply-To:
Message-ID:

errr... seems like that might be true 'cuz the samba/CVS/Tag file says
TSAMBA_TNG but I ain't getting the right source.... bummer! sorry for the
false alarm.

Greg

On 04-Feb-00 Luke Kenneth Casson Leighton wrote:
> looks very wrong, to me.
>
> do a new cvs checkout, you probably have the old cvs main rpcclient.c!
>
> i think i'm starting to get what the problem is with public cvs.
>
> always do a cvs -r SAMBA_TNG update NOT a straight cvs update.
>
>
> On Sat, 5 Feb 2000, Greg Dickie wrote:
>
>>
>> Don't know if it's new but:
>>
>> Compiling rpcclient/rpcclient.c
>> rpcclient/rpcclient.c: In function `main':
>> rpcclient/rpcclient.c:394: parse error before `int'
>> rpcclient/rpcclient.c:418: `term_code' undeclared (first use in this
>> function)
>> rpcclient/rpcclient.c:418: (Each undeclared identifier is reported only once
>> rpcclient/rpcclient.c:418: for each function it appears in.)
>> rpcclient/rpcclient.c:423: `cli_info' undeclared (first use in this
>> function)
>> rpcclient/rpcclient.c:464: `myumask' undeclared (first use in this function)
>> rpcclient/rpcclient.c:479: `p' undeclared (first use in this function)
>> rpcclient/rpcclient.c:482: `password' undeclared (first use in this
>> function)
>> rpcclient/rpcclient.c:483: `got_pass' undeclared (first use in this
>> function)
>> rpcclient/rpcclient.c:546: `cli_action' undeclared (first use in this
>> function)
>> rpcclient/rpcclient.c:549: `opt' undeclared (first use in this function)
>> rpcclient/rpcclient.c:607: `dbf' undeclared (first use in this function)
>> rpcclient/rpcclient.c:652: `cmd_str' undeclared (first use in this function)
>> rpcclient/rpcclient.c:666: `servicesf' undeclared (first use in this
>> function)
>>
>>
>> Greg
>> ---------------------------------------------------------------------
>> Greg Dickie
>> Just A Guy*
>> *from discreet (the logic is gone)
>> Montreal
>> (514) 954-7171
>> greg@discreet.com
>>
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

---------------------------------------------------------------------
Greg Dickie
Just A Guy*
*from discreet (the logic is gone)
Montreal
(514) 954-7171
greg@discreet.com

From Nicolas.Williams at wdr.com Fri Feb 4 16:56:46 2000
From: Nicolas.Williams at wdr.com (Nicolas Williams)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
Message-ID: <20000204115645.W3726@sm2p1386swk.wdr.com>

On Sat, 5 Feb 2000, Luke Kenneth Casson Leighton wrote:
> i need to make the sam database read-accessible to all unix users. just
> like /etc/passwd.
>
> therefore, i need to encrypt the passwords [or as elrond suggested, keep
> them in a separate database that is root-only accessible] with a root-only
> accessible syskey.
>
> On Fri, 4 Feb 2000 jeremy@valinux.com wrote:
>
> > > i am looking to implement an equivalent mechanism to SYSKEY, however i do
> > > not have the relevant security skills to say whether a proposal is secure
> > > or not.
> >
> > Why ? SYSKEY is a silly idea !
...
> > What does everyone else think ? I don't want you
> > to implement it - it's just a *bad* idea.
> >
> > Jeremy.
> >

Luke, you can use a separate root-read-only TDB for storing the password
data. Much like Unix systems have /etc/passwd and /etc/shadow (as
someone else has already pointed out).

Jeremy is correct in likening your idea to the way MIT's Kerberos KDC
stores its data.

Think about it: you're gonna encrypt the data and then keep the
encryption key in a root-read-only file on the same machine anyways (If
you don't then an operator would have to type in the key when the
service starts).

It's not a bad thing, but it's also not any more secure than the
shadow idea.

The fact is, domain controllers and KDCs MUST BE SECURED. This means
that few users get to login to them, that few services run on them,
etc...

Nico

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From lkcl at samba.org Fri Feb 4 17:09:04 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:20 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <20000204115645.W3726@sm2p1386swk.wdr.com> Message-ID: On Sat, 5 Feb 2000, Nicolas Williams wrote: > On Sat, 5 Feb 2000, Luke Kenneth Casson Leighton wrote: > > i need to make the sam database read-accessible to all unix users. just > > like /etc/passwd. > > > > therefore, i need to encrypt the passwords [or as elrond suggested, keep > > them in a separate database that is root-only accessible] with a root-only > > accessible syskey. > Luke, you canuse a separate root-read-only TDB for storing the password > data. Much like Unix systems have /etc/passwd and /etc/shadow (as > someone else has already pointed out). this is an expansion of the above sentence in []. > Jeremy is correct in likening your idea to the way MIT's Kerberos KDC > stores its data. does that have any merits that are worth investigating? > Think about it: you're gonna encrypt the data and then keep the > encryption key in a root-read-only file on the same machine anyways (If > you don't then an operator would have to type in the key when the > service starts). both those are possibilities. > It's not a bad thing, but it's also not any more secure than the > shadow idea. it's _as_ secure. that's good enough for me. for the record, i'm taking in ideas at the moment, not implementations, design brain-storming only, please. From jeremy at valinux.com Fri Feb 4 18:32:00 2000 
From: jeremy at valinux.com (jeremy@valinux.com)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: from "Luke Kenneth Casson Leighton" at Feb 05, 2000 03:30:59 AM
Message-ID: <200002041832.KAA13336@legion.su.valinux.com>

>
> i need to make the sam database read-accessible to all unix users. just
> like /etc/passwd.
>
> therefore, i need to encrypt the passwords [or as elrond suggested, keep
> them in a separate database that is root-only accessible] with a root-only
> accessible syskey.

No, you don't want to give even encrypted access to the hash
values to ordinary users.

And if you keep the hashes separately in a root accessible
only file (like the current smbpasswd file), then you don't
need to encrypt the file - just as we don't encrypt the root
read only smbpasswd right now.

It's a waste of time and effort. Don't do it !

SYSKEY is just a pathetic attempt to add obscurity
to a system unless the root key is kept separately
off the machine on a floppy - that's the only reason
it would add *any* security.

Jeremy.

From jeremy at valinux.com Fri Feb 4 18:34:08 2000
From: jeremy at valinux.com (jeremy@valinux.com)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: from "Luke Kenneth Casson Leighton" at Feb 05, 2000 04:11:45 AM
Message-ID: <200002041834.KAA13344@legion.su.valinux.com>

>
> On Sat, 5 Feb 2000, Nicolas Williams wrote:
>
> > It's not a bad thing, but it's also not any more secure than the
> > shadow idea.
>
> it's _as_ secure. that's good enough for me.
>
> for the record, i'm taking in ideas at the moment, not implementations,
> design brain-storming only, please.
>

But it's only *as* secure, plus 3000 lines of extra
crypto code. What's the point ?

Jeremy.

From martin at tantalus.com Fri Feb 4 17:41:39 2000
From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:20 2003 Subject: Off Topic Question Message-ID: <001a01bf6f37$17acd3b0$12f066cf@tantalus> I'm compiling NIS+ on my linux box.. it's asking for a library file I can't find.. mp.h Does anyone know where I can grab it? Or what lib package it's in? ___________________________________________ Martin Brown, Unix Systems Administrator Tantalus Communications Inc. 500-1122 Mainland Street Vancouver, BC, Canada V6B 5L1 martin@tantalus.com Direct 604.721-0351 Main 604.609.0700 Fax 604.609.0705 Toll Free 1.877.326.6776 http://www.tantalus.com "When eBusiness experience counts." From lkcl at samba.org Fri Feb 4 18:07:52 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002041832.KAA13336@legion.su.valinux.com>
Message-ID:

On Fri, 4 Feb 2000 jeremy@valinux.com wrote:

> >
> > i need to make the sam database read-accessible to all unix users. just
> > like /etc/passwd.
> >
> > therefore, i need to encrypt the passwords [or as elrond suggested, keep
> > them in a separate database that is root-only accessible] with a root-only
> > accessible syskey.
>
> No, you don't want to give even encrypted access to the hash
> values to ordinary users.

i won't be -- over-the-wire. i blank those out.

> And if you keep the hashes separately in a root accessible
> only file (like the current smbpasswd file), then you don't
> need to encrypt the file - just as we don't encrypt the root
> read only smbpasswd right now.

well, the trouble with that is that i will have to maintain (and lock, and
maintain), two databases, for users.

    tdb_lock(passwd_tdb);
    tdb_lock(user_tdb);
    create_user(passwd_tdb, user_tdb, &usr21);
    tdb_unlock(passwd_tdb);
    tdb_unlock(user_tdb);

i hear you say, what's wrong with that? well, the current list of
databases is:

    sam.tdb
    S-1-5-32.usr.tdb
    S-1-5-32.als.tdb
    S-1-5-32.grp.tdb
    S-1-5-21-xxx-xxx-xxx.usr.tdb
    S-1-5-21-xxx-xxx-xxx.als.tdb
    S-1-5-21-xxx-xxx-xxx.grp.tdb

now you want me to add (and yes, i'm considering it)

    .pwd.tdb

at least with a SYSKEY2 algorithm i can load a
/usr/local/samba/private/syskey2.mac root-accessible-only file (which, if
root so desires, can be read at start-up time from /floppy/syskey2.mac
instead!) and use it to encrypt the password fields in
S-1-5-21-xxx-xxx-xxxx.usr.tdb, and this allows me to make all those files
ug+r (not, by the way, o+r, necessarily).

> It's a waste of time and effort. Don't do it !
>
> SYSKEY is just a pathetic attempt to add obscurity
> to a system unless the root key is kept separately
> off the machine on a floppy - that's the only reason
> it would add *any* security.

if you read netect / bindview's analysis of SYSKEY, it adds absolutely
nothing anyway, because as XXXXXXX usual, microsoft can't use RC4
correctly. they reset the cypher stream on every single password, so you
do XOR(E(LM#), E(NT#)) and you can then do a brute-force analysis a'la
l0phtcrack.

From lkcl at samba.org Fri Feb 4 18:09:50 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002041834.KAA13344@legion.su.valinux.com>
Message-ID:

On Fri, 4 Feb 2000 jeremy@valinux.com wrote:

> >
> > On Sat, 5 Feb 2000, Nicolas Williams wrote:
> >
> > > It's not a bad thing, but it's also not any more secure than the
> > > shadow idea.
> >
> > it's _as_ secure. that's good enough for me.
> >
> > for the record, i'm taking in ideas at the moment, not implementations,
> > design brain-storming only, please.
> >
>
> But it's only *as* secure, plus 3000 lines of extra
> crypto code. What's the point ?

estimated 200, not 3000. it avoids me having to lock two databases when
one will do.

it's still in the air, remember. if i can't solicit or come up with a
good algorithm, then the algorithm _is_: store the user passwords in a
separate database. it's the best candidate so far.

luke

From jphollan at earthlink.net Fri Feb 4 18:13:02 2000
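The RC4 point in Luke's reply about the netect / bindview analysis (restarting the cipher stream for every stored password, so that XOR(E(LM#), E(NT#)) no longer depends on the key) is shown below. This is an added example, not code from the thread, Samba or Microsoft; the hash values are constructed stand-ins, and the per-field key derivation with SHA-256 and a nonce is an assumption made for the illustration.

```python
"""Added illustration: restarting RC4 for every stored field cancels the key.

All hash values are constructed 16-byte stand-ins, not real LM/NT hashes.
"""
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule, then XOR data with the keystream from byte 0."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def store_with_reset(syskey: bytes, lm_hash: bytes, nt_hash: bytes):
    """Weak pattern from the message: the cipher is re-initialised with the
    same key for each field, so both fields are XORed with one keystream."""
    return rc4(syskey, lm_hash), rc4(syskey, nt_hash)


def store_with_field_keys(syskey: bytes, nonce: bytes, lm_hash: bytes, nt_hash: bytes):
    """Corrected pattern (assumed construction for this example): a distinct
    key per write and per field, so no two fields share a keystream.
    The nonce must be fresh for every write and is stored beside the record.
    RC4 is kept only to match the thread; a current design would use an AEAD."""
    def field_key(label: bytes) -> bytes:
        return hashlib.sha256(syskey + nonce + label).digest()[:16]
    return rc4(field_key(b"LM"), lm_hash), rc4(field_key(b"NT"), nt_hash)


def leaks_plaintext_xor(stored, lm_hash: bytes, nt_hash: bytes) -> bool:
    """True when E(LM#) XOR E(NT#) equals LM# XOR NT#, i.e. the keystream has
    cancelled out and the key protects nothing about that relation."""
    e_lm, e_nt = stored
    return xor(e_lm, e_nt) == xor(lm_hash, nt_hash)


# Constructed sample data (labelled stand-ins, not real hashes or keys).
LM_STANDIN = hashlib.sha256(b"constructed LM stand-in").digest()[:16]
NT_STANDIN = hashlib.sha256(b"constructed NT stand-in").digest()[:16]
SYSKEY_A = bytes(range(16))
SYSKEY_B = bytes(range(16, 32))

if __name__ == "__main__":
    for name, key in (("A", SYSKEY_A), ("B", SYSKEY_B)):
        weak = store_with_reset(key, LM_STANDIN, NT_STANDIN)
        fixed = store_with_field_keys(key, os.urandom(16), LM_STANDIN, NT_STANDIN)
        print(f"key {name}: reset-per-field leaks XOR of hashes:",
              leaks_plaintext_xor(weak, LM_STANDIN, NT_STANDIN))
        print(f"key {name}: per-field keys leak XOR of hashes:  ",
              leaks_plaintext_xor(fixed, LM_STANDIN, NT_STANDIN))
```

The XOR of the two stored fields is identical under both keys in the weak pattern, which is why the choice of key adds nothing there.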
From: jphollan at earthlink.net (jason holland) Date: Tue Dec 2 02:28:20 2003 Subject: Off Topic Question In-Reply-To: <001a01bf6f37$17acd3b0$12f066cf@tantalus> Message-ID: <000601bf6f3b$7977a120$0264a8c0@mickey.earthlink.net> Martin, mp.h is contained in the nis-utils package. the source is available from http://www.suse.de/~kukuk/nisplus/download.html Jason P. Holland Sprint Paranet - Unix Administrator jphollan@sprintparanet.com ]- ]- I'm compiling NIS+ on my linux box.. it's asking for a library ]- file I can't ]- find.. mp.h ]- ]- Does anyone know where I can grab it? Or what lib package it's in? ]- ]- ___________________________________________ ]- Martin Brown, Unix Systems Administrator ]- Tantalus Communications Inc. ]- 500-1122 Mainland Street ]- Vancouver, BC, Canada V6B 5L1 ]- martin@tantalus.com ]- ]- Direct 604.721-0351 ]- Main 604.609.0700 ]- Fax 604.609.0705 ]- Toll Free 1.877.326.6776 ]- http://www.tantalus.com "When eBusiness experience counts." From gene_yee at hotmail.com Fri Feb 4 18:19:38 2000 From: gene_yee at hotmail.com (Gene Yee) Date: Tue Dec 2 02:28:20 2003 Subject: NT Print Queue Message-ID: <20000204181938.41603.qmail@hotmail.com> I've built a Samba print server to replace a NT print server however the status of the queues are not being reported. Another words, a user can print a 35 page document, that document will make it into the spool directory but the status of the job isn't viewable to the user. I am using: Linux RedHat 6.1 Samba 2.0.6 LPRng-3.6.13 Thanks. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com From timothy_d_cole at md.northgrum.com Fri Feb 4 18:32:48 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:20 2003 Subject: SYSKEY2. Request For Comments Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB5631F7@xcgmd008.md.essd.northgrum.com> > -----Original Message----- 
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org]
> Sent: Friday, February 04, 2000 13:14
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: SYSKEY2. Request For Comments
>
> On Fri, 4 Feb 2000 jeremy@valinux.com wrote:
>
> > >
> > > On Sat, 5 Feb 2000, Nicolas Williams wrote:
> > >
> > > > It's not a bad thing, but it's also not any more secure than the
> > > > shadow idea.
> > >
> > > it's _as_ secure. that's good enough for me.
> > >
> > > for the record, i'm taking in ideas at the moment, not
> implementations,
> > > design brain-storming only, please.
> > >
> >
> > But it's only *as* secure, plus 3000 lines of extra
> > crypto code. What's the point ?
>
> estimated 200, not 3000. it avoids me having to lock two databases when
> one will do.
>

Do the costs of having to lock two databases outweigh those of
writing 200 LOC of code?

Personally, the approach I would tend to take would be to write a
small wrapper API for tdb that allows you to treat multiple "physical"
databases as a single "logical" database. If you factor out the added
complexity in one place, I'd be surprised if it was 200 LOC. (no, I'm not
volunteering to write another library; I've got my hands full already :P)

From lkcl at samba.org Fri Feb 4 18:37:30 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:20 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <51FBD4A8EFD9D111BA7300A0C927DADB5631F7@xcgmd008.md.essd.northgrum.com> Message-ID: > Do the costs of having to lock two databases outweigh those of > writing 200 LOC of code? > > Personally, the approach I would tend to take would be to write a > small wraper API for tdb that allows you to treat multiple "physical" > databases as a single "logical" database. If you factor out the added > complexity in one place, I'd be suprised if it was 200 LOC. (no, I'm not > volunteering to write another library; I've got my hands full already :P) kok, i can do that. i take it no-one _likes_ the SYSKEY2 idea! sorry, microsoft, i tried my best. From p.mayers at ic.ac.uk Fri Feb 4 19:34:43 2000 
From: p.mayers at ic.ac.uk (Phil Mayers)
Date: Tue Dec 2 02:28:20 2003
Subject: SYSKEY2. Request For Comments
References: <200002041514.HAA13238@legion.su.valinux.com>
Message-ID: <389B29D3.A9EB5927@ic.ac.uk>

I'm afraid I agree. If you don't trust root, then you're screwed. If
someone gets a root shell on the machine, you're deader than corduroy.
They can essentially do anything, hence it adds no real security, just
puts another step in the way.

Cheers,
Phil

jeremy@valinux.com wrote:
>
> > i am looking to implement an equivalent mechanism to SYSKEY, however i do
> > not have the relevant security skills to say whether a proposal is secure
> > or not.
>
> Why ? SYSKEY is a silly idea !
>
> Either you trust root, or you don't.
>
> If you don't trust root, then all the SYSKEY in
> the world doesn't help. If you do trust root, then
> why not let them see the hashed passwords ?
>
> Don't give me any "it improves security" crap,
> as it doesn't (unless you store the key off
> machine - on a floppy disk needed on machine boot).
>
> This is the same issue kerberos has.
>
> There is no need to complicate all our code with
> this stuff, it doesn't even add any security !
>
> What does everyone else think ? I don't want you
> to implement it - it's just a *bad* idea.
>
> Jeremy.

From owensc at enc.edu Fri Feb 4 20:05:37 2000
From: owensc at enc.edu (Charles N. Owens) Date: Tue Dec 2 02:28:20 2003 Subject: one of those horrible realisations References: Message-ID: <389B3111.147BD6E@enc.edu> Luke Kenneth Casson Leighton wrote: > ok, this is one of those nasty moments when you realise it's much more > complex than you thought. > > multi-user systems, WinDD, WInframe, TSE. multiplex multiple users onto > one smbd process. This is the _default_ behavior with TSE, yes. We've got quite a bit of TSE+Metaframe running hereabouts (served by a Samba PDC, of course !). I've read in various places that with WinFrame, WinDD (and perhaps TSE as well) that the munging of all users onto a single SMB connection results in all access from all users being mapped to the unix uid of the first connected user (very bad). When I first started playing with TSE this had me very worried, but I quickly found out that this is _not_ an issue (at least with TSE anyway). Multiuser Samba access works just fine! There is a huge scalability problem on the NT side, however, (and maybe with Samba as well). The number of open files for a single SMB connection is limited (by NT) to 2048. Once your TSE server approaches this limit stability goes out the window (snicker). We were seeing blue screens daily until a kind soul on this list pointed us at MS Knowledge Base articles (Q190162 & Q233082) that document this issue and provide a registry modification that causes each user to get their own SMB connection. After putting in this fix our TSE stability went from awful to quite reasonable. I quote from Q190162: To maintain compatibility with existing Server Message Block (SMB)-based products (for example, Windows NT 3.x and 4.0, Windows 95), Terminal Server's use of SMB has not been modified from Windows NT Server 4.0. This can cause a problem if many Terminal Server users connect to a single network share, either on the Terminal Server or elsewhere on the network. 
The potential problem is an SMB limitation of 2048 open file handles.

It's amazing how nonchalant some of these KB articles are... almost as if
this isn't a big deal, or as if the current state of affairs was arrived at
by deliberate design. We found that without the registry fix we could get by
with maybe 6 to 9 TSE users... but instability (~30 second freezes, BSODs)
would start creeping in fast if we added more. This registry fix is a _must_
with TSE.

[speculation] A possible implication here is that there may be some kind of
future (Win2K?) enhancement planned that will remove this limit on the
number of open file handles. If not, then I think that Samba is fine as is,
at least with TSE and Win2K Terminal Services (maybe not Winframe, WinDD,
etc). This is, of course, from the perspective of a user/SysAdmin... not
that of a Samba-hacker. There may be deeper, more technical issues afoot.
From where I sit, though, what we have now works, and works well!

There is probably some room for improvement on the Samba side in terms of
scalability. With this registry fix in place, of course, each TSE user gets
their own smbd process... consuming 1.5-2 MB of RAM. I'm guessing that the
more modular Samba-TNG architecture will bring some relief in this area?
... in that the per-connection forked daemon is responsible for much less
(just file services) it should be much smaller, eh? (don't mind my rambling
about the obvious [unless I'm wrong]... I've only lightly read about TNG)

Charles Owens

> smbd has multiple personalities, based on vuids (SMB virtual user ids).
>
> which vuid context are you supposed to make an MSRPC call under, if you
> only have one msrpc connection per pipe per smbd process?
>
> i.e, each vuid has totally separate msrpcd context.
>
> i.e each vuid must, under the current architecture, fork its own msrpc
> daemon process.
>
> basically, each REAL smb user MUST have their own msrpc daemon.
> > it's not bad, it's just not a nice thing to realise at about 3 or 4 am. > > luke -- ------------------------------------------------------------------------- Charles N. Owens Email: owensc@enc.edu http://www.enc.edu/~owensc Network & Systems Administrator Information Technology Services "Outside of a dog, a book is a man's Eastern Nazarene College best friend. Inside of a dog it's too dark to read." - Groucho Marx ------------------------------------------------------------------------- From lkcl at samba.org Fri Feb 4 20:38:10 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:20 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <389B29D3.A9EB5927@ic.ac.uk> Message-ID: phil, this isn't about root being trusted or untrusted. it's about making sure that only root can decode a password stored in a location in a publicly accessible file. On Sat, 5 Feb 2000, Phil Mayers wrote: > I'm afraid I agree. If you don't trust root, then you're screwed. If > someones get a root shell on the machine, you're deader than courdroy. > They can essentially do anything, hence it adds no real security, just > puts another step in the way. > > Cheers, > Phil > > jeremy@valinux.com wrote: > > > > > i am looking to implement an equivalent mechanism to SYSKEY, however i do > > > not have the relevant security skills to say whether a proposal is secure > > > or not. > > > > Why ? SYSKEY is a silly idea ! > > > > Either you trust root, or you don't. > > > > If you don't trust root, then all the SYSKEY in > > the world doesn't help. If you do trust root, then > > why not let them see the hashed passwords ? > > > > Don't give me any "it improves security" crap, > > as it doesn't (unless you store the key off > > machine - on a floppy disk needed on machine boot). > > > > This is the same issue kerberos has. > > > > There is no need to complicate all our code with > > this stuff, it doesn't even add any security ! > > > > What does everyone else think ? I don't want you > > to implement it - it's just a *bad* idea. > > > > Jeremy. > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Fri Feb 4 21:01:25 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:20 2003 Subject: one of those horrible realisations In-Reply-To: <389B3111.147BD6E@enc.edu> Message-ID: On Fri, 4 Feb 2000, Charles N. Owens wrote: > Luke Kenneth Casson Leighton wrote: > > > ok, this is one of those nasty moments when you realise it's much more > > complex than you thought. > > > > multi-user systems, WinDD, WInframe, TSE. multiplex multiple users onto > > one smbd process. > > This is the _default_ behavior with TSE, yes. We've got quite a bit of > TSE+Metaframe running hereabouts (served by a Samba PDC, of course !). I've > read in various places that with WinFrame, WinDD (and perhaps TSE as well) > that the munging of all users onto a single SMB connection results in all > access from all users being mapped to the unix uid of the first connected > user (very bad). When I first started playing with TSE this had me very yes, that's because of the usage of sesssetup_user i talked about in a bug-report or two to samba-technical. > There is a huge scalability problem on the NT side, however, (and maybe with > Samba as well). The number of open files for a single SMB connection is > limited (by NT) to 2048. Once your TSE server approaches this limit > stability goes out the window (snicker). We were seeing blue screens daily _actually_, it's not a limit for samba, the limit is... hmmm, probably close to 65536 (maybe 50,000) on samba. microsoft chose to only use the first 11 bits of the smb file handle for files, and the rest for MSRPC pipes, instead of sharing the [limited] 16 bit file handle properly!!! > To maintain compatibility with existing Server Message Block > (SMB)-based products (for example, Windows NT 3.x and 4.0, Windows > 95), Terminal Server's use of SMB has not been modified from > Windows NT Server 4.0. This can cause a problem if many Terminal > Server users connect to a single network share, either on the > Terminal Server or elsewhere on the network. 
The potential problem > is an SMB limitation of 2048 open file handles. bullshit, it's _not_ an SMB limitation, it's microsoft own self-imposed implementation limitation. > [speculation] A possible implication here is that there may be some kind of > future (Win2K?) enhancement planned that will remove this limit on the > number of open file handles. If not, then I think that Samba is fine as is, well, hopefully, someone on this list will notice this message and post a bug-report. they _might_ have fixed it in nt5 TSE, but i doubt it. > There is probably some room for improvement on the Samba side in terms of > scalability. With this registry fix in place, of course, each TSE user gets > their own smbd process... consuming 1.5-2 MB of RAM. I'm guessing that the the samba-tng library architecture reduces the size of processes dramatically. From laa at ipt.pt Fri Feb 4 22:32:47 2000 From: laa at ipt.pt (laa@ipt.pt) Date: Tue Dec 2 02:28:20 2003 Subject: samba / switch hub /win9x Message-ID: <389B538F.6E9B01C@ipt.pt> I have a FreeBSD box with samba that works well when the FreeBSDBOX and all the win9x boxes are on the same hub. The problem is when i put a switch_hub between the FreeBSDbox and the win9x boxes. Win98 can see the samba server but they reject the passwords when we try to mount the remote unix drive. With NT worksation boxes everything works fine!! Any tip to solve this problem? Thanks e-mail: laa@ipt.pt From martin at tantalus.com Fri Feb 4 22:44:27 2000 From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:20 2003 Subject: samba / switch hub /win9x In-Reply-To: <389B538F.6E9B01C@ipt.pt> Message-ID: <000401bf6f61$650e2580$12f066cf@tantalus> My guess it is because your switch is filtering the NT broadcasts. Do you have VLANS setup? -----Original Message----- 
From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of laa@ipt.pt Sent: Friday, February 04, 2000 2:37 PM To: Multiple recipients of list SAMBA-NTDOM Subject: samba / switch hub /win9x I have a FreeBSD box with samba that works well when the FreeBSDBOX and all the win9x boxes are on the same hub. The problem is when i put a switch_hub between the FreeBSDbox and the win9x boxes. Win98 can see the samba server but they reject the passwords when we try to mount the remote unix drive. With NT worksation boxes everything works fine!! Any tip to solve this problem? Thanks e-mail: laa@ipt.pt From zen at uninet.net.id Fri Feb 4 16:35:23 2000 From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:20 2003 Subject: how is rpctorture? Message-ID: <00020423403308.00644@zen.sphenisci.or.id> Luke, Sorry to bother you with this question, but I am wondering how is your rpctorture test result ? The super duper heavy duty test you are doing on torturing the login request... Thanx, ZEN From grahamj at virtue.cx Sat Feb 5 04:26:36 2000 
From: grahamj at virtue.cx (Quicker than the human eye) Date: Tue Dec 2 02:28:20 2003 Subject: how is rpctorture? In-Reply-To: <00020423403308.00644@zen.sphenisci.or.id> Message-ID: Actually, I'm the one who's working on getting rpctorture up-and-running under TNG. Last weekend was one of those where you get *zero* done. Anyway, I'll be working on it this weekend. Should be no problem, ask again on Monday! ;-) Jonathan --- "If anyone thinks that nothing can be known, he does not know whether even this can be known, since he admits he knows nothing. Against such an adversary, therefore, who deliberately stands on his head, I will not trouble to argue my case." Lucretius (Latham translation) On Sat, 5 Feb 2000, ZEN el GUAY wrote: > Luke, > Sorry to bother you with this question, but I am wondering how is your > rpctorture test result ? The super duper heavy duty test you are doing on > torturing the login request... > > Thanx, > ZEN > > > > > From gaurav at carroll.com Sat Feb 5 05:51:15 2000 
From: gaurav at carroll.com (G. Naik) Date: Tue Dec 2 02:28:20 2003 Subject: [TNG] Domain Admin In-Reply-To: <20000204074121.53293.qmail@hotmail.com> Message-ID: Does this technique work with other groups. I am using Samba Head, and trying to get group policies to work. However, it seems that Samba HEAD doesn't understand domain group map, local group map..etc. However, I do see username map working. In my system policy file, I have groups defined. However, when the user logs in, the policy is not applied, because the NT WS, cannot get the correct group mapping for that particular user. Can something like work with Samba HEAD? -g- On Fri, 4 Feb 2000, Thien Vu wrote: > I'm using Samba 2.0.6a to manage the NT Workstations, and I am using the > parameter in smb.conf: > username map = /usr/local/samba/lib/username.map > and in username.map file I have: > @ntadmins = "Domain Admins" > Even though its *officially* supported, it works fine for me! > > Thien Vu > > > --- Gaurav Naik ("g") | C A R R O L L - N E T, Inc. 201-488-1332 | www.carroll.com From lkcl at samba.org Sat Feb 5 13:59:34 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:20 2003 Subject: how is rpctorture? In-Reply-To: <00020423403308.00644@zen.sphenisci.or.id> Message-ID: someone else volunteered to get rpctorture running, i haven't heard back from them. On Sat, 5 Feb 2000, ZEN el GUAY wrote: > Luke, > Sorry to bother you with this question, but I am wondering how is your > rpctorture test result ? The super duper heavy duty test you are doing on > torturing the login request... > > Thanx, > ZEN > > > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From sharpe at ns.aus.com Sat Feb 5 15:25:25 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:20 2003 Subject: Is Samba-TNG broken at the moment or not? Message-ID: <3.0.6.32.20000206012525.00903940@203.16.214.248> Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course From lkcl at samba.org Sat Feb 5 14:53:41 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:21 2003 Subject: Is Samba-TNG broken at the moment or not? In-Reply-To: <3.0.6.32.20000206012525.00903940@203.16.214.248> Message-ID: it's... in an interesting state :) it should be working ok as long as you use samrd and netlogond not samrtdbd. From lars at kneschke.de Sat Feb 5 19:59:48 2000 From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:21 2003 Subject: libsamrpass.so.0 don't get installed Message-ID: <389C8134.7E223536@kneschke.de> netlogond and samrd don't start, because libsamrpass.so.0 don't get installed. Cu -- Do you like Samba? Do you know KSamba? Try http://www.kneschke.de/projekte/ksamba!! Or watch our other projects at http://www.kneschke.de/projekte! From lkcl at samba.org Sat Feb 5 20:13:33 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:21 2003 Subject: libsamrpass.so.0 don't get installed In-Reply-To: <389C8134.7E223536@kneschke.de> Message-ID: install? what's that? On Sun, 6 Feb 2000, Lars Kneschke wrote: > netlogond and samrd don't start, because libsamrpass.so.0 don't get > installed. From voc at fl.aec.at Sat Feb 5 20:28:32 2000 
From: voc at fl.aec.at (Volker Christian)
Date: Tue Dec 2 02:28:21 2003
Subject: AW: libsamrpass.so.0 don't get installed
Message-ID:

I have had the same problem. If you do a "make install" with the latest
TNG-version libsamrpass.so.0 don't get installed into %prefix%/lib. I have
done this by hand.

voc

-----Original Message-----
From: Luke Kenneth Casson Leighton [mailto:lkcl@samba.org]
Sent: Saturday, February 05, 2000 9:16 PM
To: Multiple recipients of list SAMBA-NTDOM
Subject: Re: libsamrpass.so.0 don't get installed

install? what's that?

On Sun, 6 Feb 2000, Lars Kneschke wrote:

> netlogond and samrd don't start, because libsamrpass.so.0 don't get
> installed.

From lars at kneschke.de Sat Feb 5 20:45:56 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:21 2003
Subject: libsamrpass.so.0 don't get installed
References:
Message-ID: <389C8C04.B76FD7C6@kneschke.de>

Luke Kenneth Casson Leighton wrote:
>
> install? what's that?
>
> On Sun, 6 Feb 2000, Lars Kneschke wrote:
>
> > netlogond and samrd don't start, because libsamrpass.so.0 don't get
> > installed.

:-)
make install does not create libsamrpass.so.0 in /lib.
Do you know what i mean?

Cu
--
Do you like Samba? Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From lkcl at samba.org Sat Feb 5 21:17:17 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:21 2003
Subject: libsamrpass.so.0 don't get installed
In-Reply-To: <389C8C04.B76FD7C6@kneschke.de>
Message-ID:

> :-)
> make install does not create libsamrpass.so.0 in /lib.
> Do you know what i mean?

nooo, i have noo idea what you're talking about, lars, i don't _use_ make
install.

p.s please do a cvs update and try again, ok? thx!

From lars at kneschke.de Sat Feb 5 23:27:03 2000
From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:21 2003 Subject: libsamrpass.so.0 don't get installed References: Message-ID: <389CB1C7.9AB81335@kneschke.de> Luke Kenneth Casson Leighton wrote: > nooo, i have noo idea what you're talking about, lars, i don't _use_ make > install. Howto do you create teh shared libraries? > p.s please do a cvs update and try again, ok? thx! I did it. make works fine. But this happens if i "make install". "make install" should not start to compile something. It should install things only. [root@knecke source]# make install Compiling lib/sursalgdomonly.c with libtool Compiling samrd/srv_samr_tdb_init.c with libtool Compiling samrd/srv_samr_dom_tdb.c with libtool Compiling samrd/srv_samr_sam_tdb.c with libtool Compiling samrd/srv_samr_usr_tdb.c with libtool samrd/srv_samr_usr_tdb.c: In function `_samr_create_user': samrd/srv_samr_usr_tdb.c:729: warning: assignment discards `const' from pointertarget type Compiling samrd/srv_samr_grp_tdb.c with libtool Compiling samrd/srv_samr_als_tdb.c with libtool Compiling samrd/srv_samr_tdb.c with libtool Linking shared library bin/libsamrtdb.la Compiling lib/sursalgnt5ldap.c with libtool Compiling samrd/srv_samr_usr_nt5ldap.c with libtool Compiling samrd/srv_samr_dom_nt5ldap.c with libtool samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_users': samrd/srv_samr_dom_nt5ldap.c:93: too few arguments to function `get_nt5ldapsid' samrd/srv_samr_dom_nt5ldap.c:102: `LDAP_NO_LIMIT' undeclared (first use in this function) samrd/srv_samr_dom_nt5ldap.c:102: (Each undeclared identifier is reported only once samrd/srv_samr_dom_nt5ldap.c:102: for each function it appears in.) 
samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_groups':
samrd/srv_samr_dom_nt5ldap.c:161: too few arguments to function `get_nt5ldapsid'
samrd/srv_samr_dom_nt5ldap.c:173: `LDAP_NO_LIMIT' undeclared (first use in this function)
samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_aliases':
samrd/srv_samr_dom_nt5ldap.c:234: too few arguments to function `get_nt5ldapsid'
samrd/srv_samr_dom_nt5ldap.c:246: `LDAP_NO_LIMIT' undeclared (first use in this function)
samrd/srv_samr_dom_nt5ldap.c: In function `_samr_query_dispinfo':
samrd/srv_samr_dom_nt5ldap.c:308: too few arguments to function `get_nt5ldapsid'
make: *** [samrd/srv_samr_dom_nt5ldap.lo] Error 1

Cu
--
Do you like Samba?
Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From lkcl at samba.org Sat Feb 5 23:35:51 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:21 2003 Subject: libsamrpass.so.0 don't get installed In-Reply-To: <389CB1C7.9AB81335@kneschke.de> Message-ID: On Sat, 5 Feb 2000, Lars Kneschke wrote: > Luke Kenneth Casson Leighton wrote: > > nooo, i have noo idea what you're talking about, lars, i don't _use_ make > > install. > Howto do you create teh shared libraries? make :) > > p.s please do a cvs update and try again, ok? thx! > I did it. > make works fine. But this happens if i "make install". "make install" > should not start to compile something. It should install things only. oh dear. i was afraid this might happen. *sigh*. ok, i take out LIBSAMNT5LDAP and LIBSAMTDB. > Compiling samrd/srv_samr_tdb.c with libtool > Linking shared library bin/libsamrtdb.la > Compiling lib/sursalgnt5ldap.c with libtool > Compiling samrd/srv_samr_usr_nt5ldap.c with libtool > Compiling samrd/srv_samr_dom_nt5ldap.c with libtool > samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_users': > samrd/srv_samr_dom_nt5ldap.c:93: too few arguments to function > `get_nt5ldapsid' > samrd/srv_samr_dom_nt5ldap.c:102: `LDAP_NO_LIMIT' undeclared (first use > in this > function) > samrd/srv_samr_dom_nt5ldap.c:102: (Each undeclared identifier is > reported only once > samrd/srv_samr_dom_nt5ldap.c:102: for each function it appears in.) 
> samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_groups': > samrd/srv_samr_dom_nt5ldap.c:161: too few arguments to function > `get_nt5ldapsid'samrd/srv_samr_dom_nt5ldap.c:173: `LDAP_NO_LIMIT' > undeclared (first use in this > function) > samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_aliases': > samrd/srv_samr_dom_nt5ldap.c:234: too few arguments to function > `get_nt5ldapsid'samrd/srv_samr_dom_nt5ldap.c:246: `LDAP_NO_LIMIT' > undeclared (first use in this > function) > samrd/srv_samr_dom_nt5ldap.c: In function `_samr_query_dispinfo': > samrd/srv_samr_dom_nt5ldap.c:308: too few arguments to function > `get_nt5ldapsid'make: *** [samrd/srv_samr_dom_nt5ldap.lo] Error From lukeh at PADL.COM Sun Feb 6 07:20:26 2000 From: lukeh at PADL.COM (Luke Howard) Date: Tue Dec 2 02:28:21 2003 Subject: libsamrpass.so.0 don't get installed References: <389CB1C7.9AB81335@kneschke.de> Message-ID: <200002060720.SAA17921@au.padl.com> >samrd/srv_samr_dom_nt5ldap.c:102: `LDAP_NO_LIMIT' undeclared (first use >in this >function) >samrd/srv_samr_dom_nt5ldap.c:102: (Each undeclared identifier is >reported only once >samrd/srv_samr_dom_nt5ldap.c:102: for each function it appears in.) >samrd/srv_samr_dom_nt5ldap.c: In function `_samr_enum_dom_groups': >samrd/srv_samr_dom_nt5ldap.c:161: too few arguments to function Please note: the nt5ldap code is really unstable at the moment. The samr nt5ldap code is totally _incomplete_, and while the passdb code more or less works, it is subject to other (generic) problems with samrd and passdb, and also possible schema changes. regards, -- Luke -- Luke Howard PADL Software Pty Ltd http://www.padl.com From lars at kneschke.de Sun Feb 6 11:07:25 2000 
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:21 2003
Subject: AW: libsamrpass.so.0 don't get installed
References:
Message-ID: <389D55ED.773AA89C@kneschke.de>

Volker Christian wrote:
>
> I have had the same problem. If you do a "make install" with the latest
> TNG-version
> libsamrpass.so.0 don't get installed into %prefix%/lib. I have done this by
> hand.

Good Morning!:-)

Everything works fine now!

Cu
--
Do you like Samba?
Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From jln-p at stben.be Sun Feb 6 17:03:36 2000
From: jln-p at stben.be (Jean-Louis Noel)
Date: Tue Dec 2 02:28:21 2003
Subject: groups
Message-ID: <001801bf70c4$1be90460$285595c2@stben.be>

Hello,

How to deal with NT groups?

Bye,
Jean-Louis

From europa at li.net Sun Feb 6 17:49:00 2000
From: europa at li.net (GateKeeper)
Date: Tue Dec 2 02:28:21 2003
Subject: domain users,domain admin users
Message-ID: <389DB40C.7D6A@li.net>

My problem starts when I attempt to run netmon under NT 4.0. I get the
message "Admin permissions are required to run Netmon on this machine".
This naturally leads into the $20,000 question. How do I set up an
Administrator level account under SAMBA. The PDC FAQ describes a method
which requires setting the following parameters.

"domain group map"
"local group map"
"domain user map"

However, the source that I obtained through the cvs procedure described in
the PDC FAQ does not support these parameters. (ie) testparm reports a
parsing error. This led me to try the other parameters

"domain users"
"domain admin users"

Now the log file reports user "xxxx" is now a domain administrator but I
still do not have Administrator rights on the workstation.

Please, any suggestions......

Sean Kessler

From lars at kneschke.de Sun Feb 6 18:25:04 2000
From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:21 2003 Subject: groups References: <001801bf70c4$1be90460$285595c2@stben.be> Message-ID: <389DBC80.12658F9E@kneschke.de> > Jean-Louis Noel wrote: > > Hello, > > How to deal with NT groups? At http://www.kneschke.de/projekte/samba_tng you will find a FAQ. There is one topic which describes how to become a domain admin. This works any other group too. Cu -- Do you like Samba? Do you know KSamba? Try http://www.kneschke.de/projekte/ksamba!! Or watch our other projects at http://www.kneschke.de/projekte! From hallewellt at rfa.org Sun Feb 6 18:41:46 2000 From: hallewellt at rfa.org (Tom Hallewell) Date: Tue Dec 2 02:28:21 2003 Subject: groups References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> Message-ID: <389DC06A.EB2A4038@rfa.org> This information is true only with TNG, and not the 2.0.6 tree, correct? Tom Hallewell Radio Free Asia Lars Kneschke wrote: > > > Jean-Louis Noel wrote: > > > > Hello, > > > > How to deal with NT groups? > At http://www.kneschke.de/projekte/samba_tng you will find a FAQ. There > is one topic which describes how to become a domain admin. This works > any other group too. > > Cu > -- > > Do you like Samba? > Do you know KSamba? > Try http://www.kneschke.de/projekte/ksamba!! > Or watch our other projects at http://www.kneschke.de/projekte! From kiril at mech.ru.acad.bg Sun Feb 6 19:13:40 2000 From: kiril at mech.ru.acad.bg (Kiril Hristov) Date: Tue Dec 2 02:28:21 2003 Subject: Samba & Active Directory Message-ID: <389DC7E3.E9197C35@mech.ru.acad.bg> Hi, Microsoft announced Active Directory with w2k. Did you know, how Samba will work with it? From lars at kneschke.de Sun Feb 6 20:00:02 2000 
From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:21 2003 Subject: groups References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> <389DC06A.EB2A4038@rfa.org> Message-ID: <389DD2C2.11AE0A6@kneschke.de> Tom Hallewell wrote: > > This information is true only with TNG, and not the 2.0.6 tree, correct? Yes! -- Do you like Samba? Do you know KSamba? Try http://www.kneschke.de/projekte/ksamba!! Or watch our other projects at http://www.kneschke.de/projekte! From mg at plum.de Sun Feb 6 20:28:23 2000 From: mg at plum.de (Michael Glauche) Date: Tue Dec 2 02:28:21 2003 Subject: groups References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> <389DC06A.EB2A4038@rfa.org> <389DD2C2.11AE0A6@kneschke.de> Message-ID: <389DD967.C0708EB8@plum.de> Lars Kneschke wrote: > > Tom Hallewell wrote: > > > > This information is true only with TNG, and not the 2.0.6 tree, correct? > Yes! > -- For 2.0.6 there is only: "domain admin users", which takes a list of users, there is also "domain groups" , but it has no documentation ... regards, Michael -- Samba NT-Domain howto (in german) http://www.sambahq.de From mg at plum.de Sun Feb 6 20:35:10 2000 
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:28:21 2003
Subject: groups
References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> <389DC06A.EB2A4038@rfa.org>
Message-ID: <389DDAFE.E7C03B30@plum.de>

Tom Hallewell wrote:
>
> This information is true only with TNG, and not the 2.0.6 tree, correct?
> Tom Hallewell
> Radio Free Asia
>

If I remember correctly .. there was a discussion about this long time
ago, I think they were hardcoded in samba, so if you want to change it,
edit

srv_lookup.c and srv_util.c

And change the RID<->Group mapping in there ..
(at least that way works if you want/have to use localized group names)

Luke: please correct me if I'm telling nonsense :)

But .. take this with caution :) too long ago :)

regards,
Michael
--
Samba NT-Domain howto (in german)
http://www.sambahq.de

From thien_vu at hotmail.com Sun Feb 6 20:39:09 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:21 2003
Subject: groups
References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> <389DC06A.EB2A4038@rfa.org> <389DD2C2.11AE0A6@kneschke.de> <389DD967.C0708EB8@plum.de>
Message-ID: <20000206203927.45980.qmail@hotmail.com>

For 2.0.6, there also is a domain admin groups parameter

domain admin groups = @unix-group-name

I'm using this parameter now for a Samba NT PDC.

Thien

----- Original Message -----
From: "Michael Glauche"
To: "Multiple recipients of list SAMBA-NTDOM"
Sent: Sunday, February 06, 2000 12:26 PM
Subject: Re: groups

> Lars Kneschke wrote:
> >
> > Tom Hallewell wrote:
> > >
> > > This information is true only with TNG, and not the 2.0.6 tree, correct?
> > Yes!
> > --
>
> For 2.0.6 there is only: "domain admin users", which takes a list of
> users,
> there is also "domain groups" , but it has no documentation ...
>
> regards,
> Michael
>
> --
> Samba NT-Domain howto (in german)
> http://www.sambahq.de
>

From lkcl at samba.org Sun Feb 6 21:38:52 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:21 2003 Subject: groups In-Reply-To: <389DDAFE.E7C03B30@plum.de> Message-ID: someone added a patch to create a lookup table. someone from germany. here we go (param/loadparm.c): "builtin rid file". On Mon, 7 Feb 2000, Michael Glauche wrote: > Tom Hallewell wrote: > > > > This information is true only with TNG, and not the 2.0.6 tree, correct? > > Tom Hallewell > > Radio Free Asia > > > If I remember correctly .. there was a diskussion about this long time > ago, > I think they were hardcoded in samba, so if you want to change it, edit > > srv_lookup.c and srv_util.c > > And change the RID<->Group mapping in there .. > (at least that way works if you want/have to use localized group names) > > Luke: please correct me if I'm telling nonsense :) > > But .. take this with caution :) too long ago :) > > regards, > Michael > -- > Samba NT-Domain howto (in german) > http://www.sambahq.de > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jln-p at stben.be Sun Feb 6 21:56:20 2000 From: jln-p at stben.be (Jean-Louis Noel) Date: Tue Dec 2 02:28:21 2003 Subject: groups References: <001801bf70c4$1be90460$285595c2@stben.be> <389DBC80.12658F9E@kneschke.de> <389DC06A.EB2A4038@rfa.org> <389DD2C2.11AE0A6@kneschke.de> <389DD967.C0708EB8@plum.de> Message-ID: <000e01bf70ed$00b93100$285595c2@stben.be> Michael Glauche wrote : > there is also "domain groups" , but it has no documentation ... More infos? [2000/02/06 22:41:00, 1] rpc_server/srv_util.c:make_dom_gids(141) make_dom_gids: unknown well-known alias RID eleves/7 [2000/02/06 22:45:49, 1] rpc_server/srv_util.c:make_dom_gids(141) make_dom_gids: unknown well-known alias RID @eleves/7 Bye, Jean-Louis From mgeddes at xavier.sa.edu.au Mon Feb 7 00:29:47 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:21 2003 Subject: PAM_SMB/PAM_NTDOM Message-ID: <389E11FB.292A1A44@xavier.sa.edu.au> Hi guys, I would like to use LDAP to store the NT SAM on a bunch of linux servers. I believe that this will improve network traffic a little. I'd also like to have Unix authenticate against the same database (thus giving our users a single-login environment). Is it possible to have PAM_NTDOM or PAM_SMB consulting Samba running on each server and have them consult a slave LDAP server on the same machine? I realise that this is probably not normal (but who wants to be normal *anyway*). Thanks for your replies, opinions and such, Matthew Geddes Network Manager Xavier College Gawler SA From europa at li.net Mon Feb 7 04:04:48 2000 From: europa at li.net (GateKeeper) Date: Tue Dec 2 02:28:21 2003 Subject: (no subject) Message-ID: <389E4460.1503@li.net> I retrieved the tree that was specified in the NT DOMAIN FAQ. smbd -V gives me "Version pre-3.0.0". I don't know if this is correct or not. I do know that the features described in the FAQ... (ie) "domain group map=" "local group map=" "domain user map=" fail to parse with my version. I am simply trying to get the admin user stuff working. Any suggestions would be greatly appreciated. Sean From rad2921 at cup.edu Mon Feb 7 04:14:10 2000 
From: rad2921 at cup.edu (Tim Radigan)
Date: Tue Dec 2 02:28:21 2003
Subject: win98 and roaming profiles..
In-Reply-To: <389DC06A.EB2A4038@rfa.org>
Message-ID:

ok, i just switched my school computer back to win98 from winNT and it seems
that roaming profiles and/or the home directories aren't working the way NT
handled them.. i'll post my smb.conf file after the base of this message..
any help would be appreciated.. i'm not even sure that samba and/or win98
supports profiles for a win98 -> samba connection.. let me know if anyone
has any suggestions.. here is my smb.conf file:

[global]
   workgroup = NEWREV
   server string = New Revolutions Server
   guest account = nobody
   os level = 33
   log level = 2
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY
   domain master = yes
   local master = yes
   preferred master = yes
   domain logons = yes
   logon home = \\%N\%U
   logon path = \\%N\profiles\%U
   logon script = netlogon.bat
   wins support = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *password* %n\n *password* %n\n *successfull*
   dns proxy = no

[netlogon]
   comment = Net Logon
   path = /home/scripts
   locking = no
   public = yes
   browseable = yes

[profiles]
   comment = Windows User Profiles
   path = /home/profiles
   browseable = yes
   read only = no
   guest ok = yes
   writeable = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   writable = yes
   create mode = 0600
   directory mode = 0700
   guest ok = no

From vorlon at netexpress.net Mon Feb 7 05:04:20 2000
From: vorlon at netexpress.net (Steve Langasek) Date: Tue Dec 2 02:28:21 2003 Subject: Win2k & Samba compatibility? Message-ID: Hi all, I'm going to be giving a talk this week at the university LUG regarding Samba. Given the timing of this talk, and the diversity of the group that'll be attending :), someone is bound to ask the obvious questions re: getting Samba to work with Win2k. :) I see from the samba-ntdom archive that Win2k is now able to log into a Samba-TNG PDC. That's great news! How difficult is this to get working? And is this likely to be ported to any of the other CVS branches? I remember catching something last month about Win2k running in "NT4 compatibility mode". Is this still required for domain logins? What about Kerberos 5 support--are we likely to see that in Samba any time soon? :) If you're reading on samba-ntdom, please cc: as I don't follow the list. TIA, Steve Langasek postmodern programmer From hanak at IRIS.osu.cz Mon Feb 7 08:21:07 2000 From: hanak at IRIS.osu.cz (Ondrej Hanak) Date: Tue Dec 2 02:28:21 2003 Subject: Login permissions Message-ID: Hi samba men, only one question is on my mind. Does possibility exist to restrict some users from login into some workstations in NT dom? I'm looking for system solution, not like restrict user's reading permissions on system root. Thanks for any comment. Cus O.H. From dominik.kubla at uni-mainz.de Mon Feb 7 09:26:41 2000 
From: dominik.kubla at uni-mainz.de (Dominik Kubla) Date: Tue Dec 2 02:28:21 2003 Subject: win98 and roaming profiles.. In-Reply-To: ; from Tim Radigan on Mon, Feb 07, 2000 at 03:22:08PM +1100 References: <389DC06A.EB2A4038@rfa.org> Message-ID: <20000207102641.A25478@uni-mainz.de> On Mon, Feb 07, 2000 at 03:22:08PM +1100, Tim Radigan wrote: > ok, i just switched my school computer back to win98 from winNT and it seems > that roaming profiles and/or the home directories aren't working the way NT > handled them.. i'll post my smb.conf file after the base of this message.. > any help would be appreciated.. i'm not even sure that samba and/or win98 > supports profiles for a win98 -> samba connection.. let me know if anyone > has any suggestions.. here is my smb.conf file: My guess is that it's a Win98 problem, because i am experiencing the same problem here with Win98 and a WinNT4 server... Sigh! Dominik Kubla From lk at netuse.de Mon Feb 7 09:37:32 2000 
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:21 2003
Subject: win98 and roaming profiles..
References: <389DC06A.EB2A4038@rfa.org> <20000207102641.A25478@uni-mainz.de>
Message-ID: <389E925C.32608BA5@netuse.de>

Dominik Kubla wrote:
>
> On Mon, Feb 07, 2000 at 03:22:08PM +1100, Tim Radigan wrote:
> > ok, i just switched my school computer back to win98 from winNT and it seems
> > that roaming profiles and/or the home directories aren't working the way NT
> > handled them.. i'll post my smb.conf file after the base of this message..
> > any help would be appreciated.. i'm not even sure that samba and/or win98
> > supports profiles for a win98 -> samba connection.. let me know if anyone
> > has any suggestions.. here is my smb.conf file:
>
> My guess is that it's a Win98 problem, because i am experiencing the same
> problem here with Win98 and a WinNT4 server... Sigh!

Which Samba version do you use?
Samba 2.0.6 has a problem with homedirectories or profiles. Only one is
working correctly.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From jeremy at valinux.com Mon Feb 7 12:17:50 2000
From: jeremy at valinux.com (jeremy@valinux.com)
Date: Tue Dec 2 02:28:21 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: from "Luke Kenneth Casson Leighton" at Feb 05, 2000 07:41:12 AM
Message-ID: <200002071217.EAA14163@legion.su.valinux.com>

>
> phil, this isn't about root being trusted or untrusted. it's about making
> sure that only root can decode a password stored in a location in a
> publicly accessible file.
>
>
> On Sat, 5 Feb 2000, Phil Mayers wrote:
>
> > I'm afraid I agree. If you don't trust root, then you're screwed. If
> > someone gets a root shell on the machine, you're deader than corduroy.
> > They can essentially do anything, hence it adds no real security, just
> > puts another step in the way.

But passwords should *never* be stored in a publicly accessible file - not
even obfuscated !

Remember, the original UNIX system had hashed passwords stored in
/etc/passwd. This was ok - because it was estimated that it was
computationally impossible to attack the hash....

WRONG ! Faster processors made it possible within a decade or so.

Solution - put the passwords in a *ROOT READ ONLY* file , /etc/shadow.

We need to do the same. Any further obfuscation is unneeded.

Luke - just because NT does it doesn't mean it is a good idea. Don't code
this up. If you do it'll be a waste of your efforts as it will not go into
a stable release.

If the key is stored off machine in some way then that's a different
matter, as that actually does add some security. It would, however, mean
that human intervention is needed to restart Samba on a machine. Every
time (no unattended boots).

Remember the famous quote (can't remember who said it originally :-).

"Those who do not understand UNIX are doomed to re-invent it, badly" :-).

Cheers,

Jeremy.

From sharpe at ns.aus.com Sun Feb 6 20:26:05 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:21 2003
Subject: win98 and roaming profiles..
In-Reply-To: <389E925C.32608BA5@netuse.de>
References: <389DC06A.EB2A4038@rfa.org> <20000207102641.A25478@uni-mainz.de>
Message-ID: <3.0.6.32.20000207062605.008d1e20@203.16.214.248>

At 08:40 PM 2/7/00 +1100, Lars Kneschke wrote:
>Dominik Kubla wrote:
>>
>> On Mon, Feb 07, 2000 at 03:22:08PM +1100, Tim Radigan wrote:
>> > ok, i just switched my school computer back to win98 from winNT and it seems
>> > that roaming profiles and/or the home directories aren't working the way NT
>> > handled them.. i'll post my smb.conf file after the base of this message..
>> > any help would be appreciated.. i'm not even sure that samba and/or win98
>> > supports profiles for a win98 -> samba connection.. let me know if anyone
>> > has any suggestions.. here is my smb.conf file:
>>
>> My guess is that it's a Win98 problem, because i am experiencing the same
>> problem here with Win98 and a WinNT4 server... Sigh!
>Which Samba version do you use?
>Samba 2.0.6 has a problem with homedirectories or profiles. Only one is
>working correctly.

Well, that is not exactly true. Win9X does different things than Win NT
does WRT profiles ...

With Win9X you can only have profiles in the home directory, but using a
trick you can put your profiles into a subdirectory of your home share, ie:

logon home = \\%L\%u\profiles

With this, net use /home works as you would expect, and profiles go in the
profiles directory.

I suspect that if you did something similar on WinNT server in UserManager
for Domains, Win 9X would work the same way.
>Cu
>--
>Lars Kneschke
>NetUSE Kommunikationstechnologie GmbH
>Siemenswall, D-24107 Kiel, Germany
>Fon: +49 431 386435 00 -- Fax: +49 431 386435 99
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From ckenevey at orbism.com Mon Feb 7 12:41:33 2000
From: ckenevey at orbism.com (Cormac Kenevey)
Date: Tue Dec 2 02:28:21 2003
Subject: NT workstation service pack reduces performance
Message-ID: <389EBD7C.ED7DDF46@orbism.com>

Hi,

I have a Toshiba tecra 8000 laptop running NT. It came with service pack 3
installed. It used to be very fast. When I installed service pack 4, I
noticed a significant reduction in the performance of the machine. Has
anyone encountered this behaviour before ? I have since installed service
pack 5 and there is no improvement. It's a high-spec machine with buckets
of RAM which should not be experiencing this kind of performance problem.

cheers
Cormac Kenevey

From danny at cs.huji.ac.il Mon Feb 7 12:40:56 2000
From: danny at cs.huji.ac.il (Danny Braniss)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: Your message of Mon, 7 Feb 2000 22:21:34 +1100 .
Message-ID:

I have been hacking samba to use our private authentication method, mainly
we have a server that given a hashed key/user pair will do the
authentication. I only very recently started to look into samba-tng, and
was wondering if thought was given in using some external authentication
method, like pam or irs? it would make the next round easier.

danny

From greg at discreet.com Mon Feb 7 14:05:27 2000
From: greg at discreet.com (Greg Dickie)
Date: Tue Dec 2 02:28:22 2003
Subject: samba in vmware?
Message-ID:

Hi,

 I just downloaded vmware 2.0beta for linux and it "looks like" they are
packaging samba in with it to provide connectivity between the host and guest
OSes. Was anybody aware of this? Does anybody care? I guess it's not a bad
thing...

Greg

---------------------------------------------------------------------
Greg Dickie
Just A Guy
greg@discreet.com

From gosha at arvid.ee Mon Feb 7 14:05:00 2000
From: gosha at arvid.ee (Dmitri B.Gofmekler)
Date: Tue Dec 2 02:28:22 2003
Subject: Raming profiles & Windows NT 4.0.
Message-ID: <4.3.0.33.0.20000207155336.00aec890@mail>

Hello,

Probably someone knows how to fix it:

Samba version is pre-3.0.0.

Samba settings:
.....
security = user
encrypt passwords = yes
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
logon path = \\%L\Profiles\%U
.....
[netlogon]
path = /home/netlogon
guest ok = yes
writable = yes
share modes = no

[Profiles]
path = /home/profiles
browseable = no
guest ok = no
writeable = yes
.....

The problem is the Windows NT reports error 240 (that Win NT can not load
user profile).
In the [Profiles] directory %U subdirs are created. And even old Win NT
Profiles copied there.

Why it does not works, somebody knows?

Thanks,

----
Dmitri B. Gofmekler , ICQ: 8168758 GSM: (+37 25) 027705
----
"http://www.sill.ee/~gosha/gosha.asc" - for PGP Encrypted messages.
=====================================
Phone/Fax: (+372 6) 775681
A-Arvid Computers Ltd. < http://www.arvid.ee >

From dominik.kubla at uni-mainz.de Mon Feb 7 14:11:54 2000
From: dominik.kubla at uni-mainz.de (Dominik Kubla)
Date: Tue Dec 2 02:28:22 2003
Subject: win98 and roaming profiles..
In-Reply-To: <389E925C.32608BA5@netuse.de>; from Lars Kneschke on Mon, Feb 07, 2000 at 10:37:32AM +0100
References: <389DC06A.EB2A4038@rfa.org> <20000207102641.A25478@uni-mainz.de> <389E925C.32608BA5@netuse.de>
Message-ID: <20000207151154.A27631@uni-mainz.de>

On Mon, Feb 07, 2000 at 10:37:32AM +0100, Lars Kneschke wrote:
> Which Samba version do you use?
> Samba 2.0.6 has a problem with homedirectories or profiles. Only one is
> working correctly.

I am using 2.0.5a to serve the homedirectories with a NT4 SP4 PDC serving
the profiles and the netlogon script.

Dominik

From lk at netuse.de Mon Feb 7 14:18:01 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:22 2003
Subject: Raming profiles & Windows NT 4.0.
References: <4.3.0.33.0.20000207155336.00aec890@mail>
Message-ID: <389ED419.F86CFA90@netuse.de>

"Dmitri B.Gofmekler" wrote:
>
> Hello,
>
> Probably someone knows how to fix it:
>
> Samba version is pre-3.0.0.
>
> Samba settings:
> ....
> security = user
> encrypt passwords = yes
> domain master = yes
> local master = yes
> preferred master = yes
> domain logons = yes
> logon path = \\%L\Profiles\%U
> ....
> [netlogon]
> path = /home/netlogon
> guest ok = yes
> writable = yes
> share modes = no
>
> [Profiles]
> path = /home/profiles
> browseable = no
> guest ok = no
> writeable = yes
> ....

I have these settings, and it works. weigon is the name of PDC.

[global]
logon path = \\weigon\profiles\%U\profile

[netlogon]
path = /opt/samba-tng/netlogon
writeable = no
guest ok = no
comment = Startscripte

[profiles]
path = /opt/samba-tng/profiles
browseable=yes
writeable=yes
comment = Profile-Share
directory mask = 0700
create mode = 0700

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From Christian.Duclou at eeigm.inpl-nancy.fr Mon Feb 7 14:46:29 2000
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou)
Date: Tue Dec 2 02:28:22 2003
Subject: NT Policy and groups
Message-ID: <389EDAC5.DACC102B@eeigm.inpl-nancy.fr>

Hello,

How to use NT Policy with Samba 2.0.6 as PDC for NT 4.0 Workstations?
The goal is to restrict local resources access on the stations for a
group of users.

Thanks,

Christian
--
_____________ EEIGM - Service Informatique _____________
6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France
Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36
_______________ http://eeigm.inpl-nancy.fr _____________

From sharpe at ns.aus.com Sun Feb 6 23:38:40 2000
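Added example (not from any list member or from the Samba project): the [netlogon], [profiles] and [homes] stanzas posted in the roaming-profile messages above, run through a small checker that reports shares whose own settings accept guests and allow writes, for instance a guest-writable [netlogon] that holds the logon scripts clients run. The stanzas are trimmed excerpts of the posted configs, the function names are made up here, and only the guest/write parameters and their smb.conf synonyms are interpreted.

```python
"""Report smb.conf shares that accept guest connections and allow writes."""

TRUE_WORDS = {"yes", "true", "1"}

# smb.conf(5) synonyms, keyed by parameter name with case and whitespace
# removed. Value: (canonical key, True if the synonym inverts the meaning).
SYNONYMS = {
    "guestok": ("guest_ok", False),
    "public": ("guest_ok", False),
    "readonly": ("read_only", False),
    "writable": ("read_only", True),
    "writeable": ("read_only", True),
    "writeok": ("read_only", True),
}

# Samba's defaults when neither the share nor [global] sets the parameter.
DEFAULTS = {"guest_ok": False, "read_only": True}

# Trimmed excerpts of the three configurations posted in the thread.
CONF_TIM = """
[netlogon]
   path = /home/scripts
   public = yes
[profiles]
   path = /home/profiles
   read only = no
   guest ok = yes
   writeable = yes
[homes]
   read only = no
   writable = yes
   guest ok = no
"""
CONF_DMITRI = """
[netlogon]
   path = /home/netlogon
   guest ok = yes
   writable = yes
[Profiles]
   path = /home/profiles
   guest ok = no
   writeable = yes
"""
CONF_LARS = """
[netlogon]
   path = /opt/samba-tng/netlogon
   writeable = no
   guest ok = no
[profiles]
   path = /opt/samba-tng/profiles
   browseable=yes
   writeable=yes
"""


def parse_shares(conf_text):
    """Return {share: {"guest_ok": bool, "read_only": bool}} for every share."""
    global_settings = dict(DEFAULTS)
    shares = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            current = global_settings if name == "global" else shares.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.split()).lower()   # names ignore case and spaces
        if key not in SYNONYMS:
            continue
        canonical, inverted = SYNONYMS[key]
        flag = value.strip().lower() in TRUE_WORDS
        current[canonical] = (not flag) if inverted else flag
    # A share inherits the [global] value for anything it does not set itself.
    return {name: {**global_settings, **own} for name, own in shares.items()}


def guest_writable_shares(conf_text):
    """Names of shares that are both guest-accessible and writable.

    This reads the share definition only; Unix permissions on the path and
    the rights of the guest account still decide what a write can touch.
    """
    return sorted(name for name, s in parse_shares(conf_text).items()
                  if s["guest_ok"] and not s["read_only"])


if __name__ == "__main__":
    for label, conf in (("Tim", CONF_TIM), ("Dmitri", CONF_DMITRI), ("Lars", CONF_LARS)):
        print(label, guest_writable_shares(conf))
```
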
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? In-Reply-To: Message-ID: <3.0.6.32.20000207093840.00a7ae00@203.16.214.248> At 01:07 AM 2/8/00 +1100, Greg Dickie wrote: > >Hi, > > I just downloaded vmware 2.0beta for linux and it "looks like" they are >packaging samba in with it to provide connectibility between the host and guest >OSes. Was anybody aware of this? Does anybody care? I guess its not a bad >thing... Hmmm, why would they need to do that. I run VMware under Linux with Win95 and Win98 in VMs, and Samba on the other side, and all works well. >Greg > >--------------------------------------------------------------------- >Greg Dickie >Just A Guy >greg@discreet.com > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course From greg at discreet.com Mon Feb 7 14:59:38 2000 
From: greg at discreet.com (Greg Dickie) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? In-Reply-To: <3.0.6.32.20000207093840.00a7ae00@203.16.214.248> Message-ID: me too. I guess it saves you the trouble of getting samba yourself. I'm not sure how it would act if you already had samba on the machine. Greg On 06-Feb-00 Richard Sharpe wrote: > At 01:07 AM 2/8/00 +1100, Greg Dickie wrote: >> >>Hi, >> >> I just downloaded vmware 2.0beta for linux and it "looks like" they are >>packaging samba in with it to provide connectibility between the host and > guest >>OSes. Was anybody aware of this? Does anybody care? I guess its not a bad >>thing... > > Hmmm, why would they need to do that. I run VMware under Linux with Win95 > and Win98 in VMs, and Samba on the other side, and all works well. > >>Greg >> >>--------------------------------------------------------------------- >>Greg Dickie >>Just A Guy >>greg@discreet.com >> > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course --------------------------------------------------------------------- Greg Dickie Just A Guy greg@discreet.com From zen at uninet.net.id Mon Feb 7 15:14:47 2000 
From: zen at uninet.net.id (ZEN el GUAY)
Date: Tue Dec 2 02:28:22 2003
Subject: NT SP6 Problem with Samba
Message-ID: <0002072225280A.00638@zen.sphenisci.or.id>

Hi, all
A while ago I'm asking Luke about the possibility of NT Service Pack 6 problem
with Samba. Well, Luke...I just got one this morning....
I installed SP6 on an NT Server. When my Linux box trying to save a file
(approximately 5 MB) in its shared directory, the file was there. But when I
opened the file, it was corrupted. The same thing happen when I want to put a
file in my Linux box from that NT. But when I changed it again to SP5, the
file transfer worked just fine... I don't know what else could be wrong with
this SP6... :-)
I'm using RH 6.0 Kernel 2.2.12 with Samba 2.0.6

ZEN

From lk at netuse.de Mon Feb 7 15:44:18 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:22 2003
Subject: NT SP6 Problem with Samba
References: <0002072225280A.00638@zen.sphenisci.or.id>
Message-ID: <389EE852.7E9FE8AF@netuse.de>

ZEN el GUAY wrote:
>
> Hi, all
> A while ago I'm asking Luke about the possibility of NT Service Pack 6 problem
> with Samba. Well, Luke...I just got one this morning....
> I installed SP6 on an NT Server. When my Linux box trying to save a file
> (approximately 5 MB) in its shared directory, the file was there. But when I
> opened the file, it was corrupted. The same thing happen when I want to put a
> file in my Linux box from that NT. But when I changed it again to SP5, the
> file transfer worked just fine... I don't know what else could be wrong with
> this SP6... :-)
> I'm using RH 6.0 Kernel 2.2.12 with Samba 2.0.6

Don't know if you know this already. But SP6 had a broken TCP-Stack. There
exists a SP for SP6.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From Kai-H.Weutzing at TU-Berlin.DE Mon Feb 7 15:50:28 2000
From: Kai-H.Weutzing at TU-Berlin.DE (Kai-H. Weutzing) Date: Tue Dec 2 02:28:22 2003 Subject: Samba PDC in more than one Broadcast Domain Message-ID: <389EE9C4.EC0AA033@TU-Berlin.DE> Hi! I'am using a SuSE Linux Samba Server. It works fine, BUT... I must use this Server in more than one Broadcast Domain: In a.b.52. a.b.53. a.b.79. The Server has an NIC with IP Adresse a.b.53.241. So if I start a WinNT Ws in the a.b.52. net to use my Domain (supported by the Server) the WinNT Ws can't find the Server! I didn't like to buy a NIC with three or more Cons, so is there a way that the Server listen to more than one Broadcast. Thx Kai EOT From wenk at s4d.ch Mon Feb 7 16:03:10 2000 From: wenk at s4d.ch (Fabian Wenk) Date: Tue Dec 2 02:28:22 2003 Subject: NT SP6 Problem with Samba References: <0002072225280A.00638@zen.sphenisci.or.id> Message-ID: <389EECBE.8EEC8266@s4d.ch> ZEN el GUAY wrote: > I installed SP6 on an NT Server. When my Linux box trying to save a file > (approximately 5 MB) in its shared directory, the file was there. But when I > opened the file, it was corrupted. The same thing happen when I want to put a Could this be the same problem as it was with Lotus Notes, so you need the hotfix for SP6 (go to this link: http://www.microsoft.com/downloads/default.asp?Search=Keywords&LangIDCODE=20%3Ben-us&Value=SP6&OpSysID=252&Show=Alpha), or SP6a. The problem with SP6 was that some IP stuff works only if the user has admin rights. Maybe Samba has the same problem. I didn't try this out, this is just a hint. If you search in the M$ Technet (http://www.microsoft.com/technet) for SP6 you will find about 100 articles with SP6 in it, probably you should check this out also. bye Fabian From wenk at s4d.ch Mon Feb 7 16:15:06 2000 
From: wenk at s4d.ch (Fabian Wenk)
Date: Tue Dec 2 02:28:22 2003
Subject: Raming profiles & Windows NT 4.0.
References: <4.3.0.33.0.20000207155336.00aec890@mail>
Message-ID: <389EEF8A.616D5AC7@s4d.ch>

"Dmitri B.Gofmekler" wrote:

> Probably someone knows how to fix it:
> The problem is the Windows NT reports error 240 (that Win NT can not load
> user profile).
> In the [Profiles] directory %U subdirs are created. And even old Win NT
> Profiles copied there.

Are the permissions on the unix files correct, the profiles directory
needs mode 777. The directories of the user need mode 700 and the user as
owner.

bye
Fabian

From wenk at s4d.ch Mon Feb 7 16:32:26 2000
From: wenk at s4d.ch (Fabian Wenk)
Date: Tue Dec 2 02:28:22 2003
Subject: Samba PDC in more than one Broadcast Domain
References: <389EE9C4.EC0AA033@TU-Berlin.DE>
Message-ID: <389EF39A.8FA9CDD4@s4d.ch>

"Kai-H. Weutzing" wrote:

> I must use this Server in more than one Broadcast Domain:
>
> In
> a.b.52.
> a.b.53.
> a.b.79.
> The Server has an NIC with IP Adresse a.b.53.241.
>
> So if I start a WinNT Ws in the a.b.52. net to use my Domain (supported by the Server) the WinNT Ws can't find the Server!

Are these three subnets on the same physical network (ethernet)? If so,
just assign on the Samba server additional IP addresses on the
ethernet interface for each subnet (eg. a.b.52.? and a.b.79.?). I don't
know how to do it in linux, on FreeBSD this is called an alias IP.

Or are there switches in between? If so, place on every NT workstation
the file c:\winnt\system32\drivers\etc\lmhosts with the content (there
is also a lmhost.sam file there, check it out):

a.b.53.241 NETBIOSNAME #PRE #DOM:NTDOMAIN

replace NETBIOSNAME with the name of the Samba server, and replace
NTDOMAIN with the NT domain Samba is running. This will tell the
workstation a servername and that this is a Domain Controller, so the
station will ask this one for logon.

bye
Fabian

From mg at plum.de Mon Feb 7 16:43:02 2000
From: mg at plum.de (Michael Glauche) Date: Tue Dec 2 02:28:22 2003 Subject: NT SP6 Problem with Samba References: <0002072225280A.00638@zen.sphenisci.or.id> <389EECBE.8EEC8266@s4d.ch> Message-ID: <389EF616.D6CECF98@plum.de> Fabian Wenk wrote: > > ZEN el GUAY wrote: > > > I installed SP6 on an NT Server. When my Linux box trying to save a file > > (approximately 5 MB) in its shared directory, the file was there. But when I > > opened the file, it was corrupted. The same thing happen when I want to put a > > Could this be the same problem as it was with Lotus Notes, so you need > the hotfix for SP6 (go to this link: > http://www.microsoft.com/downloads/default.asp?Search=Keywords&LangIDCODE=20%3Ben-us&Value=SP6&OpSysID=252&Show=Alpha), > or SP6a. The problem with SP6 was that some IP stuff works only if the > user has admin rights. Maybe Samba has the same problem. I didn't try > this out, this is just a hint. No. I don't think so. Lotus had the problem, because MS did cut off all TCP server connections > port 1024. (same way in unix. big deal. software is broken :) (Samba does not "run" on NT, it only emulates NT behaviour) Although I'm still using SP5 for all my clients here ... :) regards, Michael -- Samba NT-Domain howto (in german) http://www.sambahq.de From GLeblanc at cu-portland.edu Mon Feb 7 17:03:24 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? Message-ID: > -----Original Message----- 
> From: Greg Dickie [mailto:greg@discreet.com] > Sent: Monday, February 07, 2000 7:03 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: samba in vmware? > > > me too. > > I guess it saves you the trouble of getting samba yourself. > I'm not sure how it > would act if you already had samba on the machine. If you bother to read the help that 2.0beta provides when you run vmware-config.pl , you'll notice that it suggests that you DON'T allow it to set up samba if you already have it running. From the looks of the files that shipped with my VMware install, it doesn't actually include Samba, but probably checks to see if you have samba, and then volunteers to configure it. I heard that VMware has donated a handful (bunch?) of VMware licenses to the Samba gurus so that they can test NT-samba connectivity without so many PeeCees floating around, or so many reboots. Greg L. From lars at kneschke.de Mon Feb 7 17:10:10 2000 
From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:22 2003 Subject: Samba PDC in more than one Broadcast Domain References: <389EE9C4.EC0AA033@TU-Berlin.DE> Message-ID: <389EFC72.B3F65620@kneschke.de> "Kai-H. Weutzing" wrote: > > Hi! > > I'am using a SuSE Linux Samba Server. It works fine, BUT... > > I must use this Server in more than one Broadcast Domain: > > In > a.b.52. > a.b.53. > a.b.79. > The Server has an NIC with IP Adresse a.b.53.241. > > So if I start a WinNT Ws in the a.b.52. net to use my Domain (supported by the Server) the WinNT Ws can't find the Server! > > I didn't like to buy a NIC with three or more Cons, so is there a way that the Server listen to more than one Broadcast. If it's physically one network, you can use virtual interfaces on the NIC. But the better solution is to use a WINS server. Set wins support = yes in your global section. This lets act your Sambaserver as a WINS-Server. You must set the WINS-Server in the networkssettings of the WinNT-Workstation too. This need a working routing beetwenn the networks. Cu -- Do you like Samba? Do you know KSamba? Try http://www.kneschke.de/projekte/ksamba!! Or watch our other projects at http://www.kneschke.de/projekte! From greg at discreet.com Mon Feb 7 17:43:22 2000 From: greg at discreet.com (Greg Dickie) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? In-Reply-To: Message-ID: RTFM? who me? never! Actually there are execs called vmware-nmbd and vmware-smnd and vmware-smbpasswd so I'm guessing those are samba renamed. Its not a problem I was just surprised to see it. Greg On 07-Feb-00 Gregory Leblanc wrote: >> -----Original Message----- 
>> From: Greg Dickie [mailto:greg@discreet.com] >> Sent: Monday, February 07, 2000 7:03 AM >> To: Multiple recipients of list SAMBA-NTDOM >> Subject: Re: samba in vmware? >> >> >> me too. >> >> I guess it saves you the trouble of getting samba yourself. >> I'm not sure how it >> would act if you already had samba on the machine. > > If you bother to read the help that 2.0beta provides when you run > vmware-config.pl , you'll notice that it suggests that you DON'T allow > it to set up samba if you already have it running. From the looks of the > files that shipped with my VMware install, it doesn't actually include > Samba, but probably checks to see if you have samba, and then volunteers to > configure it. I heard that VMware has donated a handful (bunch?) of VMware > licenses to the Samba gurus so that they can test NT-samba connectivity > without so many PeeCees floating around, or so many reboots. > Greg L. --------------------------------------------------------------------- Greg Dickie Just A Guy greg@discreet.com From GLeblanc at cu-portland.edu Mon Feb 7 17:58:25 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? Message-ID: > -----Original Message----- 
> From: Greg Dickie [mailto:greg@discreet.com] > Sent: Monday, February 07, 2000 9:46 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: RE: samba in vmware? > > RTFM? who me? never! Actually there are execs called vmware-nmbd and > vmware-smnd and vmware-smbpasswd so I'm guessing those are > samba renamed. Its > not a problem I was just surprised to see it. Hmm, hadn't noticed that, I was just browsing the RPM. Those files come back and report version 2.0.6, but they're not the same size as the samba 2.0.6 RPM executables that I've found. I also don't see any documentation/license information for samba. I think I'll take this up with somebody at vmware unless somebody ojbects... Greg (the other one). From lkcl at samba.org Mon Feb 7 18:09:44 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002071217.EAA14163@legion.su.valinux.com>
Message-ID:

On Mon, 7 Feb 2000 jeremy@valinux.com wrote:

> >
> > phil, this isn't about root being trusted or untrusted. it's about making
> > sure that only root can decode a password stored in a location in a
> > publicly accessible file.
> >
> >
> > On Sat, 5 Feb 2000, Phil Mayers wrote:
> >
> > > I'm afraid I agree. If you don't trust root, then you're screwed. If
> > > someones get a root shell on the machine, you're deader than courdroy.
> > > They can essentially do anything, hence it adds no real security, just
> > > puts another step in the way.
>
> But passwords should *never* be stored in a publicly accessible
> file - not even obfuscated !

for, say, ldap, which is publicly accessible, we don't have any choice.

> Luke - just because NT does it doesn't mean it is a good
> idea. Don't code this up. If you do it'll be a waste of
> your efforts as it will not go into a stable release.

jeremy, that's silly.

if this was only a matter of local-filesystem-based password storage, i
wouldn't bother, or i would be pushing the off-line storage of syskey
more.

but it's not. think. ldap. sql. nis+. we can't trust them, and
they're all publicly accessible network protocols.

> If the key is stored off machine in some way then that's a
> different matter, as that actually does add some security.

that is one option.

> It would, however, mean that human intervention is needed
> to restart Samba on a machine. Every time (no unattended boots).

yes. for those people prepared to pay that price, fine.

From tavis at mahler.econ.columbia.edu Mon Feb 7 18:20:39 2000
From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:28:22 2003 Subject: Login permissions In-Reply-To: Message-ID: On Mon, 7 Feb 2000, Ondrej Hanak wrote: > Hi samba men, ("Real men use Samba"?) :) > only one question is on my mind. Does possibility exist to restrict some > users from login into some workstations in NT dom? I'm looking for system > solution, not like restrict user's reading permissions on system root. > Thanks for any comment. A securely set up workstation will have a local group that you want to have Samba domain members (e.g., users or power users, depending on how much you trust your users). Normally at installation time, we use the workstation user manager to map that group to SAMBA_DOMAIN\"Domain Users" and use the domaingroup.map file to map "Domain Users" to a Unix group. Instead, you could map the local group to "Workstation_X_users" and then use the domaingroup.map file map "Workstation_X_Users" to a different Unix group. This requires TNG. Do not user 2.0.x. Good luck, Tavis From lkcl at samba.org Mon Feb 7 18:22:18 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:22 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: danny, i remember you tellimg me about that. samba does use pams, but remember, that's only active whe n" encrypt passwords = no", which doesn't help with your system. _however_, there is nothing to stop you now writing your own samrd, which should be a combined your-own-password-authentication-system with an _samr*() api on it. luke On Mon, 7 Feb 2000, Danny Braniss wrote: > I have been hacking samba to use our private authentication method, mainly > we have a server that given a hashed key/user pair will do the authentication. > > I only very resently started to look into samba-tng, and was wondering if > thought was given in using some external authentication method, like pam or > irs? > it would make the next round easier. > > danny > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 7 18:39:45 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:22 2003 Subject: samba in vmware? In-Reply-To: Message-ID: yes please. samba should ALWAYS be provided with a copy of the GPL license. they are in violation of the GPL license, otherwise. On Tue, 8 Feb 2000, Gregory Leblanc wrote: > > -----Original Message----- 
> > From: Greg Dickie [mailto:greg@discreet.com] > > Sent: Monday, February 07, 2000 9:46 AM > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: RE: samba in vmware? > > > > RTFM? who me? never! Actually there are execs called vmware-nmbd and > > vmware-smnd and vmware-smbpasswd so I'm guessing those are > > samba renamed. Its > > not a problem I was just surprised to see it. > > Hmm, hadn't noticed that, I was just browsing the RPM. Those files come > back and report version 2.0.6, but they're not the same size as the samba > 2.0.6 RPM executables that I've found. I also don't see any > documentation/license information for samba. I think I'll take this up with > somebody at vmware unless somebody ojbects... > Greg (the other one). > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From p.mayers at ic.ac.uk Mon Feb 7 20:17:43 2000 
From: p.mayers at ic.ac.uk (Phil Mayers) Date: Tue Dec 2 02:28:22 2003 Subject: SYSKEY2. Request For Comments References: Message-ID: <389F2867.7F70D3A2@ic.ac.uk> Hmm. Interesting point which I hadn't considered. For LDAP I would say that the entry really ought to be ACL'd anyhow (they are here at my site) which is similar to having a seperate password-protected database file. Hmm. NIS and SQL I don't know about though. Cheers, Phil Luke Kenneth Casson Leighton wrote: > > On Mon, 7 Feb 2000 jeremy@valinux.com wrote: > > > > > > > phil, this isn't about root being trusted or untrusted. it's about making > > > sure that only root can decode a password stored in a location in a > > > publicly accessible file. > > > > > > > > > On Sat, 5 Feb 2000, Phil Mayers wrote: > > > > > > > I'm afraid I agree. If you don't trust root, then you're screwed. If > > > > someones get a root shell on the machine, you're deader than courdroy. > > > > They can essentially do anything, hence it adds no real security, just > > > > puts another step in the way. > > > > But passwords should *never* be stored in a publicly accessible > > file - not even obfuscated ! > > for, say, ldap, which is publicly accessible, we don't have any choice. > > > Luke - just because NT does it doesn't mean it is a good > > idea. Don't code this up. If you do it'll be a waste of > > your efforts as it will not go into a stable release. > > jeremy, that's silly. > > if this was only a matter of local-filesystem-based password storage, i > wouldn't bother, or i would be pushing the off-line storage of syskey > more. > > but it's not. think. ldap. sql. nis+. we can't trust them, and > they're all publicly accessible network protocols. > > > > If the key is stored off machine in some way then that's a > > different matter, as that actually does add some security. > > that is one option. > > > It would, however, mean that human intervention is needed > > to restart Samba on a machine. 
Every time (no unattended boots). > > yes. for those people prepared to pay that price, fine. From bojan at 4u.net Mon Feb 7 20:07:12 2000 From: bojan at 4u.net (bojan) Date: Tue Dec 2 02:28:22 2003 Subject: NT SP6 Problem with Samba References: <0002072225280A.00638@zen.sphenisci.or.id> Message-ID: <005301bf71a7$bde14f00$116511ac@maja> ----- Original Message ----- From: ZEN el GUAY To: Multiple recipients of list SAMBA-NTDOM Sent: 7. februar 2000 16:37 Subject: NT SP6 Problem with Samba > Hi, all > A while ago I'm asking Luke about the possibility of NT Service Pack 6 problem > with Samba. Well, Luke...I just got one this morning.... > I installed SP6 on an NT Server. When my Linux box trying to save a file > (approximately 5 MB) in its shared directory, the file was there. But when I > opened the file, it was corrupted. The same thing happen when I want to put a > file in my Linux box from that NT. But when I changed it again to SP5, the > file transfer worked just fine... I don't know what else could be wrong with > this SP6... :-) > I'm using RH 6.0 Kernel 2.2.12 with Samba 2.0.6 > > ZEN I have the same problem with SP6a, 2.2.12 and pre 3 Samba. Bojan From lkcl at samba.org Mon Feb 7 20:57:15 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:22 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <389F2867.7F70D3A2@ic.ac.uk> Message-ID: On Tue, 8 Feb 2000, Phil Mayers wrote: > Hmm. Interesting point which I hadn't considered. For LDAP I would say > that the entry really ought to be ACL'd anyhow (they are here at my > site) which is similar to having a seperate password-protected database > file. Hmm. NIS and SQL I don't know about though. and if you don't _have_ acls in your ldap implementation? or if you don't _realiase_ that ldap doesn't have any security? i don't want administrators bitching that their passwords were sent in-the-clear, and thinking it's our fault. i don't want a security report on bugtraq, either, bitching that we didn't document that passwords are sent in-the-clear for ldap / samba or mysql / samba. > Cheers, > Phil > > Luke Kenneth Casson Leighton wrote: > > > > On Mon, 7 Feb 2000 jeremy@valinux.com wrote: > > > > > > > > > > phil, this isn't about root being trusted or untrusted. it's about making > > > > sure that only root can decode a password stored in a location in a > > > > publicly accessible file. > > > > > > > > > > > > On Sat, 5 Feb 2000, Phil Mayers wrote: > > > > > > > > > I'm afraid I agree. If you don't trust root, then you're screwed. If > > > > > someones get a root shell on the machine, you're deader than courdroy. > > > > > They can essentially do anything, hence it adds no real security, just > > > > > puts another step in the way. > > > > > > But passwords should *never* be stored in a publicly accessible > > > file - not even obfuscated ! > > > > for, say, ldap, which is publicly accessible, we don't have any choice. > > > > > Luke - just because NT does it doesn't mean it is a good > > > idea. Don't code this up. If you do it'll be a waste of > > > your efforts as it will not go into a stable release. > > > > jeremy, that's silly. 
> > > > if this was only a matter of local-filesystem-based password storage, i > > wouldn't bother, or i would be pushing the off-line storage of syskey > > more. > > > > but it's not. think. ldap. sql. nis+. we can't trust them, and > > they're all publicly accessible network protocols. > > > > > > > If the key is stored off machine in some way then that's a > > > different matter, as that actually does add some security. > > > > that is one option. > > > > > It would, however, mean that human intervention is needed > > > to restart Samba on a machine. Every time (no unattended boots). > > > > yes. for those people prepared to pay that price, fine. > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From zen at uninet.net.id Mon Feb 7 21:29:48 2000 
From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:22 2003 Subject: NT SP6 Problem with Samba In-Reply-To: <389EE852.7E9FE8AF@netuse.de> References: <0002072225280A.00638@zen.sphenisci.or.id> <389EE852.7E9FE8AF@netuse.de> Message-ID: <00020804364701.00803@zen.sphenisci.or.id> > > > > Hi, all > > A while ago I'm asking Luke about the possibility of NT Service Pack 6 problem > > with Samba. Well, Luke...I just got one this morning.... > > I installed SP6 on an NT Server. When my Linux box trying to save a file > > (approximately 5 MB) in its shared directory, the file was there. But when I > > opened the file, it was corrupted. The same thing happen when I want to put a > > file in my Linux box from that NT. But when I changed it again to SP5, the > > file transfer worked just fine... I don't know what else could be wrong with > > this SP6... :-) > > I'm using RH 6.0 Kernel 2.2.12 with Samba 2.0.6 > Don't know if oyu know this already. > But SP6 had a broken TCP-Stack. There exists a SP for SP6. > Yeup, I've read it just a couple days after its release on October last year. I was just not sure how this 'buggy bugs fixes' effect with Samba. Now it happens. How can they be so messy about this Service Pack... From mgeddes at xavier.sa.edu.au Mon Feb 7 22:19:49 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
References:
Message-ID: <389F4505.4C3260EC@xavier.sa.edu.au>

Luke Kenneth Casson Leighton wrote:

> On Tue, 8 Feb 2000, Phil Mayers wrote:
>
> > Hmm. Interesting point which I hadn't considered. For LDAP I would say
> > that the entry really ought to be ACL'd anyhow (they are here at my
> > site) which is similar to having a separate password-protected database
> > file. Hmm. NIS and SQL I don't know about though.
>
> and if you don't _have_ acls in your ldap implementation? or if you don't
> _realise_ that ldap doesn't have any security?
>

Which LDAP implementation would that be? I'm no expert, but I haven't seen one without ACLs (I actually thought it was part of the LDAP standard).

>
> i don't want administrators bitching that their passwords were sent
> in-the-clear, and thinking it's our fault.
>
> i don't want a security report on bugtraq, either, bitching that we didn't
> document that passwords are sent in-the-clear for ldap / samba

Document it then.

>

I would personally keep the LDAP service running on the Samba PDC (where possible) to cut down on extra network packets that don't need to be there. You wouldn't have to worry about the Samba->LDAP password thing. When is the password sent in the clear? Or are you referring to the "encrypted" password? I agree that sending this kind of stuff over any network is not good, but there are things that can be done.

My 2c,
Matt

From mgeddes at xavier.sa.edu.au Mon Feb 7 22:22:19 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:22 2003 Subject: NT Policy and groups References: <389EDAC5.DACC102B@eeigm.inpl-nancy.fr> Message-ID: <389F459B.DAA7DF27@xavier.sa.edu.au> Christian Duclou wrote: > Hello, > > How to use NT Policy with Samba 2.0.6 as PDC for NT 4.0 > Workstations? > > The goal is to restrict locals ressources access on the stations for > a group of users. > > Thanks, > Christian > -- > _____________ EEIGM - Service Informatique _____________ > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 > _______________ http://eeigm.inpl-nancy.fr _____________ I do it the same way I do on an NT server. Save NTConfig.POL on \\PDC\netlogon. You just need to make sure that amdinistrators are the only people allowed to write to the share (everyone needs to read). Matt From lkcl at samba.org Mon Feb 7 22:17:18 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:22 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <389F4505.4C3260EC@xavier.sa.edu.au> Message-ID: > > and if you don't _have_ acls in your ldap implementation? or if you don't > > _realiase_ that ldap doesn't have any security? > > > > Which LDAP implementation would that be? I'm no expert, but I haven't seen one > without ACLs (I actually thought it was part of the LDAP standard). does it matter? ok, if it does, how about, we specify admins are supposed to lock the password field with an ACL and they don't bother. basically, there are too many steps to follow that are not under our control, in too many variable situations. sorry ppl, fed up with arguing and explaining this, my hands are now constantly hurting. i'm creating a syskey2, it's going in the source code, if you don't like it, jeremy, well, work it out for yourself as to why it's needed. luke From simonl at mirrormind.com Mon Feb 7 22:16:26 2000 
From: simonl at mirrormind.com (Simon Lodal)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
References:
Message-ID: <00e001bf71b8$fa31c4b0$0b00000a@home.mgs>

I am not a security expert, but trying to keep up. I do not understand the
real point in SYSKEY2, what is the primary purpose? I only see it making
trouble, no solutions. Excuse me if I'm lame, I know that, but please read
on. Quoting from luke's recent mails:

> recently, netect / bindview posted a review of the syskey system and how
> the RC4 cypher stream was reset each time. standard RC4 attack analysis
> shows that XORing two obfuscated passwords together results in the XOR
> cypher stream dropping out, and you have the two XORed password. further
> attack analysis can decrypt the passwords.

So the problem is that MS' encryption is again too weak?

> i need to make the sam database read-accessible to all unix users. just
> like /etc/passwd.

So the real problem is that we can't hide these weak password hashes from
anyone?

Jeremy suggested something along the lines of /etc/shadow.

> well, the trouble with that is that i will have to maintain (and lock, and
> maintain), two databases, for users.

So it could be done, only with a slight more trouble? What's worst;
implementing a new encryption system (which may itself open
vulnerabilities), or locking just another file?

The same mail also said:

> i won't be -- over-the-wire. i blank those out.

But 3 days later:

> but it's not. think. ldap. sql. nis+. we can't trust them, and
> they're all publicly accessible network protocols.

So the real problem has now turned out to be that we are using other
protocols that someone might be able to listen on, over the wire?

Sorry if I bother you, my intention is really to figure out what the
problem is, and I am quite confused. I am surely mixing different concepts
together.
However I do have some general comments, ignorantly not knowing anything
about the proposed encryption algorithms or protocols:

1) If the problem is only local storage, the obvious solution is a shadow
password system. The argument that you must trust root applies.

2) If the problem is that we cannot avoid revealing password hashes, because
they have to be sent over the wire, the solution is _not_ to add encryption
to Samba. The right solution is to encrypt that wire. People know that when
they choose to store passwords off the server. They must take care
themselves to make it safe. Just like you should know the risk if you run a
web- or mail-server using a DNS server running on another machine. People
know that, and it is not the responsibility of neither Apache nor bind to
solve that problem. It is a problem with IP (AFAIK). Same goes here; it's a
problem with NIS or LDAP. I don't see the point in samba trying to solve
their problems. I don't know anything about LDAP or NIS, but if they reveal
password hashes to the users, they're no better than old-style UNIX passwd
files. Not samba's problem.

3) The idea of storing the necessary key on a diskette off the machine only
makes things much worse. In theory it will add security, but in real life
there will be a major vulnerability: The human factor. Good old word says
that the only safe server is one that is shut down and locked in a closet.
It's the same if you need that disk to boot the machine. People will not
lock it in a closet, and they will not carry it around all day long, keep it
under their pillow when they sleep. So where will it be, in real life? Ha,
probably in the disk drive. How disciplined would you be? So when a
malicious person comes by the sysadms empty office, of course the sysadms
keyboard/monitor is suitably locked ... but what about that disk in the
drive, or on top of a pile of papers? Key to the entire system, thanks.

...
just my 0,02 euros :) /Simon From lkcl at samba.org Mon Feb 7 22:28:17 2000 
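The keystream-reuse weakness quoted in the message above ("XORing two obfuscated passwords together results in the XOR cypher stream dropping out"), as an added example that is not part of the thread and not Samba or NT code. The sample hashes and key are constructed, and `obfuscate_per_record` with its HMAC key derivation is a hypothetical remedy, not the SYSKEY2 design.

```python
"""Added illustration of RC4 keystream reuse across stored records."""
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (textbook KSA + PRGA)."""
    state = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + state[i] + key[i % len(key)]) % 256
        state[i], state[j] = state[j], state[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        out.append(state[(state[i] + state[j]) % 256])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def obfuscate_reset_stream(secret: bytes, system_key: bytes) -> bytes:
    """Weak pattern from the quoted review: the cipher stream restarts
    from the same key for every record, so every record sees the same
    keystream bytes."""
    return xor_bytes(secret, rc4_keystream(system_key, len(secret)))


def obfuscate_per_record(secret: bytes, system_key: bytes,
                         record_id: bytes) -> bytes:
    """Hypothetical remedy: derive a distinct key per record so that no
    two records share keystream. A current design would use an AEAD
    cipher with a unique nonce instead of RC4."""
    record_key = hmac.new(system_key, record_id, hashlib.sha256).digest()
    return xor_bytes(secret, rc4_keystream(record_key, len(secret)))


def keystream_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream dropped
    out and the stored values leak the XOR of the two secrets."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample data: 16-byte values standing in for password hashes.
SYSTEM_KEY = bytes(range(16))
HASH_A = hashlib.md5(b"constructed sample A").digest()
HASH_B = hashlib.md5(b"constructed sample B").digest()


def demo():
    """Return (leak with reset stream, leak with per-record keys)."""
    weak_a = obfuscate_reset_stream(HASH_A, SYSTEM_KEY)
    weak_b = obfuscate_reset_stream(HASH_B, SYSTEM_KEY)
    # Record ids are constructed 4-byte little-endian account numbers.
    fixed_a = obfuscate_per_record(HASH_A, SYSTEM_KEY, (1000).to_bytes(4, "little"))
    fixed_b = obfuscate_per_record(HASH_B, SYSTEM_KEY, (1001).to_bytes(4, "little"))
    return (keystream_cancels(weak_a, weak_b, HASH_A, HASH_B),
            keystream_cancels(fixed_a, fixed_b, HASH_A, HASH_B))


if __name__ == "__main__":
    leaked_weak, leaked_fixed = demo()
    print("reset stream leaks A xor B:", leaked_weak)
    print("per-record keys leak A xor B:", leaked_fixed)
```
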
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <00e001bf71b8$fa31c4b0$0b00000a@home.mgs>
Message-ID:

On Tue, 8 Feb 2000, Simon Lodal wrote:

> I am not a security expert, but trying to keep up. I do not understand the
> real point in SYSKEY2, what is the primary purpose? I only see it making
> trouble, no solutions. Excuse me if I'm lame, I know that, but please read
> on. Quoting from luke's recent mails:
>
> > recently, netect / bindview posted a review of the syskey system and how
> > the RC4 cypher stream was reset each time. standard RC4 attack analysis
> > shows that XORing two obfuscated passwords together results in the XOR
> > cypher stream dropping out, and you have the two XORed password. further
> > attack analysis can decrypt the passwords.
>
> So the problem is that MS' encryption is again too weak?

no, that was a side-note explaining that microsoft's current algorithm is
useless, indicating that i wish to do better.

> > i need to make the sam database read-accessible to all unix users. just
> > like /etc/passwd.
>
> So the real problem is that we can't hide these weak password hashes from
> anyone?
>
> Jeremy suggested something along the lines of /etc/shadow.

that's one specific implementation option. it doesn't mean that SYSKEY2
isn't necessary.

> > well, the trouble with that is that i will have to maintain (and lock, and
> > maintain), two databases, for users.
>
> So it could be done, only with a slight more trouble? What's worst;
> implementing a new encryption system (which may itself open
> vulnerabilities), or locking just another file?
>
> The same mail also said:
> > i won't be -- over-the-wire. i blank those out.
>
> But 3 days later:
> > but it's not. think. ldap. sql. nis+. we can't trust them, and
> > they're all publicly accessible network protocols.
>
> So the real problem has now turned out to be that we are using other
> protocols that someone might be able to listen on, over the wire?

YES. [thank you for noticing. no one else has].

> 1) If the problem is only local storage, the obvious solution is a shadow
> password system. The argument that you must trust root applies.

correct. as you noticed [the real problem], it's not JUST local storage.

> 3) The idea of storing the necessary key on a diskette off the machine only
> makes things much worse. In theory it will add security, but in real life
> there will be a major vulnerability: The human factor. Good old word says
> that the only safe server is one that is shut down and locked in a closet.
> It's the same if you need that disk to boot the machine. People will not
> lock it in a closet, and they will not carry it around all day long, keep it
> under their pillow when they sleep. So where will it be, in real life? Ha,
> probably in the disk drive. How disciplined would you be? So when a

that's their problem, not ours.

thx 4 comments.

luke

From skvidal at phy.duke.edu Mon Feb 7 22:40:11 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:22 2003
Subject: rpcclient
Message-ID:

the last thing I heard was rpcclient had a bunch of registry editing
abilities (once the user was authenticated) - is this still true.

what date of HEAD should I have in order to do this (or should I have TNG)

I just want to be able to add/delete/modify reg keys from a script on my
linux machine (so I don't have to waddle around to all the machines to
make 1 or 2 changes to HKLM)

thanks
-sv

From simonl at mirrormind.com Mon Feb 7 22:40:53 2000
From: simonl at mirrormind.com (Simon Lodal)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
References:
Message-ID: <011b01bf71bc$6a16e960$0b00000a@home.mgs>

> > So the real problem has now turned out to be that we are using other
> > protocols that someone might be able to listen on, over the wire?
>
> YES. [thank you for noticing. no one else has].

Thank you for clarifying :)

> > probably in the disk drive. How disciplined would you be? So when a
>
> that's their problem, not ours.

I think it's ours. The human factor is the biggest source of vulnerability
in any system. If we can do anything to minimise the risk of human failure,
we should do so. At least don't force users to need an external disk (I
don't understand from the discussion if users will be forced to do this, or
if it's an easy option).

Also I have bad feeling about SYSKEY2 for another reason. It is all about
implementing yet another security scheme which will surely be incompatible
with others in some way. Also it will demand sysadms to learn and maintain
yet another security measure. I feel so much better about generic methods,
such as running everything over ssh or the like (don't know if that's at all
possible or relevant here).

Regards,
Simon

From lkcl at samba.org Mon Feb 7 22:56:17 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: rpcclient
In-Reply-To:
Message-ID:

On Tue, 8 Feb 2000, Seth Vidal wrote:

> the last thing I heard was rpcclient had a bunch of registry editing
> abilities (once the user was authenticated) - is this still true.

yes.

> what date of HEAD should I have in order to do this (or should I have TNG)

tng only.

> I just want to be able to add/delete/modify reg keys from a script on my
> linux machine (so I don't have to waddle around to all the machines to
> make 1 or 2 changes to HKLM)

no problem. DWORD, string and binary supported (add key).

From lkcl at samba.org Mon Feb 7 22:58:42 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <011b01bf71bc$6a16e960$0b00000a@home.mgs>
Message-ID:

On Tue, 8 Feb 2000, Simon Lodal wrote:

> > > So the real problem has now turned out to be that we are using other
> > > protocols that someone might be able to listen on, over the wire?
> >
> > YES. [thank you for noticing. no one else has].
>
> Thank you for clarifying :)
>
>
> > > probably in the disk drive. How disciplined would you be? So when a
> >
> > that's their problem, not ours.
>
> I think it's ours. The human factor is the biggest source of vulnerability
> in any system. If we can do anything to minimise the risk of human failure,
> we should do so. At least don't force users to need an external disk (I
> don't understand from the discussion if users will be forced to do this, or
> if it's an easy option).

"syskey file = /floppy/syskey2" - we can't stop them or inhibit admins from
doing this, or anything else. check perms = 0400 is good.

> Also I have bad feeling about SYSKEY2 for another reason. It is all about
> implementing yet another security scheme which will surely be incompatible
> with others in some way.

it's a local measure only (actually, local to a SAM, so therefore local to
PDCs+allBDCs for the domain).

> Also it will demand sysadms to learn and maintain
> yet another security measure. I feel so much better about generic methods,
> such as running everything over ssh or the like (don't know if that's at all
> possible or relevant here).

yes it is.

From GLeblanc at cu-portland.edu Mon Feb 7 23:11:24 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:22 2003
Subject: FW: VMware beta 2.0 and samba
Message-ID:

Well, looks like things are Kosher here. The VMware people sent this back to
me already, and it's only been a couple of hours. I only follow the
NT-DOMAIN list but perhaps if the issue arises again (on other lists) they
could refer to this message and save the VMware people from having to answer
the same question 200 times (everybody on the list should know how dry that
gets after a while).

Greg

> -----Original Message-----
> From: Edouard Bugnion [mailto:bugnion@vmware.com]
> Sent: Monday, February 07, 2000 1:56 PM
> To: Gregory Leblanc
> Cc: pr@vmware.com
> Subject: Re: VMware beta 2.0 and samba
>
>
>
> Gregory,
>
> Thanks for your request. pr@vmware.com is probably as good
> an alias as you
> will find in this case.
>
> Yes, we are shipping a version of samba with VMware.
> Although it is not
> available yet on our web site, we are going to have a
> technote page that
> describes the filesystem integration using samba, and
> includes a link to the
> source diffs. These source diffs are very small and we are
> hoping that the
> maintainer of samba and copyright owner, Andrew Tridgell,
> will incorporate
> them soon.
>
> This has been VMware's policy from the start to make the
> effort of getting
> our changes back into the main branches of any free software
> that we are
> using. For example, we have put in some substantial work
> (features and bug
> fixes) in Xfree86 which have been incorporated into 3.3.4
>
> Andrew is aware of the project and very supportive of it. I
> specifically
> asked him if he wanted a copyright banner displayed as part of the
> installation, but he declined. However, I believe that our
> installation
> script specifically mentions that we are using samba as a mechanism to
> achieve this form of filesystem integration.
>
> My hope is that our technote web page will answer all of your
> questions and
> eventual concerns. Do not hesitate to contact me if this is
> not the case,
> or would like an additional clarification.
>
> Regards,
> Ed Bugnion
> VMware 2.0 Engineering
>
>
>
>
> ----- Original Message -----
> From: Gregory Leblanc
> Newsgroups: pr
> Sent: Monday, February 07, 2000 10:55 AM
> Subject: VMware beta 2.0 and samba
>
>
> > I'm not sure where to send this, so it's going to PR. Bear
> with me, and
> > I'll explain. I just downloaded VMware beta 2.0 for linux,
> and noticed
> > that it ships with some binaries that look and act like samba, and
> > report a samba version number. My concern stems from the
> fact that I
> > don't see a copy of the GPL shipping along with my VMware
> RPM. I also
> > do not see any mention of where/how this version of Samba
> was obtained,
> > and whether or not any changes were made. If you could
> provide me with
> > some additional information, I would greatly appreciate it.
> > Gregory Leblanc
>

From thien at ac.housing.berkeley.edu Tue Feb 8 00:35:44 2000
From: thien at ac.housing.berkeley.edu (Thien Vu)
Date: Tue Dec 2 02:28:22 2003
Subject: Win98 Browsing Problems
Message-ID:

I'm having two browsing problems. They might be related, I'm not quite
sure. I recently migrated an NT server to Samba PDC, using version 2.0.6.
For the most part, everything works good. (Congrats Samba Team!)

The two problems I'm having are Win98 related.
1) A machine on the local subnet is having problems browsing the domain
although it is pointing to the Samba server as the WINS server. Samba is
configured to be a WINS server. Logging in works fine, but browsing the
domain takes a LONG time, the Win98 machine never spits out an error
message.

2) A machine on another subnet is trying to logon to the NT domain, but it
always spits back an error message "The domain password you supplied was
incorrect..." Both the PDC and 98 are using encrypted password and the
Win98 machine has the PDC as the WINS server (this is the same server as
above)

Thanks for any help!

Thien Vu

From godfrey at hattaway-associates.com Tue Feb 8 00:37:15 2000
From: godfrey at hattaway-associates.com (Godfrey Livingstone)
Date: Tue Dec 2 02:28:22 2003
Subject: HD sectors cylinders
Message-ID: <389F653B.1A2A9B10@hattaway-associates.com>

I run samba 2.06 on Redhat 6.1 with software raid 1 (mirrored) disks.

I want to install Folio Views 4.1 onto a Samba partition. Anyway the
security in folio asks for the sectors and cylinders when the database is
registered and then checks every time the database is opened. When we
register the database then 30 seconds later try to open it it reports that
the database is unregistered, this can happen if the file position has been
moved. I am not sure if it is a samba problem or a software raid issue but
knowing if samba reports the sectors/cylinders would be a useful start.

What I want to know is if samba reports the sector/cylinder if asked by a
win9x program and what does it report

Many thanks in advance

Godfrey Livingstone

From lkcl at samba.org Tue Feb 8 00:41:08 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: [samba-tng]
Message-ID:

ok, after fixing a few critical bugs, i think i'm starting to get back on
track.

one of them was the createuser rpcclient command, which typecast a
structure incorrectly, causing memory corruption. oops.

another was linking policy handles together with the correct user context.

in a couple of days i'll do another alpha tar ball, i have a few more
things to check.

luke

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From vgill at technologist.com Tue Feb 8 00:08:18 2000
From: vgill at technologist.com (Vern H. Gill)
Date: Tue Dec 2 02:28:22 2003
Subject: Errors compiling
Message-ID: <000101bf71c8$9a701da0$3405a8c0@gillnet.org>

When compiling TNG, CVS pulled at about 5:00 PM on Thur 3rd. I get the
following error(s)
This is RH 6.0 on a P75, if that helps.

Compiling rpc_client/msrpc_samr.c with libtool
rpc_client/msrpc_samr.c: In function `lookup_sam_names':
rpc_client/msrpc_samr.c:118: warning: passing arg 4 of
`samr_query_lookup_names' from incompatible pointer type

Compiling rpc_parse/parse_net.c with libtool
rpc_parse/parse_net.c: In function `make_dom_sid2s':
rpc_parse/parse_net.c:543: warning: assignment discards `const' from pointer
target type

Compiling rpc_parse/parse_creds.c with libtool
rpc_parse/parse_creds.c: In function `create_user_creds':
rpc_parse/parse_creds.c:600: warning: assignment discards `const' from
pointer target type

Compiling lib/util.c with libtool
lib/util.c: In function `nametouid':
lib/util.c:2082: warning: passing arg 1 of `Get_Pwnam' discards `const' from
pointer target type

Compiling lib/domain_namemap.c
lib/domain_namemap.c: In function `lookup_remote_ntname':
lib/domain_namemap.c:913: warning: assignment discards `const' from pointer
target type

Compiling groupdb/aliasunix.c with libtool
groupdb/aliasunix.c:317: warning: initialization from incompatible pointer
type
groupdb/aliasunix.c:318: warning: initialization from incompatible pointer
type

Compiling groupdb/builtinunix.c with libtool
groupdb/builtinunix.c:310: warning: initialization from incompatible pointer
type
groupdb/builtinunix.c:311: warning: initialization from incompatible pointer
type

Compiling lib/domain_namemap.c with libtool
lib/domain_namemap.c: In function `lookup_remote_ntname':
lib/domain_namemap.c:913: warning: assignment discards `const' from pointer
target type

Compiling smbd/chgpasswd.c
smbd/chgpasswd.c: In function `findpty':
smbd/chgpasswd.c:72: warning: assignment makes pointer from integer without
a cast

Compiling web/cgi.c
web/cgi.c: In function `cgi_handle_authorization':
web/cgi.c:364: warning: assignment discards `const' from pointer target type

From lkcl at samba.org Tue Feb 8 01:05:36 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:22 2003
Subject: Errors compiling
In-Reply-To: <000101bf71c8$9a701da0$3405a8c0@gillnet.org>
Message-ID:

they're warnings only. thx for your report.

On Tue, 8 Feb 2000, Vern H. Gill wrote:

> When compiling TNG, CVS pulled at about 5:00 PM on Thur 3rd. I get the
> following error(s)
> This is RH 6.0 on a P75, if that helps.
>
> Compiling rpc_client/msrpc_samr.c with libtool
> rpc_client/msrpc_samr.c: In function `lookup_sam_names':
> rpc_client/msrpc_samr.c:118: warning: passing arg 4 of
> `samr_query_lookup_names' from incompatible pointer type
>
> Compiling rpc_parse/parse_net.c with libtool
> rpc_parse/parse_net.c: In function `make_dom_sid2s':
> rpc_parse/parse_net.c:543: warning: assignment discards `const' from pointer
> target type
>
> Compiling rpc_parse/parse_creds.c with libtool
> rpc_parse/parse_creds.c: In function `create_user_creds':
> rpc_parse/parse_creds.c:600: warning: assignment discards `const' from
> pointer target type
>
> Compiling lib/util.c with libtool
> lib/util.c: In function `nametouid':
> lib/util.c:2082: warning: passing arg 1 of `Get_Pwnam' discards `const' from
> pointer target type
>
> Compiling lib/domain_namemap.c
> lib/domain_namemap.c: In function `lookup_remote_ntname':
> lib/domain_namemap.c:913: warning: assignment discards `const' from pointer
> target type
>
> Compiling groupdb/aliasunix.c with libtool
> groupdb/aliasunix.c:317: warning: initialization from incompatible pointer
> type
> groupdb/aliasunix.c:318: warning: initialization from incompatible pointer
> type
>
> Compiling groupdb/builtinunix.c with libtool
> groupdb/builtinunix.c:310: warning: initialization from incompatible pointer
> type
> groupdb/builtinunix.c:311: warning: initialization from incompatible pointer
> type
>
> Compiling lib/domain_namemap.c with libtool
> lib/domain_namemap.c: In function `lookup_remote_ntname':
> lib/domain_namemap.c:913: warning: assignment discards `const' from pointer
> target type
>
> Compiling smbd/chgpasswd.c
> smbd/chgpasswd.c: In function `findpty':
> smbd/chgpasswd.c:72: warning: assignment makes pointer from integer without
> a cast
>
> Compiling web/cgi.c
> web/cgi.c: In function `cgi_handle_authorization':
> web/cgi.c:364: warning: assignment discards `const' from pointer target type
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From abrock at georgefox.edu Mon Feb 7 23:03:32 2000
From: abrock at georgefox.edu (Anthony Brock)
Date: Tue Dec 2 02:28:22 2003
Subject: Win98 Browsing Problems
In-Reply-To:
Message-ID: <4.2.0.58.20000207170228.00999a70@localhost>

At 04:39 PM 2/7/00 -0800, thien@ac.housing.berkeley.edu wrote:
>I'm having two browsing problems. They might be related, I'm not quite
>sure. I recently migrated an NT server to Samba PDC, using version 2.0.6.
>For the most part, everything works good. (Congrats Samba Team!)
>
>The two problems I'm having are Win98 related.
>1) A machine on the local subnet is having problems browsing the domain
>although it is pointing to the Samba server as the WINS server. Samba is
>configured to be a WINS server. Logging in works fine, but browsing the
>domain takes a LONG time, the Win98 machine never spits out an error
>message.
>
>2) A machine on another subnet is trying to logon to the NT domain, but it
>always spits back an error message "The domain password you supplied was
>incorrect..." Both the PDC and 98 are using encrypted password and the
>Win98 machine has the PDC as the WINS server (this is the same server as
>above)
>
>Thanks for any help!
>
>Thien Vu

Please pass along any answers you receive, and this sounds strikingly
similar to my situation and problem.

Tony

******************************************************************************
* Anthony Brock abrock@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************

From sharpe at ns.aus.com Tue Feb 8 06:12:28 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:22 2003
Subject: Trying to do net time /set from logon script
Message-ID: <3.0.6.32.20000208161228.008ec4e0@203.16.214.248>

Hi,

I am trying to do net time \\server /set /yes from a logon script that runs
from an NT 4.0 WS machine that has joined a Samba 2.0.6 domain.

NTW complains that the user does not have a required privilege ...

Can this be fixed by adding domain the list of people who can set the local
time?

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From D.Bannon at latrobe.edu.au Tue Feb 8 05:38:41 2000
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:28:23 2003
Subject: Trying to do net time /set from logon script
In-Reply-To: <3.0.6.32.20000208161228.008ec4e0@203.16.214.248>
Message-ID: <3.0.6.32.20000208163841.008d1430@bioserve.latrobe.edu.au>

At 04:15 PM 08/02/2000 +1100, Richard Sharpe wrote:
>Hi,
>
>I am trying to do net time \\server /set /yes from a logon script that runs
>from an NT 4.0 WS machine that has joined a Samba 2.0.6 domain.
>
>NTW complains that the user does not have a required privilege ...
>

I used a small programme called 'grant' to grant everyone the required
privilege. To quote from the readme.txt file :

Please send comments to andreas.hansson@mbox303.swipnet.se
You can download GRANT.ZIP (15K) from
http://www.franzo.co.nz/hansson/grant.htm
Copyright Andreas Hansson 1997

I use it like this :
k:\util\grant add SeSystemtimePrivilege everyone

David

------------------------------------------------------------
David Bannon D.Bannon@latrobe.edu.au
School of Biochemistry Phone 61 03 9479 2197
La Trobe University, Plenty Rd, Fax 61 03 9479 2467
Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au
------------------------------------------------------------
..... Humpty Dumpty was pushed !

From andreak at xcon-data.no Tue Feb 8 07:16:42 2000
From: andreak at xcon-data.no (Andreas Krogh)
Date: Tue Dec 2 02:28:23 2003
Subject: SV: Trying to do net time /set from logon script
Message-ID: <257A420656DCD011BD3200A0C9495C5815C409@XCONSERVER>

> -----Original message-----
> From: David Bannon [mailto:D.Bannon@latrobe.edu.au]
> Sent: 8 February 2000 06:40
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Trying to do net time /set from logon script
>
>
> At 04:15 PM 08/02/2000 +1100, Richard Sharpe wrote:
> >Hi,
> >
> >I am trying to do net time \\server /set /yes from a logon
> script that runs
> >from an NT 4.0 WS machine that has joined a Samba 2.0.6 domain.
> >
> >NTW complains that the user does not have a required privilege ...
> >
> I used a small programme called 'grant' to grant everyone the required
> privilege. To quote from the readme.txt file :
>
> Please send comments to andreas.hansson@mbox303.swipnet.se
> You can download GRANT.ZIP (15K) from
> http://www.franzo.co.nz/hansson/grant.htm
> Copyright Andreas Hansson 1997
>
> I use it like this :
> k:\util\grant add SeSystemtimePrivilege everyone

I had this problem once and wasn't happy with the "give everyone
permissions" solution. I wanted the logon scripts to run as
root(Administrator), but that is (afaik) impossible. So I made a service for
NT which starts automatically at boot and sets the time from the given
samba-server(located in registry). If you are interested in it, mail me and
you'll get it(free with source of course - made with MSVC++ 6.0).

--
Andreas Joseph Krogh

From lkcl at samba.org Tue Feb 8 07:45:48 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:23 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002080732.XAA10068@silicon.su.valinux.com>
Message-ID:

On Mon, 7 Feb 100 jeremy@varesearch.com wrote:

> > sorry ppl, fed up with arguing and explaining this, my hands are now
> > constantly hurting. i'm creating a syskey2, it's going in the source
> > code, if you don't like it, jeremy, well, work it out for yourself as to
> > why it's needed.
>
> Luke, this is *not* going into the shipping source, for reasons I
> have already explained. This is why I don't like you running off
> in a branch.

neither do i.

> This is why your branches get abandoned.

yeah, it pisses me off.

> You have not demonstrated a need for this, you have not demonstrated
> how it improves security in *any* way. You are just adding this as
> NT does it. This is not a good enough reason.

ok. explain to me exactly what you think i am attempting to do. problem
to be solved, and proposed solution.

because i can guarantee to you that the problem you think i am attempting
to solve is not the one you think.

if i was just proposing a stupid microsoft-like syskey algorithm, you
think i'd actually bother??? me, who's been knee-deep in microsoft's
*abysmal* track record on the use of rc4.

let's see. places where microsoft messed up with rc4 that i can think of
in under 1 minute...

NetrSamSync
SamrSetUserInfo - info levels 0x23 and 0x24
SYSKEY

tick... tick... tick... damn, there's one more, i know it...

SamrChgUserPassword

... sure there's another.

anyway, you get the picture? i'm not about to bother with some stupid
algorithm if i didn't think it was necessary, yes?

From lkcl at samba.org Tue Feb 8 07:46:35 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:23 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002080738.XAA10430@silicon.su.valinux.com>
Message-ID:

On Mon, 7 Feb 100 jeremy@varesearch.com wrote:

> >
> > if this was only a matter of local-filesystem-based password storage, i
> > wouldn't bother, or i would be pushing the off-line storage of syskey
> > more.
> >
> > but it's not. think. ldap. sql. nis+. we can't trust them, and
> > they're all publicly accessible network protocols.
>
> IT IS NOT OUR JOB TO FIX THESE PROTOCOLS !!!!!!

well, why didn't you say so in the first place?

From truls.l.bergli at cc.uit.no Tue Feb 8 07:56:37 2000
From: truls.l.bergli at cc.uit.no (Truls L. Bergli)
Date: Tue Dec 2 02:28:23 2003
Subject: SV: Trying to do net time /set from logon script
References: <257A420656DCD011BD3200A0C9495C5815C409@XCONSERVER>
Message-ID: <389FCC35.527DEECC@cc.uit.no>

Hi !

I would rather use a service on the NT machines called NTP and a ntpd on
the samba machine.

http://www.eecis.udel.edu/~ntp/

Then the machines have correct time all the time.

Truls

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Truls L. Bergli # "The man who makes no mistakes #
# truls.l.bergli@cc.uit.no # does not usually make anything"#
# Tlf/Phn 7764 4124 # William Connor Magee # v2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From Christian.Duclou at eeigm.inpl-nancy.fr Tue Feb 8 10:45:41 2000
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou)
Date: Tue Dec 2 02:28:23 2003
Subject: NT Policy and groups
References: <389EDAC5.DACC102B@eeigm.inpl-nancy.fr> <389F459B.DAA7DF27@xavier.sa.edu.au>
Message-ID: <389FF3D5.CF427DCB@eeigm.inpl-nancy.fr>

Matthew Geddes wrote:

> Christian Duclou wrote:
>
> > Hello,
> >
> > How to use NT Policy with Samba 2.0.6 as PDC for NT 4.0
> > Workstations?
> >
> > The goal is to restrict locals resources access on the stations for
> > a group of users.
> >
> > Thanks,
> > Christian
> > --
> > _____________ EEIGM - Service Informatique _____________
> > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France
> > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36
> > _______________ http://eeigm.inpl-nancy.fr _____________
>
> I do it the same way I do on an NT server. Save NTConfig.POL on
> \\PDC\netlogon. You just need to make sure that administrators are the only
> people allowed to write to the share (everyone needs to read).
>
> Matt

Thanks for your answer,

My problem is that except "Domain admins", no group is visible in
"poledit" ...?

Christian
--
_____________ EEIGM - Service Informatique _____________
6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France
Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36
_______________ http://eeigm.inpl-nancy.fr _____________

From isyn at isi.wat.waw.pl Tue Feb 8 10:54:24 2000
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl)
Date: Tue Dec 2 02:28:23 2003
Subject: Samba and more then one interface and workgroup
In-Reply-To: <389EE9C4.EC0AA033@TU-Berlin.DE>
Message-ID:

Hello.

I'm using a Debian linux Samba Server. It has three interfaces:
*192.168.4.254
*192.168.3.254
*192.168.2.254
It's of course local net. So, there are four workgroups placed on different
interfaces, but they don't see each other. I have set options interfaces
properly. All workstation are using win95. Wins server is also set. SMB
server is master of its workgroup, if some computer is a member of it,
everything is alright, it is being seen by every one in the local net, but
there must more than one workgroup. What to do?

Thanks...
--
ROBERT MAGIER

From lucam at softeam.it Tue Feb 8 11:00:58 2000
From: lucam at softeam.it (Luca Micheletti)
Date: Tue Dec 2 02:28:23 2003
Subject: NT user transfer with samba
Message-ID: <3.0.3.32.20000208120058.00a2cae0@pop.softeam.it>

Hi,
is it possible transfer the users system accounts from WindowsNT to Linux by
Samba????

Thank You for the attention.

--Luca Micheletti.

From s.striker at striker.nl Tue Feb 8 12:40:52 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:23 2003
Subject: SYSKEY2. Request For Comments
In-Reply-To: <200002080732.XAA10068@silicon.su.valinux.com>
Message-ID:

>> sorry ppl, fed up with arguing and explaining this, my hands are now
>> constantly hurting. i'm creating a syskey2, it's going in the source
>> code, if you don't like it, jeremy, well, work it out for yourself as to
>> why it's needed.
>
>Luke, this is *not* going into the shipping source, for reasons I
>have already explained.

This may be, but are you also following the thread in samba-tech?
I don't think you two are on the same level of communication. :-)

>This is why I don't like you running off
>in a branch. This is why your branches get abandoned.

Hey, this is not very nice. Luke's branch is probably the most active
branch around and people are checking it out. Just look at the traffic
on ntdom. Anyhow, Luke's DC code is really necessary to make Samba a
mature product.

>You have not demonstrated a need for this, you have not demonstrated
>how it improves security in *any* way. You are just adding this as
>NT does it. This is not a good enough reason.

Granted, if this is what is happening. But, it is not. Just talk to Luke
and get arguing on the same subject.

>This will just make mine and Andrews job of extracting the *useful*
>code from your branch even more difficult. And it's already *too*
>difficult.

Maybe the other way around is easier done :-) :-)

>You have already implemented the UNIX daemon admin that was decided
>to be undesirable.

It would be undesirable if it would stay implemented this way. However
it is not. I volunteered to implement the svcctl code in a way that you
can use third party plugins, so samba's not to blame. This is btw
Andrew's suggestion when you check the postings.

>You have to stop doing these things and listen to others.

Sometimes, areas have to be explored to find something useful.
Sometimes though, exploration doesn't lead to anything.
That's life. The useful things that do come out of it though, are worth it.

>Then again, I think soon you'll *have* to do that :-) :-).

And then again, some good communication both ways couldn't hurt. :-)

>Jeremy.

Sander Striker

PS. Any thoughts on the release date of 3.0? Next quarter, or next year?

From eiben at busitec.de Tue Feb 8 11:01:18 2000
From: eiben at busitec.de (Henning Eiben)
Date: Tue Dec 2 02:28:23 2003
Subject: groups
In-Reply-To: <000e01bf70ed$00b93100$285595c2@stben.be>
Message-ID: <000001bf7223$d3893670$6800a8c0@busitec.de>

> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of
> Jean-Louis Noel
> Sent: Sunday, February 06, 2000 10:57 PM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: groups
>
>
> Michael Glauche wrote :
>
> > there is also "domain groups" , but it has no documentation ...
>
> More infos?
>
> [2000/02/06 22:41:00, 1] rpc_server/srv_util.c:make_dom_gids(141)
> make_dom_gids: unknown well-known alias RID eleves/7
> [2000/02/06 22:45:49, 1] rpc_server/srv_util.c:make_dom_gids(141)
> make_dom_gids: unknown well-known alias RID @eleves/7

Well, that doesn't help *me* much ... how do I have to setup my 2.0.6 to
support domain groups?

--
Henning Eiben eiben@busitec.de
busitec GmbH business information technology
http://www.busitec.de

From simo.sorce at polimi.it Tue Feb 8 14:00:09 2000
From: simo.sorce at polimi.it (Simo Sorce)
Date: Tue Dec 2 02:28:23 2003
Subject: Samba users to NT
Message-ID: <38A02169.B9F50BF1@polimi.it>

Is it possible to push winnt accounts to a WinNT PDC by a samba server?
I'm using samba 2.0.6 and the smbpasswd -a option is referenced to work only
on local sam.

--
Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce@polimi.it
Tel.int: 02 2399 5834 - Fax.int. 02 2399 5833
-----------------------------------------------------------------
Be happy, use Linux!

From s.striker at striker.nl Tue Feb 8 14:48:52 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:23 2003
Subject: FW: SYSKEY2. Request For Comments
Message-ID:

>>> This is why I don't like you running off
>>> in a branch. This is why your branches get abandoned.
>>
>> Hey, this is not very nice. Luke's branch is probably the most active
>> branch around and people are checking it out. Just look at the traffic
>> on ntdom. Anyhow, Luke's DC code is really necessary to make Samba a
>> mature product.
>
>Jeremy's not disagreeing with that. We all want to get the NT Domain
>stuff finished.

I'm not trying to flame Jeremy or anything. Everyone wants the NT Domain
code in, exactly. But I also want it to be a little secure, _also_ in
combination with other protocols.

>Do you remember the BRANCH_NTDOM code from '97 - '98?

No, sorry, I wasn't anywhere near Samba back then. What happened to
it? (I'm hoping that you don't reply with: 'it went into design deadlock'
:-))

Greetings,

Sander Striker

From kevinc at grainsystems.com Tue Feb 8 15:02:18 2000
From: kevinc at grainsystems.com (Kevin Colby)
Date: Tue Dec 2 02:28:23 2003
Subject: SYSKEY2. Request For Comments
References: <200002080738.XAA10430@silicon.su.valinux.com>
Message-ID: <38A02FFA.E8F7C3BD@grainsystems.com>

Given the enormous controversy over this, it seems like it could
certainly wait until a future release (if then). That gets good DC code
out faster. It gives time for these other protocols to improve, and when
the time comes to reevaluate SYSKEY2, it may be clearer what to do.

- Kevin Colby
kevinc@grainsystems.com

From cartegw at Eng.Auburn.EDU Tue Feb 8 15:05:05 2000
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:28:23 2003
Subject: FW: SYSKEY2. Request For Comments
In-Reply-To:
Message-ID:

On Wed, 9 Feb 2000, Sander Striker wrote:

> >Do you remember the BRANCH_NTDOM code from '97 - '98?
>
> No, sorry, I wasn't anywhere near Samba back then. What happened to
> it? (I'm hoping that you don't reply with: 'it went into design deadlock'
> :-))
>

It is dead because the merge between that and the head branch was too
horrible. That's what Jeremy is afraid will happen here.

jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From timothy_d_cole at md.northgrum.com Tue Feb 8 15:11:21 2000
From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.)
Date: Tue Dec 2 02:28:23 2003
Subject: SYSKEY2. Request For Comments
Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB5631FB@xcgmd008.md.essd.northgrum.com>

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org]
> Sent: Friday, February 04, 2000 15:40
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: SYSKEY2. Request For Comments
>
> phil, this isn't about root being trusted or untrusted. it's about making
> sure that only root can decode a password stored in a location in a
> publicly accessible file.
>

From a mathematical standpoint, you can't guarantee that. The real
solution is not to put the password in a publicly accessible file.

From skvidal at phy.duke.edu Tue Feb 8 15:15:01 2000
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:23 2003 Subject: rpcclient from tng Message-ID: hi folks, I know this is a more mundane question than the current controversy but... I downloaded and built tng (well rpcclient out of tng at least) and I've connected into an NT machine to registry edits. the situation: HKLM\SOFTWARE\COMPANYNAME\SOFTWARENAME\LICENSEKEY\ the only (default) key under this tree is a string type licensekey. How do I set the value for the default entry? As well when I do a regenum It never lists the current value. the errors I see: [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey" regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey" vuid_init_db: failed Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey Key Values ---------- REG_ENUM_VALUE: [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber" regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\SerialNumber" vuid_init_db: failed Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber Key Values ---------- : string: 5895 so you see the next key does have values but the licensekey doesn't. I've checked the machine and there is an entry. what does vuid_init_db: failed mean? thanks -sv From kellermg at potsdam.edu Tue Feb 8 15:37:14 2000 
From: kellermg at potsdam.edu (Matthew Keller) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments References: <200002080738.XAA10430@silicon.su.valinux.com> Message-ID: <38A0382A.1C6F1FB0@potsdam.edu> jeremy@varesearch.com wrote: > IT IS NOT OUR JOB TO FIX THESE PROTOCOLS !!!!!! Not to start a flame war, but isn't Samba all about "fixing" NT? Making it better and open? I agree that I think energies are better focused elsewhere (at the much-anticipated, much-requested, much-needed PDC code, IMHO), but I think that "fixing" things is good, and a part of what this project is about. Again, I don't pretend to know/understand/care about the politics involved with code branches and official releases and the like, but I think this attitude is a Bad Thing (tm). Perhaps you should direct such negativity directly towards the target, instead of at the list in the future, as I'm sure I'm not the only one who applauds the work Luke does for NOT-political reasons. -- - Matthew Keller - Lead Programmer/Analyst Distributed Computing and Telemedia State University of New York at Potsdam Web: http://mattwork.potsdam.edu/ PGP: http://mattwork.potsdam.edu/crypto/ From greg at discreet.com Tue Feb 8 15:45:44 2000 
From: greg at discreet.com (Greg Dickie) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <38A0382A.1C6F1FB0@potsdam.edu> Message-ID: Let me just stick in my 2 cents please. I have no idea whether SYSKEY is a good thing in samba or not but in general I find the work that Luke is doing to be pretty good stuff. The DC code, the rpcclient code, the DSO break -up, it's all excellent. Note that I'm NOT saying what all the other guys are doing is not great but from my point-of-view at the moment, the TNG branch has the most activity and the most new features. If he wants to go off on a tangent and play with SYSKEY then "why not". again just my $0.02, Greg On 08-Feb-00 Matthew Keller wrote: > jeremy@varesearch.com wrote: >> IT IS NOT OUR JOB TO FIX THESE PROTOCOLS !!!!!! > > Not to start a flame war, but isn't Samba all about "fixing" NT? Making > it better and open? I agree that I think energies are better focused > elsewhere (at the much-anticipated, much-requested, much-needed PDC > code, IMHO), but I think that "fixing" things is good, and a part of > what this project is about. > Again, I don't pretend to know/understand/care about the politics > involved with code branches and official releases and the like, but I > think this attitude is a Bad Thing (tm). Perhaps you should direct such > negativity directly towards the target, instead of at the list in the > future, as I'm sure I'm not the only one who applauds the work Luke does > for NOT-political reasons. > > -- > > - Matthew Keller - > Lead Programmer/Analyst > Distributed Computing and Telemedia > State University of New York at Potsdam > > Web: http://mattwork.potsdam.edu/ > PGP: http://mattwork.potsdam.edu/crypto/ --------------------------------------------------------------------- Greg Dickie Just A Guy greg@discreet.com From s.striker at striker.nl Tue Feb 8 15:51:33 2000 
From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <38A0382A.1C6F1FB0@potsdam.edu> Message-ID: >jeremy@varesearch.com wrote: >> IT IS NOT OUR JOB TO FIX THESE PROTOCOLS !!!!!! > > Not to start a flame war, but isn't Samba all about >"fixing" NT? Making >it better and open? I agree that I think energies are better focused >elsewhere (at the much-anticipated, much-requested, much-needed PDC >code, IMHO), but I think that "fixing" things is good, and a part of >what this project is about. > Again, I don't pretend to know/understand/care about the politics >involved with code branches and official releases and the like, but I >think this attitude is a Bad Thing (tm). Perhaps you should direct such >negativity directly towards the target, instead of at the list in the >future, as I'm sure I'm not the only one who applauds the work Luke does >for NOT-political reasons. I can say I totally agree with you. Sander Striker From jln-p at stben.be Tue Feb 8 15:48:02 2000 From: jln-p at stben.be (Jean-Louis Noel) Date: Tue Dec 2 02:28:23 2003 Subject: groups References: <000001bf7223$d3893670$6800a8c0@busitec.de> Message-ID: <000f01bf724b$e3afdbd0$285595c2@stben.be> Hello Henning, Henning Eiben wrote : > Well, that doesn't help *me* much ... how do I have to setup my 2.0.6 to > support domain groups? I don't know, it is what I test. On the other hand "domain groups" accepts: Administrators, Users, Guests, Power Users, Account Operators, System Operators, Print Operators, Backup Operators and Replicator. With an attribute in the form of unsigned 32 bits integer. Like : "domain groups Administrators/12345" Bye, Jean-Louis From snail_talk at yahoo.com Tue Feb 8 16:04:29 2000 
From: snail_talk at yahoo.com (geoffrey lee) Date: Tue Dec 2 02:28:23 2003 Subject: FW: SYSKEY2. Request For Comments In-Reply-To: Message-ID: <000001bf724e$2e42f9a0$0200000a@workstation1> hi, but what will be exactly the use of this new feature? i think that luke has yet to explain that to everyone. right now, all i have seen is arguments as to whether it should be implemented or not, but not _why_ it should be there, well, no solid reasons anyway. > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Gerald W. Carter > Sent: Tuesday, February 08, 2000 11:10 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: FW: SYSKEY2. Request For Comments > > > On Wed, 9 Feb 2000, Sander Striker wrote: > > > >Do you remember the BRANCH_NTDOM code from '97 - '98? > > > > No, sorry, I wasn't anywhere near Samba back then. What happened to > > it? (I'm hoping that you don't reply with: 'it went into design > deadlock' > > :-)) > > > > It is dead because the merge between that and the head branch was too > horrible. That's what Jeremy is afraid will happen here. > > > > > > jerry > ________________________________________________________________________ > Gerald ( Jerry ) Carter > Engineering Network Services Auburn University > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > "...a hundred billion castaways looking for a home." > - Sting "Message in a Bottle" ( 1979 ) > From mjwestkamper at weiinc.com Tue Feb 8 15:58:59 2000 
From: mjwestkamper at weiinc.com (Mike Westkamper) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY & Etc Message-ID: <38A03D42.7BAAD971@weiinc.com> From an interested observer... This project is good. Innovation is good. Personal commitment is good. And a lot of folks, that includes companies, universities and individuals, benefit from the efforts of those dedicated to this project. That is good. The only people who might criticize the work here must have another agenda. Who is most likely to find the efforts here not in their best interest? Hmmmmm.... Hey guys, go off on your tangents! You must shuck a lot of oysters to find a pearl. Mike From mhw at wittsend.com Tue Feb 8 16:16:14 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <38A0382A.1C6F1FB0@potsdam.edu>; from kellermg@potsdam.edu on Wed, Feb 09, 2000 at 02:31:45AM +1100 References: <200002080738.XAA10430@silicon.su.valinux.com> <38A0382A.1C6F1FB0@potsdam.edu> Message-ID: <20000208111614.B14081@alcove.wittsend.com> On Wed, Feb 09, 2000 at 02:31:45AM +1100, Matthew Keller wrote: > jeremy@varesearch.com wrote: > > IT IS NOT OUR JOB TO FIX THESE PROTOCOLS !!!!!! > Not to start a flame war, but isn't Samba all about "fixing" NT? Making > it better and open? I agree that I think energies are better focused > elsewhere (at the much-anticipated, much-requested, much-needed PDC > code, IMHO), but I think that "fixing" things is good, and a part of > what this project is about. Actually... No... These are different issues. Jeremy's remark was that it's not our job to fix these protocols. That is absolutely correct. But that is NOT the same thing as "fixing NT", which is also not our job, either. There are three issues here. Windows systems (clients, servers, NT, and other) The protocols (SMB, Netbios, CIFS) Non-windows systems (clients and servers) [us] Our goals are to provide a superior server and a more open server on Unix. That is NOT fixing NT. It's replacing it. We're not making NT better, we're giving the end user something better. We're not making NT more open (outside of forcing MS to open up more) we're providing a more open alternative. We don't want to fix NT, we want to make it irrelevant. If we are to interoperate with existing Windows systems (our goal) WE inherently can not "fix" the protocols. We have to USE the protocols. In some cases, we have to be bug-for-bug, hole-for-hole, compatible over these protocols. If we DON'T then we don't interoperate with the other Windows systems out there. Then, we are the ones who are broken. 
Not the Windows systems and not the protocols (much as it may feel good to take the "moral high ground" and say they're busted) we are broken simply because we failed in our goal. We are trying to develop and provide a server on non-Windows systems which is superior to the Windows equivalent. We can't do that by breaking existing interoperability. That means we can't "fix" what we perceive to be broken protocols. We largely play the hand that is dealt us in the protocol arena. We may barely get away with a few minor enhancements to the protocols, if we are real careful, but that's not our main goal, either. Our main goal is not to do anything with the Windows systems other than interoperate with them. We aren't changing Windows NT at all. We aren't changing Windows 95/98 at all. Ok... Maybe we are changing them by uncovering bugs that Microsoft then has to go fix. But we aren't the ones doing the fixing. This may sound like a lot of semantics, but the difference is crucial. > Again, I don't pretend to know/understand/care about the politics > involved with code branches and official releases and the like, but I > think this attitude is a Bad Thing (tm). Perhaps you should direct such > negativity directly towards the target, instead of at the list in the > future, as I'm sure I'm not the only one who applauds the work Luke does > for NOT-political reasons. > -- > - Matthew Keller - > Lead Programmer/Analyst > Distributed Computing and Telemedia > State University of New York at Potsdam > Web: http://mattwork.potsdam.edu/ > PGP: http://mattwork.potsdam.edu/crypto/ Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From kellermg at potsdam.edu Tue Feb 8 16:30:19 2000 
From: kellermg at potsdam.edu (Matthew Keller) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments References: <200002080738.XAA10430@silicon.su.valinux.com> <38A0382A.1C6F1FB0@potsdam.edu> <20000208111614.B14081@alcove.wittsend.com> Message-ID: <38A0449B.76BF1F1D@potsdam.edu> "Michael H. Warfield" wrote: > Our main goal is not to do anything with the Windows systems other > than interoperate with them. We aren't changing Windows NT at all. We > aren't changing Windows 95/98 at all. Ok... Maybe we are changing them > by uncovering bugs that Microsoft then has to go fix. But we aren't the > ones doing the fixing. > > This may sound like a lot of semantics, but the difference is > crucial. Depends on your interpretation of "fixing NT". No, SAMBA project does not fix Windows NT- But it offers an enhanced competitor- A competitor that is more stable, more reliable, more scalable, and more configurable than NT. IMHO these are "fixes". :) -- - Matthew Keller - Lead Programmer/Analyst Distributed Computing and Telemedia State University of New York at Potsdam Web: http://mattwork.potsdam.edu/ PGP: http://mattwork.potsdam.edu/crypto/ From lkcl at samba.org Tue Feb 8 16:28:37 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:23 2003 Subject: NT user transfer with samba In-Reply-To: <3.0.3.32.20000208120058.00a2cae0@pop.softeam.it> Message-ID: yes. use rpcclient's samsync command. or use microsoft's equivalent to pwdump, it's with the NT server resource kit - i.e you already have it on the c.d. use a script to generate a private/smbpasswd file. On Tue, 8 Feb 2000, Luca Micheletti wrote: > Hi, > > is it possible transfer the users system accounts from WindowsNT to Linux > > by Samba???? > > Thank You for the attention. > > --Luca Micheletti. > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Tue Feb 8 16:41:06 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: @begin defensive-mode just a friendly "warning shot across the bows" - noone's allowed to flame jeremy. thx ppl, i hope you understand. sensible comments only, please @end defensive-mode On Tue, 8 Feb 2000, Sander Striker wrote: > >> sorry ppl, fed up with arguing and explaining this, my hands are now > >> constantly hurting. i'm creating a syskey2, it's going in the source > >> code, if you don't like it, jeremy, well, work it out for yourself as to > >> why it's needed. > > > >Luke, this is *not* going into the shipping source, for reasons I > >have already explained. > > This may be, but are you also following the thread in samba-tech? I don't > think you two are on the same level of communication. :-) jeremy's busy. i'm vocal, verbose, and not prone to summarising. > >This is why I don't like you running off > >in a branch. This is why your branches get abandoned. > > Hey, this is not very nice. it's ok, jeremy works on the main smb system code, almost exclusively, and really hard. he doesn't have time to catch up on two years worth of development of the nt domain stuff, despite wanting to stay current with it. > Luke's branch is probably the most active the branch i work in is _always_ the most active. > >This will just make mine and Andrews job of extracting the *useful* > >code from your branch even more difficult. And it's already *too* > >difficult. > > Maybe the other way around is easier done :-) :-) i know that, except it's going to have to be done piecemeal. From lkcl at samba.org Tue Feb 8 16:52:02 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:23 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <51FBD4A8EFD9D111BA7300A0C927DADB5631FB@xcgmd008.md.essd.northgrum.com> Message-ID: On Tue, 8 Feb 2000, Cole, Timothy D. wrote: > > -----Original Message----- 
> > From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > > Sent: Friday, February 04, 2000 15:40 > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Re: SYSKEY2. Request For Comments > > > > phil, this isn't about root being trusted or untrusted. it's about making > > sure that only root can decode a password stored in a location in a > > publicly accessible file. > > > From a mathematical standpoint, you can't guarantee that. The real > solution is not to put the password in a publicly accessible file. for ldap, mysql, nis+ and other future systems, that's not possible, tim, unless the remote protocol supports the concept of "public" and "not-public" and "secure" and "in-the-clear" over-the-wire. which none of them do, and we're _still_ going to be using them. From lkcl at samba.org Tue Feb 8 16:53:36 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:23 2003 Subject: rpcclient from tng In-Reply-To: Message-ID: oops, it may be too long (large) for the current regenum code. does anyone with some MSDN / Reg* experience want to take a look at the code and try and fix this? the api is pretty much identical except it will be reg_enum_values not RegEnumValues etc :) On Wed, 9 Feb 2000, Seth Vidal wrote: > hi folks, > I know this is a more mundane question than the current controversy > but... > > I downloaded and built tng (well rpcclient out of tng at least) and I've > connected into an NT machine to registry edits. > the situation: > > HKLM\SOFTWARE\COMPANYNAME\SOFTWARENAME\LICENSEKEY\ > > the only (default) key under this tree is a string type licensekey. > > How do I set the value for the default entry? > As well when I do a regenum It never lists the current value. > the errors I see: > [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO > Scientific\DataStudio\LicenseKey" > regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey" > vuid_init_db: failed > Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey > Key Values > ---------- > REG_ENUM_VALUE: > > [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber" > regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\SerialNumber" > vuid_init_db: failed > Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber > Key Values > ---------- > : string: 5895 > > > so you see the next key does have values but the licensekey doesn't. > > I've checked the machine and there is an entry. > > what does vuid_init_db: failed mean? > > thanks > -sv > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. 
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lclaudio at conectiva.com.br Tue Feb 8 17:01:37 2000 From: lclaudio at conectiva.com.br (Luis Claudio R. Goncalves) Date: Tue Dec 2 02:28:23 2003 Subject: Preallocated file size... Message-ID: Hi! Following this message there's a little patch that "corrects" a weird behavior (or feature) of reply.c - at least in Linux and Solaris boxes. If you're writing a file in the disk and you reach the quota roof, the file will be truncated and zero filled 'till its nominal size - it isn't a Samba problem, it's a filesystem feature. This simple and ugly patch corrects the truncated file size every time the above scene happens to any user. This patch was released last year and it works fine on 1.9.19 and 2.x. I haven't tested it against TNG... Hope this helps. Luis Claudio [ Luis Claudio R. Goncalves lclaudio@conectiva.com.br ] [ BSc in Computer Science -- MSc coming soon -- Gospel User -- Linuxer ] [ Fault Tolerance - Real-Time - Distributed Systems - IECLB - IS 40:31 ] [ LateNite Programmer -- Jesus Is The Solid Rock On Which I Stand -- ] # -----------------cut here-------------------- --- source/smbd/reply.c.orig Thu Feb 25 16:22:59 1999 +++ source/smbd/reply.c Thu Feb 25 16:24:56 1999 
@@ -2399,14 +2399,21 @@ if (lp_syncalways(SNUM(conn))) sync_file(conn,fsp); - if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) + if(((nwritten == 0) && (numtowrite != 0))||(nwritten < 0)) { + nwritten = set_filelen(fsp->fd_ptr->fd, (SMB_OFF_T)startpos); + DEBUG(0,("REPLY.C: File [%s] truncated to %d bytes\n", + fsp->fsp_name, (SMB_OFF_T)startpos)); return(UNIXERROR(ERRDOS,ERRnoaccess)); + } outsize = set_message(outbuf,1,0,True); SSVAL(outbuf,smb_vwv0,nwritten); if (nwritten < (ssize_t)numtowrite) { + nwritten = set_filelen(fsp->fd_ptr->fd, (SMB_OFF_T)startpos + nwritten); + DEBUG(0,("REPLY.C: File [%s] truncated to %d bytes\n", + fsp->fsp_name, (SMB_OFF_T)startpos)); CVAL(outbuf,smb_rcls) = ERRHRD; SSVAL(outbuf,smb_err,ERRdiskfull); } From skvidal at phy.duke.edu Tue Feb 8 17:13:12 2000 From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:24 2003 Subject: rpcclient from tng In-Reply-To: Message-ID: > oops, it may be too long (large) for the current regenum code. does > anyone with some MSDN / Reg* experience want to take a look at the code > and try and fix this? the api is pretty much identical except it will be > reg_enum_values not RegEnumValues etc :) if anyone needs someone to test this I'll be GLAD TO! thanks -sv From lkcl at samba.org Tue Feb 8 17:13:40 2000 
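Review bot: In both added branches of the reply.c patch above, the return value of set_filelen() is assigned to nwritten and never checked, so a failed truncation goes unnoticed; in the first branch nwritten is not used again before the return, and in the second it is overwritten only after SSVAL(outbuf,smb_vwv0,nwritten) has already placed the byte count in the reply. A separate result variable with an explicit check would make the intent clear. The second DEBUG call prints (SMB_OFF_T)startpos although the file length is set to startpos + nwritten, so the logged size is wrong for a partial write, and passing an SMB_OFF_T to %d is a format mismatch wherever that type is wider than int. Logging at DEBUG level 0 each time a user reaches quota also lets any such user grow the log at will; a higher debug level would suit this message better.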
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <200002081655.IAA14226@silicon.su.valinux.com> Message-ID: from what jeremy explained yesterday, he doesn't see it as our job to fix broken network protocols that don't support secure transfer of passwords , or either presumably, an administrator's inability to use or set up such secure transfers. well, i don't trust administrators to do a decent job (read the README on security, or go to a security talk), so i'd _like_ to add a mechanism that will make me not wince when i see this kind of message: hi, my name is joe, and i'm setting up samba with ldap. i just wanted to check that my schema is right. please could you review it for me, thank you: accountName: administrator smbPassword: 01fc5a6be7bc6929aad3b4351404ee etc... From george at biomed.abdn.ac.uk Tue Feb 8 17:15:44 2000 
From: george at biomed.abdn.ac.uk (George Cameron) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments Message-ID: <200002081715.RAA25034@hebe.biomed.abdn.ac.uk> > Let me just stick in my 2 cents please. I have no idea whether SYSKEY is a good > thing in samba or not but in general I find the work that Luke is doing to be > pretty good stuff. The DC code, the rpcclient code, the DSO break -up, it's all > excellent. Note that I'm NOT saying what all the other guys are doing is not > great but from my point-of-view at the moment, the TNG branch has the most > activity and the most new features. If he wants to go off on a tangent and play > with SYSKEY then "why not". No, I don't agree with that. Samba is fully professional software in most people's estimation. It takes a lot of work to attain and retain that quality. Samba is also cutting edge, ground-breaking software - the evolving PDC capabilities are very impressive and much-needed. Its fast evolution and new capabilities are very desirable in such a fast-changing and competitive arena as computing. But these two aspects (quality, capability), while both essential, can sometimes compete. AND Samba is a shared, distributed project, which is in itself a task and a half to administer. So the "why not" is that it is essential to prevent Samba from fragmenting. A code branch can be a good idea, but it needs a backwards glance on a regular basis to consider how easy it is going to be to re-integrate new developments into the main code - just as important as getting the next piece of protocol working. So I have sympathies with both sides - Luke's work is to be highly commended and keeps Samba at the forefront, but Jeremy and Andrew's striving for quality and maintainability mean that their angle is also valid. 
So my (humble) suggestion would be that it might be worth detuning the 'performance engine' by a couple of percentage points (98% of your current speed is still pretty damn good) and if you really do re-deploy that effort into dialogue with the main branch folks on exactly how and when to incorporate the new developments into the mainstream, that should help to keep them happier AND is probably the fastest way of getting the 'new generation' out into the field, which should keep both the hungry users (and yourself) happy! For a case like this, I think you need something like the RFC, but when it (unexpectedly I guess) turned up so much controversy, I would re-submit it couched in different terms: 1. what I believe the problem to be 2. where it manifests itself 3. what I think Samba's role should be in addressing it 4. list of possible options for solution 5. my preferred option and why Then discuss for a bit (amongst the Samba team probably rather than the wider discussion list) to try to obtain consensus - even having a counted vote if you find that people are not in agreement. And then *stick by the consensus*. Only in the most exceptional circumstances should somebody branch out against the group, and then only on the basis of making it a temporary fully private development, and being able to demonstrate something and win the others around once you can demonstrate that it really does have its merits. In this case I guess it's a policy issue rather than a performance one, so it should really be decided in advance. OK, I'm only an interested observer, and perhaps sticking my neck out a bit, but this was my reaction to the recent discussion - my .02's worth also I suppose. --------------------------------------------------------------------- George Cameron g.cameron@biomed.abdn.ac.uk Dept. 
BioMedical Physics Aberdeen University Foresterhill Fax: +44 (0)1224-685645 Aberdeen AB25 2ZD Telephone: +44 (0)1224-553210 Scotland, UK From skvidal at phy.duke.edu Tue Feb 8 17:17:50 2000 From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <200002081705.JAA14878@silicon.su.valinux.com> Message-ID: > You are correct though, that I'm trying to keep current on > SAMBA_TNG and with the rate of change it's very hard > at the moment. I hope that to get easier soon(hint hint :-) :-). For whatever reason I think you're trying to hint at maybe a code freeze of some type. If this is the case I'd love to see it. Keeping up with the CVS is not very easy for me right now. The NFS-Linux CVS went through this same problem then a couple of people bitched and it settled down. Do you think the updates could be settled down and a new release could be put out sometime soon? -sv From lkcl at samba.org Tue Feb 8 17:19:42 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: FW: SYSKEY2. Request For Comments In-Reply-To: <000001bf724e$2e42f9a0$0200000a@workstation1> Message-ID: On Wed, 9 Feb 2000, geoffrey lee wrote: > hi, > > but what will be exactly the use of this new feature? i think that luke has > yet to explain that to everyone. :) sorry. > right now, all i have seen is arguments as to whether it should be > implemented or not, but not _why_ it should be there, well, no solid reasons > anyway. ok, let me try again. ldap, mysql, nis+ all don't store passwords encrypted or access-protected by default, and some of these remote database-like systems don't _have_ password encryption. in this case, i'd still like samba admins to be able to use these protocols, without even having to KNOW that their passwords are protected over-the-wire. i.e if they didn't read the damn documentation, they still don't get screwed over, and we don't end up with a report on bugtraq. > > > > -----Original Message----- 
> > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > > Gerald W. Carter > > Sent: Tuesday, February 08, 2000 11:10 PM > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Re: FW: SYSKEY2. Request For Comments > > > > > > On Wed, 9 Feb 2000, Sander Striker wrote: > > > > > >Do you remember the BRANCH_NTDOM code from '97 - '98? > > > > > > No, sorry, I wasn't anywhere near Samba back then. What happened to > > > it? (I'm hoping that you don't reply with: 'it went into design > > deadlock' > > > :-)) > > > > > > > It is dead because the merge between that and the head branch was too > > horrible. That's what Jeremy is afraid will happen here. > > > > > > > > > > > > jerry > > ________________________________________________________________________ > > Gerald ( Jerry ) Carter > > Engineering Network Services Auburn University > > jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw > > > > "...a hundred billion castaways looking for a home." > > - Sting "Message in a Bottle" ( 1979 ) > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Tue Feb 8 17:28:50 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: > The NFS-Linux CVS went through this same problem then a couple of people > bitched and it settled down. Do you think the updates could be settled > down and a new release could be put out sometime soon? YES PLEASE! From Jean-Francois.Micouleau at dalalu.fr Tue Feb 8 17:35:46 2000 
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: On Wed, 9 Feb 2000, Seth Vidal wrote: > > You are correct though, that I'm trying to keep current on > > SAMBA_TNG and with the rate of change it's very hard > > at the moment. I hope that to get easier soon(hint hint :-) :-). > > For whatever reason I think you're trying to hint at maybe a code freeze > of some type. If this is the case I'd love to see it. Keeping up with the > CVS is not very easy for me right now. YES ! YES ! YES ! A code freeze of the TNG branch !!! So we can do partial patches to integrate the good stuff in the HEAD branch. I think I'm dreaming :-) J.F. From Alan.Hourihane at pinacl.co.uk Tue Feb 8 17:46:57 2000 From: Alan.Hourihane at pinacl.co.uk (Alan Hourihane) Date: Tue Dec 2 02:28:24 2003 Subject: it's 6 levels ? In-Reply-To: Message-ID: <006d01bf725c$7e5c7750$1ad120c1@pinacl.co.uk> Keep getting this in Samba TNG authorise_login: TODO. split function, it's 6 levels! and I've got the include file = ...%L with 3 different machine configs which don't seem to be picked up. Only the primary NetBIOS name and no Aliases. Alan. From mhw at wittsend.com Tue Feb 8 17:39:10 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <38A0449B.76BF1F1D@potsdam.edu>; from kellermg@potsdam.edu on Wed, Feb 09, 2000 at 03:24:52AM +1100 References: <200002080738.XAA10430@silicon.su.valinux.com> <38A0382A.1C6F1FB0@potsdam.edu> <20000208111614.B14081@alcove.wittsend.com> <38A0449B.76BF1F1D@potsdam.edu> Message-ID: <20000208123910.A23774@alcove.wittsend.com> On Wed, Feb 09, 2000 at 03:24:52AM +1100, Matthew Keller wrote: > "Michael H. Warfield" wrote: > > Our main goal is not to do anything with the Windows systems other > > than interoperate with them. We aren't changing Windows NT at all. We > > aren't changing Windows 95/98 at all. Ok... Maybe we are changing them > > by uncovering bugs that Microsoft then has to go fix. But we aren't the > > ones doing the fixing. > > > > This may sound like a lot of semantics, but the difference is > > crucial. > Depends on your interpretation of "fixing NT". No, SAMBA project does > not fix Windows NT- But it offers an enhanced competitor- A competitor > that is more stable, more reliable, more scalable, and more configurable > than NT. IMHO these are "fixes". :) No offense, but that interpretation sounds like you would call purchasing a Porsche to be a fix for a Ford. I won't disagree with your view, it's just that your choice of terminology is non-obvious and confusing. > -- > - Matthew Keller - > Lead Programmer/Analyst > Distributed Computing and Telemedia > State University of New York at Potsdam > Web: http://mattwork.potsdam.edu/ > PGP: http://mattwork.potsdam.edu/crypto/ Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From skvidal at phy.duke.edu Tue Feb 8 17:42:05 2000 
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: > > The NFS-Linux CVS went through this same problem then a couple of people > > bitched and it settled down. Do you think the updates could be settled > > down and a new release could be put out sometime soon? > > YES PLEASE! ok upon this request I am semi-officially bitching and requesting a code freeze. :) -sv From ldoan at knowledgeplanet.com Tue Feb 8 17:46:44 2000 From: ldoan at knowledgeplanet.com (Long Doan) Date: Tue Dec 2 02:28:24 2003 Subject: Mergings References: Message-ID: <002101bf725c$76ebb620$1502140a@mindq.com> Dear All, I have been reading all these messages about merges, so I figure I'd put my own .02 in... First off, I have no experiences running merges under CVS, so my comments might be completely invalid. In that case, simply ignore them. I have, however, done quite a few branch/merges under other source control systems such as Perforce and ClearCase. In my experience, it makes the merges a lot easier if the development branch is keep up-to-date with the main branch. The intention is, after all, to merge the development branch back. So, instead of doing a whole-sale merge from samba_tng into samba, it might be easier to periodically merge samba into samba_tng to keep _tng somewhat in line with the main line. Then samba_tng can be merged back to the main line without much hassles when it is appropriate. Just my 0.02. Long. Long Doan Senior Software Engineer KnowledgePlanet.com 703-262-6610 ldoan@knowledgeplanet.com From timothy_d_cole at md.northgrum.com Tue Feb 8 17:48:13 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:24 2003 Subject: one of those horrible realisations Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB5631FD@xcgmd008.md.essd.northgrum.com> > -----Original Message----- 
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > Sent: Friday, February 04, 2000 16:02 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: one of those horrible realisations > > On Fri, 4 Feb 2000, Charles N. Owens wrote: > > > There is probably some room for improvement on the Samba side in terms > of > > scalability. With this registry fix in place, of course, each TSE user > gets > > their own smbd process... consuming 1.5-2 MB of RAM. I'm guessing that > the > > the samba-tng library architecture reduces the size of processes > dramatically. > On most Unix systems, processes using the same executable share text (code) pages anyway. You can pretty much assume TSS is shared. From lkcl at samba.org Tue Feb 8 17:51:50 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: On Wed, 9 Feb 2000, Jean Francois Micouleau wrote: > > On Wed, 9 Feb 2000, Seth Vidal wrote: > > > > You are correct though, that I'm trying to keep current on > > > SAMBA_TNG and with the rate of change it's very hard > > > at the moment. I hope that to get easier soon(hint hint :-) :-). > > > > For whatever reason I think you're trying to hint at maybe a code freeze > > of some type. If this is the case I'd love to see it. Keeping up with the > > CVS is not very easy for me right now. > > YES ! YES ! YES ! A code freeze of the TNG branch !!! sure, why not. everything except *samr* as i'm still working on samrtdbd, luke's recovering from doing samrnt5ldapd, and i will have to improve rpcclient, too (there's no delete user function, for example!) From lkcl at samba.org Tue Feb 8 17:54:20 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: it's 6 levels ? In-Reply-To: <006d01bf725c$7e5c7750$1ad120c1@pinacl.co.uk> Message-ID: alan, i went over that function, and i considered it to be crazy that it's 6 indentation levels deep. so i added that "TODO" warning.
{
    if (this)
    {
        if (that)
        {
            for(ever)
            {
                if (some more)
                {
you get the picture. it's really difficult to know what's going on. On Wed, 9 Feb 2000, Alan Hourihane wrote: > Keep getting this in Samba TNG > > authorise_login: TODO. split function, it's 6 levels! > > and I've got the include file = ...%L > > with 3 different machine configs which don't seem to > be picked up. Only the primary NetBIOS name and no > Aliases. > > Alan. > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Tue Feb 8 17:56:56 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: [samba-tng] samba-tng-alpha-0.1.tar.gz released Message-ID: can be obtained from a samba ftp mirror site or from ftp://samba.org/pub/samba/alpha/samba-tng-alpha-0.1.tar.gz produced for those people who are unable to use cvs (http://samba.org/cvs.html). luke (samba team) Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From timothy_d_cole at md.northgrum.com Tue Feb 8 18:05:18 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563201@xcgmd008.md.essd.northgrum.com> > -----Original Message----- 
> From: Phil Mayers [SMTP:p.mayers@ic.ac.uk] > Sent: Monday, February 07, 2000 15:13 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: SYSKEY2. Request For Comments > > Hmm. Interesting point which I hadn't considered. For LDAP I would say > that the entry really ought to be ACL'd anyhow (they are here at my > site) which is similar to having a seperate password-protected database > file. Hmm. NIS and SQL I don't know about though. > NIS is NIS. The hashed passwords are visible to everyone. NIS+ does do some sort of limited-access thing, though. From lkcl at samba.org Tue Feb 8 18:13:49 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: tng feedback needed Message-ID: periodically, i send out requests to find out who's running what. well, this is one of them :) please could people respond either to samba-ntdom (or to me, privately if you prefer) so that i can get an idea of who's actually using samba-tng, in what kind of config, does it work, did you give up on it, are you waiting for a more stable version, if so what was the last date/version you checked out from cvs or are you using samba-tng-alpha-*.tar.gz etc., etc.. please consider sending the [global] section of your smb.conf file, too, with security-related info removed, if you consider it to be so. thx ppl! luke From Nicolas.Williams at wdr.com Tue Feb 8 18:23:01 2000 
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts Message-ID: <20000208132300.O3726@sm2p1386swk.wdr.com> Gratouitous advice follows. - SYSKEY I'm now for it as Luke's LDAP/NIS/other name services argument is a winning one. The /etc/shadow approach should still be supported and used where no such cleartext protocols are in use. The question now should be one of scheduling/prioritizing. SYSKEY is not needed urgently to allow TNG to make progress, unless Luke Howard thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work). - TNG code freeze Don't do it yet; wait a few more weeks. So much progress is taking place that it seems worthwhile to wait a bit longer. - 2.0.x->TNG merge This should be easy, actually: take smbd code from 2.0.x as is, drop all the MSRPC code save for the loopback to MSRPC daemons code. That's it. TNG seems to be much further ahead on the MSRPC issues, which means there's no merge to do from 2.0.x there. Same thing with utilities such as rpcclient, though smbclient and nmblookup might be best taken from 2.0.x. I think it's safe to say that TNG is so jam-packed with good ideas that it will become the next Samba. But then, that's just a view from the sidelines... others may differ on that... Nico -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. 
E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From lkcl at samba.org Tue Feb 8 18:28:33 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <200002081802.KAA18847@silicon.su.valinux.com> Message-ID: > > ok upon this request I am semi-officially bitching and requesting a code > > freeze. > > :) > > Ok I agree with you. Unfortunately Luke is the one who has to > stop adding new code and do the freeze before we can look at the > merge :-). > > How about it Luke ? Don't say yes please, just stop adding new code :-). except for the following, yes: samr/*.c rpc_client/*sam*.c rpcclient/cmd_samr.c lib/surs*.c as i'm still not done with these. ... *thinks* ... i'd _like_ to include rpc_server/srv_pipe_srv.c and msrpc/msrpc*.c in that, as well, because that's one other outstanding issue that's broken for more than one smbd vuid context (and consequently, more than one msrpc security context). but that needs more thought, and i suppose it can wait. From lkcl at samba.org Tue Feb 8 18:29:50 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: <51FBD4A8EFD9D111BA7300A0C927DADB563201@xcgmd008.md.essd.northgrum.com> Message-ID: On Wed, 9 Feb 2000, Cole, Timothy D. wrote: > > -----Original Message----- 
> > From: Phil Mayers [SMTP:p.mayers@ic.ac.uk] > > Sent: Monday, February 07, 2000 15:13 > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Re: SYSKEY2. Request For Comments > > > > Hmm. Interesting point which I hadn't considered. For LDAP I would say > > that the entry really ought to be ACL'd anyhow (they are here at my > > site) which is similar to having a seperate password-protected database > > file. Hmm. NIS and SQL I don't know about though. > > > NIS is NIS. The hashed passwords are visible to everyone. NIS+ yes, but they're one-way hashes, not clear-text-equivalent hashes! > does do some sort of limited-access thing, though. yes. From timothy_d_cole at md.northgrum.com Tue Feb 8 18:35:41 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563203@xcgmd008.md.essd.northgrum.com> > -----Original Message----- > From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > Sent: Tuesday, February 08, 2000 13:30 > To: Cole, Timothy D. > Cc: Multiple recipients of list SAMBA-NTDOM > Subject: RE: SYSKEY2. Request For Comments > > On Wed, 9 Feb 2000, Cole, Timothy D. wrote: > > > > -----Original Message----- 
> > > From: Phil Mayers [SMTP:p.mayers@ic.ac.uk] > > > Sent: Monday, February 07, 2000 15:13 > > > To: Multiple recipients of list SAMBA-NTDOM > > > Subject: Re: SYSKEY2. Request For Comments > > > > > > Hmm. Interesting point which I hadn't considered. For LDAP I would say > > > that the entry really ought to be ACL'd anyhow (they are here at my > > > site) which is similar to having a seperate password-protected > database > > > file. Hmm. NIS and SQL I don't know about though. > > > > > NIS is NIS. The hashed passwords are visible to everyone. NIS+ > > yes, but they're one-way hashes, not clear-text-equivalent hashes! > *whistles* ... really? damn... > > does do some sort of limited-access thing, though. > > yes. From frlord at webmethods.com Tue Feb 8 19:34:35 2000 From: frlord at webmethods.com (F. Ross Lord) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments In-Reply-To: Message-ID: On Wed, 9 Feb 2000, Jean Francois Micouleau wrote: > YES ! YES ! YES ! A code freeze of the TNG branch !!! > > So we can do partial patchs to integrate the good stuff in the HEAD > branch. > > I think I'm dreaming :-) > > J.F. Of course I have no place making these requests since I don't contribute any code, but I would also like to voice my support for a code freeze. I know there is some important stuff such as the samr code that is still being contributed, but it would be great if no new features are added and all efforts are focused on integrating the SAMBA_TNG branch into a full blown 3.0 release. Just my US$.02 -- frl From timothy_d_cole at md.northgrum.com Tue Feb 8 19:40:41 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563206@xcgmd008.md.essd.northgrum.com> > -----Original Message----- 
> From: F. Ross Lord [SMTP:frlord@webmethods.com] > Sent: Tuesday, February 08, 2000 14:32 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: SYSKEY2. Request For Comments > > On Wed, 9 Feb 2000, Jean Francois Micouleau wrote: > > YES ! YES ! YES ! A code freeze of the TNG branch !!! > > > > So we can do partial patchs to integrate the good stuff in the HEAD > > branch. > > > > I think I'm dreaming :-) > > > > J.F. > > Of course I have no place making these requests since I don't contribute > any code, but I would also like to voice my support for a code freeze. I > know there is some important stuff such as the samr code that is still > being contributed, but it would be great if no new features are added and > all efforts are focused on integrating the SAMBA_TNG branch into a full > blown 3.0 release. > Just integrating it back into the HEAD branch (or given the amount of changes, effectively the other way around!) would be a good start, before things get TOO out-of-sync. Maybe unfreeze for a time after the merge to allow samr and friends to make it directly into HEAD? From lkcl at samba.org Tue Feb 8 19:54:35 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <20000208132300.O3726@sm2p1386swk.wdr.com> Message-ID: > I'm now for it as Luke's LDAP/NIS/other name services argument is a > winning one. The /etc/shadow approach should still be supported and > used where no such cleartext protocols are in use. the SYSKEY2 thing also means that private/smbpasswd can be made world-readable. sounds weird, neh? WAIT - hear me out, before shooting mouths and telling me it's a stupid idea. i didn't say make the SYSKEY2 key world-readable, that _is_ a stupid idea. however, the _only_ reason that we have to do this, in ALL samba user-enumeration code in samrd:
_sam_query_userinfo()
{
    become_root()
    getsmbpwnam(user_rid)
    unbecome_root()
    ...
}
_samr_enum_dom_users()
{
    become_root()
    startsmbpwent()
    getsmbpwent()
    endsmbpwent()
    unbecome_root()
    ...
}
is because private/smbpasswd is root-only readable. yes, there appears to only be a password in it, but there's not, it identifies which unix accounts are also samba accounts. so the ONLY two places (three) in which become_root() should be called are (and it should be called around the get_syskey2_file() call, nothing else)
_samr_query_userinfo() info level 0x12, to obtain LM# and NT#
_samr_set_userinfo() info level 0x12, to set LM# and NT#
actually, only these two, because i was going to say samr_chg_userpasswd, but that can be implemented in terms of the two above calls, internally. > The question now should be one of scheduling/prioritizing. SYSKEY is > not needed urgently to allow TNG to make progress, unless Luke Howard correct. > thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work). well, actually, we really need to work out _microsoft's_ syskey2 for their password ldap fields. and if we [or someone else, and releases code under gpl] work it out, it's GOING into samba source code. 
> - TNG code freeze > > Don't do it yet; wait a few more weeks. So much progress is taking > place that it seems worthwhile to wait a bit longer. hm. > - 2.0.x->TNG merge > > This should be easy, actually: take smbd code from 2.0.x as is, drop > all the MSRPC code save for the loopback to MSRPC daemons code. > > That's it. not quite. there are three things:
1) clientgen.c, pwd_cache.c and other password-related code for NTLMv2 support
samba tng doesn't work without the support of this code.
2) authorise_login(), password_ok(), pass_check(), smb_password_ok(), pass_check_smb(), all take const char* user, const char* domain - they shouldn't, these should be UNICODE - and return a NET_USER_INFO_3 structure which is stored in the user_struct structure.
3) user_structs are now not stored in memory of the smbd process, they are stored in a vuser.tdb database. the key is the smbd pid + the smbd SMB vuid field. this is so this info can be accessed from an msrpc daemon in order to be able to do a standard_sub_vuser() call. standard_sub_vuser(), and all... 20 or so uses of it, need to be updated, too, in 2_0.
YES, i damn well needed standard_sub_vuser(), i wouldn't bother modifying smbd code that is 2 years out-of-date, otherwise. i think that's all. if someone wants to take each of these things, starting in that order, there'd be lots of grateful people around. oh and you'd be entitled to a samba team t-shirt, of course. From laa at ipt.pt Tue Feb 8 19:53:03 2000 
From: laa at ipt.pt (laa@ipt.pt) Date: Tue Dec 2 02:28:24 2003 Subject: samba / switch hub /win9x Message-ID: <38A0741F.E62867E5@ipt.pt> I have a FreeBSD box with samba that works well when the FreeBSDBOX and all the win9x boxes are on the same hub. The problem is when I put a switch_hub between the FreeBSDbox and the win9x boxes. Win98 can see the samba server but they reject the passwords when we try to mount the remote unix drive. With NT workstation boxes everything works fine!! (I think that NT implements NetBEUI under TCP/IP, but win9x can not do this). I do not have any VLAN setup on our LAN. Any tip to solve this problem? Thanks e-mail: laa@ipt.pt From patl at cag.lcs.mit.edu Tue Feb 8 20:04:43 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: Nicolas Williams's message of "Wed, 9 Feb 2000 05:31:47 +1100" References: <20000208132300.O3726@sm2p1386swk.wdr.com> Message-ID: Nicolas Williams writes: > Gratuitous advice follows. Ditto. > - SYSKEY > > I'm now for it as Luke's LDAP/NIS/other name services argument is a > winning one. Actually, Jeremy is right: Providing a trusted path to a database is not Samba's job. Fix LDAP/NIS/whatever to make them secure (or have /etc/smbshadow), do not clutter Samba. > - TNG code freeze > > Don't do it yet; wait a few more weeks. So much progress is taking > place that it seems worthwhile to wait a bit longer. I disagree. Official PDC support for Samba has been "coming real soon" for, what, three years now? It is long past time to stabilize this stuff, whatever the feature set, and get it out there. Release early, release often. > - 2.0.x->TNG merge > > This should be easy, actually: take smbd code from 2.0.x as is, > drop all the MSRPC code save for the loopback to MSRPC daemons > code. I hope you are right. It has been too long since a merge already. Every experience with branches I have ever had (or heard of) suggests that if you wait more than a few weeks to do a merge, you *never* do a merge. Just another shot from the peanut gallery... - Pat From Nicolas.Williams at wdr.com Tue Feb 8 20:06:23 2000 
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: ; from lkcl@samba.org on Wed, Feb 09, 2000 at 06:54:35AM +1100 References: <20000208132300.O3726@sm2p1386swk.wdr.com> Message-ID: <20000208150621.R3726@sm2p1386swk.wdr.com> On Wed, Feb 09, 2000 at 06:54:35AM +1100, Luke Kenneth Casson Leighton wrote: > > I'm now for it as Luke's LDAP/NIS/other name services argument is a > > winning one. The /etc/shadow approach should still be supported and > > used where no such cleartext protocols are in use. > > the SYSKEY2 thing also means that private/smbpasswd can be made > world-readable. sounds weird, neh? WAIT - hear me out, before shooting > mouths and telling me it's a stupid idea. i didn't say make the SYSKEY2 > key world-readable, that _is_ a stupid idea. No, what you're suggesting is silly. The SAM RPC daemon should always run as root, so there will be no need for those become_root()/ unbecome_root() calls. Trust me: the SAM RPC daemon should always run as root. > however, the _only_ reason that we have to do this, in ALL samba > user-enumeration code in samrd: [... pseudo-code with become_root()/unbecome_root() calls ...] > is because private/smbpasswd is root-only readable. yes, there appears to > only be a password in it, but there's not, it identifies which unix > accounts are also samba accounts. The SAM RPC daemon should always run as root. [...] > > The question now should be one of scheduling/prioritizing. SYSKEY is > > not needed urgently to allow TNG to make progress, unless Luke Howard > > correct. Good. > > thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work). > > well, actually, we really need to work out _microsoft's_ syskey2 for their > password ldap fields. Fine, then your SYSKEY idea becomes really low-priority ;) (This from a lurker who hasn't contributed any code [well, one small feature patch...].) 
> and if we [or someone else, and releases code under gpl] work it out, it's > GOING into samba source code. Sure. This particular case is an issue of compatibility with Windows 2000: supporting the use of Samba DCs as part of an ActiveDirectory system (strange, eh? but doable). > > - TNG code freeze > > > > Don't do it yet; wait a few more weeks. So much progress is taking > > place that it seems worthwhile to wait a bit longer. > > hm. > > > - 2.0.x->TNG merge > > > > This should be easy, actually: take smbd code from 2.0.x as is, drop > > all the MSRPC code save for the loopback to MSRPC daemons code. > > > > That's it. > > not quite. there are three things: > > 1) clientgen.c, pwd_cache.c and other password-related code for NTLMv2 > support samba tng doesn't work without the support of this code. > > 2) authorise_login(), password_ok(), pass_check(), smb_password_ok(), > pass_check_smb(), all take const char* user, const char* domain - they > shouldn't, these should be UNICODE - and return a NET_USER_INFO_3 > structure which is stored in the user_struct structure. > > 3) user_structs are now not stored in memory of the smbd process, they are > stored in a vuser.tdb database. the key is the smbd pid + the smbd SMB > vuid field. this is so this info can be accessed from an msrpc daemon in > order to be able to do a standard_sub_vuser() call. standard_sub_vuser(), > and all... 20 or so uses of it, need to be updated, too, in 2_0. > > YES, i damn well needed standard_sub_vuser(), i wouldn't bother modifying > smbd code that is 2 years out-of-date, otherwise. Yes, finish (2) and (3) and merge in the rest of smbd from 2.0.x + (1) into TNG and you've got a TNG that is production quality for file serving and still a bit alpha for domain serving but getting there. > i think that's all. if someone wants to take each of these things, > starting in that order, there'd be lots of grateful people around. oh and > you'd be entitled to a samba team t-shirt, of course. 
ah, uh, well, ah, I'm busy (scurries off). :) Nico From lkcl at samba.org Tue Feb 8 20:17:35 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: Message-ID: > this stuff, whatever the feature set, and get it out there. Release > early, release often. yep. wanted to do that. > > - 2.0.x->TNG merge > > > > This should be easy, actually: take smbd code from 2.0.x as is, > > drop all the MSRPC code save for the loopback to MSRPC daemons > > code. > > I hope you are right. It has been too long since a merge already. > Every experience with branches I have ever had (or heard of) suggests > that if you wait more than a few weeks to do a merge, you *never* do a > merge. that's why i don't ever want this to happen again. > Just another shot from the peanut gallery... [pding] OUCH! :) From dpe at clark.net Tue Feb 8 20:22:10 2000 
From: dpe at clark.net (David Edwards) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: Message-ID: More gratuitous advice: On Wed, 9 Feb 2000, Patrick J. LoPresti wrote: > Nicolas Williams writes: > > > - TNG code freeze > > > > Don't do it yet; wait a few more weeks. So much progress is taking > > place that it seems worthwhile to wait a bit longer. > > I disagree. Official PDC support for Samba has been "coming real > soon" for, what, three years now? It is long past time to stabilize > this stuff, whatever the feature set, and get it out there. Release > early, release often. Pick a date for a freeze. Better yet, pick a date for a feature freeze, then spend two weeks fixing bugs for a final freeze that gets released to anyone waiting to do a merge back to the 2.0.x series. And then resume development. As for dates: maybe the first Monday of March for the feature freeze, with a "final" freeze on the third Monday of March? I'm not demanding a freeze, I'm just throwing out dates to get people thinking about a timeline... Feel free to tell me to butt out. Y'all are doing absolutely stellar work... keep it up! From kellermg at potsdam.edu Tue Feb 8 20:31:55 2000 
From: kellermg at potsdam.edu (Matthew Keller) Date: Tue Dec 2 02:28:24 2003 Subject: SYSKEY2. Request For Comments References: <200002080738.XAA10430@silicon.su.valinux.com> <38A0382A.1C6F1FB0@potsdam.edu> <20000208111614.B14081@alcove.wittsend.com> <38A0449B.76BF1F1D@potsdam.edu> <20000208123910.A23774@alcove.wittsend.com> Message-ID: <38A07D3B.3F4A1505@potsdam.edu> "Michael H. Warfield" wrote: > No offense, but that interpretation sounds like you would call > purchasing a Porsche to be a fix for a Ford. I won't disagree with your > view, it's just that your choice of terminology is non-obvious and > confusing. *ROTFLMAO* Taken out of context, yes. :o) *LOL* "Fix" implies a problem: if your problem is car performance and you have a Ford, if you buy a Porsche, isn't the problem fixed? If your problem is server performance and configuration, and/or the need to use a Real OS (tm) that is actively developed and you're running NT, isn't using Linux/Solaris/*IX and Samba a "fix"? -- - Matthew Keller - Lead Programmer/Analyst Distributed Computing and Telemedia State University of New York at Potsdam Web: http://mattwork.potsdam.edu/ PGP: http://mattwork.potsdam.edu/crypto/ From lkcl at samba.org Tue Feb 8 20:32:11 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <20000208150621.R3726@sm2p1386swk.wdr.com> Message-ID: On Tue, 8 Feb 2000, Nicolas Williams wrote: > On Wed, Feb 09, 2000 at 06:54:35AM +1100, Luke Kenneth Casson Leighton wrote: > > > I'm now for it as Luke's LDAP/NIS/other name services argument is a > > > winning one. The /etc/shadow approach should still be supported and > > > used where no such cleartext protocols are in use. > > > > the SYSKEY2 thing also means that private/smbpasswd can be made > > world-readable. sounds weird, neh? WAIT - hear me out, before shooting > > mouths and telling me it's a stupid idea. i didn't say make the SYSKEY2 > > key world-readable, that _is_ a stupid idea. > > No, what you're suggesting is silly. The SAM RPC daemon should always > run as root, so there will be no need for those become_root()/ > unbecome_root() calls. > > Trust me: the SAM RPC daemon should always run as root. ah ha. no it shouldn't. no MSRPC daemon should ever run always as root. why? implement this as the msrpc loop-back mechanism, and it becomes clear. cut out all the marshalling code (cli_*.c and srv_*.c) and replace it with this:
uint32 samr_open_domain(....)
{
    return _samr_open_domain(0...)
}
then, if you link rpcclient together with this, it should still work as _if_ you had the cli_*.c and srv_*.c marshalling code in there. of course, the become_root() / unbecome_root() calls screw that up right royally, unless you were _already_ running as root. the consequences of "always run as root" are that client-side programs, in order to work on loop-back with the above implementation of ncalrpc, must _also_ be run as root or have the setuid bit set on the binary, whatever. which means a TOTAL, and unnecessary, code security review, of all client-side msrpc and msrpc-using programs. not a happy prospect. 
rpcclient is 40,000 lines, last count, if you include cmd_*.c. 50,243 to be precise, and that's excluding libsmb/*.c and lib/*.c. > > is because private/smbpasswd is root-only readable. yes, there appears to > > only be a password in it, but there's not, it identifies which unix > > accounts are also samba accounts. > > The SAM RPC daemon should always run as root. andrew keeps telling me that _All_ the msrpc daemons should run as root, because the only reason that smbd doesn't run as root is because of file-create atomicity issues (in posix, you can't create a file as root and then chown it to another user, atomically, which introduces race conditions). well, the same reasons apply. any msrpc daemon that creates files (spoolss being the only one at the moment) or spawns programs (spoolss and svcctl being the only ones... IF you damn well choose to RUN svcctl. WHICH you don't have to) should also not be run as root. basically, MSRPC is a remote function call mechanism. if the caller is root, the remote function call is root. if the caller is a threaded application, the remote function call is a threaded implementation. if the caller is user-foo, the remote function call is user-foo. that's the way MSRPC is designed, that's its job, and to expect it to do anything else (e.g. run remotely as root) is, in my opinion, asking for trouble. > > well, actually, we really need to work out _microsoft's_ syskey2 for their > > password ldap fields. > > Fine, then your SYSKEY idea becomes really low-priority ;) yes, i won't need it, i'll use ms's approach instead... if it's any good! > Sure. This particular case is an issue of compatibility with Windows > 2000: supporting the use of Samba DCs as part of an ActiveDirectory > system (strange, eh? but doable). yep! > Yes, finish (2) and (3) and merge in the rest of smbd from 2.0.x + (1) > into TNG and you've got a TNG that is production quality for file > serving and still a bit alpha for domain serving but getting there. 
yep > > i think that's all. if someone wants to take each of these things, > > starting in that order, there'd be lots of grateful people around. oh and > > you'd be entitled to a samba team t-shirt, of course. > > ah, uh, well, ah, I'm busy (scurries off). :) From owensc at enc.edu Tue Feb 8 20:47:27 2000 
From: owensc at enc.edu (Charles N. Owens) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts References: <20000208132300.O3726@sm2p1386swk.wdr.com> Message-ID: <38A080DF.998BDE14@enc.edu> Is there any update available as to when Luke Howard's SAM-via-LDAP-with-win2k-schema will make into the codebase (either TNG or TNG-post-merge) ? Getting a somewhat finalized schema in place seems to me to be a critical milestone for obvious reasons. I need to roll out some more implementations and would much prefer to use the new schema (as would everyone I'm sure ;-). Charles Nicolas Williams wrote: > Gratouitous advice follows. > > - SYSKEY > > I'm now for it as Luke's LDAP/NIS/other name services argument is a > winning one. The /etc/shadow approach should still be supported and > used where no such cleartext protocols are in use. > > The question now should be one of scheduling/prioritizing. SYSKEY is > not needed urgently to allow TNG to make progress, unless Luke Howard > thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work). > > - TNG code freeze > > Don't do it yet; wait a few more weeks. So much progress is taking > place that it seems worthwhile to wait a bit longer. > > - 2.0.x->TNG merge > > This should be easy, actually: take smbd code from 2.0.x as is, drop > all the MSRPC code save for the loopback to MSRPC daemons code. > > That's it. > > TNG seems to be much further ahead on the MSRPC issues, which means > there's no merge to do from 2.0.x there. > > Same thing with utilities such as rpcclient, though smbclient and > nmblookup might be best taken from 2.0.x. > > I think it's safe to say that TNG is so jam-packed with good ideas that > it will become the next Samba. But then, that's just a view from the > sidelines... others may differ on that... > > Nico > -DISCLAIMER: an automatically appended disclaimer may follow. 
By posting- > -to a public e-mail mailing list I hereby grant permission to distribute- > -and copy this message.- > > This message contains confidential information and is intended only > for the individual named. If you are not the named addressee you > should not disseminate, distribute or copy this e-mail. Please > notify the sender immediately by e-mail if you have received this > e-mail by mistake and delete this e-mail from your system. > > E-mail transmission cannot be guaranteed to be secure or error-free > as information could be intercepted, corrupted, lost, destroyed, > arrive late or incomplete, or contain viruses. The sender therefore > does not accept liability for any errors or omissions in the contents > of this message which arise as a result of e-mail transmission. If > verification is required please request a hard-copy version. This > message is provided for informational purposes and should not be > construed as a solicitation or offer to buy or sell any securities or > related financial instruments. -- ------------------------------------------------------------------------- Charles N. Owens Email: owensc@enc.edu http://www.enc.edu/~owensc Network & Systems Administrator Information Technology Services "Outside of a dog, a book is a man's Eastern Nazarene College best friend. Inside of a dog it's too dark to read." - Groucho Marx ------------------------------------------------------------------------- From Nicolas.Williams at wdr.com Tue Feb 8 21:05:42 2000 
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: ; from lkcl@samba.org on Wed, Feb 09, 2000 at 07:32:11AM +1100 References: <20000208150621.R3726@sm2p1386swk.wdr.com> Message-ID: <20000208160541.S3726@sm2p1386swk.wdr.com> BTW, I knew that you'd respond as below. :) On Wed, Feb 09, 2000 at 07:32:11AM +1100, Luke Kenneth Casson Leighton wrote: > On Tue, 8 Feb 2000, Nicolas Williams wrote: > > Trust me: the SAM RPC daemon should always run as root. > > ah ha. no it shouldn't. no MSRPC daemon should ever run always as root. > why? > > implement this as the msrpc loop-back mechanism, and it becomes clear. > cut out all the marshalling code (cli_*.c and srv_*.c) and replace it with > this: > > uint32 samr_open_domain(....) > { > return _samr_open_domain(0...) > } > > then, if you link rpcclient together with this, it should still work as > _if_ you had the cli_*.c and srv_*.c marshalling code in there. > > of course, the become_root() / unbecome_root() calls screw that up right > royally, unless you were _already_ running as root. > > the consequences of "always run as root" are that client-side programs, in > order to work on loop-back with the above implementation of ncalrpc, must > _also_ be run as root or have the setuid bit set on the binary, whatever. > > which means a TOTAL, and unnecessary, code security review, of all > client-side msrpc and msrpc-using programs. Wait a minute. The goal, ultimately, is to have ONE set of MSRPC daemons for ALL smbds on a host, not what you have now (ONE set of MSRPC daemons for EACH smbd on a host). Once you get to your stated destination you'll not have to worry about how to start those MSRPC daemons: /etc/init.d/ scripts will take care of that. As for the way TNG does this now, with each smbd fork()/exec()ing the MSRPC daemons as necessary, smbd should become_root() before starting them. 
As for rpcclient it should ALWAYS do DCE/RPC calls via SMB, even when running on the host that would be servicing those calls. So forget about linking in server-side code into rpcclient. So that's a non-issue. > > > is because private/smbpasswd is root-only readable. yes, there appears to > > > only be a password in it, but there's not, it identifes which unix > > > accoutns are also samba accounts. > > > > The SAM RPC daemon should always run as root. > > andrew keeps telling me that _All_ the msrpc daemons should run as root, > because the only reason that smbd doesn't run as root is because of > file-create atomicity issues (in posix, you can't create a file as root > and then chown it to another user, atomically, which introduces race > conditions). He's right about why SMBD needs to do become_root()/unbecome_root(). SMBD exports a filesystem and so can make use of POSIX features (uid/euig/gid/egid/getgroups()/setgroups()) to let the Unix kernel do as much of the work of authorization as possible. MSRPC daemons export a set of functions and whether or not each daemon can take advantage of POSIX semantics to implement any part of the MSRPC authorization semantics is an issue that is specific to the implementation of each MSRPC daemon. See below. > well, the same reasons apply. any msrpc daemon that creates files > (spoolss being the only one at the moment) or spawns programs (spoolss and > svcctl being the only ones... IF you damn well choose to RUN svcctl. WHICH > you don't have to] should also not be run as root. And you're right that it is conceivable that some MSRPC daemons should change privileges as well. [BTW, Unix spoolers never run as the user that launched each job. Nor does ypserv ever switch to the calling user's uid/gid. I could go on.] But the LSA, SAM and NETLOGON RPC daemons should not. > basically, MSRPC is a remote function call mechanism. if the caller is > root, the remote function call is root. 
if the caller is a threaded > applcication, the remote function call is a threaded implementation. if > the caller is user-foo, the remote function call is user-foo. LSA simply does SAM/NETLOGON calls on behalf of the client -- the client's POSIX uid has no impact on this. Similarly with NETLOGON. SAM accesses a database the same way no matter who is making the SAM calls (I mean at the system call level). SAM will need to do authorization internally; no Unix authorization mechanism will change this (unless you use a filesystem as a database -- as opposed to TDB or LDAP -- but that has its problems and is a non-starter, I bet). Andrew is right. > that's the way MSRPC is designed, that's its job, and to expect it to do > anything else (e.g run remotely as root) is, in my opinion, asking for > trouble. [...] > > Yes, finish (2) and (3) and merge in the rest of smbd from 2.0.x + (1) > > into TNG and you've got a TNG that is production quality for file > > serving and still a bit alpha for domain serving but getting there. > > yep There's the merge strategy. > > > i think that's all. if someone wants to take each of these things, > > > starting in that order, there'd be lots of grateful people around. oh and > > > you'd be entitled to a samba team t-shirt, of course. > > > > ah, uh, well, ah, I'm busy (scurries off). > > :) :) Nico
From frlord at webmethods.com Tue Feb 8 21:21:40 2000
From: frlord at webmethods.com (F. Ross Lord) Date: Tue Dec 2 02:28:25 2003 Subject: tng feedback needed In-Reply-To: Message-ID:
I'm using the HEAD branch from 11/2/99 because I haven't found the time or made the effort to move to the TNG branch. I also need smbmount, so I haven't moved to the TNG branch. I know that I can mix HEAD with TNG in order to get all the functionality I need, but there is a big "if it ain't broke don't fix it" feeling right now.
It's running on a Dell 4300 running RedHat Linux 6.1. Previously the same code was running on a VA Research box with RedHat Linux 5.2. There are 275 users, and we use shadow passwords and smbpasswd for authentication. Samba provides file sharing from the server it runs on, and it provides authentication for three other servers. We don't do any domain logins or profiles, so I haven't had to mess with much of that.
Here's the global section....
#======================= Global Settings =====================================
[global]
workgroup = xxxxxxxxxx
server string = Samba Server
hosts allow = xxxxxxxxxxxxxxxxxxxxx
printcap name = /etc/printcap
load printers = yes
printing = bsd
log file = /var/log/samba/log.%m
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
socket options = TCP_NODELAY
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
dns proxy = no
preserve case = yes
share modes = yes
unix password sync = yes
passwd program = /usr/local/samba/bin/passwd %u
passwd chat = *password* %n\n *password* %n\n *successfull*
-- frl
On Wed, 9 Feb 2000, Luke Kenneth Casson Leighton wrote: > periodically, i send out requests to find out who's running what.
well, > this is one of them :) > > please could people respond either to samba-ntdom (or to me, privately if > you prefer) so that i can get an idea of who's actually using samba-tng, > in what kind of config, does it work, did you give up on it, are you > waiting for a more stable version, if so what was the last date/version > you checked out from cvs or are you using samba-tng-alpha-*.tar.gz etc., > etc.. > > please consider sending the [global] section of your smb.conf file, too, > with security-related info removed, if you consider it to be so. > > thx ppl! > > luke > From martin at tantalus.com Tue Feb 8 21:24:52 2000 From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:25 2003 Subject: Strange Error Message-ID: <000001bf727a$f049fae0$12f066cf@tantalus> I configured Samba 2.0.6 with --with-ldap and I get configure: error: LDAP password database not supported in this version. But I was sure 2.0.6 supported LDAP.. no? From GLeblanc at cu-portland.edu Tue Feb 8 21:30:36 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:25 2003 Subject: samba / switch hub /win9x Message-ID: > -----Original Message----- 
> From: laa@ipt.pt [mailto:laa@ipt.pt]
> Sent: Tuesday, February 08, 2000 12:03 PM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: samba / switch hub /win9x
>
> I have a FreeBSD box with samba that works well when the FreeBSDBOX and
> all the win9x boxes are on the same hub.
> The problem is when i put a switch_hub between the FreeBSDbox and the
> win9x boxes. Win98 can see the samba server but they reject the
> passwords when we try to mount the remote unix drive.
>
> With NT workstation boxes everything works fine!! (I think that NT
> implements NetBEUI under TCP/IP,
> but win9x can not do this). I do not have any VLAN setup on our LAN.
> Any tip to solve this problem?
Both NT and 9x can run NetBIOS over (inside?) TCP/IP. I'm not going to go into NetBEUI. Check to make sure that TCP/IP is the only protocol on those machines, and perhaps enable the WINS server on Samba. Although I'd expect WINS to affect NT more than 9x. Have you checked on encryption settings, and things of that nature? You might also try bumping up the logging level a few notches and see if that turns up any useful information in the samba logs.
Greg
From lkcl at samba.org Tue Feb 8 21:35:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <38A080DF.998BDE14@enc.edu> Message-ID: On Wed, 9 Feb 2000, Charles N. Owens wrote: > Is there any update available as to when Luke Howard's > SAM-via-LDAP-with-win2k-schema will make into the codebase (either TNG or > TNG-post-merge) ? Getting a somewhat finalized schema in place seems to me ./configure --with-nt5pdap or: ./configure --with-nt5pdap --with-sam-pwd=nt5ldap it's experimental and subject to change. > to be a critical milestone for obvious reasons. I need to roll out some more > implementations and would much prefer to use the new schema (as would > everyone I'm sure ;-). > > Charles > > Nicolas Williams wrote: > > > Gratouitous advice follows. > > > > - SYSKEY > > > > I'm now for it as Luke's LDAP/NIS/other name services argument is a > > winning one. The /etc/shadow approach should still be supported and > > used where no such cleartext protocols are in use. > > > > The question now should be one of scheduling/prioritizing. SYSKEY is > > not needed urgently to allow TNG to make progress, unless Luke Howard > > thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work). > > > > - TNG code freeze > > > > Don't do it yet; wait a few more weeks. So much progress is taking > > place that it seems worthwhile to wait a bit longer. > > > > - 2.0.x->TNG merge > > > > This should be easy, actually: take smbd code from 2.0.x as is, drop > > all the MSRPC code save for the loopback to MSRPC daemons code. > > > > That's it. > > > > TNG seems to be much further ahead on the MSRPC issues, which means > > there's no merge to do from 2.0.x there. > > > > Same thing with utilities such as rpcclient, though smbclient and > > nmblookup might be best taken from 2.0.x. > > > > I think it's safe to say that TNG is so jam-packed with good ideas that > > it will become the next Samba. 
But then, that's just a view from the > > sidelines... others may differ on that... > > > > Nico > > -- > ------------------------------------------------------------------------- > Charles N. Owens Email: owensc@enc.edu > http://www.enc.edu/~owensc > Network & Systems Administrator > Information Technology Services "Outside of a dog, a book is a man's > Eastern Nazarene College best friend. Inside of a dog it's > too dark to read." - Groucho Marx > ------------------------------------------------------------------------- > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From greg at discreet.com Tue Feb 8 21:44:09 2000
From: greg at discreet.com (Greg Dickie) Date: Tue Dec 2 02:28:25 2003 Subject: TNG does not compile Message-ID:
ompiling param/loadparm.c with libtool
param/loadparm.c:1426: conflicting types for `lp_logon_script'
include/proto.h:1680: previous declaration of `lp_logon_script'
param/loadparm.c:1427: conflicting types for `lp_logon_path'
include/proto.h:1681: previous declaration of `lp_logon_path'
param/loadparm.c:1428: conflicting types for `lp_logon_drive'
include/proto.h:1682: previous declaration of `lp_logon_drive'
param/loadparm.c:1429: conflicting types for `lp_logon_home'
include/proto.h:1683: previous declaration of `lp_logon_home'
Gmake: *** [param/loadparm.lo] Error 1
---------------------------------------------------------------------
Greg Dickie Just A Guy greg@discreet.com
From s.striker at striker.nl Tue Feb 8 22:00:26 2000
From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <20000208160541.S3726@sm2p1386swk.wdr.com> Message-ID:
I think I have to agree with a lot of people that posted in reaction to the merge. Here are my thoughts on the subject:
- Code freeze TNG's new development next week (just long enough for quick 'Luke' commits)
- Merge the HEAD code into TNG
- Freeze this merged code
- Store a copy of the merged code in an _internal_ branch
- Unfreeze TNG for new development (this is the public copy of the merged code)
- Merge the TNG branch into HEAD (using the private copy of the merged code)
Note: after the unfreeze of TNG do _not_ make the mistake of adding fundamental changes. It must be easily incorporated in the new HEAD code.
Sander Striker
From lkcl at samba.org Tue Feb 8 21:59:04 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <20000208160541.S3726@sm2p1386swk.wdr.com> Message-ID: On Tue, 8 Feb 2000, Nicolas Williams wrote: > > BTW, I knew that you'd respond as below. :) he he :) > Wait a minute. The goal, ultimately, is to have ONE set of MSRPC daemons > for ALL smbds on a host, not what you have now (ONE set of MSRPC daemons > for EACH smbd on a host). don't forget any client-side msrpc connections that smbd may make, too, not just the pass-through-on-loop-back stuff! > Once you get to your stated destination you'll not have to worry about > how to start those MSRPC daemons: /etc/init.d/ scripts will take care of > that. > > As for the way TNG does this now, with each smbd fork()/exec()ing the > MSRPC daemons as necessary, smbd should become_root() before starting > them. uhh... yes, > As for rpcclient it should ALWAYS do DCE/RPC calls via SMB, even when > running on the host that would be servicing those calls. So forget about > linking in server-side code into rpcclient. So that's a non-issue. ? why? that's a silly restriction [always doing dce/rpc via smb]. 1) for test purposes and if i want, as root, to bypass SMB authentication stages (which may not be up or working, say, if i have broken netlogond or don't _have_ one!), unix# bin/rpcclient -S . -U root%dummypassword -l log [root@.$ ] and i get an rpcclient prompt, and i can do the equivalent of an su like this: unix# bin/rpcclient -S . -U someuser%nopassword -l log [someuser@. $] and issue rpc commands in the security context of someuser. 2) i may end up replacing the unix-socket-loopback code (as a compile-time option) with this: uint32 samr_open_domain(...) { return dlsym(dlopen("libsmbsampass.so"), "_samr_open_domain")(...) } this is a perfectly feasible and rational thing to do. 
it also means i can't assume that libsmbsampass.so will always be run in a root security context. > > > The SAM RPC daemon should always run as root. > > > > andrew keeps telling me that _All_ the msrpc daemons should run as root, > > because the only reason that smbd doesn't run as root is because of > > file-create atomicity issues (in posix, you can't create a file as root > > and then chown it to another user, atomically, which introduces race > > conditions). > > He's right about why SMBD needs to do become_root()/unbecome_root(). [actually, become_user(), not become_root()] > SMBD exports a filesystem and so can make use of POSIX features > (uid/euig/gid/egid/getgroups()/setgroups()) to let the Unix kernel do as > much of the work of authorization as possible. yep. > MSRPC daemons export a set of functions and whether or not each daemon > can take advantage of POSIX semantics to implement any part of the MSRPC > authorization semantics is an issue that is specific to the > implementation of each MSRPC daemon. See below. uhh... no it isn't [up to each msrpc daemon]. it's up to the security-context-switching code. if you have multiple smbd connections to one msrpc daemon, users are going to get _very_ unhappy if they don't have their own user security context. > > well, the same reasons apply. any msrpc daemon that creates files > > (spoolss being the only one at the moment) or spawns programs (spoolss and > > svcctl being the only ones... IF you damn well choose to RUN svcctl. WHICH > > you don't have to] should also not be run as root. > > And you're right that it is conceivable that some MSRPC daemons should > change privileges as well. yes, i'm not saying that msrpc daemons _shouldn't_ switch to root, if they need to. > [BTW, Unix spoolers never run as the user > that launched each job. Nor does ypserv ever switch to the calling > user's uid/gid. I could go on.] > > basically, MSRPC is a remote function call mechanism. 
if the caller is > > root, the remote function call is root. if the caller is a threaded > > applcication, the remote function call is a threaded implementation. if > > the caller is user-foo, the remote function call is user-foo. > > LSA simply does SAM/NETLOGON calls on behalf of the client -- the > client's POSIX uid has no impact on this. ... not quite. we have to inherit the security context of the smbd process. the smbd sec-ctx (POSIX uid) is mapped one-to-one to an NT sec-ctx, and that's the way i want it to stay. i do NOT want to have to code up one POSIX uid [root] mapping to multiple [any] NT sec-ctx [SID]. there's too much work involved. you are aware of LsaRetrievePrivateData, LsaSetPrivateData, LsasomethinglikeCreateUserAccount. you want me to run these as root? fine, i'll run them as root. then, when they call Samr functions, those will be run as root, too. so an anonymous user connecting to \PIPE\samr can add user accounts to a SAM database. > Similarly with NETLOGON. no, NETLOGON should only become_root() to call _samr_query_userinfo(), _samr_set_userinfo() to obtain or set user passwords. unbecome_root(). > SAM accesses a database the same way no matter who is making the SAM > calls (I mean at the system call level). SAM will need to do > authorization internally; no Unix authorization mechanism will change > this (unless you use a filesystem as a database -- as opposed to TDB or > LDAP -- but that has its problems and is a non-starter, I bet). tdb _is_ a filesystem-based database, and yes: i am relying on the unix security context to provide me with samtdb access authorisation. an anonymous user is mapped to the guest account. if the guest account doesn't have write permission on S-1-5-21-xxx-xxx-xxx.usr.tdb, they can't do any damage to user accounts or modify the SAM database in any way. 
like i said earlier, the only reason to allow become_root() is to do an _samr_set_userinfo() at level 0x12 or an _samr_query_userinfo() at level 0x12, which return or set the user LM#/NT# direct unbecome_root(). in the entire samtdb code, there _aren't_ any become_root / unbecome_root calls (except from cut/paste from srv_samr_passdb.c, which i haven't got round to removing) From lkcl at samba.org Tue Feb 8 22:01:23 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:25 2003 Subject: TNG does not compile In-Reply-To: Message-ID: fixed. On Wed, 9 Feb 2000, Greg Dickie wrote: > ompiling param/loadparm.c with libtool > param/loadparm.c:1426: conflicting types for `lp_logon_script' > include/proto.h:1680: previous declaration of `lp_logon_script' > param/loadparm.c:1427: conflicting types for `lp_logon_path' > include/proto.h:1681: previous declaration of `lp_logon_path' > param/loadparm.c:1428: conflicting types for `lp_logon_drive' > include/proto.h:1682: previous declaration of `lp_logon_drive' > param/loadparm.c:1429: conflicting types for `lp_logon_home' > include/proto.h:1683: previous declaration of `lp_logon_home' > Gmake: *** [param/loadparm.lo] Error 1 > > --------------------------------------------------------------------- > Greg Dickie > Just A Guy > greg@discreet.com > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From Nicolas.Williams at wdr.com Tue Feb 8 22:24:51 2000 
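Two points from Luke's messages above, shown as an added C example that is not Samba code: a become_root()/unbecome_root() pair only works in a process that already holds root, and elevation can be limited to a bracket around the level 0x12 password operations. The `*_sketch` names, the caller structure and the use of level 0x01 for "any other level" are assumptions made for illustration.

```c
/* Added illustration; every *_sketch name is hypothetical, not Samba's code. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum { SAMR_OK = 0, SAMR_ACCESS_DENIED = 1, SAMR_NO_PRIVILEGE = 2 };

/* Caller identity as the daemon would know it (constructed for the example). */
struct caller_sketch {
    const char *name;
    int may_set_passwords;        /* decided by the daemon's own policy */
};

static uid_t saved_euid;
static int root_depth = 0;

/* Raise the effective uid to root. This succeeds only if the process is root
 * or kept a saved set-user-ID of 0 (started as root, or a setuid-root binary). */
int become_root_sketch(void)
{
    if (root_depth == 0) {
        saved_euid = geteuid();
        if (seteuid(0) != 0)
            return -1;            /* EPERM in an unprivileged process */
    }
    root_depth++;
    return 0;
}

/* Return to the euid in force before the outermost become_root_sketch().
 * If the drop cannot be confirmed, stop rather than carry on as root. */
void unbecome_root_sketch(void)
{
    if (root_depth <= 0)
        abort();                  /* unbalanced call */
    if (--root_depth == 0) {
        if (seteuid(saved_euid) != 0 || geteuid() != saved_euid)
            abort();
    }
}

int root_depth_sketch(void) { return root_depth; }

/* One entry point, two paths. Only level 0x12 (the password-hash level named
 * in the thread) is bracketed; every other level runs as the caller.
 * *euid_seen reports the euid under which the database access would run. */
int samr_userinfo_sketch(const struct caller_sketch *c, unsigned level,
                         uid_t *euid_seen)
{
    if (level != 0x12) {
        *euid_seen = geteuid();   /* kernel file permissions apply unchanged */
        return SAMR_OK;
    }
    /* Authorise before elevating: once euid is 0 the kernel permits everything. */
    if (c == NULL || !c->may_set_passwords)
        return SAMR_ACCESS_DENIED;
    if (become_root_sketch() != 0)
        return SAMR_NO_PRIVILEGE; /* e.g. server code linked into a non-root client */
    *euid_seen = geteuid();       /* the privileged access goes here, nothing else */
    unbecome_root_sketch();
    return SAMR_OK;
}

int main(void)
{
    struct caller_sketch admin = { "admin", 1 }, guest = { "guest", 0 };
    const struct caller_sketch *who[] = { &guest, &guest, &admin };
    unsigned level[] = { 0x01, 0x12, 0x12 };
    for (int i = 0; i < 3; i++) {
        uid_t seen = geteuid();
        int rc = samr_userinfo_sketch(who[i], level[i], &seen);
        printf("%-5s level 0x%02x -> rc=%d, ran as euid %ld, now euid %ld\n",
               who[i]->name, level[i], rc, (long)seen, (long)geteuid());
    }
    return 0;
}
```

Run as an ordinary user, the admin call at level 0x12 returns SAMR_NO_PRIVILEGE because seteuid(0) is refused; run as root it returns SAMR_OK and the effective uid is back to its starting value afterwards.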
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:25 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: ; from lkcl@samba.org on Wed, Feb 09, 2000 at 08:59:04AM +1100 References: <20000208160541.S3726@sm2p1386swk.wdr.com> Message-ID: <20000208172449.U3726@sm2p1386swk.wdr.com> On Wed, Feb 09, 2000 at 08:59:04AM +1100, Luke Kenneth Casson Leighton wrote: > On Tue, 8 Feb 2000, Nicolas Williams wrote: > > > > > BTW, I knew that you'd respond as below. :) > > he he :) :) > > Wait a minute. The goal, ultimately, is to have ONE set of MSRPC daemons > > for ALL smbds on a host, not what you have now (ONE set of MSRPC daemons > > for EACH smbd on a host). > > don't forget any client-side msrpc connections that smbd may make, too, > not just the pass-through-on-loop-back stuff! So? ... > > As for rpcclient it should ALWAYS do DCE/RPC calls via SMB, even when > > running on the host that would be servicing those calls. So forget about > > linking in server-side code into rpcclient. So that's a non-issue. > > ? why? that's a silly restriction [always doing dce/rpc via smb]. > > 1) for test purposes and if i want, as root, to bypass SMB authentication > stages (which may not be up or working, say, if i have broken netlogond or > don't _have_ one!), Ok. So for testing have rpcclient on the localhost talk to the MSRPC daemons directly via the Unix domain sockets. That would cut SMBD out of the picture and you still don't have to link in the MSRPC server-side code in rpcclient. This is for testing, so you don't have to be strict about authenticating rpcclient's user (which would otherwise have been done by SMBD). > 2) i may end up replacing the unix-socket-loopback code (as a compile-time > option) with this: > > > uint32 samr_open_domain(...) > { > return dlsym(dlopen("libsmbsampass.so"), "_samr_open_domain")(...) > } > > this is a perfectly feasible and rational thing to do. 
it also means i
> can't assume that libsmbsampass.so will always be run in a root security
> context.

So you finally read the man pages for dlopen()/dlsym() and thought them
to be cool :)

Ok, but then, while this goes along with the modularity of TNG, it does
not help reduce resource consumption as much as having a separate set of
MSRPC daemon processes, one set per server host, that SMBD talks to via
DCE/RPC over local IPC.

> > > > The SAM RPC daemon should always run as root.
> > >
> > > andrew keeps telling me that _All_ the msrpc daemons should run as root,
> > > because the only reason that smbd doesn't run as root is because of
> > > file-create atomicity issues (in posix, you can't create a file as root
> > > and then chown it to another user, atomically, which introduces race
> > > conditions).
> >
> > He's right about why SMBD needs to do become_root()/unbecome_root().
>
> [actually, become_user(), not become_root()]

Yup.

> > SMBD exports a filesystem and so can make use of POSIX features
> > (uid/euid/gid/egid/getgroups()/setgroups()) to let the Unix kernel do as
> > much of the work of authorization as possible.
>
> yep.
>
> > MSRPC daemons export a set of functions and whether or not each daemon
> > can take advantage of POSIX semantics to implement any part of the MSRPC
> > authorization semantics is an issue that is specific to the
> > implementation of each MSRPC daemon. See below.
>
> uhh... no it isn't [up to each msrpc daemon]. it's up to the
> security-context-switching code.
>
> if you have multiple smbd connections to one msrpc daemon, users are going
> to get _very_ unhappy if they don't have their own user security context.

We've already settled that point by having SMBD pass in PID/VUID
information with the DCE/RPC calls and storing the user context info in
a TDB keyed by PID/VUID.

Why rehash this?

So the MSRPC daemons will have access to the user context information.
They have to implement authorization functionality internally because
the objects which most of those MSRPC daemons deal with are NOT Unix
kernel objects (files, pipes, Unix sockets, processes, whatever); if
those objects are not Unix kernel objects then switching Unix security
contexts (euid/egid) HAS NO EFFECT.

Why rehash this?

> > > well, the same reasons apply. any msrpc daemon that creates files
> > > (spoolss being the only one at the moment) or spawns programs (spoolss and
> > > svcctl being the only ones... IF you damn well choose to RUN svcctl. WHICH
> > > you don't have to] should also not be run as root.
> >
> > And you're right that it is conceivable that some MSRPC daemons should
> > change privileges as well.
>
> yes, i'm not saying that msrpc daemons _shouldn't_ switch to root, if they
> need to.

Ok. But I'm saying that neither LSA, nor SAM nor NETLOGON need to run as
any user other than root.

> > [BTW, Unix spoolers never run as the user
> > that launched each job. Nor does ypserv ever switch to the calling
> > user's uid/gid. I could go on.]
>
> > > basically, MSRPC is a remote function call mechanism. if the caller is
> > > root, the remote function call is root. if the caller is a threaded
> > > application, the remote function call is a threaded implementation. if
> > > the caller is user-foo, the remote function call is user-foo.
> >
> > LSA simply does SAM/NETLOGON calls on behalf of the client -- the
> > client's POSIX uid has no impact on this.
>
> ... not quite. we have to inherit the security context of the smbd
> process. the smbd sec-ctx (POSIX uid) is mapped one-to-one to an NT
> sec-ctx, and that's the way i want it to stay. i do NOT want to have to
> code up one POSIX uid [root] mapping to multiple [any] NT sec-ctx [SID].
> there's too much work involved.

See above. The context is passed in by SMBD via the PID/VUID and the TDB
record indexed by the same. But switching the POSIX context will turn
out to be a useless thing to do, most of the time.

See above.

> you are aware of LsaRetrievePrivateData, LsaSetPrivateData,
> LsasomethinglikeCreateUserAccount.

No. I was not. I looked at your book. They're not listed in it, thus I
did not know about them.

> you want me to run these as root? fine, i'll run them as root. then,
> when they call Samr functions, those will be run as root, too.

Yes, if those items are records in a larger database. No if those
items are _files_ in a Unix filesystem. By 'items' I mean the
'PrivateData' referred to in the function names you list above.

Of course, if you store those items in a database with other user's
items, then you'll have to implement your own authorization mechanism.

If the items are kept as individual files then you _can_ let Unix do
access control, in which case the LSA daemon must switch POSIX security
contexts.

> so an anonymous user connecting to \PIPE\samr can add user accounts to a
> SAM database.

No, why? LSA would know the security context of the caller from the
PID/VUID passed in by the intermediate SMBD and TDB record indexed by
that PID/VUID tuple and it would know that the caller is anonymous and
so would deny access as appropriate.

> > Similarly with NETLOGON.
>
> no, NETLOGON should only become_root() to call _samr_query_userinfo(),
> _samr_set_userinfo() to obtain or set user passwords. unbecome_root().

I disagree. NETLOGON should always run as root.

Let me ask you a question: how does NT do it? Do the equivalent NT
services (the processes that implement them) ever switch security
contexts? Or do they always run privileged?

> > SAM accesses a database the same way no matter who is making the SAM
> > calls (I mean at the system call level). SAM will need to do
> > authorization internally; no Unix authorization mechanism will change
> > this (unless you use a filesystem as a database -- as opposed to TDB or
> > LDAP -- but that has its problems and is a non-starter, I bet).
>
> tdb _is_ a filesystem-based database, and yes: i am relying on the unix
> security context to provide me with samtdb access authorisation.

No, you misunderstood. TDB is stored in a file, but each TDB record is
represented as data in that file, not as a _separate_ file. I.e., TDB is
not a directory/file hierarchy with each record being stored as a
_separate_ file!!

> an anonymous user is mapped to the guest account. if the guest account
> doesn't have write permission on S-1-5-21-xxx-xxx-xxx.usr.tdb, they can't
> do any damage to user accounts or modify the SAM database in any way.
>
> like i said earlier, the only reason to allow become_root() is to do an
> _samr_set_userinfo() at level 0x12 or an _samr_query_userinfo() at level
> 0x12, which return or set the user LM#/NT# direct unbecome_root().

If you always run as root you don't need to do this.

> in the entire samtdb code, there _aren't_ any become_root / unbecome_root
> calls (except from cut/paste from srv_samr_passdb.c, which i haven't got
> round to removing)

Good, so it works then? Always running as root?

Why argue then? :)

(BTW, I don't want to get too adversarial here; I don't know you personally.)

:)

Nico

-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission. If verification
is required please request a hard-copy version. This message is provided
for informational purposes and should not be construed as a solicitation
or offer to buy or sell any securities or related financial instruments.

From Jean-Francois.Micouleau at dalalu.fr Tue Feb 8 22:30:53 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <20000208132300.O3726@sm2p1386swk.wdr.com>
Message-ID:

On Wed, 9 Feb 2000, Nicolas Williams wrote:

> - SYSKEY
>
> I'm now for it as Luke's LDAP/NIS/other name services argument is a
> winning one. The /etc/shadow approach should still be supported and
> used where no such cleartext protocols are in use.

Everyone has a point of view :)

> - TNG code freeze
>
> Don't do it yet; wait a few more weeks. So much progress is taking
> place that it seems worthwhile to wait a bit longer.

NO. freeze Now ! I know Luke well enough to say that if you leave him just
a week, he will have a new idea he'll want to code. Of course if you have
spent more than an afternoon on his roof then you know him better than I
:-)

> - 2.0.x->TNG merge
>
> This should be easy, actually: take smbd code from 2.0.x as is, drop
> all the MSRPC code save for the loopback to MSRPC daemons code.

totally unrealistic. You know why ? Because I've done it. And give up. And
felt some much depressed than I was close to install win95 on my machines.

Merging TNG in HEAD is not much realistic. I also tried, still have a
tar.gz of the result somewhere.

The only viable path is to extract features of TNG in diff files and
incorporate by hand in HEAD.

> TNG seems to be much further ahead on the MSRPC issues, which means
> there's no merge to do from 2.0.x there.

wrong. the smb/rpc layer (the prs_struct structure) is much cleaner in
HEAD. Some RPC functions have been rewritten in HEAD and must be kept.

> Same thing with utilities such as rpcclient, though smbclient and
> nmblookup might be best taken from 2.0.x.

rpcclient yes.

> I think it's safe to say that TNG is so jam-packed with good ideas that
> it will become the next Samba. But then, that's just a view from the
> sidelines... others may differ on that...

it's also jam-packed with instability and non-portability. And stability
and portability are much more important than new features.

J.F.

From kevinc at grainsystems.com Tue Feb 8 22:42:04 2000
From: kevinc at grainsystems.com (Kevin Colby)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY2. Request For Comments
References: <200002080738.XAA10430@silicon.su.valinux.com> <38A0382A.1C6F1FB0@potsdam.edu> <20000208111614.B14081@alcove.wittsend.com> <38A0449B.76BF1F1D@potsdam.edu> <20000208123910.A23774@alcove.wittsend.com> <38A07D3B.3F4A1505@potsdam.edu>
Message-ID: <38A09BBC.473938ED@grainsystems.com>

Off-topic rant:

Okay, I wasn't going to nit-pick, but this persists.

Matthew Keller wrote:
>
> "Fix" implies a problem

Actually, in the sentence "Can/Should Samba fix NT?", "fix" is a verb
acting on the direct object "NT". Therefore, you are "fixing" the
product, not a problem (in that usage, at least). Given that, Samba is
not a "fix" for NT. It is a possible replacement for it. If anyone would
like to say "Samba can fix various problems caused by or inherent in
NT", they may do so.

Sheesh.

- Kevin Colby
kevinc@grainsystems.com

From Nicolas.Williams at wdr.com Tue Feb 8 22:39:21 2000
From: Nicolas.Williams at wdr.com (Nicolas Williams)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: ; from Jean-Francois.Micouleau@dalalu.fr on Tue, Feb 08, 2000 at 11:30:53PM +0100
References: <20000208132300.O3726@sm2p1386swk.wdr.com>
Message-ID: <20000208173920.W3726@sm2p1386swk.wdr.com>

On Tue, Feb 08, 2000 at 11:30:53PM +0100, Jean Francois Micouleau wrote:
>
> On Wed, 9 Feb 2000, Nicolas Williams wrote:
>
> > - SYSKEY
> >
> > I'm now for it as Luke's LDAP/NIS/other name services argument is a
> > winning one. The /etc/shadow approach should still be supported and
> > used where no such cleartext protocols are in use.
>
> Everyone has a point of view :)

Heh!

> > - TNG code freeze
> >
> > Don't do it yet; wait a few more weeks. So much progress is taking
> > place that it seems worthwhile to wait a bit longer.
>
> NO. freeze Now ! I know Luke well enough to say that if you leave him just
> a week, he will have a new idea he'll want to code. Of course if you have
> spent more than an afternoon on his roof then you know him better than I
> :-)

Yes, but I wanted to give Luke a chance to settle the PID/VUID
standard_sub_vuser stuff that's been going on in a separate thread. That
bit is important.

> > - 2.0.x->TNG merge
> >
> > This should be easy, actually: take smbd code from 2.0.x as is, drop
> > all the MSRPC code save for the loopback to MSRPC daemons code.
>
> totally unrealistic. You know why ? Because I've done it. And give up. And
> felt some much depressed than I was close to install win95 on my machines.
>
> Merging TNG in HEAD is not much realistic. I also tried, still have a
> tar.gz of the result somewhere.

No, no. I didn't mean merge TNG into HEAD. I meant merge 2.0.x into TNG,
and then ONLY the SMBD fileserving portions. Think about it, Luke has
already modified the head so that non-TNG SMBDs can play with TNG MSRPC
daemons! So completing the merge of head into TNG is a simple matter of
dropping the _dead_ MSRPC code in SMBD.

Pardon my naming of the various branches. I've not done any CVS
checkouts of any Samba CVS branches, so I don't know which is which...

Anyways, once that merge into TNG is done, do as someone else has
already said: make a copy of TNG and call it something else and that
branch will be the release branch and TNG will be the development branch
for it, with future TNG work being merged into the new branch in a
timely fashion.

> The only viable path is to extract features of TNG in diff files and
> incorporate by hand in HEAD.

That should work too, I guess.

> > TNG seems to be much further ahead on the MSRPC issues, which means
> > there's no merge to do from 2.0.x there.
>
> wrong. the smb/rpc layer (the prs_struct structure) is much cleaner in
> HEAD. Some RPC functions have been rewritten in HEAD and must be kept.

Really?!

> > Same thing with utilities such as rpcclient, though smbclient and
> > nmblookup might be best taken from 2.0.x.
>
> rpcclient yes.
>
> > I think it's safe to say that TNG is so jam-packed with good ideas that
> > it will become the next Samba. But then, that's just a view from the
> > sidelines... others may differ on that...
>
> it's also jam-packed with instability and non-portability. And stability
> and portability are much more important than new features.

Yes, but the domain-related MSRPC stuff is unstable in ALL branches.
TNG's domain-related code seems to be the best, from reading these
lists.

At least TNG's modular architecture is already paying off, with more
than one different implementation of the SAM RPC daemon, each with
different database backends.

The TNG modularity ought to be kept. That's the best feature by far of
TNG. But Luke must settle the PID/VUID/standard_sub_vuser stuff soon.

> J.F.

Nico

-DISCLAIMER: an automatically appended disclaimer may follow.
By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From koiler at nisbic.com Tue Feb 8 23:04:13 2000
From: koiler at nisbic.com (John Koyle)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
References:
Message-ID: <38A0A0ED.5E7C520A@nisbic.com>

Jean Francois Micouleau wrote:
>
> On Wed, 9 Feb 2000, Nicolas Williams wrote:
>
> > - SYSKEY
> >
> > I'm now for it as Luke's LDAP/NIS/other name services argument is a
> > winning one. The /etc/shadow approach should still be supported and
> > used where no such cleartext protocols are in use.
>
> Everyone has a point of view :)
>
> > - TNG code freeze
> >
> > Don't do it yet; wait a few more weeks. So much progress is taking
> > place that it seems worthwhile to wait a bit longer.
>
> NO. freeze Now ! I know Luke well enough to say that if you leave him just
> a week, he will have a new idea he'll want to code. Of course if you have
> spent more than an afternoon on his roof then you know him better than I
> :-)

FREEZE! I agree, I've spent about the last 2 weeks just trying to get
TNG setup and working properly against an LDAP backend. I've done so
many cvs updates my head is spinning. Code compiles then doesn't, etc.
Finally, I got it working but not after the decision was made to hold
off awhile (I know it is enterprise ready, but we're still a small shop
that could deal alpha code). In the meantime I'll be cursed with NT2000
until TNG becomes more reliable/stable. This does mean that I'll get to
test any 2000/TNG items you'd like, or that I won't keep working/hacking
with it. ;-)

The point is new people like myself (to TNG) would very much like to
test/debug TNG, and it's nearly impossible to do that when there are 30
cvs updates per day. If it began to stabilize people (like myself again,
Lars, etc.) could generate FAQ's that are a little more useful since
things aren't so dynamic.

On a side note, the ldap search scope should be a configuration option,
rather than hard-coded in ldap.c. For a small organization like ours
with a single PDC, I still have my directory divided into ou's.

John

From lkcl at samba.org Tue Feb 8 23:24:52 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <20000208172449.U3726@sm2p1386swk.wdr.com>
Message-ID:

> > 1) for test purposes and if i want, as root, to bypass SMB authentication
> > stages (which may not be up or working, say, if i have broken netlogond or
> > don't _have_ one!),
>
> Ok. So for testing have rpcclient on the localhost talk to the MSRPC
> daemons directly via the Unix domain sockets.

correct.

> That would cut SMBD out of
> the picture and you still don't have to link in the MSRPC server-side
> code in rpcclient.

yep. i was just giving you an example (simple one) of how to implement
ncalrpc in a [bad] way, the dlopen / dlsym way is a better example.

> This is for testing, so you don't have to be strict about authenticating
> rpcclient's user (which would otherwise have been done by SMBD).

.... i'm taking "advantage" of the unix-socket-loopback code.

> > 2) i may end up replacing the unix-socket-loopback code (as a compile-time
> > option) with this:
> >
> >
> > uint32 samr_open_domain(...)
> > {
> >     return dlsym(dlopen("libsmbsampass.so"), "_samr_open_domain")(...)
> > }
> >
> > this is a perfectly feasible and rational thing to do. it also means i
> > can't assume that libsmbsampass.so will always be run in a root security
> > context.
>
> So you finally read the man pages for dlopen()/dlsym() and thought them
> to be cool :)

um, i didn't read them, but people keep telling me about them :)

> Ok, but then, while this goes along with the modularity of TNG, it does
> not help reduce resource consumption as much as having a separate set of
> MSRPC daemon processes, one set per server host, that SMBD talks to via
> DCE/RPC over local IPC.

true :)

> > if you have multiple smbd connections to one msrpc daemon, users are going
> > to get _very_ unhappy if they don't have their own user security context.
>
> We've already settled that point by having SMBD pass in PID/VUID
> information with the DCE/RPC calls and storing the user context info in
> a TDB keyed by PID/VUID.
>
> Why rehash this?

we're not. when you receive an MSRPC PDU, it comes in with a context_id
in it. i overload that with the VUID, and do a
become_vuser(context_id), thereby ensuring that the remote function call
has EXACTLY the same setuid / setgid / simulated-NT-security-context as
the local function caller environment.

> So the MSRPC daemons will have access to the user context information.

yes.

> They have to implement authorization functionality internally because

no. they don't. see rpc_server/srv_pipe_ntlmssp.c api_pipe_verify().
this is (should be) exactly the same code as in smbd/reply.c
reply_sesssetup_x(). call domain_client_validate(), obtain a
NET_USER_INFO3, obtain uid/gid/getgroups, create a user_struct, do a
become_vuser().

otherwise, if the msrpc daemon was fired up from smbd, the msrpc daemon
INHERITS the sec_ctx of the smbd process, it doesn't _do_ authorisation
itself, it trusts that the msrpc loop-back interface hasn't been
compromised because it's root-only-access.

> the objects which most of those MSRPC daemons deal with are NOT Unix
> kernel objects (files, pipes, Unix sockets, processes, whatever); if
> those objects are not Unix kernel objects then switching Unix security
> contexts (euid/egid) HAS NO EFFECT.
> Why rehash this?

because i am not thinking in terms of _just_ NT, here, any more. i'm
thinking in terms of a proper dce/rpc full implementation. except,
without the thread library, for now.

> > yes, i'm not saying that msrpc daemons _shouldn't_ switch to root, if they
> > need to.
>
> Ok. But I'm saying that neither LSA, nor SAM nor NETLOGON need to run as
> any user other than root.

need? what has the need of three little services that _use_ dce/rpc got
to do with the design of a dce/rpc implementation [dce/rpc the mechanism
itself is different from dce/rpc-based services themselves].

> > ... not quite. we have to inherit the security context of the smbd
> > process. the smbd sec-ctx (POSIX uid) is mapped one-to-one to an NT
> > sec-ctx, and that's the way i want it to stay. i do NOT want to have to
> > code up one POSIX uid [root] mapping to multiple [any] NT sec-ctx [SID].
> > there's too much work involved.
>
> See above. The context is passed in by SMBD via the PID/VUID and the TDB
> record indexed by the same. But switching the POSIX context will turn
> out to be a useless thing to do, most of the time.

no it won't. there are currently 9 msrpc daemons. only 3 of them, IF the
implementers choose to, HAVE to, at some point, jump to root, OR, if the
implementers choose to, CAN run as root all the time.

if you're suggesting that just because _some_ msrpc service
implementations _should_, in your opinion (and a few others), be run as
root, that the entire MSRPC service-running-system _must_ run _all_
services as root, then i have to say, that's silly.

> See above.
>
> > you are aware of LsaRetrievePrivateData, LsaSetPrivateData,
> > LsasomethinglikeCreateUserAccount.
>
> No. I was not. I looked at your book. They're not listed in it, thus I
> did not know about them.

i found out about them when someone requested doing a SvcCreateService
function. NT threw all sorts of wobbly-looking LSAs at me on the
network, and i freaked out, and told them i couldn't do a
SvcCreateService right now. that was four months ago.

> > you want me to run these as root? fine, i'll run them as root. then,
> > when they call Samr functions, those will be run as root, too.
>
> Yes, if those items are records in a larger database. No if those
> items are _files_ in a Unix filesystem. By 'items' I mean the
> 'PrivateData' referred to in the function names you list above.

well, createuseraccount, say.

so, what you're saying is, it's an implementation-specific issue, on a
per-msrpc-daemon basis? because if so, why [as it seems] are you
suggesting that i only run msrpc-service-running as root, and drop the
become_vuid() function call?

> Of course, if you store those items in a database with other user's
> items, then you'll have to implement your own authorization mechanism.

... *sigh*...

> If the items are kept as individual files then you _can_ let Unix do
> access control, in which case the LSA daemon must switch POSIX security
> contexts.

separate the concepts of msrpc-service-running from
msrpc-service-implementation and then let's go over this, again.

> > so an anonymous user connecting to \PIPE\samr can add user accounts to a
> > SAM database.
>
> No, why? LSA would know the security context of the caller from the
> PID/VUID passed in by the intermediate SMBD and TDB record indexed by
> that PID/VUID tuple and it would know that the caller is anonymous and
> so would deny access as appropriate.

yeah. that's implementing an entire NT security model, including access
right checks, inside samba. i _really_, _really_ don't want to have to
do that... _right_ now. do you have any idea how much work would be
involved? there are well over 100 msrpc-service-functions in samba in
all 9 msrpc daemons.

no thank you. not today.

therefore, i am "thunking" NT to unix, maintaining one-to-one mapping
between NT security contexts and unix security contexts, as the first
implementation.

> > > Similarly with NETLOGON.
> >
> > no, NETLOGON should only become_root() to call _samr_query_userinfo(),
> > _samr_set_userinfo() to obtain or set user passwords. unbecome_root().
>
> I disagree. NETLOGON should always run as root.

that's just one implementation of a netlogon daemon, nico. doesn't mean
_all_ netlogonds should be root.

> Let me ask you a question: how does NT do it? Do the equivalent NT
> services (the processes that implement them) ever switch security
> contexts? Or do they always run privileged?

MSRPC connections to NETLOGON are anonymous (over SMB IPC$). however,
microsoft run the NETLOGON services at the SYSTEM context in order to be
able to access SYSTEM-ACL-locked functions, such as
SamQueryUserInfo(level 0x12) in SAMSRV.DLL.

answer: don't know. i can make a guess.

> > > SAM accesses a database the same way no matter who is making the SAM
> > > calls (I mean at the system call level). SAM will need to do
> > > authorization internally; no Unix authorization mechanism will change
> > > this (unless you use a filesystem as a database -- as opposed to TDB or
> > > LDAP -- but that has its problems and is a non-starter, I bet).
> >
> > tdb _is_ a filesystem-based database, and yes: i am relying on the unix
> > security context to provide me with samtdb access authorisation.
>
> No, you misunderstood. TDB is stored in a file, but each TDB record is
> represented as data in that file, not as a _separate_ file. I.e., TDB is
> not a directory/file hierarchy with each record being stored as a
> _separate_ file!!

well, actually, i _was_ considering doing exactly that...

> > an anonymous user is mapped to the guest account. if the guest account
> > doesn't have write permission on S-1-5-21-xxx-xxx-xxx.usr.tdb, they can't
> > do any damage to user accounts or modify the SAM database in any way.
> >
> > like i said earlier, the only reason to allow become_root() is to do an
> > _samr_set_userinfo() at level 0x12 or an _samr_query_userinfo() at level
> > 0x12, which return or set the user LM#/NT# direct unbecome_root().
>
> If you always run as root you don't need to do this.
>
> > in the entire samtdb code, there _aren't_ any become_root / unbecome_root
> > calls (except from cut/paste from srv_samr_passdb.c, which i haven't got
> > round to removing)
>
> Good, so it works then? Always running as root?

no, it runs as the smbd-connected security context, which is usually
anonymous! i've designed the samtdb implementation so that the tdb files
are all 644, and owned by root.

i _may_ change this, based on what i find out with the rpcclient
samquerysec command on individual user accounts.

ok, the _owner_ of the individual user account infos is S-1-5-32-544,
which is Administrators. the _user_ themselves have "create" and
"Readcontrol" permissions. i.e they can create a user password, and they
can read their own user profile.

> (BTW, I don't want to get too adversarial here; I don't know you personally.)

no problem, nico :)

From lkcl at samba.org Tue Feb 8 23:31:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

> > TNG seems to be much further ahead on the MSRPC issues, which means
> > there's no merge to do from 2.0.x there.
>
> wrong. the smb/rpc layer (the prs_struct structure) is much cleaner in
> HEAD. Some RPC functions have been rewritten in HEAD and must be kept.

don't want to do it. point me in the direction of specific functions and
i'll rewrite them in TNG. i don't want ANY of the dce/rpc code from 2_0
or cvs main in any future version of samba, i have no idea of its
trustworthiness.

there _is_ one feature i do want: the byte-ordering that jeremy added.

From duehr at id-pro.net Wed Feb 9 00:38:33 2000
From: duehr at id-pro.net (Stephan Duehr)
Date: Tue Dec 2 02:28:25 2003
Subject: difference between NT WS and Server
Message-ID: <20000209013833.A2238@qwerty.office.id-pro.net>

I have set up a Samba PDC with LDAP and have no problem
logging in from Win98 and NT Workstation SP4. But there's
a NT Server (exactly Terminal Server Edition with Citrix) SP3
that successfully joined the domain, but always gets refused
to log in, I always get something like

[2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417)
  smb_password_ok: Check NT MD4 password
[2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426)
  NT MD4 password check failed
[2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438)
  Checking LM MD4 password
[2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457)
  LM MD4 password check failed
[2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542)
  Error pass_check_smb failed

but logging in with the same user and password works from NT WS.

Are there some funny differences in the way NT Server logs in
to a domain compared to WS? Or may SP4 solve the problem?

(btw: I use cvs of 1999/10/15)

--
Stephan Duehr * ID-PRO Deutschland GmbH * Tel +49 228 4 21 54 0 * Fax +49 228 4 21 54 29 * http://open-for-the-better.com/

From mgeddes at xavier.sa.edu.au Wed Feb 9 00:48:20 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:25 2003
Subject: NT Policy and groups
References: <389EDAC5.DACC102B@eeigm.inpl-nancy.fr> <389F459B.DAA7DF27@xavier.sa.edu.au> <389FF3D5.CF427DCB@eeigm.inpl-nancy.fr>
Message-ID: <38A0B954.96C683E0@xavier.sa.edu.au>

Christian Duclou wrote:

> Matthew Geddes wrote:
>
> > Christian Duclou wrote:
> >
> > > Hello,
> > >
> > > How to use NT Policy with Samba 2.0.6 as PDC for NT 4.0
> > > Workstations?
> > >
> > > The goal is to restrict locals resources access on the stations for
> > > a group of users.
> > >
> > > Thanks,
> > > Christian
> > > --
> > > _____________ EEIGM - Service Informatique _____________
> > > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France
> > > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36
> > > _______________ http://eeigm.inpl-nancy.fr _____________
> >
> > I do it the same way I do on an NT server. Save NTConfig.POL on
> > \\PDC\netlogon. You just need to make sure that administrators are the only
> > people allowed to write to the share (everyone needs to read).
> >
> > Matt
>
> Thank for your answer,
> My problem is that except "Domain admins", no group is visible in "poledit"
> ..?

Did you try add group? You should be able to type in the name of a group
if you don't get a list up.

Matt

From tastas at home.com Wed Feb 9 00:51:57 2000
From: tastas at home.com (Todd Sabin)
Date: Tue Dec 2 02:28:25 2003
Subject: rpcclient from tng
In-Reply-To: Luke Kenneth Casson Leighton's message of "Wed, 9 Feb 2000 03:58:25 +1100"
References:
Message-ID:

Luke Kenneth Casson Leighton writes:

> oops, it may be too long (large) for the current regenum code. does
> anyone with some MSDN / Reg* experience want to take a look at the code
> and try and fix this? the api is pretty much identical except it will be
> reg_enum_values not RegEnumValues etc :)
>

The problem appears to be that the registry value has no name. I.e., its
name is "", the null string. Yes, the geniuses at Microsoft allow you to
create values with the null string as its name. In fact, large sections
of the registry (typically the stuff developed on Win9x first) are full
of this. When you look at them with regedit.exe it calls them "Default"
in the UI. When you look at them with regedt32.exe it calls them "".

Not sure what rpcclient needs to do to handle this...

Todd

> On Wed, 9 Feb 2000, Seth Vidal wrote:
> > HKLM\SOFTWARE\COMPANYNAME\SOFTWARENAME\LICENSEKEY\
> >
> > the only (default) key under this tree is a string type licensekey.
> >
> > How do I set the value for the default entry?
> > As well when I do a regenum It never lists the current value.
> > the errors I see:
> > [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO
> > Scientific\DataStudio\LicenseKey"
> > regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey"
> > vuid_init_db: failed
> > Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\LicenseKey
> > Key Values
> > ----------
> > REG_ENUM_VALUE:
> >
> > [skvidal@JORDAN]$ regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber"
> > regenum "HKEY_LOCAL_MACHINE\SOFTWARE\PASCO Scientific\DataStudio\SerialNumber"
> > vuid_init_db: failed
> > Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\PASCOScientific\DataStudio\SerialNumber
> > Key Values
> > ----------
> > : string: 5895
> >
> >
> > so you see the next key does have values but the licensekey doesn't.
> >
> > I've checked the machine and there is an entry.

From tastas at home.com Wed Feb 9 01:04:05 2000
From: tastas at home.com (Todd Sabin)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: Luke Kenneth Casson Leighton's message of "Wed, 9 Feb 2000 07:33:17 +1100"
References:
Message-ID:

Luke Kenneth Casson Leighton writes:

>
> basically, MSRPC is a remote function call mechanism. if the caller is
> root, the remote function call is root. if the caller is a threaded
> application, the remote function call is a threaded implementation. if
> the caller is user-foo, the remote function call is user-foo.
>
> that's the way MSRPC is designed, that's its job, and to expect it to do
> anything else (e.g run remotely as root) is, in my opinion, asking for
> trouble.
>

No, that's not how MSRPC is designed. The server runs in whatever
security context it starts up in. If the call is authenticated, and if
the client has permitted it, and if the server decides to do it, the
server can impersonate the client for some part of the duration of the
call.

On NT, lsass (the thing that implements samr and lsarpc) runs in the
SYSTEM context, and does so most of the time, even when servicing an
RPC. It impersonates the client only briefly to validate that the client
has the proper permissions to do what it's asking.

Todd

From mgeddes at xavier.sa.edu.au Wed Feb 9 01:34:22 2000
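An added example, not part of any message in this thread and not Samba code: a C sketch of the design Nicolas Williams and Todd Sabin describe above, where the service stays in one privileged context, looks up the caller by the PID/VUID pair that smbd passes in, and makes the access decision itself. The struct, function names, operation set and policy are assumptions for illustration; the in-memory table stands in for the TDB keyed by PID/VUID, and `file_perm_allows()` models the alternative of relying on the mode bits of a single root-owned 0644 tdb file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical caller context, as smbd would store it under the
 * (pid, vuid) key before forwarding a call to the MSRPC daemon. */
struct caller_ctx {
    uint32_t smbd_pid;  /* pid of the smbd that owns the session */
    uint16_t vuid;      /* session id inside that smbd */
    uint32_t rid;       /* account the session authenticated as */
    int is_admin;       /* member of Administrators */
    int is_guest;       /* anonymous session mapped to guest */
};

/* Illustrative subset of operations a SAM-like service exposes. */
enum sam_op {
    SAM_QUERY_PROFILE,  /* read account info */
    SAM_SET_PASSWORD,   /* change a password */
    SAM_QUERY_HASHES,   /* the "level 0x12" case: LM/NT hashes */
    SAM_CREATE_USER     /* add an account */
};

enum sam_status { SAM_OK = 0, SAM_ACCESS_DENIED = 1 };

/* Constructed sample data standing in for the PID/VUID-keyed TDB. */
static const struct caller_ctx ctx_table[] = {
    { 4101, 100, 500,  1, 0 },  /* administrator session */
    { 4102, 100, 1001, 0, 0 },  /* ordinary user, RID 1001 */
    { 4103, 101, 501,  0, 1 },  /* anonymous, mapped to guest */
};

const struct caller_ctx *ctx_lookup(uint32_t pid, uint16_t vuid)
{
    for (size_t i = 0; i < sizeof ctx_table / sizeof ctx_table[0]; i++)
        if (ctx_table[i].smbd_pid == pid && ctx_table[i].vuid == vuid)
            return &ctx_table[i];
    return NULL;
}

/* Per-record decision made inside the daemon. The process euid never
 * appears here: the objects are records, not kernel objects. */
enum sam_status sam_authorize(uint32_t pid, uint16_t vuid,
                              enum sam_op op, uint32_t target_rid)
{
    const struct caller_ctx *c = ctx_lookup(pid, vuid);

    if (c == NULL || c->is_guest)
        return SAM_ACCESS_DENIED;   /* unknown or anonymous: fail closed */

    switch (op) {
    case SAM_QUERY_HASHES:          /* assumed policy: never for a forwarded caller */
        return SAM_ACCESS_DENIED;
    case SAM_CREATE_USER:
        return c->is_admin ? SAM_OK : SAM_ACCESS_DENIED;
    case SAM_QUERY_PROFILE:
    case SAM_SET_PASSWORD:          /* own record, or any record for an admin */
        return (c->is_admin || c->rid == target_rid) ? SAM_OK
                                                     : SAM_ACCESS_DENIED;
    }
    return SAM_ACCESS_DENIED;
}

/* The other approach in the thread: let the mode bits of the one
 * database file decide. Simplified model: group bits are ignored. */
int file_perm_allows(uint32_t euid, uint32_t owner, unsigned mode, int want_write)
{
    unsigned bit = want_write ? 02u : 04u;

    if (euid == 0)
        return 1;                               /* root bypasses mode bits */
    if (euid == owner)
        return ((mode >> 6) & bit) ? 1 : 0;
    return (mode & bit) ? 1 : 0;
}

int main(void)
{
    /* User 1001 may change their own password under the record check ... */
    printf("record check, own password: %d\n",
           sam_authorize(4102, 100, SAM_SET_PASSWORD, 1001));
    /* ... but a 0644 root-owned file gives them no write at all,
     * while letting them read every record in it. */
    printf("file check, write: %d read: %d\n",
           file_perm_allows(1001, 0, 0644, 1),
           file_perm_allows(1001, 0, 0644, 0));
    return 0;
}
```

The file-mode check is all-or-nothing for every record in the file, which is why a context switch only helps when each object is its own file.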
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:25 2003
Subject: Browsing and stuff
Message-ID: <38A0C41E.E31C4041@xavier.sa.edu.au>

Hi guys,

If I have two Samba servers set up like so:

    os level = 65
    domain master = yes
    local master = yes
    preferred master = yes

and

    os level = 60
    domain master = yes
    local master = yes
    preferred master = yes

and the top machine goes down, will that force an election that will
then be won by the second machine? If not, is it a built in thing or a
"Matt's configured it wrong" thing?

Also, does Samba BDC pass all authentication on to the PDC, or does it
cache or store a copy of the SAM?

Thanks heaps,

Matt

From mgeddes at xavier.sa.edu.au Wed Feb 9 01:37:57 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:25 2003
Subject: difference between NT WS and Server
References: <20000209013833.A2238@qwerty.office.id-pro.net>
Message-ID: <38A0C4F5.F445BCD@xavier.sa.edu.au>

Stephan Duehr wrote:

> I have set up a Samba PDC with LDAP and have no problem
> logging in from Win98 and NT Workstation SP4. But there's
> a NT Server (exactly Terminal Server Edition with Citrix) SP3
> that successfully joined the domain, but always gets refused
> to log in, I always get something like
>
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417)
>   smb_password_ok: Check NT MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426)
>   NT MD4 password check failed
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438)
>   Checking LM MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457)
>   LM MD4 password check failed
> [2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542)
>   Error pass_check_smb failed
>
> but logging in with the same user and password works from NT WS.
>
> Are there some funny differences in the way NT Server logs in
> to a domain compared to WS? Or may SP4 solve the problem?
>

Your server hasn't been set to use plaintext passwords at any stage has
it? Just a guess....

Matt

From sharpe at ns.aus.com Wed Feb 9 02:54:12 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:25 2003
Subject: Browsing and stuff
In-Reply-To: <38A0C41E.E31C4041@xavier.sa.edu.au>
Message-ID: <3.0.6.32.20000209125412.00988d00@203.16.214.248>

Hi,

At 12:26 PM 2/9/00 +1100, Matthew Geddes wrote:
>Hi guys,
>
>If I have two Samba servers set up like so:
>
>  os level = 65
>  domain master = yes
>  local master = yes
>  preferred master = yes
>
>and
>
>  os level = 60
>  domain master = yes
>  local master = yes
>  preferred master = yes
>
>and the top machine goes down, will that force an election that will
>then be won by the second machine? If not, is it a built in thing or a
>"Matt's configured it wrong" thing?

No, it will not necessarily force an election. The things that will cause
an election are:

1. A client trying to browse (send GetBackupList) and not getting a
   response within the timeout.

2. A backup browser trying to get the browse list from the master
   and not getting a response.

3. A server coming up and having prefered master = yes

4. Maybe something else.

You have not necessarily configured it wrong, but you do not need the
preferred master on the second server, as that just forces it to have an
election when it comes up, which is useless if the other one is running, I
think.

>Also, does Samba BDC pass all authentication on to the PDC, or does it
>cache or store a copy of the SAM?

PDC keeps its own copy of the SAM. Samba TNG's rpcclient program contains
a samsync command, IIRC.

>Thanks heaps,
>
>Matt
>
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From mgeddes at xavier.sa.edu.au Wed Feb 9 02:04:00 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:25 2003
Subject: Browsing and stuff
References: <3.0.6.32.20000209125412.00988d00@203.16.214.248>
Message-ID: <38A0CB10.A5DC52D9@xavier.sa.edu.au>

Richard Sharpe wrote:

> Hi,
>
> At 12:26 PM 2/9/00 +1100, Matthew Geddes wrote:
> >Hi guys,
> >
> >If I have two Samba servers set up like so:
> >
> >  os level = 65
> >  domain master = yes
> >  local master = yes
> >  preferred master = yes
> >
> >and
> >
> >  os level = 60
> >  domain master = yes
> >  local master = yes
> >  preferred master = yes
> >
> >and the top machine goes down, will that force an election that will
> >then be won by the second machine? If not, is it a built in thing or a
> >"Matt's configured it wrong" thing?
>
> No, it will not necessarily force an election. The things that will cause
> an election are:
>
> 1. A client trying to browse (send GetBackupList) and not getting a
>    response within the timeout.
>
> 2. A backup browser trying to get the browse list from the master
>    and not getting a response.
>
> 3. A server coming up and having prefered master = yes
>
> 4. Maybe something else.
>
> You have not necessarily configured it wrong, but you do not need the
> preferred master on the second server, as that just forces it to have an
> election when it comes up, which is useless if the other one is running, I
> think.

Sounds about right. I was just thinking it might be nice as a redundancy
thing. Not important.

>
>
> >Also, does Samba BDC pass all authentication on to the PDC, or does it
> >cache or store a copy of the SAM?
>
> PDC keeps its own copy of the SAM. Samba TNG's rpcclient program contains
> a samsync command, IIRC.
>

Does this mean you need to manually update the BDCs whenever you a) start
samba on the BDC or b) whenever changes are made.

>
> >Thanks heaps,
> >
> >Matt

Thanks again,
Matt

From martinb at tantalus.com Wed Feb 9 02:23:45 2000
From: martinb at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:25 2003
Subject: [samba tng] Compiling Error
Message-ID: <000e01bf72a4$b798a320$bc2235d1@bconnected.net>

I'm trying to compile the latest samba tng CVS. I have LDAP support
enabled.

Linux 2.2.5-15 #1 Mon Apr 19 22:21:09 EDT 1999 i586 unknown

This is the error I get.

Linking shared library bin/libnmb.la
Compiling param/loadparm.c with libtool
param/loadparm.c:790: structure has no member named `szLdapRealm'
param/loadparm.c:790: initializer element for `parm_table[204].ptr' is not constant
make: *** [param/loadparm.lo] Error 1

Any ideas?

From sharpe at ns.aus.com Wed Feb 9 04:49:16 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:25 2003
Subject: Samba 2.0.6, NT and logon scripts
Message-ID: <3.0.6.32.20000209144916.0097e5f0@203.16.214.248>

Hi,

I have been experimenting and messing around with Samba 2.0.6 as a PDC ...
and have found that if you set logon script to %u.bat, things do not work
very well. It seems that the code that handles the RPC call that retrieves
all the appropriate info does not call standard_sub on lp_logon_script :-(

Thus if you had a mixed Win9X and NT environment, you would be forced to
use include files to allow you to:

1. Generate scripts for Win 9X users
2. Have a logon script for NT users that was relevant ...

ie,

  logon script = %u.bat
  include = /etc/smb.conf.%a

Let's see if this works ...

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From dave at deakin.edu.au Wed Feb 9 03:55:54 2000
From: dave at deakin.edu.au (David Schwarz)
Date: Tue Dec 2 02:28:25 2003
Subject: Samba 2.0.6, NT and logon scripts
In-Reply-To: <3.0.6.32.20000209144916.0097e5f0@203.16.214.248>
Message-ID:

Richard wrote

>Thus if you had a mixed Win9X and NT environment, you would be forced to
>use include files to allow you to:
>
>1. Generate scripts for Win 9X users
>2. Have a logon script for NT users that was relevant ...

Or inside the script you simply check which OS you are running on,

usually by checking if %OS% exists
if it doesn't you're on Win3x or Win9x or DOS,
otherwise you're on Windows_NT, which is how most NT admins would be doing it
currently.

Thanks
Dave......

______________________________________________________________________
David Schwarz
Desktop /Workgroup Section Leader
ITS, Deakin University
Ph (03) 52278938
Fax (03) 52278xxx

This years quote:
"Linux is only free if your time has no value" - Jamie Zawinski
______________________________________________________________________

From David.Bear at asu.edu Wed Feb 9 04:04:17 2000
From: David.Bear at asu.edu (David Bear)
Date: Tue Dec 2 02:28:25 2003
Subject: pre 3.0 code base stability?
Message-ID:

I am running 2.0.5 on Caldera Openlinux 2.3. They made some changes as to
where smb.conf and the logs are stored. However, I am contemplating a move
to the pre 3.0 code. I got the cvs main code 2 weeks ago and installed it
on FreeBSD. Works terrific. Solves the file time stamp problem we were
having. So I thought about changing the production server to the pre 3.0
code. I am wondering how stable the pre 3.0 code is and if anyone is
running it in production mode? Or, if there are alternative
recommendations...

David Bear
College of Public Programs/ASU
A word is just two nibbles and a byte...

From sharpe at ns.aus.com Wed Feb 9 05:10:05 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:25 2003
Subject: Samba 2.0.6 with NT and profiles
Message-ID: <3.0.6.32.20000209151005.008eee30@203.16.214.248>

Hi,

I am seeing some strange results with profiles under Samba 2.0.6 and NT
Workstation, and wonder if this is the nature of the beast (Samba 2.0.6 as
a PDC being unsupported) or whether I have something wrong.

Every time I log onto NT Workstation 4.0, I am told that my local profile
is more up to date than the remote profile and do I want to use the local
profile ...

Interestingly, but perhaps of little use, but NT accesses profiles before
the logon script, while Win 9X does it the other way around.

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From sharpe at ns.aus.com Wed Feb 9 05:06:45 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:25 2003
Subject: Samba 2.0.6, NT and logon scripts
In-Reply-To:
References: <3.0.6.32.20000209144916.0097e5f0@203.16.214.248>
Message-ID: <3.0.6.32.20000209150645.00980a00@203.16.214.248>

At 02:57 PM 2/9/00 +1100, David Schwarz wrote:
>Richard wrote
>
>>Thus if you had a mixed Win9X and NT environment, you would be forced to
>>use include files to allow you to:
>>
>>1. Generate scripts for Win 9X users
>>2. Have a logon script for NT users that was relevant ...
>
>
>Or inside the script you simply check which OS you are running on,
>
>usually by checking if %OS% exists
>if it doesn't you're on Win3x or Win9x or DOS,
>otherwise you're on Windows_NT, which is how most NT admins would be doing it
>currently.

Sure, but I guess I was thinking in the context of dynamically generating
scripts so on Win3X or Win9X doing more complex things than standard logon
scripts allow you to do.

>Thanks
>Dave......
>
>______________________________________________________________________
>David Schwarz
>Desktop /Workgroup Section Leader
>ITS, Deakin University
>Ph (03) 52278938
>Fax (03) 52278xxx
>
>This years quote:
>"Linux is only free if your time has no value" - Jamie Zawinski
>______________________________________________________________________
>
>
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From GLeblanc at cu-portland.edu Wed Feb 9 04:36:05 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:25 2003
Subject: Browsing and stuff
Message-ID:

> -----Original Message-----
> From: Matthew Geddes [mailto:mgeddes@xavier.sa.edu.au]
> Sent: Tuesday, February 08, 2000 5:58 PM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Browsing and stuff
>
> > >Also, does Samba BDC pass all authentication on to the
> PDC, or does it
> > >cache or store a copy of the SAM?
> >
> > PDC keeps its own copy of the SAM. Samba TNG's rpcclient
> program contains
> > a samsync command, IIRC.
> >
> Does this mean you need to manually update the BDCs whenever
> you a) start
> samba on the BDC or b) whenever changes are made.

I don't know exactly how samba does it, but NT propogates (sp?) changes to
the SAM at regular intervals. I think you can even change it in the
registry of the PDC, and it is most definitely a "push" operation for a
strictly NT network. Somebody who knows more about TNG will have to answer,
but my question is "Does Samba TNG accept and NT PDCs send of the SAM DB?"

Greg

From lkcl at samba.org Wed Feb 9 04:51:20 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:25 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <38A0A0ED.5E7C520A@nisbic.com>
Message-ID:

> The point is new people like myself (to TNG) would very much like to
> test/debug TNG,
> and it's nearly impossible to do that when there are 30 cvs updates per

is that all? *giggle*.

*sigh*. ok, i promise i won't do anything more than bug-fixes, samrtdbd
and libsurs work.

From skvidal at phy.duke.edu Wed Feb 9 04:58:52 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:26 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

> *sigh*. ok, i promise i won't do anything more than bug-fixes, samrtdbd
> and libsurs work.

I know this may sound weird but:
thanks for all the work on this - and thanks for being willing to slow
down somewhat.

-sv

From sharpe at ns.aus.com Wed Feb 9 05:47:11 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:26 2003
Subject: Browsing and stuff
In-Reply-To: <38A0CB10.A5DC52D9@xavier.sa.edu.au>
References: <3.0.6.32.20000209125412.00988d00@203.16.214.248>
Message-ID: <3.0.6.32.20000209154711.0097ed40@203.16.214.248>

At 12:34 PM 2/9/00 +1030, Matthew Geddes wrote:
>Richard Sharpe wrote:
>
>> >Also, does Samba BDC pass all authentication on to the PDC, or does it
>> >cache or store a copy of the SAM?
>>
>> PDC keeps its own copy of the SAM. Samba TNG's rpcclient program contains
>> a samsync command, IIRC.
>>
>
>Does this mean you need to manually update the BDCs whenever you a) start
>samba on the BDC or b) whenever changes are made.

I think you can do a samsync from cron ...

>>
>> >Thanks heaps,
>> >
>> >Matt
>
>Thanks again,
>Matt
>
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From lkcl at samba.org Wed Feb 9 04:59:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: difference between NT WS and Server
In-Reply-To: <20000209013833.A2238@qwerty.office.id-pro.net>
Message-ID:

hmm, is it NT server in the same domain, joined to the samba tng domain?

On Wed, 9 Feb 2000, Stephan Duehr wrote:

> I have set up a Samba PDC with LDAP and have no problem
> logging in from Win98 and NT Workstation SP4. But there's
> a NT Server (exactly Terminal Server Edition with Citrix) SP3
> that successfully joined the domain, but always gets refused
> to log in, I always get something like
>
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417)
>   smb_password_ok: Check NT MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426)
>   NT MD4 password check failed
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438)
>   Checking LM MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457)
>   LM MD4 password check failed
> [2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542)
>   Error pass_check_smb failed
>
> but logging in with the same user and password works from NT WS.
>
> Are there some funny differences in the way NT Server logs in
> to a domain compared to WS? Or may SP4 solve the problem?
>
> (btw: I use cvs of 1999/10/15)
> --
> Stephan Duehr
>
> * ID-PRO Deutschland GmbH
> * Tel +49 228 4 21 54 0
> * Fax +49 228 4 21 54 29
> * http://open-for-the-better.com/
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 05:01:00 2000
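Added example, not part of any poster's message and not Samba code: a parser for the two-line debug-log entries quoted in the "difference between NT WS and Server" thread above, which records per logon attempt which hash checks failed. The helper names are hypothetical, and the last sample entry reuses the thread's message text with a constructed timestamp.

```python
"""Parse Samba debug-log entries pasted into mail and summarise failed logons.

Added illustration, not Samba code. parse_entries() and
summarize_attempts() are hypothetical helper names.
"""
import re
from dataclasses import dataclass

# Header line of one entry: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Mail quoting ("> ", ">> ", "> > ") in front of a pasted log line.
QUOTE = re.compile(r"^\s*(?:>\s?)+")

# The first five entries are the ones quoted in the thread. The sixth is
# constructed: same message text, new timestamp, modelling a paste that was
# cut off before the hash-check lines.
SAMPLE = """\
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417)
>   smb_password_ok: Check NT MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426)
>   NT MD4 password check failed
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438)
>   Checking LM MD4 password
> [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457)
>   LM MD4 password check failed
> [2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542)
>   Error pass_check_smb failed
> [2000/01/31 20:28:41, 3] smbd/password.c:pass_check_smb(542)
>   Error pass_check_smb failed
"""


@dataclass
class Entry:
    ts: str
    level: int
    source: str
    func: str
    message: str = ""


def parse_entries(text):
    """Join each header line with the message line(s) that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Entry(m["ts"], int(m["level"]), m["file"], m["func"])
            entries.append(current)
        elif current is not None:
            # Continuation line: append to the message of the open entry.
            current.message = (current.message + " " + line).strip()
    return entries


def summarize_attempts(entries):
    """Group entries into logon attempts, each closed by pass_check_smb."""
    attempts, cur = [], None
    for e in entries:
        if e.func not in ("smb_password_ok", "pass_check_smb"):
            continue
        if cur is None:
            cur = {"first_seen": e.ts, "nt_failed": False,
                   "lm_failed": False, "rejected": False}
        if "NT MD4 password check failed" in e.message:
            cur["nt_failed"] = True
        elif "LM MD4 password check failed" in e.message:
            cur["lm_failed"] = True
        elif e.func == "pass_check_smb" and "failed" in e.message:
            cur["rejected"] = True
            attempts.append(cur)
            cur = None
    if cur is not None:
        attempts.append(cur)  # log ended before a verdict was written
    return attempts


if __name__ == "__main__":
    for a in summarize_attempts(parse_entries(SAMPLE)):
        if a["nt_failed"] and a["lm_failed"]:
            detail = "both NT and LM hash comparisons failed"
        else:
            detail = "no hash comparison logged for this attempt"
        print(f"{a['first_seen']} rejected={a['rejected']}: {detail}")
```

An attempt rejected with neither hash check logged points at a log level or paste that hides the comparison, so the capture should be repeated at level 4 or higher before drawing conclusions.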
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: rpcclient from tng
In-Reply-To:
Message-ID:

On 8 Feb 2000, Todd Sabin wrote:

> Luke Kenneth Casson Leighton writes:
>
> > oops, it may be too long (large) for the current regenum code. does
> > anyone with some MSDN / Reg* experience want to take a look at the code
> > and try and fix this? the api is pretty much identical except it will be
> > reg_enum_values not RegEnumValues etc :)
> >
>
> The problem appears to be that the registry value has no name. I.e.,
> its name is "", the null string. Yes, the geniuses at Microsoft allow
> you to create values with the null string as its name. In fact, large

... *blink* :)

> sections of the registry (typically the stuff developed on Win9x
> first) are full of this. When you look at them with regedit.exe it
> calls them "Default" in the UI. When you look at them with
> regedt32.exe it calls them "".
>
> Not sure what rpcclient needs to do to handle this...

i need a netmon trace and/or a debug log level 100 (log.client from
rpcclient) to track it down.

From lkcl at samba.org Wed Feb 9 05:05:49 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On 8 Feb 2000, Todd Sabin wrote:

> Luke Kenneth Casson Leighton writes:
>
> >
> > basically, MSRPC is a remote function call mechanism. if the caller is
> > root, the remote function call is root. if the caller is a threaded
> > application, the remote function call is a threaded implementation. if
> > the caller is user-foo, the remote function call is user-foo.
> >
> > that's the way MSRPC is designed, that's its job, and to expect it to do
> > anything else (e.g run remotely as root) is, in my opinion, asking for
> > trouble.
> >
>
> No, that's not how MSRPC is designed.

you sure about that?

> The server runs in whatever
> security context it starts up in. If the call is authenticated, and
> if the client has permitted it, and if the server decides to do it,
> the server can impersonate the client for some part of the duration of
> the call.
>
> On NT, lsass (the thing that implements samr and lsarpc) runs in the
> SYSTEM context, and does so most of the time, even when servicing an
> RPC. It impersonates the client only briefly to validate that the
> client has the proper permissions to do what it's asking.

i am curious. what happens inside LsaOpenPolicy(). the connection is
anonymous, yes. the server is running as SYSTEM context.

is it the job of the _lsaopenpolicy call_ to switch to the context of the
client (impersonatenamedpipeclient), or is it the job of the _msrpc
handler_ to call impersonatenamedpipeclient?

logically, i would expect the msrpc handling code to switch the context to
that of the client, whereupon the function call decides to switch it back
again because they need SYSTEM privileges.

From lkcl at samba.org Wed Feb 9 05:13:08 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: Samba 2.0.6, NT and logon scripts
In-Reply-To: <3.0.6.32.20000209144916.0097e5f0@203.16.214.248>
Message-ID:

i _told_ ya - the standard_sub stuff is totally stupidly broken :)

anyway, you can't use %u, in lp_logon_script() you have to use %U.

On Wed, 9 Feb 2000, Richard Sharpe wrote:

> Hi,
>
> I have been experimenting and messing around with Samba 2.0.6 as a PDC ...
> and have found that if you set logon script to %u.bat, things do not work
> very well. It seems that the code that handles the RPC call that retrieves
> all the appropriate info does not call standard_sub on lp_logon_script :-(
>
> Thus if you had a mixed Win9X and NT environment, you would be forced to
> use include files to allow you to:
>
> 1. Generate scripts for Win 9X users
> 2. Have a logon script for NT users that was relevant ...
>
> ie,
>
>   logon script = %u.bat
>   include = /etc/smb.conf.%a
>
> Let's see if this works ...
>
>
>
>
> Regards
> -------
> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
> Co-author, SAMS Teach Yourself Samba in 24 Hours
> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 05:15:19 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: Browsing and stuff
In-Reply-To:
Message-ID:

the way it works is that the PDC sends out "delta" notifications on UDP
138 broadcasts, and the BDCs notice them (hopefully), and do a "pull" of
the SAM using a NetrSamLogon MSRPC call.

we have a client-side _and_ server-side netr_sam_logon implementation in
samba tng netlogond and rpcclient, we don't have the UDP 138
notifications.

On Wed, 9 Feb 2000, Gregory Leblanc wrote:

> > -----Original Message-----
> > From: Matthew Geddes [mailto:mgeddes@xavier.sa.edu.au]
> > Sent: Tuesday, February 08, 2000 5:58 PM
> > To: Multiple recipients of list SAMBA-NTDOM
> > Subject: Re: Browsing and stuff
> >
> > > >Also, does Samba BDC pass all authentication on to the
> > PDC, or does it
> > > >cache or store a copy of the SAM?
> > >
> > > PDC keeps its own copy of the SAM. Samba TNG's rpcclient
> > program contains
> > > a samsync command, IIRC.
> > >
> > Does this mean you need to manually update the BDCs whenever
> > you a) start
> > samba on the BDC or b) whenever changes are made.
>
> I don't know exactly how samba does it, but NT propogates (sp?) changes to
> the SAM at regular intervals. I think you can even change it in the
> registry of the PDC, and it is most definitely a "push" operation for a
> strictly NT network. Somebody who knows more about TNG will have to answer,
> but my question is "Does Samba TNG accept and NT PDCs send of the SAM DB?"
> Greg
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 05:15:45 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Tue, 8 Feb 2000, Seth Vidal wrote:

> > *sigh*. ok, i promise i won't do anything more than bug-fixes, samrtdbd
> > and libsurs work.
>
> I know this may sound weird but:
> thanks for all the work on this - and thanks for being willing to slow
> down somewhat.

makes sense to me!

From GLeblanc at cu-portland.edu Wed Feb 9 05:18:55 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:26 2003
Subject: Browsing and stuff
Message-ID:

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@samba.org]
> Sent: Tuesday, February 08, 2000 9:15 PM
> To: Gregory Leblanc
> Cc: Multiple recipients of list SAMBA-NTDOM
> Subject: RE: Browsing and stuff
>
>
> the way it works is that the PDC sends out "delta"
> notifications on UDP
> 138 broadcasts, and the BDCs notice them (hopefully), and do
> a "pull" of
> the SAM using a NetrSamLogon MSRPC call.

Guess I missed a couple of steps there... :) Still ends up with the same
result, though.

>
> we have a client-side _and_ server-side netr_sam_logon
> implementation in
> samba tng netlogond and rpcclient, we don't have the UDP 138
> notifications.

Cool, so TNG is capable of both giving the diffs to BDCs, and taking the
diffs from PDCs, it just can't do it automagically. Assuming that I have
that right, how in the heck does a samba PDC get changes to go to an NT BDC?

Greg

>
> On Wed, 9 Feb 2000, Gregory Leblanc wrote:
>
> > > -----Original Message-----
> > > From: Matthew Geddes [mailto:mgeddes@xavier.sa.edu.au]
> > > Sent: Tuesday, February 08, 2000 5:58 PM
> > > To: Multiple recipients of list SAMBA-NTDOM
> > > Subject: Re: Browsing and stuff
> > >
> > > > >Also, does Samba BDC pass all authentication on to the
> > > PDC, or does it
> > > > >cache or store a copy of the SAM?
> > > >
> > > > PDC keeps its own copy of the SAM. Samba TNG's rpcclient
> > > program contains
> > > > a samsync command, IIRC.
> > > >
> > > Does this mean you need to manually update the BDCs whenever
> > > you a) start
> > > samba on the BDC or b) whenever changes are made.
> >
> > I don't know exactly how samba does it, but NT propogates
> (sp?) changes to
> > the SAM at regular intervals. I think you can even change it in the
> > registry of the PDC, and it is most definitely a "push"
> operation for a
> > strictly NT network. Somebody who knows more about TNG
> will have to answer,
> > but my question is "Does Samba TNG accept and NT PDCs send
> of the SAM DB?"
> > Greg
> >
>
> Luke Kenneth Casson
> Leighton
> Samba and Network
> Development
> Samba Web site
>
> Internet Security
> Systems, Inc.
> Macmillan Technical
> Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain
> Internals
>

From lkcl at samba.org Wed Feb 9 05:27:12 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: Browsing and stuff
In-Reply-To:
Message-ID:

> Cool, so TNG is capable of both giving the diffs to BDCs, and taking the
> diffs from PDCs, it just can't do it automagically. Assuming that I have
> that right, how in the heck does a samba PDC get changes to go to an NT BDC?
> Greg

don't know.

From sharpe at ns.aus.com Wed Feb 9 06:30:05 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:26 2003
Subject: Samba 2.0.6, NT and logon scripts
In-Reply-To:
References: <3.0.6.32.20000209144916.0097e5f0@203.16.214.248>
Message-ID: <3.0.6.32.20000209163005.0098e100@203.16.214.248>

Hi,

At 04:13 PM 2/9/00 +1100, Luke Kenneth Casson Leighton wrote:
>i _told_ ya - the standard_sub stuff is totally stupidly broken :)
>
>anyway, you can't use %u, in lp_logon_script() you have to use %U.

Hmmm, well, OK, you are right ... However, %u works for Win9X logons, and
now I know that %U works for Win NT logons ...

>On Wed, 9 Feb 2000, Richard Sharpe wrote:
>
>> Hi,
>>
>> I have been experimenting and messing around with Samba 2.0.6 as a PDC ...
>> and have found that if you set logon script to %u.bat, things do not work
>> very well. It seems that the code that handles the RPC call that retrieves
>> all the appropriate info does not call standard_sub on lp_logon_script :-(
>>
>> Thus if you had a mixed Win9X and NT environment, you would be forced to
>> use include files to allow you to:
>>
>> 1. Generate scripts for Win 9X users
>> 2. Have a logon script for NT users that was relevant ...
>>
>> ie,
>>
>>   logon script = %u.bat
>>   include = /etc/smb.conf.%a
>>
>> Let's see if this works ...
>>
>>
>>
>>
>> Regards
>> -------
>> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
>> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
>> Co-author, SAMS Teach Yourself Samba in 24 Hours
>> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
>>
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course

From lkcl at samba.org Wed Feb 9 06:16:21 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:26 2003
Subject: Samba 2.0.6, NT and logon scripts
In-Reply-To: <3.0.6.32.20000209163005.0098e100@203.16.214.248>
Message-ID:

%U only works for NT because i hacked it, by setting a global BOOLean flag
and using it to indicate that samlogon_user pstring should be temporarily
used instead of sesssetup_user pstring.

this is _not_ a solution, it's something i thought up after 2 minutes as
the easiest work-around, over 2 years ago.

On Wed, 9 Feb 2000, Richard Sharpe wrote:

> Hi,
>
> At 04:13 PM 2/9/00 +1100, Luke Kenneth Casson Leighton wrote:
> >i _told_ ya - the standard_sub stuff is totally stupidly broken :)
> >
> >anyway, you can't use %u, in lp_logon_script() you have to use %U.
>
> Hmmm, well, OK, you are right ... However, %u works for Win9X logons, and
> now I know that %U works for Win NT logons ...
>
> >On Wed, 9 Feb 2000, Richard Sharpe wrote:
> >
> >> Hi,
> >>
> >> I have been experimenting and messing around with Samba 2.0.6 as a PDC ...
> >> and have found that if you set logon script to %u.bat, things do not work
> >> very well. It seems that the code that handles the RPC call that retrieves
> >> all the appropriate info does not call standard_sub on lp_logon_script :-(
> >>
> >> Thus if you had a mixed Win9X and NT environment, you would be forced to
> >> use include files to allow you to:
> >>
> >> 1. Generate scripts for Win 9X users
> >> 2. Have a logon script for NT users that was relevant ...
> >>
> >> ie,
> >>
> >>   logon script = %u.bat
> >>   include = /etc/smb.conf.%a
> >>
> >> Let's see if this works ...
> >>
> >>
> >>
> >>
> >> Regards
> >> -------
> >> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
> >> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
> >> Co-author, SAMS Teach Yourself Samba in 24 Hours
> >> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
> >>
> >
> > Luke Kenneth Casson Leighton
> > Samba and Network Development
> > Samba Web site
> > Internet Security Systems, Inc.
> > Macmillan Technical Publishing
> >
> > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
> >
> >
>
> Regards
> -------
> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
> Co-author, SAMS Teach Yourself Samba in 24 Hours
> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lonnie at borntreger.com Wed Feb 9 06:43:15 2000
From: lonnie at borntreger.com (Lonnie J. Borntreger)
Date: Tue Dec 2 02:28:26 2003
Subject: FW: tng feedback needed
Message-ID: <00a801bf72c8$f2080220$0500000a@borntreger.com>

OK, Luke. This is my official bitching to the list. :)

I need someone with access to a NT-PDC to do a netmon capture of packets
during a successful win95/98 logon session so Luke can fix this in TNG. I
have access to a win95 machine that logs into an NT domain, but it's rather
hard to capture the logon packets since the logon occurs before I could
start the packet capture.

Can anyone __please__ help? (See Luke's comments below for more specifics
on the things to capture.)

Thanks,
Lonnie Borntreger

> -----Original Message-----
> From: Luke Leighton [mailto:lkcl@samba.org]
> Subject: RE: tng feedback needed
>
> On Tue, 8 Feb 2000, Lonnie J. Borntreger wrote:
> > Luke,
[snip]
> > My biggest beef with TNG is that
> > it can't handle non-NT authentication. Since most networks
> > in the "real
> > world" are a combo, I would think that this would be important.
>
> i know what it is, i know how to fix it, i refuse to install
> win95 _to_
> fix it. bitch about it on the lists, i need a win95 to NT-PDC domain
> logon, UDP 138 traffic (GETDC request and response or it may
> be a SAMLOGON
> request/response).

From sharpe at ns.aus.com Wed Feb 9 07:50:04 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:26 2003
Subject: FW: tng feedback needed
In-Reply-To: <00a801bf72c8$f2080220$0500000a@borntreger.com>
Message-ID: <3.0.6.32.20000209175004.0098dd20@203.16.214.248>

Hi,

At 05:45 PM 2/9/00 +1100, Lonnie J. Borntreger wrote:
>OK, Luke. This is my official bitching to the list. :)
>
>I need someone with access to a NT-PDC to do a netmon capture of packets
>during a successful win95/98 logon session so Luke can fix this in TNG. I
>have access to a win95 machine that logs into an NT domain, but it's rather
>hard to capture the logon packets since the logon occurs before I could
>start the packet capture.
>
>Can anyone __please__ help? (See Luke's comments below for more specifics
>on the things to capture.)

Well, hell, I have heaps of these ... I can possibly even add the code back
in. It is not hard ... Win95 and 98 (I have captures of both) only send a
NETLOGON request, probably a GETDC, and then connect to the server server
specified and do a NetWkstaUserLogon or some such ...

Then the rest should be standard stuff.

>Thanks,
>Lonnie Borntreger
>
>> -----Original Message-----
>> From: Luke Leighton [mailto:lkcl@samba.org] >> Subject: RE: tng feedback needed >> >> On Tue, 8 Feb 2000, Lonnie J. Borntreger wrote: >> > Luke, >[snip] >> > My biggest beef with TNG is that >> > it can't handle non-NT authentication. Since most networks >> > in the "real >> > world" are a combo, I would think that this would be important. >> >> i know what it is, i know how to fix it, i refuse to install >> win95 _to_ >> fix it. bitch about it on the lists, i need a win95 to NT-PDC domain >> logon, UDP 138 traffic (GETDC request and response or it may >> be a SAMLOGON >> request/response). > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course From lkcl at samba.org Wed Feb 9 07:05:11 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:26 2003 Subject: FW: tng feedback needed In-Reply-To: <3.0.6.32.20000209175004.0098dd20@203.16.214.248> Message-ID: On Wed, 9 Feb 2000, Richard Sharpe wrote: > Hi, > > At 05:45 PM 2/9/00 +1100, Lonnie J. Borntreger wrote: > >OK, Luke. This is my official bitching to the list. :) > > > >I need someone with access to a NT-PDC to do a netmon capture of packets > >during a successful win95/98 logon session so Luke can fix this in TNG. I > >have access to a win95 machine that logs into an NT domain, but it's rather > >hard to capture the logon packets since the logon occurs before I could > >start the packet capture. > > > >Can anyone __please__ help? (See Luke's comments below for more specifics > >on the things to capture.) > > Well, hell, I have heaps of these ... I can possibly even add the code back > in. It is not hard ... Win95 and 98 (I have captures of both) only send a > NETLOGON request, probably a GETDC, and then connect to the server server you _have_ to make sure that the code _correctly_ distinguishes between win95 GETDC and an nt GETDC (likewise for SAMLOGON request) on UDP 138. doing this: if (strequal(mailslot_name, "\\MAILSLOT\\NTLOGON")) which is the way 2_0 and cvs main do it is not, repeat, not, correct. From lk at netuse.de Wed Feb 9 08:15:13 2000
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:26 2003 Subject: Browsing and stuff References: Message-ID: <38A12211.905F71DE@netuse.de> Luke Kenneth Casson Leighton wrote: > > > Cool, so TNG is capable of both giving the diffs to BDCs, and taking the > > diffs from PDCs, it just can't do it automagically. Assuming that I have > > that right, how in the heck does a samba PDC get changes to go to an NT BDC? > > Greg > > don't know. This should work: http://www.kneschke.de/projekte/samba_tng/faq/samba_bdc.php3 Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From snail_talk at yahoo.com Wed Feb 9 09:29:57 2000 From: snail_talk at yahoo.com (geoffrey lee) Date: Tue Dec 2 02:28:27 2003 Subject: FW: SYSKEY2. Request For Comments In-Reply-To: Message-ID: <000001bf72e0$3b12ecc0$0200000a@workstation1> hi, > -----Original Message----- 
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Luke Kenneth Casson Leighton > Sent: Wednesday, February 09, 2000 1:27 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: RE: FW: SYSKEY2. Request For Comments > > > On Wed, 9 Feb 2000, geoffrey lee wrote: > > > hi, > > > > but what will be exactly the use of this new feature? i think > that luke has > > yet to explain that to everyone. > > :) sorry. > > > right now, all i have seen is arguments as to whether it should be > > implemented or not, but not _why_ it should be there, well, no > solid reasons > > anyway. > > ok, let me try again. ldap, mysql, nis+ all don't store passwords > encrypted or access-protected by default, and some of these remote > database-like systems don't _have_ password encryption. > ok, i can see why you are worried. but this will have to be eventually merged into main, so i guess some two-way communication between you and the other samba developers would be nice. ;) > in this case, i'd still like samba admins to be able to use these > protocols, without even having to KNOW that their passwords are protected > over-the-wire. > > i.e if they didn't read the damn documentation, they still don't get > screwed over, and we don't end up with a report on bugtraq. > > > > > > > > -----Original Message-----
> > > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > > > Gerald W. Carter > > > Sent: Tuesday, February 08, 2000 11:10 PM > > > To: Multiple recipients of list SAMBA-NTDOM > > > Subject: Re: FW: SYSKEY2. Request For Comments > > > > > > > > > On Wed, 9 Feb 2000, Sander Striker wrote: > > > > > > > >Do you remember the BRANCH_NTDOM code from '97 - '98? > > > > > > > > No, sorry, I wasn't anywhere near Samba back then. What happened to > > > > it? (I'm hoping that you don't reply with: 'it went into design > > > deadlock' > > > > :-)) > > > > > > > > > > It is dead because the merge between that and the head branch was too > > > horrible. That's what Jeremy is afraid will happen here. > > > > > > > > > > > > > > > > > > jerry > > > > ________________________________________________________________________ > > > Gerald ( Jerry ) Carter > > > Engineering Network Services Auburn > University > > > jerry@eng.auburn.edu > http://www.eng.auburn.edu/users/cartegw > > > > > > "...a > hundred billion castaways looking for a home." > > > - Sting "Message in a > Bottle" ( 1979 ) > > > > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From hanak at IRIS.osu.cz Wed Feb 9 09:44:34 2000 From: hanak at IRIS.osu.cz (Ondrej Hanak) Date: Tue Dec 2 02:28:27 2003 Subject: Windows broadcast message Message-ID: Hallo all, does anybody know how to send broadcast message from Linux (UNIX) to all Windows clients on local network? Or better to connected stations to samba server? I wanna send this during shutdown sequence signaled by UPS. Thanks for tips and nice day with samba ;) Hoj O.H. From lk at netuse.de Wed Feb 9 09:48:13 2000 
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:27 2003 Subject: Windows broadcast message References: Message-ID: <38A137DD.97D06D8A@netuse.de> Ondrej Hanak wrote: > > Hallo all, > does anybody know how to send broadcast message from Linux (UNIX) to all > Windows clients on local network? Or better to connected stations to > samba server? > I wanna send this during shutdown sequence signaled by UPS. > Thanks for tips and nice day with samba ;) > > Hoj O.H. smbclient -M host will send a message to a host. Don't know how to send a message to all Windows Clients. But this was discussed some days ago on this list. Maybe the mailing list archive can help you. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From steffen at easybrowse.com Wed Feb 9 10:13:27 2000
From: steffen at easybrowse.com (Steffen Ullrich) Date: Tue Dec 2 02:28:27 2003 Subject: Windows broadcast message In-Reply-To: <38A137DD.97D06D8A@netuse.de>; from Lars Kneschke on Wed, Feb 09, 2000 at 08:50:26PM +1100 References: <38A137DD.97D06D8A@netuse.de> Message-ID: <20000209111327.A18774@MAX.local> Try attached quick perl hack, usage: echo "System goes down in 10 seconds" | ./smb2all.pl It tries to get the list of connected hosts thru smbstatus, and then sends each host the message. On Wed, Feb 09, 2000 at 08:50:26PM +1100, Lars Kneschke wrote: > Ondrej Hanak wrote: > > > > Hallo all, > > does anybody know how to send broadcast message from Linux (UNIX) to all > > Windows clients on local network? Or better to connected stations to > > samba server? > > I wanna send this during shutdown sequence signaled by UPS. > > Thanks for tips and nice day with samba ;) > > > > Hoj O.H. > smbclient -M host will send a message to a host. Don't know how to send > a message to all Windows Clients. But this was discussed some days ago > on this list. Maybe the mailing list archive can help you. > Cu > -- > Lars Kneschke > NetUSE Kommunikationstechnologie GmbH > Siemenswall, D-24107 Kiel, Germany > Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 -------------- next part -------------- A non-text attachment was scrubbed... Name: smb2all.pl Type: application/x-perl Size: 400 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000209/3a3eda3d/smb2all.bin From Olivier.Brousselle at univ-lehavre.fr Wed Feb 9 10:33:32 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle) Date: Tue Dec 2 02:28:27 2003 Subject: [TNG] : write on home dir Message-ID: <38A1427C.F9D34F69@univ-lehavre.fr> hi, I'm using samba TNG as a PDC. I have 55 workstations on this domain, with the same configuration. I have problem with the home directories. Some workstation refuse to write on the network drive. It's not a user problem, it's a machine problem. This morning, I was alone on the domain, and the machine refuse to write with Excel, but it was possible to copy from the Explorer. Any idea ? -- Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr ================================================================== Faculté des sciences Laboratoire de mécanique Monday to Wednesday Thursday and Friday Tel : 02/32/74/43/37 02/32/74/49/67 Fax : 02/32/74/43/14 02/32/74/49/60 From lucam at softeam.it Wed Feb 9 10:34:40 2000 From: lucam at softeam.it (Luca Micheletti) Date: Tue Dec 2 02:28:27 2003 Subject: From smbpasswd to passwd Message-ID: <3.0.3.32.20000209113440.00a2d590@pop.softeam.it> Hi, I have used pwdump to convert NT users to smb users. Now i have my text file smbpasswd style, but i need these users in /etc/passwd not in smbpasswd. How can i convert smbpasswd in /etc/passwd file??? P.S. I use shadow passwords. Best regards. --Luca Micheletti. From Kai-H.Weutzing at TU-Berlin.DE Wed Feb 9 10:44:33 2000
From: Kai-H.Weutzing at TU-Berlin.DE (Kai-H. Weutzing) Date: Tue Dec 2 02:28:27 2003 Subject: Samba PDC in more than one Broadcast Domain References: <389EE9C4.EC0AA033@TU-Berlin.DE> Message-ID: <38A14511.2EF8A21A@TU-Berlin.DE> Hi! Here is the result of my tryings: - Solution lmhosts doesn't work on three Machines, why? I didn't know, but I didn't search for the reason. - Solution wins support works fine! Oh, these are one Network with Switches in the middle! bye... Kai-H. Weutzing > I'm using a SuSE Linux Samba Server. It works fine, BUT... > I must use this Server in more than one Broadcast Domain: > In a.b.52. a.b.53. a.b.79. > The Server has an NIC with IP address a.b.53.241. > So if I start a WinNT Ws in the a.b.52. net to use my Domain (supported by the Server) the WinNT Ws can't find the Server! > I didn't like to buy a NIC with three or more Cons, so is there a way that the Server listen to more than one Broadcast. Fabian Wenk wrote: > Are this three subnets on the same physical network (ethernet)? If so, > just assign on the Samba server an additional IP addresses on the > ethernet interface for each subnet (eg. a.b.52.? and a.b.79.?). I don't > know how to do it in linux, on FreeBSD this is called an alias IP. > Or are there switches in between? If so, place on every NT workstation > the file c:\winnt\system32\drivers\etc\lmhosts with the content (there > is also a lmhost.sam file there, check it out): > a.b.53.241 NETBIOSNAME #PRE #DOM:NTDOMAIN > replace NETBIOSNAME with the name of the Samba server, and replace > NTDOMAIN with the NT domain Samba is running. This will tell the > workstation a servername and that this is a Domain Controller, so the > station will ask this one for logon. Lars Kneschke wrote: > If it's physically one network, you can use virtual interfaces on the NIC. > But the better solution is to use a WINS server. Set wins support = yes > in your global section. This lets act your Sambaserver as a > WINS-Server.
You must set the WINS-Server in the network settings of the > WinNT-Workstation too. This needs a working routing between the > networks. EOT From Christian.Duclou at eeigm.inpl-nancy.fr Wed Feb 9 11:34:27 2000
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou) Date: Tue Dec 2 02:28:27 2003 Subject: Compile Error Main and TNG Message-ID: <38A150C3.AC763442@eeigm.inpl-nancy.fr> Hello, Here is the error while compiling source using the check list: http://www.kneschke.de/projekte/samba_tng/faq/installation.php3 mkdir /usr/src/samba-main mkdir /usr/src/samba-tng cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login cd /usr/src/samba-main cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba cd /usr/src/samba-tng cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba cd /usr/src/samba-tng/samba/source ./configure --prefix=/opt/samba-tng <= ******** seem to be all right the command gives : "configure OK" make <= ******** ERROR [root@m0061 source]# cat /root/make.rpt Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper -DLOGFILEBASE=" /opt/samba-tng/var" -DSMBLOGFILE="/opt/samba-tng/var/log.smb" -DNMBLOGFILE="/opt /samba-tng/var/log.nmb" -DCONFIGFILE="/opt/samba-tng/lib/smb.conf" -DLMHOSTSFILE ="/opt/samba-tng/lib/lmhosts" -DSWATDIR="/opt/samba-tng/swat" -DSBINDIR="/opt/ samba-tng/bin" -DLOCKDIR="/opt/samba-tng/var/locks" -DSMBRUN="/opt/samba-tng/bin /smbrun" -DCODEPAGEDIR="/opt/samba-tng/lib/codepages" -DDRIVERFILE="/opt/samba-t ng/lib/printers.def" -DBINDIR="/opt/samba-tng/bin" -DFORMSFILE="/opt/samba-tng/l ib/ntforms.def" -DNTDRIVERSDIR="/opt/samba-tng/lib" -DHAVE_INCLUDES_H -DPASSWD_P ROGRAM="/bin/passwd" -DSMB_PASSWD_PROGRAM="/opt/samba-tng/bin/smbpasswd" -DSMB_P ASSWD_FILE="/opt/samba-tng/private/smbpasswd" -DSAM_DIR="/opt/samba-tng/sam" -DS MB_PASSGRP_FILE="/opt/samba-tng/private/smbpassgrp" -DSMB_GROUP_FILE="/opt/samba -tng/private/smbgroup" -DSMB_ALIAS_FILE="/opt/samba-tng/private/smbalias" Using LIBS = -lreadline -ldl -lcrypt -lpam -lcurses Linking shared library bin/libmsrpc.la Linking shared library bin/libsmb.la Compiling libsmb/namequery.c with libtool libsmb/namequery.c: In function `resolve_bcast': libsmb/namequery.c:484: too many 
arguments to function `open_socket_in' libsmb/namequery.c: In function `resolve_wins': libsmb/namequery.c:545: too many arguments to function `open_socket_in' make: *** [libsmb/namequery.lo] Error 1 -- _____________ EEIGM - Service Informatique _____________ 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 _______________ http://eeigm.inpl-nancy.fr _____________ From duehr at id-pro.net Wed Feb 9 11:40:59 2000 
From: duehr at id-pro.net (Stephan Duehr) Date: Tue Dec 2 02:28:27 2003 Subject: difference between NT WS and Server In-Reply-To: <38A0C4F5.F445BCD@xavier.sa.edu.au>; from mgeddes@xavier.sa.edu.au on Wed, Feb 09, 2000 at 12:29:38PM +1100 References: <20000209013833.A2238@qwerty.office.id-pro.net> <38A0C4F5.F445BCD@xavier.sa.edu.au> Message-ID: <20000209124059.C2919@qwerty.office.id-pro.net> On Wed, Feb 09, 2000 at 12:29:38PM +1100, Matthew Geddes wrote: > Stephan Duehr wrote: > > > I have set up a Samba PDC with LDAP and have no problem > > logging in from Win98 and NT Workstation SP4. But there's > > a NT Server (exactly Terminal Server Edition with Citrix) SP3 > > that successfully joined the domain, but always gets refused > > to log in, I always get something like > > > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417) > > smb_password_ok: Check NT MD4 password > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426) > > NT MD4 password check failed > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438) > > Checking LM MD4 password > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457) > > LM MD4 password check failed > > [2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542) > > Error pass_check_smb failed > > > > but loggin in with the same user and password works from NT WS. > > > > Are there some funny differences in the way NT Server logs in > > to a domain compared to WS? Or may SP4 solve the problem? > > > > Your server hasn't been set to use plaintext passwords at any stage has > it? It has been set to plaintext passwords. But NT WS has no Problem logging in to the domain, even if plaintext passwords are enabled, and we tried to disable them setting the reg-key to 0 instead of 1. -- Stephan Duehr * ID-PRO Deutschland GmbH * Tel +49 228 4 21 54 0 * Fax +49 228 4 21 54 29 * http://open-for-the-better.com/ From mg at plum.de Wed Feb 9 12:33:29 2000 
From: mg at plum.de (Michael Glauche) Date: Tue Dec 2 02:28:27 2003 Subject: Windows broadcast message References: Message-ID: <38A15E99.7BC2E5B9@plum.de> Ondrej Hanak wrote: > > Hallo all, > does anybody know how to send broadcast message from Linux (UNIX) to all > Windows clients on local network? Or better to connected stations to > samba server? > I wanna send this during shutdown sequence signaled by UPS. > Thanks for tips and nice day with samba ;) > > Hoj O.H. I wrote some small PHP3 script for exact this purpose. It parses the output of smbstatus, then sends smbclient -M to those hosts. You can get it from: http://www.sambahq.de/projekte/smbmessage/ regards, Michael -- Samba NT-Domain howto (in german) http://www.sambahq.de From s.striker at striker.nl Wed Feb 9 12:34:42 2000 
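The approach Steffen Ullrich and Michael Glauche describe above (read the connected hosts from smbstatus, then run smbclient -M against each) is sketched here as an added example; it is not the scrubbed smb2all.pl attachment or the PHP3 script. The smbstatus table layout, the sample rows and the name allowlist are assumptions of this sketch; because the machine column is a name the client supplies, each name is validated and handed to smbclient as its own argument, never through a shell.

```python
import re
import subprocess

# Constructed sample. The column layout (Service uid gid pid machine) is an
# assumption; smbstatus output differs between Samba versions, so adjust the
# field index for the version in use.
SAMPLE_SMBSTATUS = """\
Samba version 2.0.6
Service      uid      gid      pid     machine
----------------------------------------------
homes        alice    users    1021    ws-acct01 (10.0.0.21) Wed Feb  9 09:02:11 2000
data         bob      users    1040    WS_LAB7 (10.0.0.37) Wed Feb  9 09:10:45 2000
data         carol    users    1041    ws-acct01 (10.0.0.21) Wed Feb  9 09:12:02 2000
tmp          dave     users    1099    -notahost (10.0.0.66) Wed Feb  9 09:15:30 2000
tmp          dave     users    1100    pc01;x (10.0.0.66) Wed Feb  9 09:15:31 2000

No locked files
"""

MACHINE_FIELD = 4  # index of the machine column in the assumed layout

# Conservative allowlist (an assumption of this sketch): at most 15
# characters, alphanumerics plus '-' and '_', and no leading '-' so a name
# can never be read by smbclient as a command-line option.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,14}")


def connected_machines(status_text):
    """Return (accepted, rejected) machine names, de-duplicated, in order."""
    accepted, rejected = [], []
    in_table = False
    for line in status_text.splitlines():
        if not in_table:
            # The connection table starts after the dashed separator line.
            in_table = line.startswith("-----")
            continue
        fields = line.split()
        if len(fields) <= MACHINE_FIELD:
            break  # blank line: end of the connection table
        name = fields[MACHINE_FIELD]
        bucket = accepted if NAME_RE.fullmatch(name) else rejected
        if name not in bucket:
            bucket.append(name)
    return accepted, rejected


def message_command(machine):
    """Build the argv list for one host; refuse anything off the allowlist."""
    if not NAME_RE.fullmatch(machine):
        raise ValueError("refusing machine name %r" % machine)
    return ["smbclient", "-M", machine]


def broadcast(message, status_text, run=subprocess.run):
    """Send `message` to every accepted host; return (results, rejected)."""
    accepted, rejected = connected_machines(status_text)
    results = {}
    for name in accepted:
        # argv list plus stdin: no shell ever interprets the host name or
        # the message text.
        proc = run(message_command(name),
                   input=message.encode("ascii", "replace"),
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                   timeout=10, check=False)
        results[name] = proc.returncode == 0
    return results, rejected


if __name__ == "__main__":
    import sys
    status = subprocess.run(["smbstatus"], capture_output=True,
                            text=True, check=True).stdout
    sent, skipped = broadcast(sys.stdin.read(), status)
    for host, ok in sent.items():
        print("%-15s %s" % (host, "sent" if ok else "FAILED"))
    for host in skipped:
        print("skipped suspicious machine name: %r" % host, file=sys.stderr)
```

Run it the same way as the script in the thread, with the message on standard input; rejected names are reported on stderr so an operator can review them.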
From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:27 2003 Subject: Compile Error Main and TNG In-Reply-To: <38A150C3.AC763442@eeigm.inpl-nancy.fr> Message-ID: >Here is the error while compiling source using the check list: > http://www.kneschke.de/projekte/samba_tng/faq/installation.php3 When did you do this? I just tried and it seems to work just fine. The only thing you get is a lot of warnings, but that is a known problem. Sander Striker >mkdir /usr/src/samba-main >mkdir /usr/src/samba-tng >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login >cd /usr/src/samba-main >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba >cd /usr/src/samba-tng >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba >cd /usr/src/samba-tng/samba/source >/configure --prefix=/opt/samba-tng <= ******** seem to be all right >the command gives : "configure OK" >make <= ******** ERROR > >[root@m0061 source]# cat /root/make.rpt >Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper >-DLOGFILEBASE=" >/opt/samba-tng/var" -DSMBLOGFILE="/opt/samba-tng/var/log.smb" >-DNMBLOGFILE="/opt >/samba-tng/var/log.nmb" -DCONFIGFILE="/opt/samba-tng/lib/smb.conf" >-DLMHOSTSFILE >="/opt/samba-tng/lib/lmhosts" -DSWATDIR="/opt/samba-tng/swat" >-DSBINDIR="/opt/ >samba-tng/bin" -DLOCKDIR="/opt/samba-tng/var/locks" >-DSMBRUN="/opt/samba-tng/bin >/smbrun" -DCODEPAGEDIR="/opt/samba-tng/lib/codepages" >-DDRIVERFILE="/opt/samba-t >ng/lib/printers.def" -DBINDIR="/opt/samba-tng/bin" >-DFORMSFILE="/opt/samba-tng/l >ib/ntforms.def" -DNTDRIVERSDIR="/opt/samba-tng/lib" -DHAVE_INCLUDES_H >-DPASSWD_P >ROGRAM="/bin/passwd" -DSMB_PASSWD_PROGRAM="/opt/samba-tng/bin/smbpasswd" > >-DSMB_P >ASSWD_FILE="/opt/samba-tng/private/smbpasswd" >-DSAM_DIR="/opt/samba-tng/sam" -DS >MB_PASSGRP_FILE="/opt/samba-tng/private/smbpassgrp" >-DSMB_GROUP_FILE="/opt/samba >-tng/private/smbgroup" >-DSMB_ALIAS_FILE="/opt/samba-tng/private/smbalias" >Using LIBS = -lreadline -ldl -lcrypt -lpam -lcurses >Linking shared 
library bin/libmsrpc.la >Linking shared library bin/libsmb.la >Compiling libsmb/namequery.c with libtool >libsmb/namequery.c: In function `resolve_bcast': >libsmb/namequery.c:484: too many arguments to function `open_socket_in' >libsmb/namequery.c: In function `resolve_wins': >libsmb/namequery.c:545: too many arguments to function `open_socket_in' >make: *** [libsmb/namequery.lo] Error 1 > > >-- >_____________ EEIGM - Service Informatique _____________ > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 >_______________ http://eeigm.inpl-nancy.fr _____________ > > > From jem.at at cwcom.net Wed Feb 9 12:42:21 2000 From: jem.at at cwcom.net (Jem Atahan) Date: Tue Dec 2 02:28:27 2003 Subject: samba-ntdom production use Message-ID: <38A160AD.A86946CF@cwcom.net> hey there, i want to use samba-ntdom in a production environment. go ahead, tell me it's alpha, but i'm not going to listen. it's just too cool. my requirements are primarily to have a central pool of users across nt and unix, there is no requirement for profiles, print serving, file sharing or the like. a nice extra would be ACLs based on domain users/groups (which is supported under some tools i believe?). our unix users will be served from an LDAP backend, so this is also good (but it seems possible to rely on the underlying UNIX nsswitch and use smbpasswd, no?). the killer, and the hard bit to test, is that this has to scale to potentially 10000 domain member machines, and at least this many users. so, i have seen posts by people who sound like they are indeed using samba-ntdom live. i would be very interested to hear about your experiences, especially if you have a large number of users. thanks y'all From Christian.Duclou at eeigm.inpl-nancy.fr Wed Feb 9 12:54:49 2000
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou) Date: Tue Dec 2 02:28:27 2003 Subject: Compile Error Main and TNG References: Message-ID: <38A16399.126FE4FD@eeigm.inpl-nancy.fr> I did it this morning. Sander Striker wrote: > >Here is the error while compiling source using the check list: > > http://www.kneschke.de/projekte/samba_tng/faq/installation.php3 > > When did you do this? > I just tried and it seems to work just fine. The only thing you > get is a lot of warnings, but that is a known problem. > > Sander Striker > > >mkdir /usr/src/samba-main > >mkdir /usr/src/samba-tng > >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login > >cd /usr/src/samba-main > >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba > >cd /usr/src/samba-tng > >cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba > >cd /usr/src/samba-tng/samba/source > >/configure --prefix=/opt/samba-tng <= ******** seem to be all right > >the command gives : "configure OK" > >make <= ******** ERROR > > > >[root@m0061 source]# cat /root/make.rpt > >Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper > >-DLOGFILEBASE=" > >/opt/samba-tng/var" -DSMBLOGFILE="/opt/samba-tng/var/log.smb" > >-DNMBLOGFILE="/opt > >/samba-tng/var/log.nmb" -DCONFIGFILE="/opt/samba-tng/lib/smb.conf" > >-DLMHOSTSFILE > >="/opt/samba-tng/lib/lmhosts" -DSWATDIR="/opt/samba-tng/swat" > >-DSBINDIR="/opt/ > >samba-tng/bin" -DLOCKDIR="/opt/samba-tng/var/locks" > >-DSMBRUN="/opt/samba-tng/bin > >/smbrun" -DCODEPAGEDIR="/opt/samba-tng/lib/codepages" > >-DDRIVERFILE="/opt/samba-t > >ng/lib/printers.def" -DBINDIR="/opt/samba-tng/bin" > >-DFORMSFILE="/opt/samba-tng/l > >ib/ntforms.def" -DNTDRIVERSDIR="/opt/samba-tng/lib" -DHAVE_INCLUDES_H > >-DPASSWD_P > >ROGRAM="/bin/passwd" -DSMB_PASSWD_PROGRAM="/opt/samba-tng/bin/smbpasswd" > > > >-DSMB_P > >ASSWD_FILE="/opt/samba-tng/private/smbpasswd" > >-DSAM_DIR="/opt/samba-tng/sam" -DS > >MB_PASSGRP_FILE="/opt/samba-tng/private/smbpassgrp" > 
>-DSMB_GROUP_FILE="/opt/samba > >-tng/private/smbgroup" > >-DSMB_ALIAS_FILE="/opt/samba-tng/private/smbalias" > >Using LIBS = -lreadline -ldl -lcrypt -lpam -lcurses > >Linking shared library bin/libmsrpc.la > >Linking shared library bin/libsmb.la > >Compiling libsmb/namequery.c with libtool > >libsmb/namequery.c: In function `resolve_bcast': > >libsmb/namequery.c:484: too many arguments to function `open_socket_in' > >libsmb/namequery.c: In function `resolve_wins': > >libsmb/namequery.c:545: too many arguments to function `open_socket_in' > >make: *** [libsmb/namequery.lo] Error 1 > > > > > >-- > >_____________ EEIGM - Service Informatique _____________ > > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France > > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 > >_______________ http://eeigm.inpl-nancy.fr _____________ > > > > > > -- _____________ EEIGM - Service Informatique _____________ 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 _______________ http://eeigm.inpl-nancy.fr _____________ From s.striker at striker.nl Wed Feb 9 13:15:48 2000 From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:27 2003 Subject: Compile Error Main and TNG In-Reply-To: <38A16399.126FE4FD@eeigm.inpl-nancy.fr> Message-ID: Ok. Send your machine/os specs and the output of ./configure to the list, maybe someone can help you out. >I did it this morning. > >> When did you do this? >> I just tried and it seems to work just fine. The only thing you >> get is a lot of warnings, but that is a known problem. From cartegw at Eng.Auburn.EDU Wed Feb 9 13:22:07 2000 
From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:27 2003 Subject: samba-ntdom production use References: <38A160AD.A86946CF@cwcom.net> Message-ID: <38A169FF.1C0BEB7A@eng.auburn.edu> Jem Atahan wrote: > > the killer, and the hard bit to test, is that this has to scale to > potentially 10000 domain member machines, and at least this many users. You need to use some type of searchable password backend like LDAP or gdbm. The linear searches of your smbpasswd file will kill you. jerry ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From tas at webspan.net Wed Feb 9 13:30:39 2000
From: tas at webspan.net (Todd Sabin) Date: Tue Dec 2 02:28:27 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: Luke Kenneth Casson Leighton's message of "Wed, 9 Feb 2000 16:11:39 +1100" References: Message-ID: Luke Kenneth Casson Leighton writes: > On 8 Feb 2000, Todd Sabin wrote: > > > Luke Kenneth Casson Leighton writes: > > > > > > > > basically, MSRPC is a remote function call mechanism. if the caller is > > > root, the remote function call is root. if the caller is a threaded > > > application, the remote function call is a threaded implementation. if > > > the caller is user-foo, the remote function call is user-foo. > > > > > > that's the way MSRPC is designed, that's its job, and to expect it to do > > > anything else (e.g run remotely as root) is, in my opinion, asking for > > > trouble. > > > > > > > No, that's not how MSRPC is designed. > > you sure about that? > Well, I don't know what was in the mind of the people when they wrote it, but the stuff below is how it works in practice. > > The server runs in whatever > > security context it starts up in. If the call is authenticated, and > > if the client has permitted it, and if the server decides to do it, > > the server can impersonate the client for some part of the duration of > > the call. > > > > On NT, lsass (the thing that implements samr and lsarpc) runs in the > > SYSTEM context, and does so most of the time, even when servicing an > > RPC. It impersonates the client only briefly to validate that the > > client has the proper permissions to do what it's asking. > > i am curious. what happens inside LsaOpenPolicy(). the connection is > anonymous, yes. the server is running as SYSTEM context. is it the job > of the _lsaopenpolicy call_ to switch to the context of the client > (impersonatenamedpipeclient), or is it the job of the _msrpc handler_ to > call impersonatenamedpipeclient? > It's the job of every call that wants to impersonate.
The msrpc part of it handles marshalling and making sure that there's a token there to impersonate, should the server want to. It's entirely up to the server to call RpcImpersonateClient(), and then RpcRevertToSelf() when it's done. > logically, i would expect the msrpc handling code to switch the context to > that of the client, whereupon the function call decides to switch it back > again because they need SYSTEM privileges. Nope, it's the exact opposite. :) Todd p.s. Sorry about sending from the old address. Should have it fixed now. (This should be from tas@webspan.net) From Christian.Duclou at eeigm.inpl-nancy.fr Wed Feb 9 13:48:57 2000 From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou) Date: Tue Dec 2 02:28:27 2003 Subject: Compile Error Main and TNG References: Message-ID: <38A17049.F38C0AD6@eeigm.inpl-nancy.fr> The machine is PC Pentium PRO 200 running RH6.1 [root@m0061 source]# uname -a Linux m0061.eeigm.u-nancy.fr 2.2.12-20 #1 Mon Sep 27 10:40:35 EDT 1999 i686 unknown The files : configure confiure.in are in this place http://corvette.eeigm.u-nancy.fr/tng/ Sander Striker wrote: > Ok. Send your machine/os specs and the output of ./configure to the list, > maybe someone can help you out. -- _____________ EEIGM - Service Informatique _____________ 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 _______________ http://eeigm.inpl-nancy.fr _____________ From eiben at busitec.de Wed Feb 9 09:31:47 2000
From: eiben at busitec.de (Henning Eiben) Date: Tue Dec 2 02:28:27 2003 Subject: AW: groups In-Reply-To: <000f01bf724b$e3afdbd0$285595c2@stben.be> Message-ID: -----Original Message----- From: Jean-Louis Noel [mailto:jln-p@stben.be] Sent: Tuesday, 8 February 2000 16:48 To: eiben@busitec.de; Multiple recipients of list SAMBA-NTDOM Subject: Re: groups > Well, that doesn't help *me* much ... how do I have to setup my 2.0.6 to > support domain groups? I don't know, it is what I test. On the other hand "domain groups" accepts: Administrators, Users, Guests, Power Users, Account Operators, System Operators, Print Operators, Backup Operators and Replicator. With an attribute in the form of unsigned 32 bits integer. Like : "domain groups Administrators/12345" Just to be a pain ... :=) so I put something like domain groups Users/100 in my smb.conf and I get a Domain Group (like I would I would be using a NT Server) with Domain Users mapped to GUID 100 on linux box? Or am I assuming something totally wrong? -- Henning Eiben eiben@busitec.de busitec GmbH business information technology http://www.busitec.de From duehr at id-pro.net Wed Feb 9 14:38:41 2000
From: duehr at id-pro.net (Stephan Duehr) Date: Tue Dec 2 02:28:27 2003 Subject: difference between NT WS and Server In-Reply-To: <38A11A95.1CD0BCDD@cc.uit.no>; from truls.l.bergli@cc.uit.no on Wed, Feb 09, 2000 at 08:43:17AM +0100 References: <20000209013833.A2238@qwerty.office.id-pro.net> <38A11A95.1CD0BCDD@cc.uit.no> Message-ID: <20000209153841.C3162@qwerty.office.id-pro.net> On Wed, Feb 09, 2000 at 08:43:17AM +0100, Truls L. Bergli wrote: > Stephan Duehr wrote: > > > > I have set up a Samba PDC with LDAP and have no problem > > logging in from Win98 and NT Workstation SP4. But there's > > a NT Server (exactly Terminal Server Edition with Citrix) SP3 > > that successfully joined the domain, but always gets refused > > to log in, I always get something like > > > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(417) > > smb_password_ok: Check NT MD4 password > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(426) > > NT MD4 password check failed > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(438) > > Checking LM MD4 password > > [2000/01/31 20:27:38, 4] smbd/password.c:smb_password_ok(457) > > LM MD4 password check failed > > [2000/01/31 20:27:38, 3] smbd/password.c:pass_check_smb(542) > > Error pass_check_smb failed > > > > but loggin in with the same user and password works from NT WS. > > > > Are there some funny differences in the way NT Server logs in > > to a domain compared to WS? Or may SP4 solve the problem? > > Hi ! > > I am using NT TS with SP4 and Samba 2.1.* prealpha and 2.0.6 and > everything works fine. Except licensing. (The NT server thinks the PDC > also is running licensing services...) > > So it is worth to apply SP4 to your NTTS. > hmm, I just tried a newly installed NTTS SP3, it worked. Couldn't it be Citrix changing something authentication related?
-- Stephan Duehr * ID-PRO Deutschland GmbH * Tel +49 228 4 21 54 0 * Fax +49 228 4 21 54 29 * http://open-for-the-better.com/ From kevinc at grainsystems.com Wed Feb 9 14:55:02 2000 From: kevinc at grainsystems.com (Kevin Colby) Date: Tue Dec 2 02:28:27 2003 Subject: rpcclient from tng References: Message-ID: <38A17FC6.978EE389@grainsystems.com> Luke Kenneth Casson Leighton wrote: > On 8 Feb 2000, Todd Sabin wrote: > > > > The problem appears to be that the registry value has no name. I.e., > > its name is "", the null string. Yes, the geniuses at Microsoft allow > > you to create values with the null string as its name. If fact, large > > .. *blink* :) I can't confirm this as not working, but I can confirm that null-named registry keys are, in fact, quite commonplace. I hope that isn't a problem. - Kevin Colby kevinc@grainsystems.com From duehr at id-pro.net Wed Feb 9 15:41:26 2000 
From: duehr at id-pro.net (Stephan Duehr) Date: Tue Dec 2 02:28:27 2003 Subject: difference between NT WS and Server In-Reply-To: <20000209153841.C3162@qwerty.office.id-pro.net>; from duehr@id-pro.net on Thu, Feb 10, 2000 at 01:41:00AM +1100 References: <20000209013833.A2238@qwerty.office.id-pro.net> <38A11A95.1CD0BCDD@cc.uit.no> <20000209153841.C3162@qwerty.office.id-pro.net> Message-ID: <20000209164126.A3264@qwerty.office.id-pro.net> On Thu, Feb 10, 2000 at 01:41:00AM +1100, Stephan Duehr wrote: > On Wed, Feb 09, 2000 at 08:43:17AM +0100, Truls L. Bergli wrote: > > Stephan Duehr wrote: > > > > > hmm, I just tried a newly installed NTTS SP3, it worked. > Couldn't it be Citrix changing something authentication related? I just found something, maybe someone knows what that means: ... [2000/02/09 16:13:04, 5] rpc_server/srv_reg.c:reg_reply_open_entry(143) reg_open_entry: System\CurrentControlSet\Control\Citrix\UserConfig\do [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_debug(36) 000000 reg_io_r_open_entry [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_uint8s(178) 0000 data: 00 00 00 00 52 00 00 00 00 00 00 00 00 84 a1 38 47 24 00 00 [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_uint32(160) 0014 status: 0c000022 [2000/02/09 16:13:04, 5] rpc_server/srv_reg.c:reg_reply_open_entry(161) reg_open_entry: 161 [2000/02/09 16:13:04, 5] rpc_server/srv_pipe.c:create_rpc_reply(90) create_rpc_reply: data_start: 0 data_end: 24 max_tsize: 5680 [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_debug(36) 000000 smb_io_rpc_hdr hdr [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_uint8(111) 0000 major : 05 [2000/02/09 16:13:04, 5] rpc_parse/parse_prs.c:prs_uint8(111) 0001 minor : 00 ... -- Stephan Duehr * ID-PRO Deutschland GmbH * Tel +49 228 4 21 54 0 * Fax +49 228 4 21 54 29 * http://open-for-the-better.com/ From lk at netuse.de Wed Feb 9 15:44:31 2000 
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:27 2003
Subject: The sameNetscape Profile on every machine
References:
Message-ID: <38A18B5F.1D7FE5E9@netuse.de>

fricke@team.owl-online.de wrote:
>
> Hi there,
>
> is there any solution to have the same Netscape-Profile on every
> NT-Machine in the network?
> I always have to configure the Netscape if somebody is changing his place
> or just working on another machine.

http://www.patoche.org/LTT/all/00000011.html should help a little bit. There exists also another page, but i can't find it.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From fricke at team.owl-online.de Wed Feb 9 15:31:18 2000
From: fricke at team.owl-online.de (fricke@team.owl-online.de)
Date: Tue Dec 2 02:28:27 2003
Subject: Antwort: Re: The sameNetscape Profile on every machine
Message-ID:

I know what you mean but that's what I have.
What I want is, that a new user on a new machine gets his profile without setting the path to a server manually
Any Ideas?

--------------------------------------------------------------------------------------------------
Cord-H. Fricke
Fon: 0 52 1 / 52 51-133
Fax: 0 52 1 / 52 51- 115
fricke@team.owl-online.de
http://team.owl-online.de/
...keep on headbangin', that rocks!!!

From ertl at emp.paed.uni-muenchen.de Wed Feb 9 16:52:21 2000
From: ertl at emp.paed.uni-muenchen.de (Bernhard Ertl)
Date: Tue Dec 2 02:28:27 2003
Subject: Sum: The sameNetscape Profile on every machine
References:
Message-ID: <38A19B45.B0BE6AFC@emp.paed.uni-muenchen.de>

> I know what you mean but that's what I have.
> What I want is, that a new user on a new machine gets his profile without
> setting the path to a server manually
> Any Ideas?

If Z is the server drive. Then you might create a directory like z:\netscape (for every user) and copy a sample netscape configuration inside. Then you create one user called Serverconfiguration on every machine which reads its properties from z:\netscape.

So every user gets the configuration from his server drive when choosing the Serverconfiguration profile, even if he hadn't ever been at this machine before.

If a user hasn't configured its Serverprofile, he gets the sample profile copied in his serverdirectory. he only has to adjust the username and the mail address. If a user once adjusted its profile on the server, he can get its netscape profile from every machine, because all the personal data (like username, Mailservers etc.) is read from Z:\netscape

Clear??

Be

From appro at fy.chalmers.se Wed Feb 9 16:42:18 2000
From: appro at fy.chalmers.se (Andy Polyakov)
Date: Tue Dec 2 02:28:27 2003
Subject: Antwort: Re: The sameNetscape Profile on every machine
References:
Message-ID: <38A198EA.E72B5427@fy.chalmers.se>

> I know what you mean but that's what I have.
> What I want is, that a new user on a new machine gets his profile without
> setting the path to a server manually
> Any Ideas?

If your setup is policy driven (NTconfig.POL on DC's netlogon share), then consider throwing following to CLASS USER section:

CATEGORY "Netscape"
    KEYNAME "Software\Netscape\Netscape Navigator\UserInfo"
    POLICY "Freeze Profile location"
        VALUENAME "ProfileDirectory"
        VALUEON "Z:\.nt\Netscape\profile"
        ACTIONLISTON
            KEYNAME "Software\Netscape\Netscape Navigator\UserInfo"
            VALUENAME "DirRoot"
            VALUE "Z:\.nt\Netscape\profile"
        END ACTIONLISTON
        PART "Bind Netscape profile to Z:\.nt" TEXT
        END PART
    END POLICY ; Freeze Profile location
END CATEGORY ; Netscape

It's based upon http://help.netscape.com/kb/consumer/19990708-9.html. It should be explicitly noted that the page in question mentions Software\Netscape\Navigator\UserInfo key which we found incorrect for later versions of Netscape.

Andy.

From lkcl at samba.org Wed Feb 9 17:04:12 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:27 2003
Subject: [TNG] : write on home dir
In-Reply-To: <38A1427C.F9D34F69@univ-lehavre.fr>
Message-ID:

does this problem occur when a SECOND user logs in on a workstation (different from the first)?

On Wed, 9 Feb 2000, Olivier Brousselle wrote:

> hi,
>
> I'm using samba TNG as a PDC. I have 55 workstations on this domain,
> with the same configuration.
>
> I have problem with the home directories. Some workstation refuse
> to write on the network drive. It's not a user problem, it's a
> machine problem.
>
> This morning, I was alone on the domain, and the machine refuse to
> write with Excel, but it was possible to copy from the Explorer.
>
> Any idea ?
>
> --
> Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
> ==================================================================
> Faculté des sciences        Laboratoire de mécanique
> Monday to Wednesday         Thursday and Friday
> Tel : 02/32/74/43/37        02/32/74/49/67
> Fax : 02/32/74/43/14        02/32/74/49/60
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 17:05:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: Compile Error Main and TNG In-Reply-To: <38A150C3.AC763442@eeigm.inpl-nancy.fr> Message-ID: when was this? the public cvs may be out of sync again. On Wed, 9 Feb 2000, Christian Duclou wrote: > Hello, > > Here is the error while compiling source using the check list: > http://www.kneschke.de/projekte/samba_tng/faq/installation.php3 > > mkdir /usr/src/samba-main > mkdir /usr/src/samba-tng > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login > cd /usr/src/samba-main > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba > cd /usr/src/samba-tng > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba > cd /usr/src/samba-tng/samba/source > /configure --prefix=/opt/samba-tng <= ******** seem to be all right > the command gives : "configure OK" > make <= ******** ERROR > > [root@m0061 source]# cat /root/make.rpt > Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper > -DLOGFILEBASE=" > /opt/samba-tng/var" -DSMBLOGFILE="/opt/samba-tng/var/log.smb" > -DNMBLOGFILE="/opt > /samba-tng/var/log.nmb" -DCONFIGFILE="/opt/samba-tng/lib/smb.conf" > -DLMHOSTSFILE > ="/opt/samba-tng/lib/lmhosts" -DSWATDIR="/opt/samba-tng/swat" > -DSBINDIR="/opt/ > samba-tng/bin" -DLOCKDIR="/opt/samba-tng/var/locks" > -DSMBRUN="/opt/samba-tng/bin > /smbrun" -DCODEPAGEDIR="/opt/samba-tng/lib/codepages" > -DDRIVERFILE="/opt/samba-t > ng/lib/printers.def" -DBINDIR="/opt/samba-tng/bin" > -DFORMSFILE="/opt/samba-tng/l > ib/ntforms.def" -DNTDRIVERSDIR="/opt/samba-tng/lib" -DHAVE_INCLUDES_H > -DPASSWD_P > ROGRAM="/bin/passwd" -DSMB_PASSWD_PROGRAM="/opt/samba-tng/bin/smbpasswd" > > -DSMB_P > ASSWD_FILE="/opt/samba-tng/private/smbpasswd" > -DSAM_DIR="/opt/samba-tng/sam" -DS > MB_PASSGRP_FILE="/opt/samba-tng/private/smbpassgrp" > -DSMB_GROUP_FILE="/opt/samba > -tng/private/smbgroup" > -DSMB_ALIAS_FILE="/opt/samba-tng/private/smbalias" > Using LIBS = -lreadline -ldl -lcrypt -lpam -lcurses > Linking 
shared library bin/libmsrpc.la > Linking shared library bin/libsmb.la > Compiling libsmb/namequery.c with libtool > libsmb/namequery.c: In function `resolve_bcast': > libsmb/namequery.c:484: too many arguments to function `open_socket_in' > libsmb/namequery.c: In function `resolve_wins': > libsmb/namequery.c:545: too many arguments to function `open_socket_in' > make: *** [libsmb/namequery.lo] Error 1 > > > -- > _____________ EEIGM - Service Informatique _____________ > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 > _______________ http://eeigm.inpl-nancy.fr _____________ > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From abrooks at css.tayloru.edu Wed Feb 9 17:26:31 2000 From: abrooks at css.tayloru.edu (Aaron D. Brooks) Date: Tue Dec 2 02:28:28 2003 Subject: The sameNetscape Profile on every machine In-Reply-To: Message-ID: On Thu, 10 Feb 2000 fricke@team.owl-online.de wrote: > Date: Thu, 10 Feb 2000 02:16:21 +1100 
> From: fricke@team.owl-online.de > To: Multiple recipients of list SAMBA-NTDOM > Subject: The sameNetscape Profile on every machine > > Hi there, > > is there any solution to have the same Netscape-Profile on every > NT-Machine in the network? > I always have to configure the Netscape if somebody is changing his place > or just working on another machine. > I work with Samba 2.04b and it´s great... > -------------------------------------------------------------------------------------------------- I'm not sure if this answeres the problem you posed but what we do in our labs is set the C:\winnt\nsreg.dat to direct Netscape to look to X:\.netscape (X is where we map the user's home directory on the network) for the profile. We do this using the Netscape profile editor and then remove the profile editor from the lab machines. All users use the default profile which points to their account. No matter where they log in, their profile is with them. (Plus their configuration and bookmarks follow them, AND since we have some links set up and use the .netscape directory their Netscape bookmarks follow them even if they log in on the UNIX side of the network). Having the directory named .netscape is not necessary if you are only having Win32 clients use the Netscape profiles. One other thing to note is that if the user's home dir does not mount for some reason, Netscape will automagically try to break everything. To prevent this our login script copies over the generic nsreg.dat to the C:\winnt directory. This system works wonderfully. Another alternative, actually a set of alternatives, is to use Netscapes roaming profile configuration. This can be implemented either via LDAP or an Apache module. Due to how Netscape implements this, however, it seems to be less reliable. Plus, these methods make the system less maintainable since they are not part of the filesystem. -Aaron +-------> Aaron D. Brooks, 765 . 998 . 
5168 Computing Systems Resource Manager Taylor University, CSS Department abrooks [SHIFT"2"] css.tayloru.edu From Christian.Duclou at eeigm.inpl-nancy.fr Wed Feb 9 17:30:27 2000 
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou) Date: Tue Dec 2 02:28:28 2003 Subject: Compile Error Main and TNG Message-ID: <38A1A433.E6E242F1@eeigm.inpl-nancy.fr> It was download Tuesday, 8 Feb - 6h00 PM (FRANCE) and compile this morning Wednesday, 9 Feb - 10h00 AM (FRANCE) Luke Kenneth Casson Leighton wrote: > when was this? the public cvs may be out of sync again. > > On Wed, 9 Feb 2000, Christian Duclou wrote: > > > Hello, > > > > Here is the error while compiling source using the check list: > > http://www.kneschke.de/projekte/samba_tng/faq/installation.php3 > > > > mkdir /usr/src/samba-main > > mkdir /usr/src/samba-tng > > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot login > > cd /usr/src/samba-main > > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co samba > > cd /usr/src/samba-tng > > cvs -d :pserver:cvs@cvs.samba.org:/cvsroot co -r SAMBA_TNG samba > > cd /usr/src/samba-tng/samba/source > > /configure --prefix=/opt/samba-tng <= ******** seem to be all right > > the command gives : "configure OK" > > make <= ******** ERROR > > > > [root@m0061 source]# cat /root/make.rpt > > Using FLAGS = -O -Iinclude -I./include -I./ubiqx -I./smbwrapper > > -DLOGFILEBASE=" > > /opt/samba-tng/var" -DSMBLOGFILE="/opt/samba-tng/var/log.smb" > > -DNMBLOGFILE="/opt > > /samba-tng/var/log.nmb" -DCONFIGFILE="/opt/samba-tng/lib/smb.conf" > > -DLMHOSTSFILE > > ="/opt/samba-tng/lib/lmhosts" -DSWATDIR="/opt/samba-tng/swat" > > -DSBINDIR="/opt/ > > samba-tng/bin" -DLOCKDIR="/opt/samba-tng/var/locks" > > -DSMBRUN="/opt/samba-tng/bin > > /smbrun" -DCODEPAGEDIR="/opt/samba-tng/lib/codepages" > > -DDRIVERFILE="/opt/samba-t > > ng/lib/printers.def" -DBINDIR="/opt/samba-tng/bin" > > -DFORMSFILE="/opt/samba-tng/l > > ib/ntforms.def" -DNTDRIVERSDIR="/opt/samba-tng/lib" -DHAVE_INCLUDES_H > > -DPASSWD_P > > ROGRAM="/bin/passwd" -DSMB_PASSWD_PROGRAM="/opt/samba-tng/bin/smbpasswd" > > > > -DSMB_P > > ASSWD_FILE="/opt/samba-tng/private/smbpasswd" > > -DSAM_DIR="/opt/samba-tng/sam" -DS 
> > MB_PASSGRP_FILE="/opt/samba-tng/private/smbpassgrp" > > -DSMB_GROUP_FILE="/opt/samba > > -tng/private/smbgroup" > > -DSMB_ALIAS_FILE="/opt/samba-tng/private/smbalias" > > Using LIBS = -lreadline -ldl -lcrypt -lpam -lcurses > > Linking shared library bin/libmsrpc.la > > Linking shared library bin/libsmb.la > > Compiling libsmb/namequery.c with libtool > > libsmb/namequery.c: In function `resolve_bcast': > > libsmb/namequery.c:484: too many arguments to function `open_socket_in' > > libsmb/namequery.c: In function `resolve_wins': > > libsmb/namequery.c:545: too many arguments to function `open_socket_in' > > make: *** [libsmb/namequery.lo] Error 1 > > > > > > -- > > _____________ EEIGM - Service Informatique _____________ > > 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France > > Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 > > _______________ http://eeigm.inpl-nancy.fr _____________ > > > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals -- _____________ EEIGM - Service Informatique _____________ 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 _______________ http://eeigm.inpl-nancy.fr _____________ From abrooks at css.tayloru.edu Wed Feb 9 17:30:37 2000 From: abrooks at css.tayloru.edu (Aaron D. Brooks) Date: Tue Dec 2 02:28:28 2003 Subject: The sameNetscape Profile on every machine In-Reply-To: <38A18B5F.1D7FE5E9@netuse.de> Message-ID: On Thu, 10 Feb 2000, Lars Kneschke wrote: > http://www.patoche.org/LTT/all/00000011.html should help a liitle bit. > There exists also another page, but i can't find it. Sorry for the repost. Started the message, went to lunch, and then sent. ;) -A. From lkcl at samba.org Wed Feb 9 17:28:14 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com>
Message-ID:

On Wed, 9 Feb 100 jeremy@varesearch.com wrote:

> >
> > > > TNG seems to be much further ahead on the MSRPC issues, which means
> > > > there's no merge to do from 2.0.x there.
> > >
> > > wrong. the smb/rpc layer (the prs_struct structure) is much cleaner in
> > > HEAD. Some RPC functions have been rewritten in HEAD and must be kept.
> >
> > don't want to do it. point me in the direction of specific functions and
> > i'll rewrite them in TNG.
> >
> > i don't want ANY of the dce/rpc code from 2_0 or cvs main in any future
> > version of samba, i have no idea of its trustworthiness.
> >
> > there _is_ one feature i do want: the byte-ordering that jeremy added.
>
> Actually luke, don't mix up the RPC server/client stub code
> with the RPC *implementation* code in 2.0.x. The implementation

i wasn't.

> code in 2.0.x is much more reliable than the TNG code (not
> the actual server/client functions though).

just because it's been running in production for two years doesn't imply that it's good code or does the correct job.

for example, that patch to srv_reg.c by hp? it turns samba from a pdc to a domain-member. that means that running usrmgr.exe or running srvmgr.exe on samba will report the wrong info, and may cause usrmgr.exe to fail, or become "musrmgr" which can't do domain groups!

as i kept requesting you repeatedly every single damn time i saw a mod to the rpc implementation (server-side) code, i don't _want_ any code from the 2-year-old branch to be in a future release of samba, therefore i repeatedly asked you to dual-mod what is now tng and what is 2_0.

reason: when the time comes, i don't want _any_ 2_0 rpc code in the resultant release.

so, i'll do a cvs diff from 2 years ago, review what's been added and make sure it's in tng.
if you don't trust _me_ to do that job, please consider doing it yourself. because i certainly don't trust any of the [very limited, small, alpha, first-version, development-quality] 2_0 rpc code -- server, marshalling _or_ client.

From lkcl at samba.org Wed Feb 9 17:31:30 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

> > i am curious. what happens inside LsaOpenPolicy(). the connection is
> > anonymous, yes. the server is running as SYSTEM context. is it the job
> > of the _lsaopenpolicy call_ to switch to the context of the client
> > (impersonatenamedpipeclient), or is it the job of the _msrpc handler_ to
> > call impersonatenamedpipeclient?
> >
>
> It's the job of every call that wants to impersonate. The msrpc part
> of it handles marshalling and making sure that there's a token there
> to impersonate, should the server want to. It's entirely up to the
> server to call RpcImpersonateClient(), and then RpcRevertToSelf() when
> it's done.

excellent! thank you for clarifying.

hmm, now i wonder what i should do...

From lkcl at samba.org Wed Feb 9 17:48:41 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com>
Message-ID:

> Actually luke, don't mix up the RPC server/client stub code
> with the RPC *implementation* code in 2.0.x. The implementation
> code in 2.0.x is much more reliable than the TNG code (not
> the actual server/client functions though).

cvs -t co -r SAMBA_2_0 samba
cvs -t diff -u -r "1.8" source/rpc_server > foo

i'm just reviewing srv_lsa.c diffs. it shows, for example that the implementation of lsa_open_policy() is this:

    for (i = 4; i < 20; i++)
    {
        r_u.policy_hnd[i] = i;
    }

you are not telling me that this is more reliable than the tng implementation, i take it?

what i _do_ like about 2_0 is this:

    api_reply_lsa_open_policy()
    {
        if (!lsa_io_q_open_policy(...))
        {
            return False;
        }
        ...

From Jean-Francois.Micouleau at dalalu.fr Wed Feb 9 17:53:18 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:

> On Wed, 9 Feb 100 jeremy@varesearch.com wrote:
> > code in 2.0.x is much more reliable than the TNG code (not
> > the actual server/client functions though).
>
> just because it's been running in production for two years doesn't imply
> that it's good code or does the correct job.

We're talking about different things.

With Jeremy we're talking about the prs_struct itself and the prs_init(), prs_grow(), prs_whatever() functions. Jeremy rewrote them a year ago, between 2.0.0 and 2.0.2

And these are much better than in TNG. Or at least they don't LEAK MEMORY like in TNG. Comprendo ?

> because i certainly don't trust any of the [very limited, small, alpha,
> first-version, development-quality] 2_0 rpc code -- server, marshalling
> _or_ client.

I can't stand that any more. You're totally over-exaggerating. The diff is not so big. It's a fact, I MADE MYSELF THE DIFF.

OK, as I'm honest, you're right on the client code.

J.F.

From lkcl at samba.org Wed Feb 9 17:55:54 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_netlogon.c. aside from being totally rewritten, extended etc in tng, 2_0 netlogon is one-process-specific. if the 2_0 netlogon services terminate, the connection cannot be re-established without the client having to redo the credential chain. 2_0 netlogon code only does NTLMv1. it also doesn't do "network" pass-through to trusted domain controllers. it doesn't generate a "user session key". it doesn't have the "general" logon type - type 0x4. it also assumes that all strings are ascii not Unicode in the user's profile, and it doesn't support other samr daemons that _do_ support Unicode. matthew chapman also added proper functionality for the following: net_trust_dom_list net_logon_control net_sam_sync. so srv_netlogon.c needs to be totally replaced with srv_netlogon_nt.c and srv_netlogon.c from TNG. next... From thien at ac.housing.berkeley.edu Wed Feb 9 17:56:02 2000 From: thien at ac.housing.berkeley.edu (Thien Vu) Date: Tue Dec 2 02:28:28 2003 Subject: Unable to set default printer on ntws4 Message-ID: I am running a Samba 2.0.6PDC with NT4 Workstation. I am able to add the printer to the local machine, and print and set the printer as default as an administrator, but when I log in as a normal user, the setting for the printer as the default printer disappears and so programs (like Netscape) that requires a default printer before you can even select a printer will not print. Other programs, in which you can select the printer, will still print if I manually select the printer. I was wondering if there is a fix for this, or if a registry setting needed to be made on the local machine, user profile, or where. Thanks, Thien Vu From anders at aae.wisc.edu Wed Feb 9 17:57:21 2000 
From: anders at aae.wisc.edu (Anders C. Thorsen) Date: Tue Dec 2 02:28:28 2003 Subject: Strange Error In-Reply-To: <000101bf727d$b1dc3360$12f066cf@tantalus> from Martin Brown at "Feb 8, 2000 01:44:36 pm" Message-ID: <200002091757.LAA02268@pug.aae.wisc.edu> One solution is to have one Linux box running TNG as PDC w/LDAP, and have the samba 2.0.x be a member of that domain.. Please don't use any higher version than the current stable (2.0.6, soon 2.0.7) for file-sharing purposes in production environments. [You'll only get yourself into trouble!] --Anders > > damn.. I really really need ldap to work with samba. What my goal is this. > To use Samba as the PDC for my NT domain, but have Samba reference LDAP for > authorization. > > -----Original Message----- > From: Anders C. Thorsen [mailto:anders@aae.wisc.edu] > > The support for LDAP in the 2.0 version vas EXPERIMENTAL, and was > removed in 2.0.5 (i think it was 5, but not sure) because > it is not properly working, and not SUPPORTED. > > (You can always force it to include LDAP, but not recommended..) > > --Anders > > > > I configured Samba 2.0.6 with --with-ldap and I get > > > > configure: error: LDAP password database not supported in this version. > > > > But I was sure 2.0.6 supported LDAP.. no? From lkcl at samba.org Wed Feb 9 17:57:56 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_pipe.c. totally rewritten, there's no point in my looking at this code, because i re-architected it and added "netlogon secure channel" as an MSRPC authentication api-instance. i also split ntlmssp into its own MSRPC auth api-instance, so that it is _only_ added - at run-time - into \PIPE\samr [because we don't want people encrypting user data etc etc]. next... From lkcl at samba.org Wed Feb 9 18:00:21 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: there is _one_ area that needs to be reviewed in srv_pipe.c, which is now in srv_pipe_ntlmssp.c in tng, and that is what to do for user authentication. no, the "anonymous" code in 2_0 is not correct - it is _not_ the responsibility of the srv_pipe code to make that decision, it is the responsibility of the NETLOGON [authentication server] to decide whether to accept an anonymous user or not. From lkcl at samba.org Wed Feb 9 18:01:05 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: excellent! a bind nak! maybe i was wrong about some of srv_pipe.c. From lkcl at samba.org Wed Feb 9 18:03:19 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_pipe_hnd.c totally goes, because it has dce/rpc pipe-handling in it. tng srv_pipe_hnd.c does not, it's just a data-redirector. next... From lkcl at samba.org Wed Feb 9 18:08:21 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_reg.c. why does 2_0 only check sys/ccs/control/productoptions for being ServerNT? tng has sys/ccs/control/netlogon/parameters as well. tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need that registry conversion so we can start doing a decent job! From lkcl at samba.org Wed Feb 9 18:10:26 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_samr.c. i'm only going to go over this one because i was surprised and pleased to see useful stuff in srv_pipe.c. nope, the whole lot has to go. From lkcl at samba.org Wed Feb 9 18:16:35 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:28 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com> Message-ID: srv_util.c isn't useful. hmm... that diff command failed to catch a couple of files: srv_srvsvc.c and srv_wkssvc.c damn, tag 1.8 not 1.18. *sigh* have to do it all again.... From Nicolas.Williams at wdr.com Wed Feb 9 18:21:38 2000 
From: Nicolas.Williams at wdr.com (Nicolas Williams)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <20000209133213Z13175737-24228+50447@samba.anu.edu.au>; from tridge@linuxcare.com on Thu, Feb 10, 2000 at 12:32:12AM +1100
References: <20000208160541.S3726@sm2p1386swk.wdr.com> <20000208172449.U3726@sm2p1386swk.wdr.com> <20000209133213Z13175737-24228+50447@samba.anu.edu.au>
Message-ID: <20000209132137.Z3726@sm2p1386swk.wdr.com>

I'll make this quick. My hands are hurting.

I didn't say ALL MSRPC daemons need not bother switching euid/egid to the caller's, but that LSA/NETLOGON/SAM certainly don't. I can imagine that some MSRPC services would need to switch the Unix security context to the caller's, say, like a remote application launcher (something like Terminal Server, say, of which I know nothing).

But look, if Luke wants to put become_user()/unbecome_user() calls in his code, they'll amount to nothing in most cases and so there will be no issue; someday someone will notice the utter uselessness of those calls and drop them. The only harm of using those calls will be:

 - possibly a false sense of security
 - possibly complicate any attempt to multi-thread those daemons

Now, my hands hurt, so I'll drop out of all of this for a while.

Oh, and, as for SYSKEY, I just realized yesterday that SYSKEY and similar systems are going to be specific to each SAM database backend implementation, not generic to Samba. E.g., Luke Howard's SAM with LDAP with Windows 2000 schema will likely need to implement Microsoft's system, not Luke's. So if Samba is to have its own SYSKEY system it should really just be a library for some, not all, SAM implementations to use.
Also, as for which TNG ideas to keep in a merge to a stable branch, IMNSHO (I stress the 'NS' bit :):

 - Modular MSRPC external to SMBD using localhost IPC for communication between SMBD and MSRPC daemons, including the latest PID/VUID and standard_sub_vuser() stuff we've been talking about.

 - Marshalling/Unmarshalling code separated from the implementation functions. Preferably the MSRPC daemons should consist only of the marshalling/unmarshalling functions and should dlopen() the shared object that contains the implementation functions; this would allow SAM/LSA/NETLOGON implementation options be configurable via smb.conf instead of just compile-time options.

 - Multiple SAM backends (only one can run at a given time, of course). This capability is a result of the above two items. Same thing with LSA and NETLOGON implementations.

 - TNG's MSRPC implementations.

Again, IMNSHO.

Bye for now,

Nico

-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

On Thu, Feb 10, 2000 at 12:32:12AM +1100, tridge@linuxcare.com wrote:
> > So the MSRPC daemons will have access to the user context information.
> > They have to implement authorization functionality internally because
> > the objects which most of those MSRPC daemons deal with are NOT Unix
> > kernel objects (files, pipes, Unix sockets, processes, whatever); if
> > those objects are not Unix kernel objects then switching Unix security
> > contexts (euid/egid) HAS NO EFFECT.
>
> I am so glad to see that somebody else understands this. It is a very
> important concept.
>
> We have to decouple the unix security context from the RPC security
> context. We have the SMB and Unix security contexts coupled in smbd,
> but we get away with that because we are dealing with objects that the
> unix kernel knows about so the unix security handling does all the
> work for us.
> In msrpcd the situation is quite different as we are
> manipulating objects that have no parallel in the unix world - so we
> must not couple the security contexts or we end up relying on
> protection that the kernel just can't provide.
>
> In NT things are different. There they have the objects in the kernel
> and the kernel knows how to protect them. The NT kernel security
> context provides protection of the objects manipulated by msrpc
> calls so there is no issues as to whether these two contexts should be
> coupled - they are the same thing. On non-NT systems we must design
> things quite differently.
>
> Think about the above couple of points carefully Luke. They are central
> to what you are working on.
>
> Cheers, Tridge
>
> PS: I'm away for the next month - expect only occasional email
> responses.

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From Jean-Francois.Micouleau at dalalu.fr Wed Feb 9 18:43:42 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:

> srv_reg.c. why does 2_0 only check sys/ccs/control/productoptions for
> being ServerNT?

PIPE \\winreg is disabled in 2.0.X.

From s.striker at striker.nl Wed Feb 9 19:00:57 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

Luke,

I'll help Lars out this week. Should be finished soon with two persons working on it :-)

>tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need
>that registry conversion so we can start doing a decent job!

Sander

PS. Should we put in the 2_0 if (!req_io_reg_xxx()) return False scheme?

From lkcl at samba.org Wed Feb 9 18:57:51 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <200002091257.EAA10553@silicon.su.valinux.com>
Message-ID:

here we go again.

srv_lookup.c

out-of-date concepts. broken concepts. broken code. e.g contains hard-coded table of the BUILTIN domain's Aliases. make_dom_gids is redundant. lookup_xxx_xxx() functions were a first implementation attempt at a time when i didn't understand what was going on. this code should be abandoned and replaced (including in tng, what is left of it).

conclusion: replace.

srv_lsa.c

open_policy2 also exists in tng. open_policy and open_policy2 use of for-loop to create policy handles is not acceptable. elrond has totally rewritten tng instance-implementation to be UNICODE and also i not do direct database-lookups but to use SAM database calls instead.

conclusion: replace

srv_lsa_hnd.c

out-of-date policy handling, not suitable for use in tng.

conclusion: replace

srv_netlog.c

same as before. code only does NTLMv1. doesn't generate user session keys. susceptible to client-side behaviour. doesn't handle pass-through-to-trusted-domain-controllers. doesn't handle cases where SSAM database can handle UNICODE. doesn't have net_trust_dom_list, net_logon_ctrl2 or net_sam_sync of tng.

conclusion: replace

srv_pipe.c

doesn't handle netlogon secure channel. ntlmssp hard-coded, should be abstracted. shouldn't be processing anonymous users (or making decisions about them) that's the job of the NETLOGON process, not srv_pipe.c
doesn't handle NTLMv2 sign-seal, but neither does tng. we're missing some constants. i know they exist, i just don't know what they are. _does_ do bind_nak, which is really good. _doesn't_ do a fault pdu, which is not.

conclusion: replace, use bind_nak code from 2_0, put into tng.

srv_pipe_hnd.c

code deals with dce/rpc which it shouldn't.
tng is a data-redirector

conclusion: replace

srv_reg.c

only does ProductOptions not NETLOGON\Control as well. NG responds LanmanNT, 2_0 responds ServerNT. need to resolve this

conclusion: replace with lars conversion, resolve unknown issues.

srv_samr.c

nothing useful at all.

conclusion: replace

srv_srvsvc.c:

there's a considerable amount of formatting-changes that make it difficult to review this. nothing new except in net_srv_get_info that andrew added code to truncate the server name to 48 chars. the hard-coded 0x4100b (a pdc) server-type has already also been added to tng nset_srv_get_info. init_share_info looks like it's had a pstring_sub("%S", lp_servicename(snum)) processing.

conclusion: replace, add server-truncate-to-48-chars code. write decent code that takes account of connection-state from smbd. this is going to be really tricky to get right. may have to stick with the pstring_sub() hack for now. ask elrond to make srv_srvsvc_nt.c code dynamically-allocated.

srv_util.c

hard-coded BUILTIN domain's aliases not acceptable. get_domain_users_groups() is unacceptable, it uses hacked-up parameters i created just for the sheer hell of it because i needed something to put in the user's groups. lookup_xxx_xxx() is a broken design, broken concept, broken code, and also unacceptable.

conclusion: replace

ok, that's it.

overall: api_reply_xxx() code should check that marshalling succeeded, this is a good idea (add to tng's rpc_server/srv_*.c marshalling/dispatcher code).

conclusion: no significant "reliability" changes noticed that are vitally important except the server-truncate-to-48-chars and the init_share_info() being dynamically allocated.

jeremy, i think that you may be considering that the server-implementation code in 2_0 is "considerably more reliable" because of about... four changes in functionality. the tng code DWARFS the 2_0 code in comparison -- 7,655 lines of code compared to 21,511.

so no, i do _not_ want to keep the tng server-side implementation code, it's too out-of-date.

i hope that this message will help you realise, now, WHY i kept telling you that using the 2_0 code is not a good idea, and also why i persistently asked you to keep 2_0 mods and tng mods up-to-date.

thx,

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 18:59:31 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: rpcclient from tng
In-Reply-To: <38A17FC6.978EE389@grainsystems.com>
Message-ID:

On Thu, 10 Feb 2000, Kevin Colby wrote:

> Luke Kenneth Casson Leighton wrote:
> > On 8 Feb 2000, Todd Sabin wrote:
> > >
> > > The problem appears to be that the registry value has no name. I.e.,
> > > its name is "", the null string. Yes, the geniuses at Microsoft allow
> > > you to create values with the null string as its name. In fact, large
> >
> > .. *blink* :)
>
> I can't confirm this as not working, but I can confirm that
> null-named registry keys are, in fact, quite commonplace.
> I hope that isn't a problem.

no, i just need a netmon trace to fix it.

From lkcl at samba.org Wed Feb 9 19:06:34 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Wed, 9 Feb 2000, Jean Francois Micouleau wrote:

>
> On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
>
> > On Wed, 9 Feb 100 jeremy@varesearch.com wrote:
>
> > > code in 2.0.x is much more reliable than the TNG code (not
> > > the actual server/client functions though).
> >
> > just because it's been running in production for two years doesn't imply
> > that it's good code or does the correct job.
>
> We're talking about different things. With Jeremy we're talking about the
> prs_struct itself and the prs_init(), prs_grow(), prs_whatever()
> functions. Jeremy rewrote them a year ago, between 2.0.0 and 2.0.2

and as a result, and to add more functionality, i rewrote it myself, too.

> And these are much better than in TNG. Or at least they don't LEAK MEMORY
> like in TNG. Comprendo ?

oh dear. more memory leaks? *sigh*. gonna have to fix that.

> > because i certainly don't trust any of the [very limited, small, alpha,
> > first-version, development-quality] 2_0 rpc code -- server, marshalling
> > _or_ client.
>
> I can't stand that any more. You're totally over-exaggerating. The diff is

no i'm not.

> not so big. It's a fact, I MADE MYSELF THE DIFF.

yes, so did i. a diff of rpc_server/*.c against 2_0 from the time it was created up till now is 8,000 lines long. i reviewed it.

From tas at webspan.net Wed Feb 9 19:09:17 2000
From: tas at webspan.net (Todd Sabin)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: Luke Kenneth Casson Leighton's message of "Thu, 10 Feb 2000 05:21:48 +1100"
References:
Message-ID:

Luke Kenneth Casson Leighton writes:
>
> tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need
> that registry conversion so we can start doing a decent job!

OOC, what registry conversion are you talking about?

Todd

From martin at tantalus.com Wed Feb 9 19:14:24 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:28 2003
Subject: lib reference error
Message-ID: <003101bf7331$e1359480$12f066cf@tantalus>

Linking bin/samrd
bin/.libs/libsmbpw.so: undefined reference to `samlogon_user'
bin/.libs/libsmbpw.so: undefined reference to `sam_logon_in_ssb'
collect2: ld returned 1 exit status
make: *** [bin/samrd] Error 1

This seems like an odd error, has anyone else come across this?

___________________________________________
Martin Brown, Unix Systems Administrator
Tantalus Communications Inc.
500-1122 Mainland Street
Vancouver, BC, Canada V6B 5L1
martin@tantalus.com

Direct 604.721-0351
Main 604.609.0700
Fax 604.609.0705
Toll Free 1.877.326.6776

http://www.tantalus.com
"When eBusiness experience counts."

From lkcl at samba.org Wed Feb 9 19:12:45 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <20000209132137.Z3726@sm2p1386swk.wdr.com>
Message-ID:

On Wed, 9 Feb 2000, Nicolas Williams wrote:

> But look, if Luke wants to put become_user()/unbecome_user() calls in
> his code, they'll amount to nothing in most cases and so there will be
> no issue; someday someone will notice the utter uselessness of those

the way that NT does it is to provide a user security context for the daemon to switch to _if_ they so desire. i'd *prefer* to switch _to_ the user context, allowing the daemon to switch back to its default context (root) if it so desires.

> - possibly a false sense of security
> - possibly complicate any attempt to multi-thread those daemons
>
> Now, my hands hurt, so I'll drop out of all of this for a while.
>
> Oh, and, as for SYSKEY, I just realized yesterday that SYSKEY and
> similar systems are going to be specific to each SAM database backend
> implementation, not generic to Samba. E.g., Luke Howard's SAM with LDAP
> with Windows 2000 schema will likely need to implement Microsoft's
> system, not Luke's. So if Samba is to have its own SYSKEY system it
> should really just be a library for some, not all, SAM implementations
> to use.

YES! of course it is! additionally, it's user-configurable option, so what's everyone's problem??

> Also, as for which TNG ideas to keep in a merge to a stable branch,
> IMNSHO (I stress the 'NS' bit :):
>
> - Modular MSRPC external to SMBD using localhost IPC for communication
>   between SMBD and MSRPC daemons, including the latest PID/VUID and
>   standard_sub_vuser() stuff we've been talking about.
>
> - Marshalling/Unmarshalling code separated from the implementation
>   functions.
>   Preferably the MSRPC daemons should consist only of the
>   marshalling/unmarshalling functions and should dlopen() the shared
>   object that contains the implementation functions; this would allow
>   SAM/LSA/NETLOGON implementation options be configurable via smb.conf
>   instead of just compile-time options.

that's the intent.

> - Multiple SAM backends (only one can run at a given time, of course).
>   This capability is a result of the above two items. Same thing with
>   LSA and NETLOGON implementations.

yep!!!

From lkcl at samba.org Wed Feb 9 19:15:38 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Wed, 9 Feb 2000, Jean Francois Micouleau wrote:

>
>
> On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:
>
> > srv_reg.c. why does 2_0 only check sys/ccs/control/productoptions for
> > being ServerNT?
>
> PIPE \\winreg is disabled in 2.0.X.

:) that's funny.

From lkcl at samba.org Wed Feb 9 19:17:45 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Wed, 9 Feb 2000, Sander Striker wrote:

> Luke,
>
> I'll help Lars out this week. Should be finished soon with two persons
> working on it :-)

it's only 5 functions.

> >tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need
> >that registry conversion so we can start doing a decent job!
>
> Sander
>
> PS. Should we put in the 2_0 if (!req_io_reg_xxx()) return False scheme?

YES! :)

From lkcl at samba.org Wed Feb 9 19:21:04 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

conversion of all samba code to separate marshalling code from actual server-side implementation of msrpc service. registry is the only one left to be so-converted (srv_reg.c).

On 9 Feb 2000, Todd Sabin wrote:

> Luke Kenneth Casson Leighton writes:
> >
> > tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need
> > that registry conversion so we can start doing a decent job!
>
> OOC, what registry conversion are you talking about?
>
>
> Todd
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 9 19:23:47 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: lib reference error
In-Reply-To: <003101bf7331$e1359480$12f066cf@tantalus>
Message-ID:

ah. i know what that is. you haven't told anyone, but you're compiling with --with-ldap, aren't you?

i'll fix it.

On Thu, 10 Feb 2000, Martin Brown wrote:

>
> Linking bin/samrd
> bin/.libs/libsmbpw.so: undefined reference to `samlogon_user'
> bin/.libs/libsmbpw.so: undefined reference to `sam_logon_in_ssb'
> collect2: ld returned 1 exit status
> make: *** [bin/samrd] Error 1
>
> This seems like an odd error, has anyone else come across this?
>
> ___________________________________________
> Martin Brown, Unix Systems Administrator
> Tantalus Communications Inc.
> 500-1122 Mainland Street
> Vancouver, BC, Canada V6B 5L1
> martin@tantalus.com
>
> Direct 604.721-0351
> Main 604.609.0700
> Fax 604.609.0705
> Toll Free 1.877.326.6776
>
> http://www.tantalus.com
> "When eBusiness experience counts."
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From martin at tantalus.com Wed Feb 9 19:31:06 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:28 2003
Subject: lib reference error
In-Reply-To:
Message-ID: <003201bf7334$3658b4e0$12f066cf@tantalus>

Yeah, oops.. did I leave that out? =)

-----Original Message-----
From: Luke Leighton [mailto:lkcl@samba.org]
Sent: Wednesday, February 09, 2000 11:24 AM
To: Martin Brown
Cc: Multiple recipients of list SAMBA-NTDOM
Subject: Re: lib reference error

ah. i know what that is. you haven't told anyone, but you're compiling with --with-ldap, aren't you?

i'll fix it.

On Thu, 10 Feb 2000, Martin Brown wrote:

>
> Linking bin/samrd
> bin/.libs/libsmbpw.so: undefined reference to `samlogon_user'
> bin/.libs/libsmbpw.so: undefined reference to `sam_logon_in_ssb'
> collect2: ld returned 1 exit status
> make: *** [bin/samrd] Error 1
>
> This seems like an odd error, has anyone else come across this?
>
> ___________________________________________
> Martin Brown, Unix Systems Administrator
> Tantalus Communications Inc.
> 500-1122 Mainland Street
> Vancouver, BC, Canada V6B 5L1
> martin@tantalus.com
>
> Direct 604.721-0351
> Main 604.609.0700
> Fax 604.609.0705
> Toll Free 1.877.326.6776
>
> http://www.tantalus.com
> "When eBusiness experience counts."
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lars at kneschke.de Wed Feb 9 19:44:27 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:28 2003
Subject: Code conversion
References:
Message-ID: <38A1C39B.636F3327@kneschke.de>

Luke Kenneth Casson Leighton wrote:
>
> On Wed, 9 Feb 2000, Sander Striker wrote:
>
> > Luke,
> >
> > I'll help Lars out this week. Should be finished soon with two persons
> > working on it :-)
>
> it's only 5 functions.
>
> > >tng and 2_0 registry code are _both_ stupidly brain-dead. lars, we need
> > >that registry conversion so we can start doing a decent job!
> >
> > Sander
> >
> > PS. Should we put in the 2_0 if (!req_io_reg_xxx()) return False scheme?
>
> YES! :)

Ok! I need to write an abstract for the Linux Day. I want to make a talk about Samba TNG and the future about Samba. The Linux Day is one of the biggest Linux Events here in Europe. I need to send in the abstract till tomorrow. Grr, bad timing from my side! It's now 20:42. I need half an hour to write this. After i'll start converting the functions. I'll send the patches to you both, so that Sander can see what i have done.

Cu
--
Do you like Samba? Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From lkcl at samba.org Wed Feb 9 20:40:48 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: Code conversion
In-Reply-To: <38A1C39B.636F3327@kneschke.de>
Message-ID:

> > > PS. Should we put in the 2_0 if (!req_io_reg_xxx()) return False scheme?
> >
> > YES! :)
> Ok! I need to write an abstract for the Linux Day. I want to make a talk
> about Samba TNG and the future about Samba. The Linux Day is one of the

nice.

> biggest Linux Events here in Europe. I need to send in the abstract till
> tomorrow. Grr, bad timing from my side! It's now 20:42. I need half an
> hour to write this. After i'll start converting the functions. I'll send
> the patches to you both, so that Sander can see what i have done.

okie.

From Christian.Duclou at eeigm.inpl-nancy.fr Wed Feb 9 20:51:35 2000
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou)
Date: Tue Dec 2 02:28:28 2003
Subject: Compile Error Main and TNG
References:
Message-ID: <38A1D357.6F9387F6@eeigm.inpl-nancy.fr>

I restarted the download & compile procedure. It seems to be all right. I'll test it tomorrow morning, good night...

Thanks all you.

--
_____________ EEIGM - Service Informatique _____________
6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France
Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36
_______________ http://eeigm.inpl-nancy.fr _____________

From jln at stben.be Wed Feb 9 21:04:28 2000
From: jln at stben.be (Jean-Louis Noel)
Date: Tue Dec 2 02:28:28 2003
Subject: groups
References: <000f01bf724b$e3afdbd0$285595c2@stben.be>
Message-ID: <003701bf7341$408cc8e0$285595c2@stben.be>

Henning Eiben wrote in the message:

> domain groups = Users/100
>
> in my smb.conf and I get a Domain Group (like I would I would be using a NT
> Server) with Domain Users mapped to GUID 100 on linux box? Or am I assuming
> something totally wrong?

Do not seem to function like that!

Bye,
Jean-Louis

From lkcl at samba.org Wed Feb 9 21:29:06 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:28 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <200002092109.NAA31322@silicon.su.valinux.com>
Message-ID:

On Wed, 9 Feb 100 jeremy@varesearch.com wrote:

> > jeremy, i think that you may be considering that the server-implementation
> > code in 2_0 is "considerably more reliable" because of about... four
> > changes in functionality. the tng code DWARFS the 2_0 code in comparison
> > -- 7,655 lines of code compared to 21,511.
> >
>
> No Luke, you don't get it. I'm not talking about the functions
> you are referring to *at all*. I know the code that implements
> these in TNG is better and should be used (once reviewed).

[see rest of message, i got it the wrong way round]

> I am talking about the whole underlying substrate of the
> rpc_parse stuff, and the way the 2.0.x code handles the
> PDUs and buffers for the RPC packets. It is *this* code
> that is more advanced in 2.0.x, not the server functions.

based on your work there, and some really irritating memory corruption errors i kept getting, i too replaced and rewrote the rpc_parse code in tng.

you trust that code and think it's more advanced, because you wrote it, and understand it.

> I know this code is missing the fault PDU, and the NTLMv2
> stuff, but this is easily added on top of the stable code
> that handles RPC packets in 2.0.x.

no it can't. check the review i did. there's entire areas of functionality missing from rpc packet-handling code.

1) SSPI abstraction.

2) netlogon secure channel as an SSPI instance

3) SMBwrite and SMBtrans and SMBtranss multi-PDU support, needed for jean-francois' work on spoolss.

if you want to back-port this functionality to 2.0, go ahead. if that's the only way it will get into a release, fine. [actually, not fine, but it doesn't look like there's anything i can _do_ about it].

> J.F. agrees with me on this.
>
> I thought I explicitly mentioned that :-).
> Apparently not
> clearly enough :-). That's what I meant when I spoke about
> the "server implementation" in TNG being more advanced, but
> the RPC code in the 2.0.x branch being better.

ah, i thought you meant server-instance implementations, so i got it the wrong way round.

i included this code in a review. it too is also not up to scratch. sorry.

From lkcl at samba.org Wed Feb 9 21:33:02 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:29 2003
Subject: RpcImpersonateNamedPipeClient
Message-ID:

i think i have a possible reason why microsoft implements DCE/RPC daemons as the SYSTEM context (whatever) and only calls RpcImpNPC if needed.

it's because the implementation of this call takes TOO DAMN LONG on nt to be called for every single function call.

luke

From lkcl at samba.org Wed Feb 9 22:03:04 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:29 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To: <200002092138.NAA00953@silicon.su.valinux.com>
Message-ID:

> Well don't get too upset. You want someone to look
> at your code and review it, and if you've implemented

yes please.

> this functionality in a stable manner, I'd love nothing
> better than to drop your code right in. I won't do that
> without looking at it however (which is what I thought
> you wanted :-).

nah, course not!

> The RPC parse stuff in 2.0.x is what has been used in
> production sending ACL entries and browse list entries
> to millions of client machines.

yeah. why hasn't the tng code been through the same process?

> It has also been run
> through Purify and it's clean. This counts for a *lot* in stability
> reasoning (trust me on this :-).

wish i had access to tools like that.

From pfaff at edge.cis.mcmaster.ca Wed Feb 9 22:03:53 2000
From: pfaff at edge.cis.mcmaster.ca (Todd Pfaff)
Date: Tue Dec 2 02:28:29 2003
Subject: The sameNetscape Profile on every machine
In-Reply-To:
Message-ID:

this is how i do it...

after installing netscape on an nt workstation, set these registry keys:

\Registry\Machine\SOFTWARE\Netscape\Netscape Navigator\Users = CurrentUser = Default Default DirRoot = h:\.netscape UserName = EmailAddr =

then add something like this to your nt workstation logon script:

rem copy netscape preferences file if it doesn't exist.
if not exist H:\.netscape md H:\.netscape
if not exist H:\.netscape\prefs.js xcopy /f /v s:\netscape\users\default\prefs.js H:\.netscape\

this will create a default h:\.netscape profile directory at user logon if it does not yet exist. you could also do a little more work to, for example, merge global changes to the netscape preferences into each user's h:\.netscape\prefs.js.

h: is mapped to the user's unix/nt shared home directory on a samba server. h:\.netscape is then shared by netscape in both unix and nt environments. as far as i know, this is working fine as of netscape 4.7 (at least no one has complained to me about problems with their netscape preferences when moving between the two platforms).

On Thu, 10 Feb 2000 fricke@team.owl-online.de wrote:

> Hi there,
>
> is there any solution to have the same Netscape-Profile on every
> NT-Machine in the network?
> I always have to configure the Netscape if somebody is changing his place
> or just working on another machine.
> I work with Samba 2.04b and it´s great...
> --------------------------------------------------------------------------------------------------
>
> Cord-H. Fricke
> Fon: 0 52 1 / 52 51-133
> Fax: 0 52 1 / 52 51- 115
> fricke@team.owl-online.de
> http://team.owl-online.de/
>
> ..keep on headbangin´ , that rocks!!!
>

--
Todd Pfaff \ Email: pfaff@mcmaster.ca
Computing and Information Services \ Voice: (905) 525-9140 x22920
ABB 132 \ FAX: (905) 528-3773
McMaster University \
Hamilton, Ontario, Canada L8S 4M1 \

From Jean-Francois.Micouleau at dalalu.fr Wed Feb 9 22:18:09 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:29 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:

> 3) SMBwrite and SMBtrans and SMBtranss multi-PDU support, needed for
> jean-francois' work on spoolss.

why do I need them ? for the server code or the client one ?

From Jean-Francois.Micouleau at dalalu.fr Wed Feb 9 22:34:28 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:29 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
In-Reply-To:
Message-ID:

On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton wrote:

> you know those large, stupid buffers you receive at the server end, the
> ones that contain trash?

non-zeroed [in out] buffers for the pure and young ears :-)

> well, they're sent over-the-wire, right (you know this)?

yes I damn know ! I'm currently spending between 8 and 10 hours a day rewriting that code !

> and the server says, error, buffer too small, you need 1megabyte buffer to
> contain the 10,000 printers on this server, right?

yes.

> so the client says, ok! and sends you an msrpc request with a TRASH,
> blank, unused 1megabyte char* buffer, right, and then you fill the
> 1megabyte buffer in with real data, and send it back?

yes.

> well, the msrpc request is split into multiple PDUs. those PDUs are sent
> _to_ you with SMBtrans+SMBtranssecondary OR SMBwriteXes, depending on
> client/server DCE/RPC negotiations.
>
> therefore, in order to support spoolss properly, you need that code.

what's the size of the PDUs ?

But in 2.0.x you can have RpcEnumShares with 10000 shares, and that's split in multiples PDUs ?

From lukeh at PADL.COM Wed Feb 9 22:36:12 2000
From: lukeh at PADL.COM (Luke Howard)
Date: Tue Dec 2 02:28:29 2003
Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
Message-ID: <200002092236.JAA38158@au.padl.com>

Only the nt5ldap passdb stuff is anywhere near complete.

The nt5samrldap stuff is just not done. That's really tricky, and I need to get some serious time to work on that again, and I'm busy the next couple of weeks.

-- Luke

>From: Luke Kenneth Casson Leighton
>Subject: Re: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
>To: Multiple recipients of list SAMBA-NTDOM
>Date: Wed, 9 Feb 2000 08:37:55 +1100
>
>On Wed, 9 Feb 2000, Charles N. Owens wrote:
>
>> Is there any update available as to when Luke Howard's
>> SAM-via-LDAP-with-win2k-schema will make into the codebase (either TNG or
>> TNG-post-merge) ? Getting a somewhat finalized schema in place seems to me
>
>/configure --with-nt5pdap
>
>or:
>
>/configure --with-nt5pdap --with-sam-pwd=nt5ldap
>
>it's experimental and subject to change.
>
>> to be a critical milestone for obvious reasons. I need to roll out some more
>> implementations and would much prefer to use the new schema (as would
>> everyone I'm sure ;-).
>>
>> Charles
>>
>> Nicolas Williams wrote:
>>
>> > Gratuitous advice follows.
>> >
>> > - SYSKEY
>> >
>> > I'm now for it as Luke's LDAP/NIS/other name services argument is a
>> > winning one. The /etc/shadow approach should still be supported and
>> > used where no such cleartext protocols are in use.
>> >
>> > The question now should be one of scheduling/prioritizing. SYSKEY is
>> > not needed urgently to allow TNG to make progress, unless Luke Howard
>> > thinks otherwise (he's doing the SAM-via-LDAP-with-win2k-schema work).
>> >
>> > - TNG code freeze
>> >
>> > Don't do it yet; wait a few more weeks. So much progress is taking
>> > place that it seems worthwhile to wait a bit longer.
>> >
>> > - 2.0.x->TNG merge
>> >
>> > This should be easy, actually: take smbd code from 2.0.x as is, drop
>> > all the MSRPC code save for the loopback to MSRPC daemons code.
>> >
>> > That's it.
>> >
>> > TNG seems to be much further ahead on the MSRPC issues, which means
>> > there's no merge to do from 2.0.x there.
>> >
>> > Same thing with utilities such as rpcclient, though smbclient and
>> > nmblookup might be best taken from 2.0.x.
>> >
>> > I think it's safe to say that TNG is so jam-packed with good ideas that
>> > it will become the next Samba. But then, that's just a view from the
>> > sidelines... others may differ on that...
>> >
>> > Nico
>> > -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
>> > -to a public e-mail mailing list I hereby grant permission to distribute-
>> > -and copy this message.-
>> >
>> > This message contains confidential information and is intended only
>> > for the individual named. If you are not the named addressee you
>> > should not disseminate, distribute or copy this e-mail. Please
>> > notify the sender immediately by e-mail if you have received this
>> > e-mail by mistake and delete this e-mail from your system.
>> >
>> > E-mail transmission cannot be guaranteed to be secure or error-free
>> > as information could be intercepted, corrupted, lost, destroyed,
>> > arrive late or incomplete, or contain viruses. The sender therefore
>> > does not accept liability for any errors or omissions in the contents
>> > of this message which arise as a result of e-mail transmission. If
>> > verification is required please request a hard-copy version. This
>> > message is provided for informational purposes and should not be
>> > construed as a solicitation or offer to buy or sell any securities or
>> > related financial instruments.
>>
>> --
>> -------------------------------------------------------------------------
>> Charles N. Owens Email: owensc@enc.edu
>> http://www.enc.edu/~owensc
>> Network & Systems Administrator
>> Information Technology Services "Outside of a dog, a book is a man's
>> Eastern Nazarene College best friend. Inside of a dog it's
>> too dark to read." - Groucho Marx
>> -------------------------------------------------------------------------
>>
>>
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > -- Luke Howard PADL Software Pty Ltd http://www.padl.com From lkcl at samba.org Wed Feb 9 22:41:02 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:29 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: Message-ID: On Wed, 9 Feb 2000, Jean Francois Micouleau wrote: > > well, they're sent over-the-wire, right (you know this)? > > yes I damn know ! I'm currently spending between 8 and 10 hours a day > rewriting that code ! [i was stating things for other readers :)] > > well, the msrpc request is split into multiple PDUs. those PDUs are sent > > _to_ you with SMBtrans+SMBtranssecondary OR SMBwriteXes, depending on > > client/server DCE/RPC negotiations. > > > > therefore, in order to support spoolss properly, you need that code. > > what's the size of the PDUs ? it's negotiated. AS/U negotiates 2k. NT and samba negotiate 0x1630 (5680) bytes. > But in 2.0.x you can have RpcEnumShares with 10000 shares, and that's > split in multiple PDUs ? > no, because the _request_ fits into one PDU (the [in] arguments are only a servername and an info level). the _Response_ goes back in multiple PDUs (the [out] arguments). unfortunately for the spoolss (and the svcctl code), you have to send a STUPID buffer as an [in] argument with NOTHING in it which is the same size as the [out] argument. potentially this could be up to a megabyte of data. actually, it can't be a megabyte, because the NT MSRPC marshalling code can't _cope_ with a megabyte of data, SPOOLSS.EXE dr-watsons if you do that. From lukeh at PADL.COM Wed Feb 9 22:43:16 2000
From: lukeh at PADL.COM (Luke Howard) Date: Tue Dec 2 02:28:29 2003 Subject: unicodePwd and dBCSPwd attributes Message-ID: <200002092243.JAA38249@au.padl.com> These are the two LDAP attributes Microsoft uses to store the NT and LM passwords, respectively. (I expect that additional key types, such as DES passwords, are also stored in the unicodePwd attribute.) I haven't yet figured out how to expose these in Active Directory (ie. I know they're there because of the schema, but I can never see them over LDAP), let alone figure out their syntax. So... if anyone is planning on using the nt5ldap stuff maybe it would be wiser to s/unicodePwd/sambaNtPwd/g s/dBCSPwd/sambaLmPwd/g until such time that we can use the AD attributes properly. Which brings me to... (a) the nt5ldap is a long way off but... (b) using the nt5ldap with an Active Directory server, rather than an OpenLDAP server, is an even further way off! It's likely that a lot of the attributes we create, like objectSid, Active Directory won't let user programs modify, instead expecting to create them itself. -- Luke -- Luke Howard PADL Software Pty Ltd http://www.padl.com From lkcl at samba.org Wed Feb 9 22:53:41 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:29 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <200002092236.JAA38158@au.padl.com> Message-ID: On Thu, 10 Feb 2000, Luke Howard wrote: > > Only the nt5ldap passdb stuff is anywhere near complete. > > The nt5samrldap stuff is just not done. That's really tricky, and > I need to get some serious time to work on that again, and I'm > busy the next couple of weeks. ok. that should give me enough time to pull ahead with samtdb so that you can track it without duplicating effort or having to worry about SAM-related design issues, let me worry about that. From stat at atria.com Wed Feb 9 23:58:30 2000 
From: stat at atria.com (Seiichi Tatsukawa) Date: Tue Dec 2 02:28:29 2003 Subject: RpcImpersonateNamedPipeClient References: Message-ID: <031901bf7359$90e98590$c968f3ce@atria.com> | i think i have a possible reason why microsoft implements DCE/RPC | daemons as the SYSTEM cotnext (whatever) and only calls RpcImpNPC | if needed. it's because the implementation of this call takes TOO | DAMN LONG on nt to be called for every single function call. Look, DCE/RPC was developed on the operating system which had no native thread support, thus no security context per thread. That system "Unix" had (still has) the process-wide security context only. DCE/RPC server runtime was multi-threaded, but the client security context (delegation and impersonation), obtained by rpc_binding_inq_auth_caller() (or rpc_binding_inq_auth_client()), was only used by DCE APIs, not by Unix's native APIs (e.g., file-system access, etc.). It's up to the server application writer to decide whether to use the client context or not. MSRPC simply follows this model. (Obviously, MSRPC has better integration with OS because Win32 APIs can use the client security context once the server thread impersonates the client.) --- Seiichi From lkcl at samba.org Thu Feb 10 00:02:27 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:29 2003 Subject: RpcImpersonateNamedPipeClient In-Reply-To: <031901bf7359$90e98590$c968f3ce@atria.com> Message-ID: hi seiichi! i'm really glad to hear from you on this issue. On Wed, 9 Feb 2000, Seiichi Tatsukawa wrote: > | i think i have a possible reason why microsoft implements DCE/RPC > | daemons as the SYSTEM cotnext (whatever) and only calls RpcImpNPC > | if needed. it's because the implementation of this call takes TOO > | DAMN LONG on nt to be called for every single function call. > > Look, DCE/RPC was developed on the operating system which had no native > thread support, thus no security context per thread. That system "Unix" > had (still has) the process-wide security context only. DCE/RPC server > runtime was multi-threaded, but the client security context (delegation > and impersonation), obtained by rpc_binding_inq_auth_caller() (or > rpc_binding_inq_auth_client()), was only used by DCE APIs, not by Unix's > native APIs (e.g., file-system access, etc.). > oo... ok, so... dce api server application writers chose to implement their own security context? (not dce/rpc itself, that's different). > It's up to the server application writer to decide whether to use the > client context or not. MSRPC simply follows this model. (Obviously, MSRPC > has better integration with OS because Win32 APIs can use the client > security context once the server thread impersonates the client.) starting to understand. thanks. From zwluxx at chopin.cipic.ucdavis.edu Thu Feb 10 00:39:41 2000 
From: zwluxx at chopin.cipic.ucdavis.edu (Zhi-Wei Lu) Date: Tue Dec 2 02:28:29 2003 Subject: NT registry Permission problem Message-ID: <200002100039.QAA12715@chopin.cipic.ucdavis.edu> Dear Samba gurus, I have been running samba Head-branch for over half a year. I am running the PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the head-branch code on July 23, 1999. The samba PDC had been running just fine until recently, I noticed that the smbd leaks memory very quickly. I downloaded the latest CVS head-branch on Feb. 2 and compiled the code, the PDC will let NT domain users log into the NT machine, but it failed to grant them the privilege to write to local user registry, such as adding a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not work right at all. I then switched to the main branch 2.0.6, the same problem happened too (Of course, I have to rejoin the samba domain for an NT workstation). I am using the same smb.conf file for all three cases. I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and on Linux machines. I have encountered similar problems consistently. I still haven't tracked down to the root of the problem. Does anybody experience a similar problem? Thank you for your help in advance. Zhi-Wei Lu CIPIC (Center for Image Processing and Integrated Computing) UC Davis Phone: (530)-752-0494 Davis, CA 95616 Fax: (530)-752-8894 From martin at tantalus.com Thu Feb 10 00:56:16 2000
From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:29 2003 Subject: the man Message-ID: <004301bf7361$a324c0a0$12f066cf@tantalus> Who is he? LUKE! Luke's the man Thanks for your help, and consistent dedication to making our (admins) lives easier.. ;) =) ___________________________________________ Martin Brown, Unix Systems Administrator Tantalus Communications Inc. 500-1122 Mainland Street Vancouver, BC, Canada V6B 5L1 martin@tantalus.com Direct 604.721-0351 Main 604.609.0700 Fax 604.609.0705 Toll Free 1.877.326.6776 http://www.tantalus.com "When eBusiness experience counts." From lkcl at samba.org Thu Feb 10 01:00:10 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:29 2003 Subject: the man In-Reply-To: <004301bf7361$a324c0a0$12f066cf@tantalus> Message-ID: thank you martin. make me feel better, trying to track down some horrible, simple memory corruption instead of doing _real_ work :) On Thu, 10 Feb 2000, Martin Brown wrote: > > Who is he? LUKE! > > Luke's the man > > Thanks for your help, and consistent dedication to making our (admins) lives > easier.. ;) From Olivier.Brousselle at univ-lehavre.fr Thu Feb 10 07:37:35 2000 
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle) Date: Tue Dec 2 02:28:29 2003 Subject: [TNG] : write on home dir References: Message-ID: <38A26ABF.667A@univ-lehavre.fr> Luke Kenneth Casson Leighton wrote: > > does this problem occur when a SECOND user logs in on a workstation > (different from the first)? Yes, if I log into the system with another name, the problem is the same. In the logs, the machines seems to have lost connection with the server and the result is a panic : [2000/02/09 07:57:42, 1] smbd/service.c:make_connection(604) lasombra (172.16.1.68) connect to service mbitest as user mbitest (uid=24029, gid=24000) (pid 276) [2000/02/09 07:57:44, 1] smbd/service.c:make_connection(604) lasombra (172.16.1.68) connect to service netlogon as user mbitest (uid=24029, gid=24000 ) (pid 276) [2000/02/09 07:58:12, 0] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(140) user session key not available (yet). [2000/02/09 07:58:12, 0] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(141) password-change operations may fail. [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(40) =============================================================== [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(41) INTERNAL ERROR: Signal 11 in pid 276 (pre-3.0.0) Please read the file BUGS.txt in the distribution [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(43) =============================================================== [2000/02/09 07:59:23, 0] lib/util.c:smb_panic(2377) PANIC: internal error > > I'm using samba TNG as a PDC. I have 55 workstations on this domain, > > with the same configuration. > > > > I have problem with the home directories. Some workstation refuse > > to write on the network drive. It's not a user problem, it's a > > machine problem. > > > > This morning, I was alone on the domain, and the machine refuse to > > write with Excel, but it was possible to copy from the Explorer. 
-- Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr ================================================================== Faculte des sciences Laboratoire de mecanique du lundi au mercredi jeudi et vendredi Tel : 02/32/74/43/37 02/32/74/49/67 Fax : 02/32/74/43/14 02/32/74/49/60 From lk at netuse.de Thu Feb 10 07:45:38 2000 From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:29 2003 Subject: Samba and more then one interface and workgroup References: Message-ID: <38A26CA2.C7797D74@netuse.de> isyn@isi.wat.waw.pl wrote: > > Hello. > I'm using a Debian linux Samba Server. > It has three interfaces: > *192.168.4.254 > *192.168.3.254 > *192.168.2.254 > > It's ofcourse local net. > So, there are four workgroups placed on diffrent interfaces, but they > don't see each other. I have set options interfaces properly. > All workstation are using win95. Wins server is also set. > SMB server is master of it's workgroup, if some computer is a member of > it, everythin is alright, it is being seen by every one in the local net, > but there must more then one workgroup. > What to do? > Thanks... The Samba server must also be domain master browser. Have you set this? Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From lkcl at samba.org Thu Feb 10 07:55:41 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:29 2003 Subject: [TNG] : write on home dir In-Reply-To: <38A26ABF.667A@univ-lehavre.fr> Message-ID: yep, this is a problem with microsoft clients. it's a known bug where the WINLOGON.EXE process maintains a connection to \\yoursambaserver\homes EVEN though the previous user has logged out. when the new user logs in, the stupid NT client tries to reuse the existing connection to \\yoursambaserver\homes to access the new user's profile. On Thu, 10 Feb 2000, Olivier Brousselle wrote: > Luke Kenneth Casson Leighton wrote: > > > > does this problem occur when a SECOND user logs in on a workstation > > (different from the first)? > Yes, if I log into the system with another name, the problem is > the same. > > In the logs, the machines seems to have lost connection with the server > and the result is a panic : > > [2000/02/09 07:57:42, 1] smbd/service.c:make_connection(604) > lasombra (172.16.1.68) connect to service mbitest as user mbitest > (uid=24029, gid=24000) > (pid 276) > [2000/02/09 07:57:44, 1] smbd/service.c:make_connection(604) > lasombra (172.16.1.68) connect to service netlogon as user mbitest > (uid=24029, gid=24000 > ) (pid 276) > [2000/02/09 07:58:12, 0] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(140) > user session key not available (yet). > [2000/02/09 07:58:12, 0] rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(141) > password-change operations may fail. > > [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(40) > =============================================================== > [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(41) > INTERNAL ERROR: Signal 11 in pid 276 (pre-3.0.0) > Please read the file BUGS.txt in the distribution > [2000/02/09 07:59:23, 0] lib/fault.c:fault_report(43) > =============================================================== > [2000/02/09 07:59:23, 0] lib/util.c:smb_panic(2377) > PANIC: internal error > > > > > I'm using samba TNG as a PDC. 
I have 55 workstations on this domain, > > > with the same configuration. > > > > > > I have problem with the home directories. Some workstation refuse > > > to write on the network drive. It's not a user problem, it's a > > > machine problem. > > > > > > This morning, I was alone on the domain, and the machine refuse to > > > write with Excel, but it was possible to copy from the Explorer. > > -- > Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr > ================================================================== > Faculte des sciences Laboratoire de mecanique > du lundi au mercredi jeudi et vendredi > Tel : 02/32/74/43/37 02/32/74/49/67 > Fax : 02/32/74/43/14 02/32/74/49/60 > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From thien_vu at hotmail.com Thu Feb 10 10:32:55 2000 From: thien_vu at hotmail.com (Thien Vu) Date: Tue Dec 2 02:28:29 2003 Subject: NT registry Permission problem References: <200002100039.QAA12715@chopin.cipic.ucdavis.edu> Message-ID: <20000210103317.73916.qmail@hotmail.com> I believe I'm encountering the same problem you are, but in particular, the non-administrator users cannot set a default printer. I'm not sure where the registry for this key is exactly. Also a similar problem with settings and preferences being saved for the non-admin users. Thien Vu Administrative Computing, RSSP UC Berkeley From jon at bugjr.com Thu Feb 10 11:30:34 2000 From: jon at bugjr.com (Jon Westfall) Date: Tue Dec 2 02:28:29 2003 Subject: unsubscribe Message-ID: <000a01bf73ba$3ef94ca0$0200a8c0@smartworld.net> unsubscribe jon@bugjr.com -------------- next part -------------- HTML attachment scrubbed and removed From s.striker at striker.nl Thu Feb 10 12:05:20 2000 
From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:29 2003 Subject: unsubscribe In-Reply-To: <000a01bf73ba$3ef94ca0$0200a8c0@smartworld.net> Message-ID: Aargh !! Not again. Take a look at http://lists.samba.org and read what you have to do. Can someone please do something about all the subscribe/unsubscribe mails on the list? Sander Striker -----Original Message----- From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Jon Westfall Sent: Thursday, February 10, 2000 12:32 PM To: Multiple recipients of list SAMBA-NTDOM Subject: unsubscribe unsubscribe jon@bugjr.com From eiben at busitec.de Thu Feb 10 13:22:11 2000 From: eiben at busitec.de (Henning Eiben) Date: Tue Dec 2 02:28:30 2003 Subject: groups In-Reply-To: <003701bf7341$408cc8e0$285595c2@stben.be> Message-ID: <002e01bf73c9$d6cc57c0$7200a8c0@busitec.de> > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Jean-Louis Noel > Sent: Wednesday, February 09, 2000 10:07 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: groups > > > Henning Eiben wrote in message: > > > domain groups = Users/100 > > > > in my smb.conf and I get a Domain Group (like I would I would be using a > NT > > Server) with Domain Users mapped to GUID 100 on linux box? Or am I > assuming > > something totally wrong? > > Do not seem to function like that! Well, how *does* it function? -- Henning Eiben eiben@busitec.de busitec GmbH business information technology http://www.busitec.de From Nicolas.Williams at wdr.com Thu Feb 10 13:38:27 2000
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:30 2003 Subject: RpcImpersonateNamedPipeClient Message-ID: <20000210083826.F3726@sm2p1386swk.wdr.com> On Thu, 10 Feb 2000, Luke Kenneth Casson Leighton: > hi seiichi! i'm really glad to hear from you on this issue. > > On Wed, 9 Feb 2000, Seiichi Tatsukawa wrote: > > > | i think i have a possible reason why microsoft implements DCE/RPC > > | daemons as the SYSTEM cotnext (whatever) and only calls RpcImpNPC > > | if needed. it's because the implementation of this call takes TOO > > | DAMN LONG on nt to be called for every single function call. > > > > Look, DCE/RPC was developed on the operating system which had no native > > thread support, thus no security context per thread. That system "Unix" > > had (still has) the process-wide security context only. DCE/RPC server > > runtime was multi-threaded, but the client security context (delegation > > and impersonation), obtained by rpc_binding_inq_auth_caller() (or > > rpc_binding_inq_auth_client()), was only used by DCE APIs, not by Unix's > > native APIs (e.g., file-system access, etc.). > > > > oo... ok, so... dce api server application writers chose to implement > their own security context? (not dce/rpc itself, that's different). Yes. That's what I've been saying. Different MSRPC daemons will act differently with respect to the callers security context. It's upto each service's design and each implementation. > > It's up to the server application writer to decide whether to use the > > client context or not. MSRPC simply follows this model. (Obviously, MSRPC > > has better integration with OS because Win32 APIs can use the client > > security context once the server thread impersonates the client.) > > starting to understand. :) > thanks. > Nico -DISCLAIMER: an automatically appended disclaimer may follow. 
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From richard.ferris at ncn.ac.uk Thu Feb 10 14:01:35 2000 From: richard.ferris at ncn.ac.uk (Richard Ferris) Date: Tue Dec 2 02:28:30 2003 Subject: unsubscribe Message-ID: <6114EF4D9AF0D1119ADD00805F9F11B198B07B@exchange.ncn.internal> unsubscribe Richard Ferris - Visions Systems Analyst Visions Project Clarendon City College Stoney Street Nottingham NG1 1NG email: richard.ferris@ncn.ac.uk SMS: richardferris@sms.genie.co.uk Tel: 0115 9104 566 From Nicolas.Williams at wdr.com Thu Feb 10 14:09:31 2000
From: Nicolas.Williams at wdr.com (Nicolas Williams) Date: Tue Dec 2 02:28:30 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts Message-ID: <20000210090928.G3726@sm2p1386swk.wdr.com> Luke, Why are you so willing to code up SYSKEY, which we all agree is only necessary for some SAM backend implementations, AND YET you don't want to code up an ACL system that's more reusable than SYSKEY?? Nico -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From lkcl at samba.org Thu Feb 10 14:24:47 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts In-Reply-To: <20000210090928.G3726@sm2p1386swk.wdr.com> Message-ID: On Thu, 10 Feb 2000, Nicolas Williams wrote: > > Luke, > > Why are you so willing to code up SYSKEY, which we all agree is only > necessary for some SAM backend implementations, AND YET you don't want > to code up an ACL system that's more reusable than SYSKEY?? SYSKEY is 4 lines of code and maybe 10 or 15 in strategic places to use it to secure _all_, not some, SAM impls. an ACL system is an indeterminate number of lines, used in an estimated 100 to 150 places. From lkcl at samba.org Thu Feb 10 15:32:25 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: LSA secrets tdb Message-ID: did i promise not to add any new code? oops. well, there now exists a "secrets" database, and it's now storing the trust account passwords. no, it's not secured. no, i don't implement any security like i do in samrtdb, so any user can access the trust account passwords. i will fix this later on, when i feel like it, i'm still pissed at the people who tell me it's not ok to choose to implement samtdb as files. no, i don't want to hear about it, unless you've actually examined the code. if you haven't looked at the code, don't speak to me until you have. right. have fun, i'm off for probably... the rest of the day. luke Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Thu Feb 10 15:43:08 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: NT ACL / Security descriptor checking function Message-ID: well, i mentioned that we needed this function about four, six and twelve months ago. no response. now, i take it, that people are starting to realise _why_ it's needed. so, if someone implements it, i'll use it. deal? security descriptor code is in rpc_parse/parse_sec.c. please do not modify this code, use it. add your own wrappers if necessary. you should reference the MSDN for the exact function parameters and name of the function. it will be something like this: check_access(NET_USER_INFO_3 *user_info, uint32 access_rights, SEC_DESC_BUF *security_descriptor). user_info contains the user RID, primary group RID and array-of-group-member-RIDs. access_rights is the TYPE of operation being requested. security descriptor is a list of permitted and/or denied operations to certain users / groups for certain kinds of rights. you should check each entry in the ACL list: if the user (or group or group members) match one of the ACL entries, the permissions (grant/deny) should be checked against access_rights. any volunteers, please sort it out amongst yourselves on the samba-technical list. no volunteers, i carry on with mapping to unix-files and unix-permission checks until there are. tired, luke From ed at schernau.com Thu Feb 10 16:57:09 2000 From: ed at schernau.com (Edward Schernau) Date: Tue Dec 2 02:28:30 2003 Subject: pam_ntdom-0.24 Message-ID: <38A2EDE5.79BA0B14@schernau.com> Anyone have a working copy of this? I'm trying to compile and it's dying in rpc_validate.c with parse errors. -- Edward Schernau http://www.schernau.com Network Architect mailto:ed@schernau.com Rational Computing Providence, RI, USA From neimeyer at youth-guard.org Thu Feb 10 16:55:01 2000
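The access check described in the "NT ACL / Security descriptor checking function" message above, as an added example that is not part of the original posts or of Samba's code. It goes slightly beyond the message by walking the entries in order, NT-style, so a matching deny entry refuses any right not yet granted; the structs, right bits and RIDs are simplified, constructed stand-ins for NET_USER_INFO_3 and SEC_DESC_BUF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for Samba's NET_USER_INFO_3 and
 * SEC_DESC_BUF: trustees are bare RIDs in one domain, not full SIDs. */
enum ace_type { ACE_ALLOW, ACE_DENY };

struct ace {
    enum ace_type type;
    uint32_t rid;   /* user or group RID this entry applies to */
    uint32_t mask;  /* rights this entry grants or denies */
};

struct acl {
    size_t num_aces;
    const struct ace *aces;
};

struct user_token {
    uint32_t user_rid;
    uint32_t group_rid;          /* primary group */
    size_t num_groups;
    const uint32_t *group_rids;  /* other group memberships */
};

/* Constructed right bits, not the real NT access mask values. */
#define RIGHT_READ   0x1u
#define RIGHT_WRITE  0x2u
#define RIGHT_DELETE 0x4u

static int token_has_rid(const struct user_token *tok, uint32_t rid)
{
    size_t i;

    if (tok->user_rid == rid || tok->group_rid == rid)
        return 1;
    for (i = 0; i < tok->num_groups; i++)
        if (tok->group_rids[i] == rid)
            return 1;
    return 0;
}

/* Returns 1 only if every bit of `desired` ends up granted. Entries are
 * walked in order: a matching deny entry that covers a still-ungranted
 * bit ends the walk with a refusal; matching allow entries clear bits. */
int check_access(const struct user_token *tok, uint32_t desired,
                 const struct acl *dacl)
{
    uint32_t remaining = desired;
    size_t i;

    if (tok == NULL || dacl == NULL || desired == 0)
        return 0;  /* fail closed on missing input */

    for (i = 0; i < dacl->num_aces && remaining != 0; i++) {
        const struct ace *a = &dacl->aces[i];

        if (!token_has_rid(tok, a->rid))
            continue;
        if (a->type == ACE_DENY) {
            if (a->mask & remaining)
                return 0;
        } else {
            remaining &= ~a->mask;
        }
    }
    return remaining == 0;  /* no matching entry means no access */
}

/* Constructed sample: RID 1100 is a made-up "contractors" group. */
static const uint32_t alice_groups[] = { 1100 };
static const struct user_token alice = { 1001, 513, 1, alice_groups };
static const struct user_token bob   = { 1002, 513, 0, NULL };

static const struct ace deny_first[] = {
    { ACE_DENY,  1100, RIGHT_WRITE | RIGHT_DELETE },
    { ACE_ALLOW,  513, RIGHT_READ | RIGHT_WRITE },
    { ACE_ALLOW, 1002, RIGHT_DELETE },
};
/* Same intent, but the allow entry precedes the deny entry. */
static const struct ace allow_first[] = {
    { ACE_ALLOW,  513, RIGHT_READ | RIGHT_WRITE },
    { ACE_DENY,  1100, RIGHT_WRITE | RIGHT_DELETE },
};
static const struct acl dacl_ok  = { 3, deny_first };
static const struct acl dacl_bad = { 2, allow_first };

int main(void)
{
    printf("alice write, deny first:  %d\n",
           check_access(&alice, RIGHT_WRITE, &dacl_ok));
    printf("alice write, allow first: %d\n",
           check_access(&alice, RIGHT_WRITE, &dacl_bad));
    printf("bob read+delete:          %d\n",
           check_access(&bob, RIGHT_READ | RIGHT_DELETE, &dacl_ok));
    return 0;
}
```

With the allow entry first, alice's write is granted before the deny entry is ever reached, which is why deny entries belong ahead of allow entries in the list.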
From: neimeyer at youth-guard.org (Matt Neimeyer) Date: Tue Dec 2 02:28:30 2003 Subject: Newbie Message-ID: <4.2.2.20000210115256.00a59b60@ambriel.youth-guard.org> I'm newish to Linux and brand new to Samba and I've been lurking on this list for a couple weeks now. I've come to realize that this is NOT a general list... Which is what I need. Are there any good basic Samba lists? Or at least any good web how-to basics? If it makes a difference I'm running Red Hat 6.1 and I installed Samba as a Package. Thanks! Matt From cartegw at Eng.Auburn.EDU Thu Feb 10 17:08:37 2000 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:30 2003 Subject: Newbie References: <4.2.2.20000210115256.00a59b60@ambriel.youth-guard.org> Message-ID: <38A2F095.D202D6E8@eng.auburn.edu> Matt Neimeyer wrote: > > I'm newish to Linux and brand new to Samba and I've > been lurking on this list for a couple weeks now. > > I've come to realize that this is NOT a general list... > Which is what I need. > > Are there any good basic Samba lists? Or at least any > good web how-to basics? > Matt, You probably want to subscribe to the main samba list. See http://www.samba.org/listproc for details. You can find more information about Samba, setup, etc... at the main Samba web site as well. Hope this helps, Cheers, jerry ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From stat at atria.com Thu Feb 10 18:01:24 2000 
From: stat at atria.com (Seiichi Tatsukawa) Date: Tue Dec 2 02:28:30 2003 Subject: RpcImpersonateNamedPipeClient References: Message-ID: <007d01bf73f0$d8301bc0$c968f3ce@atria.com> | oo... ok, so... dce api server application writers chose to | implement their own security context? (not dce/rpc itself, that's | different). DCE/RPC is the middle-ware. (It is the tool to make it easier to write the distributed applications without knowing, say, the socket programming.) It doesn't enforce the policy in this regard. The RPC client, written by the application writers, makes its own decision whether to use the authenticated RPC or not, the level of the protection (you have seen these 6 levels in which pkt_privacy isn't exportable from US) if the authenticated RPC is used. The RPC server, again written by the application writers, makes its own decision whether to accept the un-authenticated RPC or not, what is the lowest acceptable protection level, who can execute this function (i.e., authorization check), etc. (It's not different from what you do with the opaque_auth field of ONC RPC.) Just because the server knows the client's security context, it doesn't mean it always wants to impersonate the client. It may use it for the authorization only. You could argue that it simplifies the application development if DCE/RPC runtime took care of the security context. However, not all distributed applications want the security. (Silly, huh? People are still using ONC RPC without Kerberos. OMG's first CORBA spec. had no security, at all, when Kerberos, DCE, etc., were already available.) Well, Microsoft offers help for simplifying the application development. That's DCOM, which isolates the application writers from these details (e.g., calling RpcBindingSetAuthInfo(), RpcBindingInqAuthClient(), etc.). --- Seiichi From isyn at isi.wat.waw.pl Thu Feb 10 18:14:42 2000
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl) Date: Tue Dec 2 02:28:30 2003 Subject: Samba and more then one interface and workgroup In-Reply-To: <38A26CA2.C7797D74@netuse.de> Message-ID: On Thu, 10 Feb 2000, Lars Kneschke wrote: > > Hello. > > I'm using a Debian linux Samba Server. > > It has three interfaces: > > *192.168.4.254 > > *192.168.3.254 > > *192.168.2.254 > > It's ofcourse local net. > > So, there are four workgroups placed on diffrent interfaces, but they > > don't see each other. I have set options interfaces properly. > > All workstation are using win95. Wins server is also set. > > SMB server is master of it's workgroup, if some computer is a member of > > it, everythin is alright, it is being seen by every one in the local net, > > but there must more then one workgroup. > > What to do? > > Thanks... > The Samba server must also be domain master browser. Have you set this? > Cu Yes, but it didn't help me. Local master and preffered master is also set , because I read that the server must be a local master if it want to be a domain master. Wins is also set, I think so. I just started the nmbd deamon. And set the wins support in smb.conf -- ROBERT MAGIER From jquesada at ceteca.es Thu Feb 10 19:49:13 2000 From: jquesada at ceteca.es (Jose Quesada) Date: Tue Dec 2 02:28:30 2003 Subject: subscribe Message-ID: <000a01bf73ff$ecfb9a70$0201a8c0@simpsons> -------------- next part -------------- HTML attachment scrubbed and removed From bj at mcs.uts.edu.au Thu Feb 10 22:52:57 2000 
From: bj at mcs.uts.edu.au (Benjamin Kuit) Date: Tue Dec 2 02:28:30 2003 Subject: Can profiles stop policies ? Message-ID: <200002102252.JAA08066@thing.socs.uts.EDU.AU> We have a Samba PDC running on a Solaris box. We have on occasion run up against the problem where a particular profile of a user can hinder the effect of the policy (ie ntconfig.pol). eg, recently we're setting up the machines, with everything working quite harmoniously, policies and the single mandatory profile working together nicely, until it's found we have to install internet explorer and check in the changes into the mandatory profile. Now when users log in using this mandatory profile, their session is consistent with having no profile, ie the "Shut Down" option in the start button is visible (when we've disabled it in the ntconfig.pol) and etc. Last time we've had this situation, we had to delete the ntuser.man file within the profile and start it again. I've gone through the logs and seen that the ntconfig.pol file is loaded, so I guess the workstation is ignoring it for whatever reason. We're running an oldish version of samba (was built a year ago), we haven't needed to update it since then because apart from this policy/profile conflict problem, we've had little problems, and I don't know if this problem is the fault of samba or not. Any ideas would be appreciated. ciao Bj +-------------------------------+--------------------------------------+ | Benjamin (Bj) Kuit | Faculty of Mathematical | | Systems Programmer | and Computing Sciences. | | Phone: 02 9514 1841 | University of Technology, Sydney | | Mobile: 0412 182 972 | bj@mcs.uts.edu.au | +-------------------------------+--------------------------------------+ From mml1000 at cam.ac.uk Thu Feb 10 23:19:53 2000
From: mml1000 at cam.ac.uk (Matthew M Lavy)
Date: Tue Dec 2 02:28:30 2003
Subject: Workstation: domain account lists
Message-ID:

Hi,

I've been asked to help out on a network running a small number of NT4.0 (SP6) workstations; they are all in a domain which is being run off samba 2.0.6. The samba server is being used for authentication, profiles and homedirs, and appears to be stable and reliable (of course!!). However, there is one very weird problem:

There is a printer hanging off the parallel port of one of the workstations. This is shared, but it needs to be made so that only a specific domain user has permissions to print to it. This is not in itself a problem: in theory, you go to the permissions dialog, click "add", select the domain and click "show users". You do this and the thing then basically behaves correctly, showing a list of domain users (which it presumably got somehow from the samba server). The problem is that not everyone with an account in smbpasswd shows up on that list!

Can anyone tell me how the NT workstation goes about getting this list of domain users from the samba server, so I can try to work out how some user accounts, which are identical to the rest in every other way, do not show up on the list of users in the printer permissions dialog? These users CAN log on to an NT workstation with no problem...

I'd be very grateful if anyone had any ideas...

Matthew Lavy

--
Matthew M Lavy BA MPhil ARCM LTCL
Jesus College, Cambridge CB5 8BL
Tel: +44 1223 511338
email: mml1000@jesus.cam.ac.uk
From thien_vu at hotmail.com Thu Feb 10 23:22:35 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
Message-ID: <20000210232235.73736.qmail@hotmail.com>

I have confirmed that I have the same problem with non-admin users. Does anyone know of a fix for this problem?? It prevents several of my users from having any preferences saved, setting a default printer and other several critical issues.

Seems to be a very serious problem. I ran regedt32 and looked at the permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission, but only System and the Local Administrator has FULL CONTROL. I will try to set this hive to allow Everyone to have FULL CONTROL because this hive gets dumped back to the NTUSER.DAT file in the profiles right??

Thien Vu

>From: Zhi-Wei Lu
>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
>To: Multiple recipients of list SAMBA-NTDOM
>Subject: NT registry Permission problem
>Date: Thu, 10 Feb 2000 11:42:32 +1100
>
>Dear Samba gurus,
>
>I have been running samba Head-branch for over half year. I am running the
>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
>head-branch code on July 23, 1999. The samba PDC had been running just
>fine
>until recently, I noticed that the smbd leaks memory very quickly.
>
>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
>the
>PDC will let NT domain users to log into the NT machine, but it failed to
>grant them the privilege to write to local user registry, such as adding
>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
>work right at all. I then switched to the main branch 2.0.6,
>the same problem happened too (Of course, I have to rejoin the samba domain
>for an NT workstation). I am using the same smb.conf file for all three
>cases.
>
>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
>on Linux machines. I have encountered similar problems consistently. I
>still
>haven't tracked down to the root of the problem. Do anybody experience
>similar problem?
>
>Thank you for your help in advance.
>
>Zhi-Wei Lu
>CIPIC (Center for Image Processing and Integrated Computing)
>UC Davis Phone: (530)-752-0494
>Davis, CA 95616 Fax: (530)-752-8894
From thien_vu at hotmail.com Fri Feb 11 01:03:36 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
Message-ID: <20000211010336.57038.qmail@hotmail.com>

I think I know what's happening, but don't know how to fix it.

When the user logs in, he is authenticated by Samba. Also his profile is entered into the registry and Desktop settings are set up. The home directory is also mapped. But the Samba server doesn't pass the "correct" SID to the NTWorkstation so the HKEY_CURRENT_USER doesn't point to the HKEY_USERS\(USER SID) but to HKEY_USERS\.Default

If any of this doesn't sound right or if there is a solution, it would be greatly appreciated.

Thien

>From: "Thien Vu"
>Reply-To: thien_vu@hotmail.com
>To: Multiple recipients of list SAMBA-NTDOM
>Subject: Re: NT registry Permission problem
>Date: Fri, 11 Feb 2000 10:26:00 +1100
>
>I have confirmed that I have the same problem with non-admin users. Does
>anyone know of a fix for this problem?? It prevents several of my users
>from
>having any preferences saved, setting a default printer and other several
>critical issues.
>
>Seems to be a very serious problem. I ran regedt32 and looked at the
>permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission,
>but only System and the Local Administrator has FULL CONTROL. I will try to
>set this hive to allow Everyone to have FULL CONTROL because this hive gets
>dumped back to the NTUSER.DAT file in the profiles right??
>
>Thien Vu

>
>
>>From: Zhi-Wei Lu
>>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
>>To: Multiple recipients of list SAMBA-NTDOM
>>Subject: NT registry Permission problem
>>Date: Thu, 10 Feb 2000 11:42:32 +1100
>>
>>Dear Samba gurus,
>>
>>I have been running samba Head-branch for over half year. I am running
>>the
>>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
>>head-branch code on July 23, 1999. The samba PDC had been running just
>>fine
>>until recently, I noticed that the smbd leaks memory very quickly.
>>
>>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
>>the
>>PDC will let NT domain users to log into the NT machine, but it failed to
>>grant them the privilege to write to local user registry, such as adding
>>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
>>work right at all. I then switched to the main branch 2.0.6,
>>the same problem happened too (Of course, I have to rejoin the samba
>>domain
>>for an NT workstation). I am using the same smb.conf file for all three
>>cases.
>>
>>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
>>on Linux machines. I have encountered similar problems consistently. I
>>still
>>haven't tracked down to the root of the problem. Do anybody experience
>>similar problem?
>>
>>Thank you for your help in advance.
>>
>>Zhi-Wei Lu
>>CIPIC (Center for Image Processing and Integrated Computing)
>>UC Davis Phone: (530)-752-0494
>>Davis, CA 95616 Fax: (530)-752-8894
>
From isyn at isi.wat.waw.pl Fri Feb 11 01:27:35 2000
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba and more then one interface and workgroup
In-Reply-To: <38A31C0F.EF149AC7@linvision.com>
Message-ID:

-- ROBERT MAGIER

On Thu, 10 Feb 2000, Geerten Schram wrote:

> Have you told the win95 computers to use the (samba-) WINS server?

Yes i did it... I set the wins server (exactly i set wins server's ip). I noticed that the computers (win95,98) from the server's workgroup see other workgroups in the browsing list, but they can't get the ip of it. I checked in the wins.dat in samba directory if there it is, and it is. Computer from the workgroups different then server's see only themselves and servers workgroup but don't the rest of workgroups (there are 4).

-- ROBERT MAGIER
From sharpe at ns.aus.com Fri Feb 11 06:38:08 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba 2.0.6 and PDC mode
Message-ID: <3.0.6.32.20000211163808.00a37650@203.16.214.248>

I seem to recall that Microsoft have changed the way that NT SP5 and above join a domain to remove that well known password that is used.

Is this the case? This suggests that SP5 cannot be used with Samba 2.0.x in PDC mode.

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
From lkcl at samba.org Fri Feb 11 06:27:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba 2.0.6 and PDC mode
In-Reply-To: <3.0.6.32.20000211163808.00a37650@203.16.214.248>
Message-ID:

On Fri, 11 Feb 2000, Richard Sharpe wrote:

> I seem to recall that Microsoft have changed the way that NT SP5 and above
> join a domain to remove that well known password that is used.

no, they haven't. it's still as insecure as hell, including when a backup domain controller is added to an NT domain.

just as mark russinovich wrote a small utility for NT to fix this by directly modifying the well-known trust account password on _both_ the local workstation / server _and_ the SAM database, last night i wrote up lsa_set_secret_value so that rpcclient can do the same job.

> Is this the case? This suggests that SP5 cannot be used with Samba 2.0.x
> in PDC mode.

well, you can't properly use 2.0.x as a pdc _Anyway_, but aside from that, yes you can use SP5 --- just that if you're paranoid about security, the solutions are a damn nuisance.

the only client-side fixes have been added to NT5. you _can't_ join NT5 to a domain without the admin user/pass, now, which is REALLY good.
From thien_vu at hotmail.com Fri Feb 11 07:06:41 2000
From: thien_vu at hotmail.com (Thien Vu)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba 2.0.6 and PDC mode
References:
Message-ID: <20000211070650.88085.qmail@hotmail.com>

> > Is this the case? This suggests that SP5 cannot be used with Samba 2.0.x
> > in PDC mode.
>
> well, you can't properly use 2.0.x as a pdc _Anyway_, but aside from that,
> yes you can use SP5 --- just that if you're paranoid about security, the
> solutions are a damn nuisance.

I was wondering what the issue with SP5 and Samba 2.0.x as a PDC. You probably have noticed several of my last posts deal with the inability to modify the HKEY_CURRENT_USER hive. Were my guesses correct about Samba not handling the user SIDs or is it way off base?

According to Zhi-Wei Lu, this inability to write to that registry hive is on the 2.0.6 and the HEAD branches. Does the TNG branch fix this problem?

Thanks,
Thien
From lkcl at samba.org Fri Feb 11 07:22:22 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba 2.0.6 and PDC mode
In-Reply-To: <20000211070650.88085.qmail@hotmail.com>
Message-ID:

On Fri, 11 Feb 2000, Thien Vu wrote:

> > > Is this the case? This suggests that SP5 cannot be used with Samba
> 2.0.x
> > > in PDC mode.
> >
> > well, you can't properly use 2.0.x as a pdc _Anyway_, but aside from that,
> > yes you can use SP5 --- just that if you're paranoid about security, the
> > solutions are a damn nuisance.
>
> I was wondering what the issue with SP5 and Samba 2.0.x as a PDC. You
> probably have noticed several of my last posts deal with the inability to
> modify the HKEY_CURRENT_USER hive. Were my guesses correct about Samba not
> handling the user SIDs or is it way off base?

you're more than likely absolutely correct.

> According to Zhi-Wei Lu, this inability to write to that registry hive is on
> the 2.0.6 and the HEAD branches. Does the TNG branch fix this problem?

i really don't know. unlikely.

none of the samba branches handles SID to uid translation correctly, due to the use of a mathematical algorithm that excludes anything but SIDs relative to the SAMBA server's SID. regardless of whether it is a PDC, BDC or a Domain member.

the solution is to farm-off the responsibility for SID to uid / SID to gid and vice-versa translation to an nsswitch-like system that i've named "surs - sid to uid resolution".

the default behaviour will be the limited, default behaviour of 2.0.x (unless someone can convince jeremy that it's necessary to provide a better solution, and it's not difficult to come up with a better one). that will be the default sursswitch module.

other surs systems, capable of dealing with the BUILTIN domain, trusted domain, LDAP databases that have user and group entries with both SID _and_ uid/gid pairs in them, will then be able to be plugged in at your discretion.

see discussions about SURS tables in archives, over new year, for [far too many] details.

see http://cb1.com/~lkcl/cifs/draft-sidtouidmap-01.html for a discussion of the issues, problems and solutions.

luke
From lkcl at samba.org Fri Feb 11 08:39:20 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:30 2003
Subject: samba-tng-alpha-0.2.tar.gz
Message-ID:

ftp://samba.org/pub/samba/alpha.
From sharpe at ns.aus.com Fri Feb 11 09:30:35 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:30 2003
Subject: Trying to join domain with Samba TNG
Message-ID: <3.0.6.32.20000211193035.00846100@203.16.214.248>

Hi,

I have Samba TNG from two days ago. I pulled it from the cvs tree, and it compiled cleanly.

I have added accounts for the server and have tried to join the server to the domain:

  useradd linsrv1\$
  smbpasswd -a -m linsrv1
  smbpasswd -j samba1

But I get an error message back from the attempt to join the domain saying that it was unable to change the passwd ... CHANGE_TRUST_ACCOUNT_PASSWD or something like that.

I have a trace but it is too large to include but it is available.

Here are the daemons that are running:

  4542 ? S 0:00 ../bin/nmbd -D -d 10
  4632 ? S 0:00 ../bin/nmbd -D -d 10
  4638 ? S 0:00 ../bin/browserd -D -d 100
  4640 ? S 0:00 ../bin/lsarpcd -D -d 100
  4642 ? S 0:00 ../bin/netlogond -D -d 100
  4644 ? S 0:00 ../bin/samrd -D -d 100
  4646 ? S 0:00 ../bin/srvsvcd -D -d 100
  4648 ? S 0:00 ../bin/svcctld -D -d 100
  4650 ? S 0:00 ../bin/winregd -D -d 100
  4652 ? S 0:00 ../bin/wkssvcd -D -d 100

What is going wrong?

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
From otto.thoresen at icl.no Fri Feb 11 12:55:28 2000
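[Added example, not part of any message in this archive and not Samba code.] The algorithmic SID to uid translation and the pluggable, nsswitch-like "surs" lookup described in Luke Kenneth Casson Leighton's reply on SID handling above can be sketched as follows. The RID constants, the sample SIDs and every class and function name are assumptions made for illustration.

```python
"""SID <-> uid translation: arithmetic mapping vs. a pluggable lookup chain."""
from typing import Optional

# Constructed sample values; none of these SIDs comes from the thread.
LOCAL_DOMAIN_SID = "S-1-5-21-1000-2000-3000"    # the server's own domain SID
TRUSTED_DOMAIN_SID = "S-1-5-21-4000-5000-6000"  # some other, trusted domain
BUILTIN_ADMINS_SID = "S-1-5-32-544"             # well-known BUILTIN Administrators alias

# Assumed constants for the arithmetic scheme (illustrative, not Samba's source).
RID_BASE = 1000       # RIDs below this are left to well-known accounts
RID_MULTIPLIER = 2    # (rid - RID_BASE) even = user, odd = group


def split_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid); reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


class AlgorithmicMapper:
    """uid <-> RID by arithmetic; it can only answer for the server's own domain."""

    def __init__(self, local_domain_sid: str):
        self.local = local_domain_sid

    def uid_to_sid(self, uid: int) -> Optional[str]:
        return f"{self.local}-{uid * RID_MULTIPLIER + RID_BASE}"

    def sid_to_uid(self, sid: str) -> Optional[int]:
        domain, rid = split_sid(sid)
        if domain != self.local or rid < RID_BASE:
            return None   # trusted-domain, BUILTIN or well-known SID: no answer
        offset = rid - RID_BASE
        if offset % RID_MULTIPLIER != 0:
            return None   # odd offset is a group RID, not a user
        return offset // RID_MULTIPLIER


class TableMapper:
    """Explicit SID/uid pairs, such as directory entries carrying both values."""

    def __init__(self):
        self._uid_by_sid = {}
        self._sid_by_uid = {}

    def add(self, sid: str, uid: int) -> None:
        split_sid(sid)  # syntax check only
        if self._uid_by_sid.get(sid, uid) != uid or self._sid_by_uid.get(uid, sid) != sid:
            raise ValueError("mapping must stay one-to-one")
        self._uid_by_sid[sid] = uid
        self._sid_by_uid[uid] = sid

    def sid_to_uid(self, sid: str) -> Optional[int]:
        return self._uid_by_sid.get(sid)

    def uid_to_sid(self, uid: int) -> Optional[str]:
        return self._sid_by_uid.get(uid)


class Resolver:
    """Ask each module in order, nsswitch style; None means no module knows."""

    def __init__(self, modules):
        self.modules = list(modules)

    def _first(self, method: str, key):
        for module in self.modules:
            answer = getattr(module, method)(key)
            if answer is not None:
                return answer
        return None  # callers must treat this as "deny", not fall back to a shared account

    def sid_to_uid(self, sid: str) -> Optional[int]:
        return self._first("sid_to_uid", sid)

    def uid_to_sid(self, uid: int) -> Optional[str]:
        return self._first("uid_to_sid", uid)

    def round_trips(self, sid: str) -> bool:
        """False when two SIDs end up sharing one uid across modules."""
        uid = self.sid_to_uid(sid)
        return uid is not None and self.uid_to_sid(uid) == sid


def build_resolver() -> Resolver:
    table = TableMapper()
    table.add(TRUSTED_DOMAIN_SID + "-1105", 30001)  # constructed entry
    return Resolver([table, AlgorithmicMapper(LOCAL_DOMAIN_SID)])


if __name__ == "__main__":
    r = build_resolver()
    for sid in (LOCAL_DOMAIN_SID + "-2000", TRUSTED_DOMAIN_SID + "-1105", BUILTIN_ADMINS_SID):
        print(sid, "->", r.sid_to_uid(sid), "round-trips:", r.round_trips(sid))
```

The `round_trips` check is worth running over every entry when a table module is combined with the arithmetic one, since a table uid that the arithmetic also produces gives two different SIDs the same Unix identity.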
From: otto.thoresen at icl.no (Thoresen Otto)
Date: Tue Dec 2 02:28:30 2003
Subject: Windows 2000 disconnect drives on Samba
Message-ID:

We use Samba 1.9.16p9 on Solaris 2.5 and 2.6 as a file server. Accessing the drives from a MS Advance Server 2000 with terminal services. It works properly.

BUT

Some applications have ini and other important files on these drives. After a while these applications crash, and we can see that the drive is disconnected in explorer and "net use". Usually we can go in and view the files on the mapped drive. But it uses some time to get up again. Sometimes we also get the message of wrong username and password. If we try and wait long enough times, we will always get the drives up again, but we can lose them again at once or after 1/2 hour.

The server also disconnects the drive on a NT server. But these mappings come up again very fast.

Please help me out!

Best regards,
Otto
From ba2k at virginia.edu Fri Feb 11 13:15:56 2000
From: ba2k at virginia.edu (Burt Avery)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
In-Reply-To: <20000210232235.73736.qmail@hotmail.com>
Message-ID: <3.0.6.32.20000211081556.009f6720@127.0.0.1>

That parallels the origin of the locked HKCU problem I have been seeing that causes the Tips and IE4Tour to run as if for the initial user startup. User account had no access to rewrite any component of HKCU.

-ba-

At 10:25 AM 2/11/2000 +1100, Thien Vu wrote:
>I have confirmed that I have the same problem with non-admin users. Does
>anyone know of a fix for this problem?? It prevents several of my users from
>having any preferences saved, setting a default printer and other several
>critical issues.
>
>Seems to be a very serious problem. I ran regedt32 and looked at the
>permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission,
>but only System and the Local Administrator has FULL CONTROL. I will try to
>set this hive to allow Everyone to have FULL CONTROL because this hive gets
>dumped back to the NTUSER.DAT file in the profiles right??
>
>Thien Vu

>
>
>>From: Zhi-Wei Lu
>>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
>>To: Multiple recipients of list SAMBA-NTDOM
>>Subject: NT registry Permission problem
>>Date: Thu, 10 Feb 2000 11:42:32 +1100
>>
>>Dear Samba gurus,
>>
>>I have been running samba Head-branch for over half year. I am running the
>>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
>>head-branch code on July 23, 1999. The samba PDC had been running just
>>fine
>>until recently, I noticed that the smbd leaks memory very quickly.
>>
>>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
>>the
>>PDC will let NT domain users to log into the NT machine, but it failed to
>>grant them the privilege to write to local user registry, such as adding
>>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
>>work right at all. I then switched to the main branch 2.0.6,
>>the same problem happened too (Of course, I have to rejoin the samba domain
>>for an NT workstation). I am using the same smb.conf file for all three
>>cases.
>>
>>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
>>on Linux machines. I have encountered similar problems consistently. I
>>still
>>haven't tracked down to the root of the problem. Do anybody experience
>>similar problem?
>>
>>Thank you for your help in advance.
>>
>>Zhi-Wei Lu
>>CIPIC (Center for Image Processing and Integrated Computing)
>>UC Davis Phone: (530)-752-0494
>>Davis, CA 95616 Fax: (530)-752-8894
>
>
>

Burt Avery
Computer Systems Engineer
LSP
Department of Biomedical Engineering
University of Virginia
Charlottesville, VA 22908
804-924-8065 (w)
804-245-5813 (h)
From p.mayers at ic.ac.uk Fri Feb 11 16:32:32 2000
From: p.mayers at ic.ac.uk (Phil Mayers)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
References: <3.0.6.32.20000211081556.009f6720@127.0.0.1>
Message-ID: <38A439A0.471D51BE@ic.ac.uk>

We have that here at IC in an (almost) pure NT environment. Our CCS recommended method is to delete NTuser.dat, and NT will create a new one on next logon with the correct permissions.

I wrote a utility (regsec) which you could use to reset these profiles without doing it manually if you would like it.

I think it's an NT problem, in short, although we've had a ticket open with MS for a long time IIRC regarding this. (I could be wrong however).

Cheers,
Phil

Burt Avery wrote:
>
> That parallels the origin of the locked HKCU problem I have been seeing
> that causes the Tips and IE4Tour to run as if for the initial user startup.
> User account had no access to rewrite any component of HKCU.
>
> -ba-
>
> At 10:25 AM 2/11/2000 +1100, Thien Vu wrote:
> >I have confirmed that I have the same problem with non-admin users. Does
> >anyone know of a fix for this problem?? It prevents several of my users from
> >having any preferences saved, setting a default printer and other several
> >critical issues.
> >
> >Seems to be a very serious problem. I ran regedt32 and looked at the
> >permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission,
> >but only System and the Local Administrator has FULL CONTROL. I will try to
> >set this hive to allow Everyone to have FULL CONTROL because this hive gets
> >dumped back to the NTUSER.DAT file in the profiles right??
> >
> >Thien Vu

> >
> >
> >>From: Zhi-Wei Lu
> >>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
> >>To: Multiple recipients of list SAMBA-NTDOM
> >>Subject: NT registry Permission problem
> >>Date: Thu, 10 Feb 2000 11:42:32 +1100
> >>
> >>Dear Samba gurus,
> >>
> >>I have been running samba Head-branch for over half year. I am running the
> >>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
> >>head-branch code on July 23, 1999. The samba PDC had been running just
> >>fine
> >>until recently, I noticed that the smbd leaks memory very quickly.
> >>
> >>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
> >>the
> >>PDC will let NT domain users to log into the NT machine, but it failed to
> >>grant them the privilege to write to local user registry, such as adding
> >>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
> >>work right at all. I then switched to the main branch 2.0.6,
> >>the same problem happened too (Of course, I have to rejoin the samba domain
> >>for an NT workstation). I am using the same smb.conf file for all three
> >>cases.
> >>
> >>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
> >>on Linux machines. I have encountered similar problems consistently. I
> >>still
> >>haven't tracked down to the root of the problem. Do anybody experience
> >>similar problem?
> >>
> >>Thank you for your help in advance.
> >>
> >>Zhi-Wei Lu
> >>CIPIC (Center for Image Processing and Integrated Computing)
> >>UC Davis Phone: (530)-752-0494
> >>Davis, CA 95616 Fax: (530)-752-8894
> >
> >
> >
> >
>
> Burt Avery
> Computer Systems Engineer
> LSP
> Department of Biomedical Engineering
> University of Virginia
> Charlottesville, VA 22908
> 804-924-8065 (w)
> 804-245-5813 (h)
From inge at cc.uit.no Fri Feb 11 16:49:14 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:30 2003
Subject: Compiling error Samba_TNG
Message-ID: <38A43D8A.2EC77839@cc.uit.no>

When trying to compile today's TNG and the tng-alpha.0.2 from last night under RH6.1 I got this error. Initially I tried to "configure --with-ldap", but the same thing happened after doing a "make distclean" and a configure without any flags.

Compiling utils/testprns.c
Linking bin/testprns
Compiling utils/smbrun.c
Linking bin/smbrun
Compiling utils/status.c
Linking bin/smbstatus
Compiling lib/cmd_interp.c
lib/cmd_interp.c: In function `completion_fn':
lib/cmd_interp.c:926: `fn' undeclared (first use in this function)
lib/cmd_interp.c:926: (Each undeclared identifier is reported only once
lib/cmd_interp.c:926: for each function it appears in.)
lib/cmd_interp.c: At top level:
lib/cmd_interp.c:939: parse error before `return'
gmake: *** [lib/cmd_interp.o] Error 1
zsh: 27441 exit 2 gmake

Then I tried to compile tng-alpha.0.1 with ldap support and I got this error:

Compiling rpc_parse/parse_ntlmssp.c with libtool
Compiling rpc_parse/parse_prs.c with libtool
Compiling rpc_parse/parse_vuid.c with libtool
Compiling lib/vuser.c with libtool
Compiling lib/vuser_db.c with libtool
Compiling rpc_parse/parse_misc.c with libtool
Linking shared library bin/libsmb.la
Compiling libsmb/namequery.c with libtool
Compiling libsmb/nmblib.c with libtool
Linking shared library bin/libnmb.la
Compiling param/loadparm.c with libtool
param/loadparm.c:790: structure has no member named `szLdapRealm'
param/loadparm.c:790: initializer element for `parm_table[204].ptr' is not constant
make: *** [param/loadparm.lo] Error 1

but compiling without ldap support was successful with tng-alpha.0.1 on my RH6.1 box.

Is the compiling with ldap support supposed to work? I've seen the warnings about the introduction of a new ldap schema, but since this support for NT5 ldap schema had its own switch for configure, I thought that the schema still works.

Thanks for all your help.

inge
From zwluxx at chopin.cipic.ucdavis.edu Fri Feb 11 16:58:10 2000
From: zwluxx at chopin.cipic.ucdavis.edu (Zhi-Wei Lu)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
In-Reply-To: Message from Burt Avery of "Sat, 12 Feb 2000 00:24:48 +1100." <3.0.6.32.20000211081556.009f6720@127.0.0.1>
Message-ID: <200002111658.IAA02358@chopin.cipic.ucdavis.edu>

I have tested the 2.0.6 PDC functionality many more times on a few platforms since I sent my first post. Even with the same server and configuration file, samba PDC will fail to grant NT user proper registry right most of the time, but it will work once in a while. In these tests, I always delete machine.sid file, restart the server, and rejoining NT domain. I think that there are some instability/bug in samba/NT codes that cause this problem. I think that it is quite serious that many people probably don't even realize that they are having problem, user that still login in to the NT machine, ms office will work, but as if you are using it the first time. Since I have a working samba server (at certain times, it leaks memory like a running train, 1M/1s, it dies and respawn another), when I upgraded or switched the server, I noticed the problem. I wonder if the samba team member can take a look at the problem and I can send in my smb.conf file.

Thanks.
--
Zhi-Wei Lu
CIPIC (Center for Image Processing and Integrated Computing)
UC Davis Phone: (530)-752-0494
Davis, CA 95616 Fax: (530)-752-8894

> That parallels the origin of the locked HKCU problem I have been seeing
> that causes the Tips and IE4Tour to run as if for the initial user startup.
> User account had no access to rewrite any component of HKCU.
>
> -ba-
>
> At 10:25 AM 2/11/2000 +1100, Thien Vu wrote:
> >I have confirmed that I have the same problem with non-admin users. Does
> >anyone know of a fix for this problem?? It prevents several of my users from
> >having any preferences saved, setting a default printer and other several
> >critical issues.
> >
> >Seems to be a very serious problem. I ran regedt32 and looked at the
> >permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission,
> >but only System and the Local Administrator has FULL CONTROL. I will try to
> >set this hive to allow Everyone to have FULL CONTROL because this hive gets
> >dumped back to the NTUSER.DAT file in the profiles right??
> >
> >Thien Vu

> >
> >
> >>From: Zhi-Wei Lu
> >>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
> >>To: Multiple recipients of list SAMBA-NTDOM
> >>Subject: NT registry Permission problem
> >>Date: Thu, 10 Feb 2000 11:42:32 +1100
> >>
> >>Dear Samba gurus,
> >>
> >>I have been running samba Head-branch for over half year. I am running the
> >>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
> >>head-branch code on July 23, 1999. The samba PDC had been running just
> >>fine
> >>until recently, I noticed that the smbd leaks memory very quickly.
> >>
> >>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
> >>the
> >>PDC will let NT domain users to log into the NT machine, but it failed to
> >>grant them the privilege to write to local user registry, such as adding
> >>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
> >>work right at all. I then switched to the main branch 2.0.6,
> >>the same problem happened too (Of course, I have to rejoin the samba domain
> >>for an NT workstation). I am using the same smb.conf file for all three
> >>cases.
> >>
> >>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
> >>on Linux machines. I have encountered similar problems consistently. I
> >>still
> >>haven't tracked down to the root of the problem. Do anybody experience
> >>similar problem?
> >>
> >>Thank you for your help in advance.
> >>
> >>Zhi-Wei Lu
> >>CIPIC (Center for Image Processing and Integrated Computing)
> >>UC Davis Phone: (530)-752-0494
> >>Davis, CA 95616 Fax: (530)-752-8894
> >
> >
> >
> >
>
> Burt Avery
> Computer Systems Engineer
> LSP
> Department of Biomedical Engineering
> University of Virginia
> Charlottesville, VA 22908
> 804-924-8065 (w)
> 804-245-5813 (h)
>
From karl at Denninger.Net Fri Feb 11 17:06:34 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
In-Reply-To: <200002111658.IAA02358@chopin.cipic.ucdavis.edu>; from Zhi-Wei Lu on Sat, Feb 12, 2000 at 04:02:16AM +1100
References: <200002111658.IAA02358@chopin.cipic.ucdavis.edu>
Message-ID: <20000211110634.A18308@Denninger.Net>

I have NEVER seen this, and if I did, I'd know.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Sat, Feb 12, 2000 at 04:02:16AM +1100, Zhi-Wei Lu wrote:
> I have tested the 2.0.6 PDC functionality many more times on a few
> platforms since I sent my first post. Even with the same server and
> configuration file, samba PDC will fail to grant NT user proper
> registry right most of the time, but it will work once in a while. In these
> tests, I always delete machine.sid file, restart the server, and rejoining
> NT domain. I think that there are some instability/bug in samba/NT codes that
> cause
> this problem. I think that it is quite serious that many people probably don't
> even
> realize that they are having problem, user that still login in to the NT
> machine, ms office
> will work, but as if you are using it the first time. Since I have a working
> samba server
> (at certain times, it leaks memory like a running train, 1M/1s, it dies and
> respawn another), when I upgraded or switched the server, I noticed the
> problem. I wonder if the samba team member can take a look at the problem
> and I can send in my smb.conf file.
>
> Thanks.
> --
> Zhi-Wei Lu
> CIPIC (Center for Image Processing and Integrated Computing)
> UC Davis Phone: (530)-752-0494
> Davis, CA 95616 Fax: (530)-752-8894
>
> > That parallels the origin of the locked HKCU problem I have been seeing
> > that causes the Tips and IE4Tour to run as if for the initial user startup.
> > User account had no access to rewrite any component of HKCU.
> >
> > -ba-
> >
> > At 10:25 AM 2/11/2000 +1100, Thien Vu wrote:
> > >I have confirmed that I have the same problem with non-admin users. Does
> > >anyone know of a fix for this problem?? It prevents several of my users from
> > >having any preferences saved, setting a default printer and other several
> > >critical issues.
> > >
> > >Seems to be a very serious problem. I ran regedt32 and looked at the
> > >permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission,
> > >but only System and the Local Administrator has FULL CONTROL. I will try to
> > >set this hive to allow Everyone to have FULL CONTROL because this hive gets
> > >dumped back to the NTUSER.DAT file in the profiles right??
> > >
> > >Thien Vu

> > >
> > >
> > >>From: Zhi-Wei Lu
> > >>Reply-To: zwluxx@chopin.cipic.ucdavis.edu
> > >>To: Multiple recipients of list SAMBA-NTDOM
> > >>Subject: NT registry Permission problem
> > >>Date: Thu, 10 Feb 2000 11:42:32 +1100
> > >>
> > >>Dear Samba gurus,
> > >>
> > >>I have been running samba Head-branch for over half year. I am running the
> > >>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the
> > >>head-branch code on July 23, 1999. The samba PDC had been running just
> > >>fine
> > >>until recently, I noticed that the smbd leaks memory very quickly.
> > >>
> > >>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code,
> > >>the
> > >>PDC will let NT domain users to log into the NT machine, but it failed to
> > >>grant them the privilege to write to local user registry, such as adding
> > >>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not
> > >>work right at all. I then switched to the main branch 2.0.6,
> > >>the same problem happened too (Of course, I have to rejoin the samba domain
> > >>for an NT workstation). I am using the same smb.conf file for all three
> > >>cases.
> > >>
> > >>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and
> > >>on Linux machines. I have encountered similar problems consistently. I
> > >>still
> > >>haven't tracked down to the root of the problem. Do anybody experience
> > >>similar problem?
> > >>
> > >>Thank you for your help in advance.
> > >> > > >>Zhi-Wei Lu > > >>CIPIC (Center for Image Processing and Integrated Computing) > > >>UC Davis Phone: (530)-752-0494 > > >>Davis, CA 95616 Fax: (530)-752-8894 > > > > > >______________________________________________________ > > >Get Your Private, Free Email at http://www.hotmail.com > > > > > > > > > > > > > > > Burt Avery > > Computer Systems Engineer > > LSP > > Department of Biomedical Engineering > > University of Virginia > > Charlottesville, VA 22908 > > 804-924-8065 (w) > > 804-245-5813 (h) > > > > From zen at uninet.net.id Fri Feb 11 17:00:03 2000 From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:30 2003 Subject: NT registry Permission problem Message-ID: <0002120001160A.00661@zen.sphenisci.or.id> > > Seems to be a very serious problem. I ran regedt32 and looked at the > permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission, > but only System and the Local Administrator has FULL CONTROL. I will try to > set this hive to allow Everyone to have FULL CONTROL because this hive gets > dumped back to the NTUSER.DAT file in the profiles right?? > I suggest you are not doing that... Let the System with FC (Full Control). Everyone Read is fine. Cause the user that write to registry is not Administrator or Users, but System, since NT considered him as an 'Administrative Invisible User.' But if such thing happen there might be some problems in HKEY_USERS\Default, considering it affects all users From zen at uninet.net.id Fri Feb 11 16:08:14 2000 
From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:30 2003 Subject: Can profiles stop policies ? In-Reply-To: <200002102252.JAA08066@thing.socs.uts.EDU.AU> References: <200002102252.JAA08066@thing.socs.uts.EDU.AU> Message-ID: <00021123472508.00661@zen.sphenisci.or.id> > > We have on occasion run up against the problem where a particular > profile of a user can hinder the effect of the policy (ie ntconfig.pol). > Last time we've had this situation, we had to delete the ntuser.man > file within the profile and start it again. > I've gone through the logs and seen that the ntconfig.pol file is loaded, > so I guess the workstation is ignoring it for whatever reason. > Actually the relationship between profiles and policies should go the other way, policies rank is above the profiles. Did you do it on the reverse? That the desire setting was set in profiles instead of policies? Which it will be overwritten. From martin at tantalus.com Fri Feb 11 17:40:32 2000 
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:30 2003
Subject: Samba LDAP
Message-ID: <003301bf74b7$18d32070$12f066cf@tantalus>

Does anyone know who is heading the Samba with LDAP project? I am using
Samba-TNG from a few days ago, after a few of my own modifications to the
code and Luke's help I have gotten it to compile successfully. And I can
even change passwords using smbpasswd in my LDAP database. But I get the
strangest error when I try to auth from NT against Samba as the PDC. Samba
should be referencing the LDAP server, but it's not. Here is what I get in
my log.smb

[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap suffix"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap suffix"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap bind as"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap bind as"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap passwd file"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap passwd file"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap server"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap server"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap port"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap port"
[2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'martin1' in smb_passwd file.
[2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'martin1' in smb_passwd file.
[2000/02/10 12:51:21, 0] smbd/process.c:timeout_processing(795)
  Reloading services after SIGHUP

(Sorry for the huge paste, but I swear each line is different from the
next!! =) )

Any suggestions, or fingers pointing me in the right direction would be
grateful.

Thanks.

___________________________________________
Martin Brown, Unix Systems Administrator
Tantalus Communications Inc.
500-1122 Mainland Street
Vancouver, BC, Canada V6B 5L1
martin@tantalus.com
Direct 604.721-0351
Main 604.609.0700
Fax 604.609.0705
Toll Free 1.877.326.6776
http://www.tantalus.com
"When eBusiness experience counts."

From martin.lorenz at cynapsis.de Fri Feb 11 18:09:14 2000
From: martin.lorenz at cynapsis.de (Martin Lorenz)
Date: Tue Dec 2 02:28:30 2003
Subject: more domains on one server
Message-ID: <3.0.6.32.20000211190914.008f7c00@pop.muenster.de>

i have an urgent problem:

my boss wants me to get a NT domain-controller up and running by friday
next week and i definitely want to do this with samba under linux.

the main problem is: he wants to have three different domains managed by
one server.

how do i do this?

tnx
--
Cynapsis Kommunikationsagentur
Dipl.-Ing. Martin Lorenz
Tel: +49 251 48265 14 Fax:+49 251 57634
Bahnofstrasse 44
D-48143 Muenster

From lkcl at samba.org Fri Feb 11 18:15:07 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: Trying to join domain with Samba TNG In-Reply-To: <3.0.6.32.20000211193035.00846100@203.16.214.248> Message-ID: richard, use the alternative: createuser in rpcclient (or the new! samedit) command. On Fri, 11 Feb 2000, Richard Sharpe wrote: > Hi, > > I have Samba TNG from two days ago. I pulled it from the cvs tree, and it > compiled cleanly. > > I have added accounts for the server and have tried to join the server to > the domain: > > useradd linsrv1\$ > smbpasswd -a -m linsrv1 > smbpasswd -j samba1 > > But I get an error message back from the attempt to join the domain saying > that it was unable to change the passwd ... CHANGE_TRUST_ACCOUNT_PASSWD or > something like that. > > I have a trace but it is too large to include but it is available. > > Here are the daemons that are running: > > 4542 ? S 0:00 ../bin/nmbd -D -d 10 > 4632 ? S 0:00 ../bin/nmbd -D -d 10 > 4638 ? S 0:00 ../bin/browserd -D -d 100 > 4640 ? S 0:00 ../bin/lsarpcd -D -d 100 > 4642 ? S 0:00 ../bin/netlogond -D -d 100 > 4644 ? S 0:00 ../bin/samrd -D -d 100 > 4646 ? S 0:00 ../bin/srvsvcd -D -d 100 > 4648 ? S 0:00 ../bin/svcctld -D -d 100 > 4650 ? S 0:00 ../bin/winregd -D -d 100 > 4652 ? S 0:00 ../bin/wkssvcd -D -d 100 > > What is going wrong? > > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Fri Feb 11 18:16:59 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: Windows 2000 disconnect drives on Samba In-Reply-To: Message-ID: thoresen, if i remember correctly, tses don't access 1.9.16p9s correctly. suggest upgrading to 2.0.x and try again. bear in mind that the default for "security = " changed to "user" in 1.9.18. On Fri, 11 Feb 2000, Thoresen Otto wrote: > We use Samba 1.9.16p9 on Solaris 2.5 and 2.6 as a file server. > Accessing the drives from a MS Advance Server 2000 with terminal services. > It works properly. BUT > Some applications has ini and other important files on this drives. After a > while this applications crash, and we can se that the drive is disconnected > in explorer and "net use". Usually we can go in and view the files on the > mapped drive. But it use some time to get up again. Sometimes we also get > the message of wrong username and password. If we try and wait long enough > times, we will always get the drives up again, but we can loose them again > at once or after 1/2 hour > > The server also disconnect the drive on a NT server. But this mappings comes > up again wery fast. > > Please help me out! > > Best regards, > Otto > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From skvidal at phy.duke.edu Fri Feb 11 18:17:06 2000 
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:30 2003
Subject: more domains on one server
In-Reply-To: <3.0.6.32.20000211190914.008f7c00@pop.muenster.de>
Message-ID:

> my boss wants me to get a NT domain-controller up and running by friday
> next week and i definitely want to do this with samba under linux.
>
> the main problem is: he wants to have three different domains managed by
> one server.
>
> how do i do this?

as far as I know you'll need 3 samba servers running on one machine.

very do-able.
-sv

From lkcl at samba.org Fri Feb 11 18:23:35 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: NT registry Permission problem In-Reply-To: <3.0.6.32.20000211081556.009f6720@127.0.0.1> Message-ID: *sigh* ok. i h ave some suspicions about where this is to be dealt with: in the "Other SIDS" part of the NET_USER_INFO_3. ok. at line 824 of rpc_server/srV_netlog.c, there is an argument "other sids" to init_net_user_ionfo3(). can you make this "S-1-1-0" -- the "everyone" SID, and see what happens. please bear in mind that this may result in everyone being allowed access to the logged-in-user's desktop, user-profile, whatever, i really don't know. so be careful. On Sat, 12 Feb 2000, Burt Avery wrote: > That parallels the origin of the locked HKCU problem I have been seeing > that causes the Tips and IE4Tour to run as if for the initial user startup. > User account had no access to rewrite any component of HKCU. > > -ba- > > At 10:25 AM 2/11/2000 +1100, Thien Vu wrote: > >I have confirmed that I have the same problem with non-admin users. Does > >anyone know of a fix for this problem?? It prevents several of my users from > >having any preferences saved, setting a default printer and other several > >critical issues. > > > >Seems to be a very serious problem. I ran regedt32 and looked at the > >permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission, > >but only System and the Local Administrator has FULL CONTROL. I will try to > >set this hive to allow Everyone to have FULL CONTROL because this hive gets > >dumped back to the NTUSER.DAT file in the profiles right?? > > > >Thien Vu 
> > > > > >>From: Zhi-Wei Lu > >>Reply-To: zwluxx@chopin.cipic.ucdavis.edu > >>To: Multiple recipients of list SAMBA-NTDOM > >>Subject: NT registry Permission problem > >>Date: Thu, 10 Feb 2000 11:42:32 +1100 > >> > >>Dear Samba gurus, > >> > >>I have been running samba Head-branch for over half year. I am running the > >>PDC on an SGI IRIX 6.5.6m O2 macine. I downloaded and compiled the > >>head-branch code on July 23, 1999. The samba PDC had been running just > >>fine > >>until recently, I noticed that the smbd leaks memory very quickly. > >> > >>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code, > >>the > >>PDC will let NT domain users to log into the NT machine, but it failed to > >>grant them the privilege to write to local user registry, such as adding > >>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not > >>work right at all. I then switched to the main branch 2.0.6, > >>the same problem happened too (Of course, I have to rejoin the samba domain > >>for an NT worstation). I am using the same smb.conf file for all three > >>cases. > >> > >>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and > >>on Linux machines. I have encountered similar problems consisntly. I > >>still > >>havn't tracked down to the root of the problem. Do anybody experience > >>similar problem? > >> > >>Thank you for your help in advance. > >> > >>Zhi-Wei Lu > >>CIPIC (Center for Image Processing and Integrated Computing) > >>UC Davis Phone: (530)-752-0494 > >>Davis, CA 95616 Fax: (530)-752-8894 > > > >______________________________________________________ > >Get Your Private, Free Email at http://www.hotmail.com > > > > > > > > > Burt Avery > Computer Systems Engineer > LSP > Department of Biomedical Engineering > University of Virginia > Charlottesville, VA 22908 > 804-924-8065 (w) > 804-245-5813 (h) > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. 
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From nazard at dragoninc.on.ca Fri Feb 11 18:54:20 2000 From: nazard at dragoninc.on.ca (nazard@dragoninc.on.ca) Date: Tue Dec 2 02:28:30 2003 Subject: Samba LDAP In-Reply-To: <003301bf74b7$18d32070$12f066cf@tantalus> Message-ID: <20000211185433Z13176733-16204+51720@samba.anu.edu.au> On 12 Feb, Martin Brown wrote: > > Does anyone know who is heading the Samba with LDAP project? I am using > Samba-TNG frmo a few days ago, after a few of my own modifications to the > code and Lukes help I have gotten it to compile successfully. And I can > even change passwords using smbpasswd in my LDAP database. But I get the > strangest error when I try to auth from NT against Samba as the PDC. Samba > should be referencing the LDAP server, but it's not. Here is what I get in > my log.smb I'm not sure what modifications have been made but it looks like ldap support has been removed from loadparm.c all together. Here are my current changes to get ldap working here. Note this is not samldap but the original ldap support. Index: source/passdb/ldap.c =================================================================== RCS file: /cvsroot/samba/source/passdb/ldap.c,v retrieving revision 1.36 diff -u -w -u -r1.36 ldap.c --- ldap.c 1999/03/25 13:54:30 1.36 +++ ldap.c 2000/02/11 18:50:28 
@@ -272,11 +272,11 @@ *mods = NULL; if(operation == LDAP_MOD_ADD) { /* immutable attributes */ ldap_make_mod(mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); - +/* ldap_make_mod(mods, LDAP_MOD_ADD, "uid", newpwd->unix_name); slprintf(temp, sizeof(temp)-1, "%d", newpwd->unix_uid); ldap_make_mod(mods, LDAP_MOD_ADD, "uidNumber", temp); - +*/ ldap_make_mod(mods, LDAP_MOD_ADD, "ntuid", newpwd->nt_name); slprintf(temp, sizeof(temp)-1, "%x", newpwd->user_rid); ldap_make_mod(mods, LDAP_MOD_ADD, "rid", temp); Index: source/param/loadparm.c =================================================================== RCS file: /cvsroot/samba/source/param/loadparm.c,v retrieving revision 1.190.2.11 diff -u -w -u -r1.190.2.11 loadparm.c --- loadparm.c 2000/02/09 17:00:15 1.190.2.11 +++ loadparm.c 2000/02/11 18:50:30 @@ -787,7 +787,6 @@ {"Ldap Options", P_SEP, P_SEPARATOR}, {"ldap server", P_STRING, P_GLOBAL, &Globals.szLdapServer, NULL, NULL, 0}, - {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, {"ldap suffix", P_STRING, P_GLOBAL, &Globals.szLdapSuffix, NULL, NULL, 0}, {"ldap bind as", P_STRING, P_GLOBAL, &Globals.szLdapBindAs, NULL, NULL, 0}, {"ldap passwd file", P_STRING, P_GLOBAL, &Globals.szLdapPasswdFile, NULL, NULL, 0}, @@ -795,6 +794,7 @@ #ifdef WITH_NT5LDAP {"ldap realm", P_STRING, P_GLOBAL, &Globals.szLdapRealm, NULL, NULL, 0}, + {"ldap port", P_INTEGER, P_GLOBAL, &Globals.ldap_port, NULL, NULL, 0}, {"ldap protocol version", P_INTEGER, P_GLOBAL, &Globals.ldap_protocol_version, NULL, NULL, 0}, {"ldap url", P_STRING, P_GLOBAL, &Globals.szLdapUrl, NULL, NULL, 0}, {"ldap users subcontext", P_STRING, P_GLOBAL, &Globals.szLdapComputersSubcontext, NULL, NULL, 0}, From Elrond at Wunder-Nett.org Fri Feb 11 18:57:12 2000 
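Review bot: in the ldap.c hunk at -272, the two ldap_make_mod() calls that add "uid" and "uidNumber" are disabled by wrapping them in /* */ with no comment saying why. Entries created through the LDAP_MOD_ADD path then get objectclass sambaAccount, ntuid and rid but no uid or uidNumber, so anything that resolves the account by Unix name or uid has to find those attributes some other way. If the intent is that the entry already carries them, say so in a comment and delete the lines (or guard them with #if or a parameter) rather than leaving commented-out code; the slprintf() of newpwd->unix_uid into temp goes dead along with them.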
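Review bot: the two loadparm.c hunks move the "ldap port" entry out of the general "Ldap Options" block (-787) and place it after #ifdef WITH_NT5LDAP (-795), so a build without WITH_NT5LDAP no longer registers "ldap port" and an smb.conf that sets it gets the same "Unknown parameter encountered" / "Ignoring unknown parameter" treatment shown in the log this patch is answering. If the original LDAP backend still reads Globals.ldap_port, keep the entry outside the #ifdef; if it does not, say so in the message. Separately, the context line for "ldap users subcontext" points at &Globals.szLdapComputersSubcontext, which looks like a copy-and-paste slip worth checking while this table is being touched.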
From: Elrond at Wunder-Nett.org (Elrond)
Date: Tue Dec 2 02:28:30 2003
Subject: NT registry Permission problem
In-Reply-To: <200002111658.IAA02358@chopin.cipic.ucdavis.edu>; from Zhi-Wei Lu on Sat, Feb 12, 2000 at 04:01:20AM +1100
References: <200002111658.IAA02358@chopin.cipic.ucdavis.edu>
Message-ID: <20000211195712.B11756@baerbel.mug.maschinenbau.tu-darmstadt.de>

On Sat, Feb 12, 2000 at 04:01:20AM +1100, Zhi-Wei Lu wrote:
> I have tested the 2.0.6 PDC functionality many more times on a few
> platforms since I sent my first post. Even with the same server and
> configuration file, samba PDC will fail to grant NT user proper
> registry right most of the time, but it will work once in a while. In these
> tests, I always delete machine.sid file, restart the server, and rejoining
> NT domain. I think that there are some instability/bug in samba/NT codes that
> cause
[...]

You mean DOMAIN.SID?
If so, that might be the problem.

If you remove the SID-file for the domain, samba generates a
new one and you have to rejoin all your workstations.

But:
The ACLs in your "old" registry still contain the SID for
the "old" SID for that user (The sid for a User is generated
by appending a RID to the domain-sid).

You have two options here.
1) remove the complete old profile for that user
2) After they logged in, there's a local copy of the profile.
   You can "copy" this profile in
   system-control --> System --> User Profiles,
   there you can specify a user, who may access the new
   profile.

Just guessing a bit around...

Elrond

From lkcl at samba.org Fri Feb 11 19:07:22 2000
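Elrond's explanation above, modelled as an added example (not code from Samba or from any poster): a user SID is the domain SID plus a RID, so once the domain SID is regenerated the ACEs in the old profile hive name an account that no longer logs on. The domain SIDs, RID 1001 and the hive DACL are constructed sample values, and the access check is a simplified allow-only model.

```python
import struct

# Registry access-mask values from the Windows SDK.
KEY_SET_VALUE = 0x0002
KEY_READ = 0x20019
KEY_ALL_ACCESS = 0xF003F

# Well-known SIDs and RIDs.
EVERYONE = "S-1-1-0"
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
DOMAIN_USERS_RID = 513

# Constructed sample values (assumptions, not taken from the thread).
OLD_DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
NEW_DOMAIN_SID = "S-1-5-21-2000000001-2000000002-2000000003"
USER_RID = 1001


def parse_sid(text):
    """Split 'S-1-<authority>-<sub>...' into (authority, sub-authority tuple)."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID: %r" % text)
    authority = int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("SID out of range: %r" % text)
    if any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % text)
    return authority, subs


def format_sid(authority, subs):
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def sid_to_bytes(text):
    """Binary form used inside ACEs: revision, sub-authority count,
    48-bit big-endian authority, 32-bit little-endian sub-authorities."""
    authority, subs = parse_sid(text)
    return (struct.pack("BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw):
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return format_sid(int.from_bytes(raw[2:8], "big"), subs)


def account_sid(domain_sid, rid):
    """A user or group SID is the domain SID with the RID appended."""
    authority, subs = parse_sid(domain_sid)
    return format_sid(authority, subs + (rid,))


def domain_of(sid):
    """Domain part of an S-1-5-21-x-y-z-RID account SID, else None."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return format_sid(authority, subs[:-1])
    return None


def logon_token(domain_sid, rid):
    """SIDs carried by a domain logon in this model: user, Domain Users, Everyone."""
    return [account_sid(domain_sid, rid),
            account_sid(domain_sid, DOMAIN_USERS_RID), EVERYONE]


def profile_hive_dacl(owner_sid):
    """Constructed DACL for a profile hive: owner, SYSTEM and Administrators
    get full control, Everyone gets read."""
    return [(owner_sid, KEY_ALL_ACCESS), (SYSTEM, KEY_ALL_ACCESS),
            (ADMINISTRATORS, KEY_ALL_ACCESS), (EVERYONE, KEY_READ)]


def granted_access(token_sids, dacl):
    """OR the masks of allow ACEs whose binary SID matches one in the token."""
    held = {sid_to_bytes(s) for s in token_sids}
    mask = 0
    for ace_sid, ace_mask in dacl:
        if sid_to_bytes(ace_sid) in held:
            mask |= ace_mask
    return mask


def stale_aces(dacl, current_domain_sid):
    """ACEs that name an account under a domain SID other than the current one.
    Local machine accounts also use S-1-5-21; this model ignores them."""
    return [sid for sid, _ in dacl
            if domain_of(sid) not in (None, current_domain_sid)]


def demo():
    """Same user and RID, same hive, before and after the domain SID changes."""
    dacl = profile_hive_dacl(account_sid(OLD_DOMAIN_SID, USER_RID))
    results = {}
    for label, domain in (("before", OLD_DOMAIN_SID), ("after", NEW_DOMAIN_SID)):
        mask = granted_access(logon_token(domain, USER_RID), dacl)
        results[label] = {"read": (mask & KEY_READ) == KEY_READ,
                          "write": bool(mask & KEY_SET_VALUE)}
    results["stale"] = stale_aces(dacl, NEW_DOMAIN_SID)
    return results


if __name__ == "__main__":
    print(demo())
```

After the SID change only the Everyone ACE still matches, which is the read-only HKCU described in the thread; `stale_aces` is the check to run on a hive before deciding whether to delete or re-permission the profile.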
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:30 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A43D8A.2EC77839@cc.uit.no> Message-ID: ah! ok :) Function* typecast is something not specific to gnu readline or something. On Sat, 12 Feb 2000, Inge-H?vard Hunstad wrote: > When trying to compile today's TNG and the tng-alpha.0.2 from last night > under RH6.1 I got this error. Initially I tried to "configure > --with-ldap", but the same thing happened after doing a "make distclean" > and a configure without any flags. > > Compiling utils/testprns.c > Linking bin/testprns > Compiling utils/smbrun.c > Linking bin/smbrun > Compiling utils/status.c > Linking bin/smbstatus > Compiling lib/cmd_interp.c > lib/cmd_interp.c: In function `completion_fn': > lib/cmd_interp.c:926: `fn' undeclared (first use in this function) > lib/cmd_interp.c:926: (Each undeclared identifier is reported only once > lib/cmd_interp.c:926: for each function it appears in.) > lib/cmd_interp.c: At top level: > lib/cmd_interp.c:939: parse error before `return' > gmake: *** [lib/cmd_interp.o] Error 1 > zsh: 27441 exit 2 gmake > > > Then I tried to compile tng-alpha.0.1 with ldap support and I got this > error: > > > Compiling rpc_parse/parse_ntlmssp.c with libtool > Compiling rpc_parse/parse_prs.c with libtool > Compiling rpc_parse/parse_vuid.c with libtool > Compiling lib/vuser.c with libtool > Compiling lib/vuser_db.c with libtool > Compiling rpc_parse/parse_misc.c with libtool > Linking shared library bin/libsmb.la > Compiling libsmb/namequery.c with libtool > Compiling libsmb/nmblib.c with libtool > Linking shared library bin/libnmb.la > Compiling param/loadparm.c with libtool > param/loadparm.c:790: structure has no member named `szLdapRealm' > param/loadparm.c:790: initializer element for `parm_table[204].ptr' is > not const > ant > make: *** [param/loadparm.lo] Error 1 > > but compiling without ldap support was successful with tng-alpha.0.1 on > my RH6.1 box. 
> > Is the compiling with ldap support supposed to work? I've seen the > warnings about the introduction of a new ldap schema, but since this > support for NT5 ldap schema had it's own switch for configure, I thought > that the schema still works. > > Thanks for all your help. > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Fri Feb 11 19:25:57 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: <3.0.6.32.20000211190914.008f7c00@pop.muenster.de> Message-ID: On Sat, 12 Feb 2000, Martin Lorenz wrote: > i have an urgent problem: > > my boss wants me to get a NT domain-controller up and running by friday > next week and i definitely want to do this with samba under linux. > > the main problem is: he wants to have three different domains managed by > one server. and he wanted it to be done with NT? HA! lovely :) that tickles me, that does. use three ip addresses on the one samba server, use "bind interfaces" and all that jazz. it's been done before. three different smb.conf files. From p.grimmerink at home.nl Fri Feb 11 19:34:52 2000 From: p.grimmerink at home.nl (Pieter Grimmerink) Date: Tue Dec 2 02:28:31 2003 Subject: How to get the latest Samba PDC sources Message-ID: I have recently downloaded the latest Samba sources using CVS, but it seems like I did something wrong, cause I can no longer use userlevel sharing on my win98 client PC's (userlist can't be viewed 'at this time'). (I could before, also with the CVS sources) Are the PDC sources no longer in the same tree? Or should I use certain defines in order to enable the functionality? Best regards, Pieter From isyn at isi.wat.waw.pl Fri Feb 11 19:48:30 2000 
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: > use three ip addresses on the one samba server, use "bind interfaces" and > all that jazz. it's been done before. three different smb.conf files. But how to this. When i start one smbd server another is being stoped... -- ROBERT MAGIER From lkcl at samba.org Fri Feb 11 19:48:30 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A43D8A.2EC77839@cc.uit.no> Message-ID: fixed, i hope. use [temprarily] the following patch: Index: lib/cmd_interp.c =================================================================== RCS file: /data/cvs/samba/source/lib/Attic/cmd_interp.c,v retrieving revision 1.1.2.1 diff -u -r1.1.2.1 cmd_interp.c --- cmd_interp.c 2000/02/11 08:16:43 1.1.2.1 +++ cmd_interp.c 2000/02/11 19:09:27 
@@ -923,7 +923,7 @@ if (num_words == 2 || num_words == 3) { - (Function *)fn; + char* (*fn)(char*, int); fn = commands[cmd_index]->compl_args[num_words - 2]; if (fn != NULL) { On Sat, 12 Feb 2000, Inge-H?vard Hunstad wrote: > When trying to compile today's TNG and the tng-alpha.0.2 from last night > under RH6.1 I got this error. Initially I tried to "configure > --with-ldap", but the same thing happened after doing a "make distclean" > and a configure without any flags. > > Compiling utils/testprns.c > Linking bin/testprns > Compiling utils/smbrun.c > Linking bin/smbrun > Compiling utils/status.c > Linking bin/smbstatus > Compiling lib/cmd_interp.c > lib/cmd_interp.c: In function `completion_fn': > lib/cmd_interp.c:926: `fn' undeclared (first use in this function) > lib/cmd_interp.c:926: (Each undeclared identifier is reported only once > lib/cmd_interp.c:926: for each function it appears in.) > lib/cmd_interp.c: At top level: > lib/cmd_interp.c:939: parse error before `return' > gmake: *** [lib/cmd_interp.o] Error 1 > zsh: 27441 exit 2 gmake > > > Then I tried to compile tng-alpha.0.1 with ldap support and I got this > error: > > > Compiling rpc_parse/parse_ntlmssp.c with libtool > Compiling rpc_parse/parse_prs.c with libtool > Compiling rpc_parse/parse_vuid.c with libtool > Compiling lib/vuser.c with libtool > Compiling lib/vuser_db.c with libtool > Compiling rpc_parse/parse_misc.c with libtool > Linking shared library bin/libsmb.la > Compiling libsmb/namequery.c with libtool > Compiling libsmb/nmblib.c with libtool > Linking shared library bin/libnmb.la > Compiling param/loadparm.c with libtool > param/loadparm.c:790: structure has no member named `szLdapRealm' > param/loadparm.c:790: initializer element for `parm_table[204].ptr' is > not const > ant > make: *** [param/loadparm.lo] Error 1 > > but compiling without ldap support was successful with tng-alpha.0.1 on > my RH6.1 box. > > Is the compiling with ldap support supposed to work? 
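Review bot: in the cmd_interp.c hunk at -923, the new declaration hard-codes the completion callback's prototype as char* (*fn)(char*, int), separately from whatever type compl_args[] is declared with elsewhere, so if the two ever differ the assignment on the next line only draws a pointer-type warning. A typedef shared by the struct member and this local would keep them in step, and the declaration could then initialise fn directly from commands[cmd_index]->compl_args[num_words - 2].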
I've seen the > warnings about the introduction of a new ldap schema, but since this > support for NT5 ldap schema had it's own switch for configure, I thought > that the schema still works. > > Thanks for all your help. > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Fri Feb 11 19:50:23 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: rpctorture Message-ID: i'm going to rewrite it. i'll let you know what happens. i split rpcclient down in a big way so that i could do this. i'm going to create a nasty command-line based rpctorture, it's easier than trying to et the existing rpctorture to compile. luke Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From skvidal at phy.duke.edu Fri Feb 11 19:56:59 2000 From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: > > > use three ip addresses on the one samba server, use "bind interfaces" and > > all that jazz. it's been done before. three different smb.conf files. > > But how to this. When i start one smbd server another is being stoped... I'm sorry? What do you mean another is being stopped? -sv From isyn at isi.wat.waw.pl Fri Feb 11 20:03:00 2000 
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl)
Date: Tue Dec 2 02:28:31 2003
Subject: more domains on one server
In-Reply-To:
Message-ID:

On Fri, 11 Feb 2000, Seth Vidal wrote:

> >
> > > use three ip addresses on the one samba server, use "bind interfaces" and
> > > all that jazz. it's been done before. three different smb.conf files.
> >
> > But how to this. When i start one smbd server another is being stoped...
>
> I'm sorry?
> What do you mean another is being stopped?

Yes, my English...:)
Well, I want to say that if I do smth like this
* smbd -s smb1.conf ( Here is set the wins server )
* smbd -s smb2.conf
* smbd -s smb3.conf
* ps auxf

then ps show me smth like

root 3195 0.0 1.1 3160 548 ? S Feb 8 0:02 smbd
root 3198 0.0 0.3 1364 156 ? S Feb 8 0:00 (nmbd)

and if i try to check if the smbd is running on the other's ip
doing smbclient -L dino -I 192.168.3(2).254 then it doesn't answer me.

--
ROBERT MAGIER

From skvidal at phy.duke.edu Fri Feb 11 20:04:51 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:31 2003
Subject: more domains on one server
In-Reply-To:
Message-ID:

> Yes, my English...:)
> Well, I want to say that if I do smth like this
> * smbd -s smb1.conf ( Here is set the wins server )
> * smbd -s smb2.conf
> * smbd -s smb3.conf
> * ps auxf

are you starting nmbd processes too?

what do each of those smb[123].conf files say?
do they have the interfaces=interfacelist
and the
bind interfaces only = yes

> then ps show me smth like
>
> root 3195 0.0 1.1 3160 548 ? S Feb 8 0:02 smbd
> root 3198 0.0 0.3 1364 156 ? S Feb 8 0:00 (nmbd)
>
> and if i try to check if the smbd is running on the other's ip
> doing smbclient -L dino -I 192.168.3(2).254 then it doesn't answer me.

-sv

From isyn at isi.wat.waw.pl Fri Feb 11 20:10:51 2000
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl)
Date: Tue Dec 2 02:28:31 2003
Subject: more domains on one server
In-Reply-To:
Message-ID:

> are you starting nmbd processes too?

Yes of course.
There is " wins support " in smb1.conf.
and wins server = 192.168.2(3).254 in smb2(3).conf

> what do each of those smb[123].conf files say?
> do they have the interfaces=interfacelist

Yes they have
interfaces = 192.168.4(3)(2).254/255.255.255.0

> and the
> bind interfaces only = yes

Yes...

--
ROBERT MAGIER

From grahamj at virtue.cx Fri Feb 11 20:25:21 2000
From: grahamj at virtue.cx (Jonathan Graham)
Date: Tue Dec 2 02:28:31 2003
Subject: rpctorture
In-Reply-To:
Message-ID:

I was wondering if all these changes were going to affect my efforts. Let
me know if you need any help.

Jonathan

On Sat, 12 Feb 2000, Luke Kenneth Casson Leighton wrote:

> i'm going to rewrite it. i'll let you know what happens. i split
> rpcclient down in a big way so that i could do this. i'm going to create
> a nasty command-line based rpctorture, it's easier than trying to get the
> existing rpctorture to compile.
>
>
> luke
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>
>

From lars at kneschke.de Fri Feb 11 20:23:46 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:31 2003
Subject: How to get the latest Samba PDC sources
References:
Message-ID: <38A46FD2.735B6DB7@kneschke.de>

Pieter Grimmerink wrote:
>
> I have recently downloaded the latest Samba sources using CVS, but it seems
> like I did something wrong, cause I can no longer use userlevel sharing on
> my win98 client PC's (userlist can't be viewed 'at this time'). (I could
> before, also with the CVS sources)
>
> Are the PDC sources no longer in the same tree?
>
> Or should I use certain defines in order to enable the functionality?

Please have a look at http://www.kneschke.de/projekte/samba_tng/faq. There
is a step by step description.

Cu
--
Do you like Samba? Do you know KSamba?
Try http://www.kneschke.de/projekte/ksamba!!
Or watch our other projects at http://www.kneschke.de/projekte!

From skvidal at phy.duke.edu Fri Feb 11 20:38:39 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:31 2003
Subject: more domains on one server
In-Reply-To:
Message-ID:

> Yes of course.
> There is " wins support " in smb1.conf.
> and wins server = 192.168.2(3).254 in smb2(3).conf
> > what do each of those smb[123].conf files say?
> > do they have the interfaces=interfacelist
> Yes they have
> interfaces = 192.168.4(3)(2).254/255.255.255.0
> > and the
> > bind interfaces only = yes
> Yes...

now the dumb questions:
you do have those three ip's setup and routes to the networks that they
are on correct?

what do your logs say when you try to startup the second two samba's?

-sv

From zwluxx at chopin.cipic.ucdavis.edu Fri Feb 11 20:39:13 2000
From: zwluxx at chopin.cipic.ucdavis.edu (Zhi-Wei Lu) Date: Tue Dec 2 02:28:31 2003 Subject: NT registry Permission problem In-Reply-To: Message from Luke Kenneth Casson Leighton of "Sat, 12 Feb 2000 05:29:02 +1100." Message-ID: <200002112039.MAA07269@chopin.cipic.ucdavis.edu> I have finally figured out the problem. I think that it is due mainly to NT rather than the SAMBA server. I have to delete the local profile on each NT machine and the NTUSER.DAT on the roaming profile. After I rejoin the samba controlled domain (2.0.6), I have the proper registry permission now. Apparently that when you rejoin a domain or join a new domain (in my case, all samba controlled), the local profile and the roaming profile conflicts with each other, user ends up with crippled privilege. Thanks for all your help, especially Phil Mayers' post on NTuser.dat file which shed some light on my problem. -- Zhi-Wei Lu CIPIC (Center for Image Processing and Integrated Computing) UC Davis Phone: (530)-752-0494 Davis, CA 95616 Fax: (530)-752-8894 > *sigh* ok. i h ave some suspicions about where this is to be dealt with: > in the "Other SIDS" part of the NET_USER_INFO_3. > > ok. at line 824 of rpc_server/srV_netlog.c, there is an argument "other > sids" to init_net_user_ionfo3(). > > can you make this "S-1-1-0" -- the "everyone" SID, and see what happens. > please bear in mind that this may result in everyone being allowed access > to the logged-in-user's desktop, user-profile, whatever, i really don't > know. > > so be careful. > > On Sat, 12 Feb 2000, Burt Avery wrote: > > > That parallels the origin of the locked HKCU problem I have been seeing > > that causes the Tips and IE4Tour to run as if for the initial user startup. > > User account had no access to rewrite any component of HKCU. > > > > -ba- > > > > At 10:25 AM 2/11/2000 +1100, Thien Vu wrote: > > >I have confirmed that I have the same problem with non-admin users. Does > > >anyone know of a fix for this problem?? 
It prevents several of my users from > > >having any preferences saved, setting a default printer and other several > > >critical issues. > > > > > >Seems to be a very serious problem. I ran regedt32 and looked at the > > >permissions on HKEY_CURRENT_USERS hive, and Everyone has READ permission, > > >but only System and the Local Administrator has FULL CONTROL. I will try to > > >set this hive to allow Everyone to have FULL CONTROL because this hive gets > > >dumped back to the NTUSER.DAT file in the profiles right?? > > > > > >Thien Vu 
> > > > > > > > >>From: Zhi-Wei Lu > > >>Reply-To: zwluxx@chopin.cipic.ucdavis.edu > > >>To: Multiple recipients of list SAMBA-NTDOM > > >>Subject: NT registry Permission problem > > >>Date: Thu, 10 Feb 2000 11:42:32 +1100 > > >> > > >>Dear Samba gurus, > > >> > > >>I have been running samba Head-branch for over half year. I am running the > > >>PDC on an SGI IRIX 6.5.6m O2 machine. I downloaded and compiled the > > >>head-branch code on July 23, 1999. The samba PDC had been running just > > >>fine > > >>until recently, I noticed that the smbd leaks memory very quickly. > > >> > > >>I downloaded the latest CVS head-branch on Feb. 2 and compiled the code, > > >>the > > >>PDC will let NT domain users to log into the NT machine, but it failed to > > >>grant them the privilege to write to local user registry, such as adding > > >>a new key in HKEY_CURRENT_USER\Software. Therefore, many programs do not > > >>work right at all. I then switched to the main branch 2.0.6, > > >>the same problem happened too (Of course, I have to rejoin the samba domain > > >>for an NT workstation). I am using the same smb.conf file for all three > > >>cases. > > >> > > >>I have set up a test domain to test the 2.0.6 on SGI, digital UNIX, and > > >>on Linux machines. I have encountered similar problems consistently. I > > >>still > > >>haven't tracked down to the root of the problem. Does anybody experience > > >>a similar problem? > > >> > > >>Thank you for your help in advance.
> > >> > > >>Zhi-Wei Lu > > >>CIPIC (Center for Image Processing and Integrated Computing) > > >>UC Davis Phone: (530)-752-0494 > > >>Davis, CA 95616 Fax: (530)-752-8894 > > > > > >______________________________________________________ > > >Get Your Private, Free Email at http://www.hotmail.com > > > > > > > > > > > > > > > Burt Avery > > Computer Systems Engineer > > LSP > > Department of Biomedical Engineering > > University of Virginia > > Charlottesville, VA 22908 > > 804-924-8065 (w) > > 804-245-5813 (h) > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From ceara at pmf.sc.gov.br Fri Feb 11 20:47:54 2000 From: ceara at pmf.sc.gov.br (Jose Weyne Nunes Marcelino) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: > * smbd -s smb1.conf ( Here is set the wins server ) > * smbd -s smb2.conf > * smbd -s smb3.conf > * ps auxf > > then ps show me smth like > > root 3195 0.0 1.1 3160 548 ? S Feb 8 0:02 smbd > root 3198 0.0 0.3 1364 156 ? S Feb 8 0:00 (nmbd) > Delete the files /var/lock/samba/nmbd.pid and smbd.pid before starting the second daemon nmbd and smbd. Ceara From isyn at isi.wat.waw.pl Fri Feb 11 20:52:59 2000 From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: -- On Fri, 11 Feb 2000, Jose Weyne Nunes Marcelino wrote: > Delete the files /var/lock/samba/nmbd.pid and smbd.pid before > starting the second daemon nmbd and smbd. > Ceara Yes, thanks a lot. Now it works. It was so simple....ehh -- ROBERT MAGIER From s.striker at striker.nl Fri Feb 11 22:38:53 2000
From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: What you should do is specify the pid file on the command line. Look at the man page for the option. Sander Striker >On Fri, 11 Feb 2000, Jose Weyne Nunes Marcelino wrote: > >> Delete the files /var/lock/samba/nmbd.pid and smbd.pid before >> starting the second daemon nmbd and smbd. >> Ceara >Yes, thanks a lot. Now it works. It was so simple....ehh > >-- >ROBERT MAGIER From duehr at id-pro.net Fri Feb 11 23:20:02 2000
From: duehr at id-pro.net (Stephan Duehr) Date: Tue Dec 2 02:28:31 2003 Subject: Samba LDAP In-Reply-To: <003301bf74b7$18d32070$12f066cf@tantalus>; from martin@tantalus.com on Sat, Feb 12, 2000 at 04:39:07AM +1100 References: <003301bf74b7$18d32070$12f066cf@tantalus> Message-ID: <20000212002002.A7113@qwerty.office.id-pro.net> Hi Martin, the question is: What do you want to do with that Samba-LDAP-PDC? If you want real users to use that server, then I think you should not use TNG, because it is just heavily changing, even the LDAP related stuff. My advice would be to check out the cvs of 1999/10/15-00:00 and follow Ignacio Coupeau's fine howto: http://www.unav.es/cti/ldap-smb-howto.html I saw that he added instructions on how to check out that special version, that proved to be quite stable and usable. I found problems with printing from NT with that version. A good approach might be to use that as PDC and a 2.0.6 with security=server (or domain) for file and print services. If you want to take part in TNG-research, I am not the right person (at present;-) On Sat, Feb 12, 2000 at 04:39:07AM +1100, Martin Brown wrote: > > Does anyone know who is heading the Samba with LDAP project? I am using > Samba-TNG from a few days ago, after a few of my own modifications to the > code and Luke's help I have gotten it to compile successfully. And I can > even change passwords using smbpasswd in my LDAP database. But I get the > strangest error when I try to auth from NT against Samba as the PDC. Samba > should be referencing the LDAP server, but it's not.
Here is what I get in
> my log.smb
>
> [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
>   Unknown parameter encountered: "ldap suffix"
> [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
>   Ignoring unknown parameter "ldap suffix"
> [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
>   Unknown parameter encountered: "ldap bind as"
> [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
>   Ignoring unknown parameter "ldap bind as"
> [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
>   Unknown parameter encountered: "ldap passwd file"
> [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
>   Ignoring unknown parameter "ldap passwd file"
> [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
>   Unknown parameter encountered: "ldap server"
> [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
>   Ignoring unknown parameter "ldap server"
> [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
>   Unknown parameter encountered: "ldap port"
> [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
>   Ignoring unknown parameter "ldap port"
> [2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'martin1' in smb_passwd file.
> [2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'martin1' in smb_passwd file.
> [2000/02/10 12:51:21, 0] smbd/process.c:timeout_processing(795)
>   Reloading services after SIGHUP
>
> (Sorry for the huge paste, but I swear each line is different from the
> next!! =) )
>
> Any suggestions, or fingers pointing me in the right direction would be
> grateful. Thanks.
>

--
Stephan Duehr

* ID-PRO Deutschland GmbH
* Tel +49 228 4 21 54 0
* Fax +49 228 4 21 54 29
* http://open-for-the-better.com/

From lkcl at samba.org Fri Feb 11 23:53:33 2000
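
The log quoted in the message above shows every "ldap ..." parameter being ignored and the user lookup then going to the smb_passwd file. The following check for that pattern is an added example, not part of any post in this thread and not Samba code; the sample log is constructed from the excerpt, and the function names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the log.smb excerpt quoted in the thread.
SAMPLE_LOG = """\
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap suffix"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap suffix"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap bind as"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap bind as"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap passwd file"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap passwd file"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap server"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap server"
[2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
  Unknown parameter encountered: "ldap port"
[2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
  Ignoring unknown parameter "ldap port"
[2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'martin1' in smb_passwd file.
[2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'martin1' in smb_passwd file.
[2000/02/10 12:51:21, 0] smbd/process.c:timeout_processing(795)
  Reloading services after SIGHUP
"""

# Header line of a record: [timestamp, debug level] source.c:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Mail quoting ("> ", "> > ") in front of a pasted log line.
QUOTE = re.compile(r"^(?:>\s?)+")
IGNORED = re.compile(r'Ignoring unknown parameter "([^"]+)"')
NO_USER = re.compile(r"Couldn't find user '([^']+)' in smb_passwd file")


def parse_records(text):
    """Join each header line with the message line(s) that follow it."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw)
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["msg"] = ""
            records.append(rec)
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def audit(text, prefix="ldap "):
    """Report ignored parameters and lookups that fell through to smb_passwd."""
    ignored, users = [], []
    for rec in parse_records(text):
        m = IGNORED.search(rec["msg"])
        if m and m.group(1) not in ignored:
            ignored.append(m.group(1))
        m = NO_USER.search(rec["msg"])
        if m and m.group(1) not in users:
            users.append(m.group(1))
    backend = [p for p in ignored if p.startswith(prefix)]
    return {
        "ignored_params": ignored,
        "smb_passwd_misses": users,
        # Backend settings were dropped AND lookups hit the flat file instead.
        "silent_fallback": bool(backend) and bool(users),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same functions accept the log as pasted into a mail reply, since leading `>` quote markers are stripped before matching.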
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: he's using the standard start-up scripts which of course can only do one smbd process (kill `cat smbd.pid`)... On Sat, 12 Feb 2000, Seth Vidal wrote: > > > > > use three ip addresses on the one samba server, use "bind interfaces" and > > > all that jazz. it's been done before. three different smb.conf files. > > > > But how to this. When i start one smbd server another is being stopped... > > I'm sorry? > What do you mean another is being stopped? > > -sv > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sat Feb 12 00:09:13 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: rpctorture In-Reply-To: Message-ID: dunno. it was pretty simple to do, however i've not finished it. i did "logintest", "samhandles", "lsahandles" and that was all. there are a few more left, such as run_random_rpc (sends TOTAL garbage at you), pipe_gobbler() which are actually better off in smbtorture. On Fri, 11 Feb 2000, Jonathan Graham wrote: > I was wondering if all these changes were going to affect my efforts. > Let me know if you need any help. > > Jonathan > > > > On Sat, 12 Feb 2000, Luke Kenneth Casson Leighton wrote: > > > i'm going to rewrite it. i'll let you know what happens. i split > > rpcclient down in a big way so that i could do this. i'm going to create > > a nasty command-line based rpctorture, it's easier than trying to get the > > existing rpctorture to compile. > > > > > > luke > > > > Luke Kenneth Casson Leighton > > Samba and Network Development > > Samba Web site > > Internet Security Systems, Inc. > > Macmillan Technical Publishing > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From allen at driversoft.com Sat Feb 12 00:26:02 2000
From: allen at driversoft.com (Allen Reese) Date: Tue Dec 2 02:28:31 2003 Subject: more domains on one server In-Reply-To: Message-ID: I use killall smbd;killall nmbd, But then I have vagrant daemon problems with some other apps, and made my rc scripts off one of those apps. ;) Allen Reese VP Engineering Driversoft, Inc. allen@driversoft.com Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread Hi, I'm an evil mutated signature virus, put me in your .sig or I will bite your kneecaps! On Sat, 12 Feb 2000, Luke Kenneth Casson Leighton wrote: > he's using the standard start-up scripts which of course can only do one > smbd process (kill `cat smbd.pid`)... > > On Sat, 12 Feb 2000, Seth Vidal wrote: > > > > > > > > use three ip addresses on the one samba server, use "bind interfaces" and > > > > all that jazz. it's been done before. three different smb.conf files. > > > > > > But how to this. When i start one smbd server another is being stopped... > > > > I'm sorry? > > What do you mean another is being stopped? > > > > -sv > > > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > From lkcl at samba.org Sat Feb 12 00:33:44 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: Samba LDAP In-Reply-To: <20000212002002.A7113@qwerty.office.id-pro.net> Message-ID: please bear in mind that all schemas are currently unsupported, so any decisions about putting samba-ldap-pdcs into production environments should probably be delayed. your call. thx, luke On Sat, 12 Feb 2000, Stephan Duehr wrote: > Hi Martin, > > the question is: What do you want to do with that Samba-LDAP-PDC? > If you want real users to use that server, then I think you > should not use TNG, because it is just heavily changing, even > the LDAP related stuff. My advice would be to check out the cvs > of 1999/10/15-00:00 and follow Ignacio Coupeau's fine howto: > > http://www.unav.es/cti/ldap-smb-howto.html > > I saw that he added instructions on how to check out that > special version, that proved to be quite stable and usable. > I found problems with printing from NT with that version. > A good approach might be to use that as PDC and a 2.0.6 > with security=server (or domain) for file and print services. > > If you want to take part in TNG-research, I am not the right > person (at present;-) > > On Sat, Feb 12, 2000 at 04:39:07AM +1100, Martin Brown wrote: > > > > Does anyone know who is heading the Samba with LDAP project? I am using > > Samba-TNG from a few days ago, after a few of my own modifications to the > > code and Luke's help I have gotten it to compile successfully. And I can > > even change passwords using smbpasswd in my LDAP database. But I get the > > strangest error when I try to auth from NT against Samba as the PDC. Samba > > should be referencing the LDAP server, but it's not.
Here is what I get in
> > my log.smb
> >
> > [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
> >   Unknown parameter encountered: "ldap suffix"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
> >   Ignoring unknown parameter "ldap suffix"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
> >   Unknown parameter encountered: "ldap bind as"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
> >   Ignoring unknown parameter "ldap bind as"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
> >   Unknown parameter encountered: "ldap passwd file"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
> >   Ignoring unknown parameter "ldap passwd file"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
> >   Unknown parameter encountered: "ldap server"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
> >   Ignoring unknown parameter "ldap server"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:map_parameter(1582)
> >   Unknown parameter encountered: "ldap port"
> > [2000/02/10 12:51:01, 0] param/loadparm.c:lp_do_parameter(1954)
> >   Ignoring unknown parameter "ldap port"
> > [2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
> >   Couldn't find user 'martin1' in smb_passwd file.
> > [2000/02/10 12:51:01, 1] smbd/password.c:pass_check_smb(500)
> >   Couldn't find user 'martin1' in smb_passwd file.
> > [2000/02/10 12:51:21, 0] smbd/process.c:timeout_processing(795)
> >   Reloading services after SIGHUP
> >
> > (Sorry for the huge paste, but I swear each line is different from the
> > next!! =) )
> >
> > Any suggestions, or fingers pointing me in the right direction would be
> > grateful. Thanks.
> >
>
> --
> Stephan Duehr
>
> * ID-PRO Deutschland GmbH
> * Tel +49 228 4 21 54 0
> * Fax +49 228 4 21 54 29
> * http://open-for-the-better.com/
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From inge at cc.uit.no Sat Feb 12 01:01:46 2000
From: inge at cc.uit.no (Inge-Haavard Hunstad)
Date: Tue Dec 2 02:28:31 2003
Subject: Compiling error Samba_TNG
References:
Message-ID: <38A4B0FA.3B7B1AAB@cc.uit.no>

Luke Kenneth Casson Leighton wrote:
>
> fixed, i hope.
>
I'm sorry after I added the patch I still got the same error:

Compiling utils/status.c
Linking bin/smbstatus
Compiling lib/cmd_interp.c
lib/cmd_interp.c:939: parse error before `return'
make: *** [lib/cmd_interp.o] Error 1
zsh: 30453 exit 2 make

So maybe the problem is that this RH linux 6.1 machine has been upgraded from RH5.2. I also tried the latest cvs and the compilation stopped at the same point. I also checked that your patch was in there and it was. One good thing is that we got rid of that warning before the error:)

Thanks for a great program and all your help!

inge

From lkcl at samba.org Sat Feb 12 01:10:06 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:31 2003
Subject: Compiling error Samba_TNG
In-Reply-To: <38A4B0FA.3B7B1AAB@cc.uit.no>
Message-ID:

delete and do a cvs co again. it would help if i had access to a system with readline on it, the debian install i have has it but configure fails to detect it.

can someone please fix this and send me a patch? thx.

i refuse to wade through code i can't compile if it doesn't have decent indentation, this code is a mess ( { and } don't line up).

On Sat, 12 Feb 2000, Inge-Haavard Hunstad wrote:

>
>
> Luke Kenneth Casson Leighton wrote:
> >
> > fixed, i hope.
> >
> I'm sorry after I added the patch I still got the same error:
>
> Compiling utils/status.c
> Linking bin/smbstatus
> Compiling lib/cmd_interp.c
> lib/cmd_interp.c:939: parse error before `return'
> make: *** [lib/cmd_interp.o] Error 1
> zsh: 30453 exit 2 make
>
> So maybe the problem is that this RH linux 6.1 machine has been
> upgraded from RH5.2. I also tried the latest cvs and the compilation
> stopped at the same point. I also checked that your patch was in there
> and it was. One good thing is that we got rid of that warning before the
> error:)
>
> Thanks for a great program and all your help!
>
> inge
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From abrooks at css.tayloru.edu Sat Feb 12 03:21:33 2000
From: abrooks at css.tayloru.edu (Aaron D. Brooks)
Date: Tue Dec 2 02:28:31 2003
Subject: NT registry Permission problem
In-Reply-To: <200002112039.MAA07269@chopin.cipic.ucdavis.edu>
Message-ID:

> Date: Sat, 12 Feb 2000 07:46:33 +1100
> From: Zhi-Wei Lu > > I have finally figured out the problem. I think that it is due mainly > to NT rather than the SAMBA server. I have to delete the local profile > on each NT machine and the NTUSER.DAT on the roaming profile. After I > rejoin the samba controlled domain (2.0.6), I have the proper > registry permission now. Apparently, when you rejoin a domain or > join a new domain (in my case, all samba controlled), the local profile > and the roaming profile conflict with each other, and the user ends up with > crippled privilege. Thanks for all your help, especially Phil Mayers' > post on NTuser.dat file which shed some light on my problem. There are other silly events which can corrupt NTUSER.DAT (like _using it_ for example (MSKB Q189061)) :( . Since we use a lot of reg files to alter people's environments we run into this a fair amount. The more obnoxious thing is that our policy has NT deleting the NTUSER.DAT and rest of the profile on logout... IN THEORY!!! In actuality the profile gets deleted less than 10% of the time. The DAT file stays locked too long and the logout just leaves the whole mess. This is particularly annoying since profile changes are non-persistent. Like that icon on my desktop that I deleted a week ago just reappeared again. Dang. Does anyone have any insight on forcing profiles OFF on logout? :) Even the "at" (er,... cron? ;) job that tries to delete the profiles only works after the machine has been rebooted. The locks stay until you bounce the machine. -A. +-------> Aaron D. Brooks, 765 . 998 . 5168 Computing Systems Resource Manager Taylor University, CSS Department abrooks [SHIFT"2"] css.tayloru.edu From saberyo at home.com Sat Feb 12 05:05:48 2000
From: saberyo at home.com (Nate Childers) Date: Tue Dec 2 02:28:31 2003 Subject: Compiling error Samba_TNG References: Message-ID: <006301bf7516$d36e1340$0a01010a@fett> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 too many }'s .... take out the last one before lib/cmd_parm.c:939 and it'll build. - ----- Original Message ----- 
From: "Luke Kenneth Casson Leighton" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Friday, February 11, 2000 8:11 PM Subject: Re: Compiling error Samba_TNG > delete and do a cvs co again. it would help if i had access to a > system with readline on it, the debian install i have has it but > configure fails to detect it. > > can someone please fix this and send me a patch? thx. > > i refuse to wade through code i can't compile if it doesn't have > decent indentation, this code is a mess ( { and } don't line up). > > On Sat, 12 Feb 2000, Inge-Haavard Hunstad wrote: > > > > > > > Luke Kenneth Casson Leighton wrote: > > > > > > fixed, i hope. > > > > > I'm sorry after I added the patch I still got the same error: > > > > Compiling utils/status.c > > Linking bin/smbstatus > > Compiling lib/cmd_interp.c > > lib/cmd_interp.c:939: parse error before `return' > > make: *** [lib/cmd_interp.o] Error 1 > > zsh: 30453 exit 2 make > > > > So maybe the problem is that this RH linux 6.1 machine has been > > upgraded from RH5.2. I also tried the latest cvs and the > > compilation stopped at the same point. I also checked that your > > patch was in there and it was. One good thing is that we got rid > > of that warning before the error:) > > > > Thanks for a great program and all your help! > > > > inge > > > > Luke Kenneth Casson Leighton > Samba and Network > Development Samba Web site > Internet > Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain > Internals -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.2 for non-commercial use iQA/AwUBOKTqKgY5cqt1X0VpEQKZnQCcCHduxrhvJDxKYbJPu38RDBtpIl0AoOAA Lcji+rbH6d7qL7+U8N2v/NRr =iThp -----END PGP SIGNATURE----- From lkcl at samba.org Sat Feb 12 05:14:36 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:31 2003 Subject: Compiling error Samba_TNG In-Reply-To: <006301bf7516$d36e1340$0a01010a@fett> Message-ID: got it - thanks! On Sat, 12 Feb 2000, Nate Childers wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > too many }'s .... take out the last one before lib/cmd_parm.c:939 > and it'll build. > - ----- Original Message ----- > From: "Luke Kenneth Casson Leighton" > To: "Multiple recipients of list SAMBA-NTDOM" > Sent: Friday, February 11, 2000 8:11 PM > Subject: Re: Compiling error Samba_TNG > > > > delete and do a cvs co again. it would help if i had access to a From eiben at busitec.de Fri Feb 11 10:39:17 2000 From: eiben at busitec.de (Henning Eiben) Date: Tue Dec 2 02:28:32 2003 Subject: Setting File Permissions Message-ID: Hi, I'm using 2.0.6 (out of my SuSE distribution) as PDC in our company lan. So far everything works just as expected, there are only a few issues ... 1. Unfortunately when I create a file on a samba-share the file is created using my unix-uid/gid (or the gid I specified in the share configuration), but things would be easier if files could inherit permissions from the directory they are created in (just like NT does). Since all users on my linux-box are in gid '100' and files are created '770' everyone can read everything, but I want to restrict access based on directories (not on share, otherwise I would get a ton of shares). 2. Setting file permissions using my NT Workstations 3. Looking up user accounts. Whenever I look at my local User Manager (on NT Workstation), I always get unknown accounts instead of my useraccounts I added to my local administrator group. What features are going to be in newer releases of samba? -- Henning Eiben eiben@busitec.de busitec GmbH business information technology http://www.busitec.de From voc at fl.aec.at Sat Feb 12 12:55:16 2000
From: voc at fl.aec.at (Volker Christian)
Date: Tue Dec 2 02:28:32 2003
Subject: Very strange problems with SAMBA_TNG
Message-ID:

Hello everybody,

I don't want to mess up this list with stupid questions, so if this is one of these, please ignore it.

I have a very strange problem when using one of the newer (and also the newest I get today via cvs) tng-code. An approximately two weeks old code works fine (I am sorry, I don't know exactly the day I checked the working code out from the repository).

The problem is the following. Every time I want to connect to the server as a user with a username longer than three characters smbd crashes. The effect is the same when I want to join the domain maintained by the samba-PDC with a WinNT box with a netbios-name longer than three characters. I really played around long with it - also I set up a second linux-box with a late tng-code - the effect is the same - smbd crashes if ... longer than three character.

Here is a part of the machine-logfile - anyone there who knows what's wrong?

Volker

voc@aec.at
Ars Electronica Center
http://www.aec.at

lookupsmbpwntnam: nt user name TNGTEST\
name 'TNGTEST\' split into domain:TNGTEST and nt name:'
authorise_login: TODO. split function, it's 6 levels!
lookup user 7e44,65
000000 vuid_io_key key
    0000 pid : 00007e44
    0004 vuid: 0065
000000 vuid_io_user_struct usr
    0000 uid: 006403e9
    0004 gid: 6f680064
    0008 name: hoho
    0010 requested_name: ho
    0014 real_name:
    0018 guest: 6c75463c
    001c n_groups: 614e206c
Memory allocation error: failed to expand to -1029947176 bytes
password_ok: check Unix auth
ACCEPTED: guest account and guest ok
Initialising default vfs hooks
lookup user 7e44,65
000000 vuid_io_key key
    0000 pid : 00007e44
    0004 vuid: 0065
000000 vuid_io_user_struct usr
    0000 uid: 006403e9
    0004 gid: 6f680064
    0008 name: hoho
    0010 requested_name: ho
    0014 real_name:
    0018 guest: 6c75463c
    001c n_groups: 614e206c
Memory allocation error: failed to expand to -1029947176 bytes
===============================================================
INTERNAL ERROR: Signal 11 in pid 32324 (TNG-prealpha)
Please read the file BUGS.txt in the distribution
===============================================================
PANIC: internal error

From lkcl at samba.org Sat Feb 12 18:15:54 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Very strange problems with SAMBA_TNG In-Reply-To: Message-ID: On Sat, 12 Feb 2000, Volker Christian wrote: > > Hello everybody, > > I don't want to mess up this list with stupid questions, so if this is one > of these, please ignore it. > > I have a very strange problem when using one of the newer (and also the > newest I get today via cvs) tng-code. An approximately two weeks old code > works fine (I am sorry, I don't know exactly the day I checked the working > code out from the repository). > > The problem is the following. Every time I want to connect to the server as a > user with a username longer than three characters smbd crashes. The effect > is the same when I want to join the domain maintained by the samba-PDC with > a WinNT box with a netbios-name longer than three characters. I really > played around long with it - also I set up a second linux-box with a late > tng-code - the effect is the same - smbd crashes if ... longer than three > character. really??? weird! ok, try odd / even names, ok? From peter at cadcamlab.org Sat Feb 12 19:36:20 2000 From: peter at cadcamlab.org (Peter Samuelson) Date: Tue Dec 2 02:28:32 2003 Subject: From smbpasswd to passwd References: <3.0.3.32.20000209113440.00a2d590@pop.softeam.it> Message-ID: <14501.46530.811117.730689@wire.cadcamlab.org> [Luca Micheletti] > Now i have my text file smbpasswd style, but i need these users in > /etc/passwd not in smbpasswd. Can't be done. Unix passwd and NT smbpasswd formats are both one-way hashes and they are not compatible. The best you can do is change everyone's passwords (or ask them to) using a utility that changes both at once. Samba is one such utility, if you set "passwd chat" and friends to the right values. Peter From abrooks at css.tayloru.edu Sat Feb 12 19:59:45 2000
From: abrooks at css.tayloru.edu (Aaron D. Brooks) Date: Tue Dec 2 02:28:32 2003 Subject: From smbpasswd to passwd In-Reply-To: <14501.46530.811117.730689@wire.cadcamlab.org> Message-ID: > Date: Sun, 13 Feb 2000 06:38:45 +1100 > From: Peter Samuelson > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: From smbpasswd to passwd > > > [Luca Micheletti] > > Now i have my text file smbpasswd style, but i need these users in > > /etc/passwd not in smbpasswd. > > Can't be done. Unix passwd and NT smbpasswd formats are both one-way > hashes and they are not compatible. The best you can do is change > everyone's passwords (or ask them to) using a utility that changes both > at once. Samba is one such utility, if you set "passwd chat" and > friends to the right values. Actually, since you have the piss-poor LM hash you can run the smb.passwd file through something like L0phtCrack ("It sniffs through registry files [sic] like an anteater on dexadrene..." ;) even with a good password policy in place you will probably get most of the passwords in about half of a day on a beefy machine (PIII 500 Dual/512Mb). You can then use a perl script to back merge the smb.passwd data and the passwords into a unix passwd file. Then only a small percentage of the population needs to change their passwords. If you have a couple of days to spare, you could make that percentage pretty low. (The only bad thing is that L0phtCrack only runs on Win32.) We did something remotely like this here at TU. -A. +-------> Aaron D. Brooks, 765 . 998 . 5168 Computing Systems Resource Manager Taylor University, CSS Department abrooks [SHIFT"2"] css.tayloru.edu From peter at cadcamlab.org Sat Feb 12 20:17:31 2000 
From: peter at cadcamlab.org (Peter Samuelson) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: <38A4B0FA.3B7B1AAB@cc.uit.no> Message-ID: <14501.48542.192885.46374@wire.cadcamlab.org> [Luke Kenneth Casson Leighton] > it would help if i had access to a system with readline on it, the > debian install i have has it but configure fails to detect it. apt-get install libreadlineg2-dev apt-get install libreadline4-dev ...depending on which version(s) of libreadline you have (i.e. whether you're running stable or unstable Debian). In general, you need *-dev packages to get header files etc. Peter From jasonjensen at home.com Sat Feb 12 23:08:07 2000 From: jasonjensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:32 2003 Subject: No subject Message-ID: <000f01bf75ae$05ed4ba0$0201a8c0@jason> SUBSCRIBE jasonjensen@home.com From lkcl at samba.org Sat Feb 12 23:19:55 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: From smbpasswd to passwd In-Reply-To: Message-ID: the original source, available from l0pht's web site, contains samba source code. it compiles for unix, obviously. On Sun, 13 Feb 2000, Aaron D. Brooks wrote: > > > Date: Sun, 13 Feb 2000 06:38:45 +1100
> > From: Peter Samuelson > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Re: From smbpasswd to passwd > > > > > > [Luca Micheletti] > > > Now i have my text file smbpasswd style, but i need these users in > > > /etc/passwd not in smbpasswd. > > > > Can't be done. Unix passwd and NT smbpasswd formats are both one-way > > hashes and they are not compatible. The best you can do is change > > everyone's passwords (or ask them to) using a utility that changes both > > at once. Samba is one such utility, if you set "passwd chat" and > > friends to the right values. > > Actually, since you have the piss-poor LM hash you can run the smb.passwd > file through something like L0phtCrack ("It sniffs through registry files > [sic] like an anteater on dexadrene..." ;) even with a good password > policy in place you will probably get most of the passwords in about half > of a day on a beefy machine (PIII 500 Dual/512Mb). You can then use a perl > script to back merge the smb.passwd data and the passwords into a unix > passwd file. Then only a small percentage of the population needs to > change their passwords. If you have a couple of days to spare, you could > make that percentage pretty low. (The only bad thing is that L0phtCrack > only runs on Win32.) We did something remotely like this here at TU. > > -A. > > +-------> > Aaron D. Brooks, 765 . 998 . 5168 > Computing Systems Resource Manager > Taylor University, CSS Department > abrooks [SHIFT"2"] css.tayloru.edu > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From inge at cc.uit.no Sun Feb 13 00:12:18 2000 
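
The exchange above turns on which hashes an smbpasswd file actually stores; the LM hash is the weak one. The following audit lists the accounts that still carry an LM hash and the accounts whose NT hashes are identical (the hashes are unsalted, so equal hashes mean equal passwords). It is an added example, not code from the thread or from Samba; the field layout follows smbpasswd(5), and the account names and hash values are constructed.

```python
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
NO_PASSWORD = "NO PASSWORD" + "X" * 21  # null-password marker, padded to 32 chars
DISABLED = "X" * 32                     # no usable hash stored in this field

# Constructed sample in the smbpasswd layout:
#   name:uid:LM hash:NT hash:[flags]:LCT-time:
# Hash values are arbitrary hex chosen for the example, not real password hashes.
LM_A = "0123456789ABCDEF0123456789ABCDEF"
NT_A = "FEDCBA9876543210FEDCBA9876543210"
NT_B = "00112233445566778899AABBCCDDEEFF"
SAMPLE = "\n".join([
    "# constructed smbpasswd sample",
    f"alice:1001:{LM_A}:{NT_A}:[U          ]:LCT-38A4B0FA:",
    f"bob:1002:{DISABLED}:{NT_A}:[U          ]:LCT-38A4B0FA:",
    f"carol:1003:{NO_PASSWORD}:{NO_PASSWORD}:[NU         ]:LCT-00000000:",
    f"ws1$:1004:{DISABLED}:{NT_B}:[W          ]:LCT-38A4B0FA:",
    "dave:1005:tooshort",
])


def classify(field):
    """Return what a 32-character hash field holds."""
    if field.startswith("NO PASSWORD"):
        return "null"
    if field == DISABLED:
        return "none"
    if HEX32.match(field):
        return "hash"
    return "invalid"


def parse_smbpasswd(text):
    """Return (entries, malformed line numbers); comments and blanks are skipped."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            malformed.append(lineno)
            continue
        name, uid, lm, nt = parts[:4]
        lm_kind, nt_kind = classify(lm), classify(nt)
        if "invalid" in (lm_kind, nt_kind):
            malformed.append(lineno)
            continue
        entries.append({"name": name, "uid": int(uid), "nt": nt.upper(),
                        "lm_kind": lm_kind, "nt_kind": nt_kind})
    return entries, malformed


def audit(text):
    entries, malformed = parse_smbpasswd(text)
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt_kind"] == "hash":
            by_nt[e["nt"]].append(e["name"])
    return {
        # Accounts that still have an LM hash on disk.
        "lm_stored": [e["name"] for e in entries if e["lm_kind"] == "hash"],
        # Accounts marked as having no password at all.
        "null_password": [e["name"] for e in entries
                          if "null" in (e["lm_kind"], e["nt_kind"])],
        # Groups of accounts whose unsalted NT hashes are identical.
        "shared_nt_hash": sorted(n for n in by_nt.values() if len(n) > 1),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```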
From: inge at cc.uit.no (Inge-Haavard Hunstad) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <38A5F6E2.4D93493A@cc.uit.no> Luke Kenneth Casson Leighton wrote: > > delete and do a cvs co again. Ok I did and got the same error. Then I gave up and decided to start again this morning. This morning lib/cmd_interp.c compiled but then there was a linking problem with the lib/cmd_interp.o file. So I decided to give it a day to fix itself;-) So when I tried same tonight: a clean cvs checkout, "./configure --prefix=/opt/samba-tng --with-ldap" and "make" I got this error: Compiling rpc_parse/parse_lsa.c with libtool Compiling rpc_parse/parse_reg.c with libtool Compiling rpc_parse/parse_samr.c with libtool Compiling rpc_parse/parse_srv.c with libtool rpc_parse/parse_srv.c:1530: conflicting types for `make_srv_file_info3_str' include/rpc_parse_proto.h:1152: previous declaration of `make_srv_file_info3_str' rpc_parse/parse_srv.c:1572: conflicting types for `make_srv_file_info3' include/rpc_parse_proto.h:1154: previous declaration of `make_srv_file_info3' make: *** [rpc_parse/parse_srv.lo] Error 1 zsh: 32328 exit 2 make I hope I'm not getting too annoying but it would be very nice to get samba_TNG compiled so that I could start some testing of the ldap support:-) Thanks for all your help inge From lkcl at samba.org Sun Feb 13 00:21:22 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A5F6E2.4D93493A@cc.uit.no> Message-ID: yeah, i messed it up and i'm in the middle of something, right now. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > Luke Kenneth Casson Leighton wrote: > > > > delete and do a cvs co again. > > Ok I did and got the same error. Then I gave up and decided to start > again this morning. This morning lib/cmd_interp.c compiled but then > there was a linking problem with the lib/cmd_interp.o file. So I decided > to give it a day to fix itself;-) So when I tried same tonight: > a clean cvs checkout, > "./configure --prefix=/opt/samba-tng --with-ldap" and "make" > > I got this error: > > Compiling rpc_parse/parse_lsa.c with libtool > Compiling rpc_parse/parse_reg.c with libtool > Compiling rpc_parse/parse_samr.c with libtool > Compiling rpc_parse/parse_srv.c with libtool > rpc_parse/parse_srv.c:1530: conflicting types for > `make_srv_file_info3_str' > include/rpc_parse_proto.h:1152: previous declaration of > `make_srv_file_info3_str' > rpc_parse/parse_srv.c:1572: conflicting types for `make_srv_file_info3' > include/rpc_parse_proto.h:1154: previous declaration of > `make_srv_file_info3' > make: *** [rpc_parse/parse_srv.lo] Error 1 > zsh: 32328 exit 2 make > > I hope I'm not getting too annoying but it would be very nice to get > samba_TNG compiled so that I could start some testing of the ldap > support:-) > > Thanks for all your help > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 13 00:22:09 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A5F6E2.4D93493A@cc.uit.no> Message-ID: do a make proto. From jasonjensen at home.com Sun Feb 13 02:26:55 2000 From: jasonjensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: <38A5F6E2.4D93493A@cc.uit.no> Message-ID: <001201bf75c9$cb6eb650$0201a8c0@jason> I also have had nothing but compile errors.. even without ANY options whatsoever. just ./configure make MAKE="make -j4" although i don't think the -j works ----- Original Message ----- 
From: "Inge-Haavard Hunstad" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Saturday, February 12, 2000 4:13 PM Subject: Re: Compiling error Samba_TNG > > Luke Kenneth Casson Leighton wrote: > > > > delete and do a cvs co again. > > Ok I did and got the same error. Then I gave up and decided to start > again this morning. This morning lib/cmd_interp.c compiled but then > there was a linking problem with the lib/cmd_interp.o file. So I decided > to give it a day to fix itself;-) So when I tried same tonight: > a clean cvs checkout, > "./configure --prefix=/opt/samba-tng --with-ldap" and "make" > > I got this error: > > Compiling rpc_parse/parse_lsa.c with libtool > Compiling rpc_parse/parse_reg.c with libtool > Compiling rpc_parse/parse_samr.c with libtool > Compiling rpc_parse/parse_srv.c with libtool > rpc_parse/parse_srv.c:1530: conflicting types for > `make_srv_file_info3_str' > include/rpc_parse_proto.h:1152: previous declaration of > `make_srv_file_info3_str' > rpc_parse/parse_srv.c:1572: conflicting types for `make_srv_file_info3' > include/rpc_parse_proto.h:1154: previous declaration of > `make_srv_file_info3' > make: *** [rpc_parse/parse_srv.lo] Error 1 > zsh: 32328 exit 2 make > > I hope I'm not getting too annoying but it would be very nice to get > samba_TNG compiled so that I could start some testing of the ldap > support:-) > > Thanks for all your help > > inge From inge at cc.uit.no Sun Feb 13 00:34:06 2000 
From: inge at cc.uit.no (Inge-Haavard Hunstad) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <38A5FBFE.F389D2D4@cc.uit.no> Luke Kenneth Casson Leighton wrote: > > do a make proto. I did and then I tried make again. Now I got this error: Compiling rpc_parse/parse_srv.c with libtool In file included from include/includes.h:591, from rpc_parse/parse_srv.c:26: include/proto.h:535: conflicting types for `setbuffer' /usr/include/stdio.h:239: previous declaration of `setbuffer' make: *** [rpc_parse/parse_srv.lo] Error 1 zsh: 3286 exit 2 make Should I do a new cvs checkout? inge From neubyneu at twcny.rr.com Sun Feb 13 00:33:44 2000 From: neubyneu at twcny.rr.com (Michael P. Neuman) Date: Tue Dec 2 02:28:32 2003 Subject: Windows 2000 and TNG Message-ID: <000001bf75b9$fcc917a0$1600a8c0@inetcafe.com> Hello all: I just received Windows 2000 Professional Final Release. I am currently running Samba in order to serve my Windows 95 & Windows 98 Machines. From my understanding, I needed to get something called TNG. I read instructions on CVS and it downloaded TNG onto my computer. Then I went on and did "./configure", "./make", and am about to do "./make install". Once I have this TNG thing installed, what do I do to get my Win2K machine to join the samba controlled domain? I've successfully got a Windows NT workstation joining the domain. Now I just need specific instructions to get the 2000 box on joined up. Any help would be greatly appreciated! Thanks in advance. Please CC any responses to neubyneu@twcny.rr.com so I don't have to keep checking the archives. Thanks. -- Michael P. Neuman - UNIX Admin CMSNet.net neubyneu@twcny.rr.com -- From jboschee at flashcom.net Sun Feb 13 00:47:32 2000 
From: jboschee at flashcom.net (Jeff Boschee) Date: Tue Dec 2 02:28:32 2003 Subject: Windows 2000 disconnect drives on Samba In-Reply-To: Message-ID: I know on Windows 2000, drives disconnect after so many minutes of being idle. There is a setting for this in the local policies of Computer Manager. I connect to Samba 2.0.5a with win2000 and don't have any trouble. Hope that helps Jeff Boschee -----Original Message----- From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Thoresen Otto Sent: Friday, February 11, 2000 4:59 AM To: Multiple recipients of list SAMBA-NTDOM Subject: Windows 2000 disconnect drives on Samba We use Samba 1.9.16p9 on Solaris 2.5 and 2.6 as a file server. Accessing the drives from a MS Advance Server 2000 with terminal services. It works properly. BUT Some applications have ini and other important files on these drives. After a while these applications crash, and we can see that the drive is disconnected in explorer and "net use". Usually we can go in and view the files on the mapped drive. But it uses some time to get up again. Sometimes we also get the message of wrong username and password. If we try and wait long enough times, we will always get the drives up again, but we can lose them again at once or after 1/2 hour. The server also disconnects the drive on an NT server. But these mappings come up again very fast. Please help me out! Best regards, Otto From lkcl at samba.org Sun Feb 13 00:49:55 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A5FBFE.F389D2D4@cc.uit.no> Message-ID: ngggh! things i came up against 10 hours ago, and i can't commit them dammit! ok, look in lib/util.c, find this: void setbuffer(...) make it this: void setbuffer(...) then do another make proto. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > Luke Kenneth Casson Leighton wrote: > > > > do a make proto. > > I did an then I tried make again. Now I got this error: > > Compiling rpc_parse/parse_srv.c with libtool > In file included from include/includes.h:591, > from rpc_parse/parse_srv.c:26: > include/proto.h:535: conflicting types for `setbuffer' > /usr/include/stdio.h:239: previous declaration of `setbuffer' > make: *** [rpc_parse/parse_srv.lo] Error 1 > zsh: 3286 exit 2 make > > Should I do a new cvs checkout? > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 13 00:50:43 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Windows 2000 and TNG In-Reply-To: <000001bf75b9$fcc917a0$1600a8c0@inetcafe.com> Message-ID: michael, nt5rtm doesn't join domain proer right now, i have to install it and test it myself. On Sun, 13 Feb 2000, Michael P. Neuman wrote: > Hello all: > > I just recieved Windows 2000 Professional Final Release. I am currently > running Samba in order to serve my Windows 95 & Windows 98 Machines. From > my understanding, I needed to get something called TNG. I read instructions > on CVS and it downloaded TNG onto my computer. Then I went on and did > "./configure", "./make", and am about to do "./make install". Once I have > this TNG thing installed, what do I do to get my Win2K machine to join the > samba controlled domain? I've succesfully got a Windows NT workstation > joining the domain. Now I just need specific instructions to get the 2000 > box on joined up. Any help would be greatly appreciated! Thanks in > advance. Please CC any responses to neubyneu@twcny.rr.com so I don't have > to keep checking the archives. Thanks. > > -- > Michael P. Neuman - UNIX Admin CMSNet.net > neubyneu@twcny.rr.com > -- > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jasonjensen at home.com Sun Feb 13 03:00:56 2000 From: jasonjensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <003901bf75ce$8c039120$0201a8c0@jason> yes and find this and change it to this. umm.. i think you messed up.. those lines are the same ----- Original Message ----- 
From: "Luke Kenneth Casson Leighton" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Saturday, February 12, 2000 4:52 PM Subject: Re: Compiling error Samba_TNG > ngggh! things i came up against 10 hours ago, and i can't commit them > dammit! > > ok, look in lib/util.c, find this: > > void setbuffer(...) > > make it this: > > void setbuffer(...) > > then do another make proto. > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > Luke Kenneth Casson Leighton wrote: > > > > > > do a make proto. > > > > I did an then I tried make again. Now I got this error: > > > > Compiling rpc_parse/parse_srv.c with libtool > > In file included from include/includes.h:591, > > from rpc_parse/parse_srv.c:26: > > include/proto.h:535: conflicting types for `setbuffer' > > /usr/include/stdio.h:239: previous declaration of `setbuffer' > > make: *** [rpc_parse/parse_srv.lo] Error 1 > > zsh: 3286 exit 2 make > > > > Should I do a new cvs checkout? > > > > inge > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From lkcl at samba.org Sun Feb 13 01:02:33 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <003901bf75ce$8c039120$0201a8c0@jason> Message-ID: On Sun, 13 Feb 2000, Jason Jensen wrote: > yes and find this and change it to this. umm.. i think you messed up.. those > lines are the same no, the change has a space in front of it. > ----- Original Message ----- 
> From: "Luke Kenneth Casson Leighton" > To: "Multiple recipients of list SAMBA-NTDOM" > Sent: Saturday, February 12, 2000 4:52 PM > Subject: Re: Compiling error Samba_TNG > > > > ngggh! things i came up against 10 hours ago, and i can't commit them > > dammit! > > > > ok, look in lib/util.c, find this: > > > > void setbuffer(...) > > > > make it this: > > > > void setbuffer(...) > > > > then do another make proto. > > > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > > > Luke Kenneth Casson Leighton wrote: > > > > > > > > do a make proto. > > > > > > I did an then I tried make again. Now I got this error: > > > > > > Compiling rpc_parse/parse_srv.c with libtool > > > In file included from include/includes.h:591, > > > from rpc_parse/parse_srv.c:26: > > > include/proto.h:535: conflicting types for `setbuffer' > > > /usr/include/stdio.h:239: previous declaration of `setbuffer' > > > make: *** [rpc_parse/parse_srv.lo] Error 1 > > > zsh: 3286 exit 2 make > > > > > > Should I do a new cvs checkout? > > > > > > inge > > > > > > > Luke Kenneth Casson Leighton > > Samba and Network Development > > Samba Web site > > Internet Security Systems, Inc. > > Macmillan Technical Publishing > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From inge at cc.uit.no Sun Feb 13 01:35:43 2000 
From: inge at cc.uit.no (Inge-Haavard Hunstad) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <38A60A6F.D89CC3DD@cc.uit.no> Luke Kenneth Casson Leighton wrote: > > ngggh! things i came up against 10 hours ago, and i can't commit them > dammit! > > ok, look in lib/util.c, find this: > > void setbuffer(...) > > make it this: > > void setbuffer(...) > > then do another make proto. Ok here is what I did: - edited the lib/util.c and put your change in it. - "make distclean" - "make proto" - "./configure --prefix=/opt/samba-tng --with-ldap" So to my big surprise I got what looks to me as the linking error from this morning: Linking bin/regedit lib/cmd_interp.o: In function `complete_svcenum': lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' lib/cmd_interp.o: In function `complete_printersenum': lib/cmd_interp.o(.text+0xe7c): undefined reference to `msrpc_spoolss_enum_printers' collect2: ld returned 1 exit status make: *** [bin/regedit] Error 1 zsh: 4055 exit 2 make Ok I think I give up. Need some sleep:) Could you predict when you're finished with these big changes you are doing right now or when I maybe with more luck would be able to compile samba_TNG on a RH6.1 box. I'm sorry for giving you so much trouble:) inge From lkcl at samba.org Sun Feb 13 01:44:45 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A60A6F.D89CC3DD@cc.uit.no> Message-ID: managed to do a commit just now, got it compiled. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > Luke Kenneth Casson Leighton wrote: > > > > ngggh! things i came up against 10 hours ago, and i can't commit them > > dammit! > > > > ok, look in lib/util.c, find this: > > > > void setbuffer(...) > > > > make it this: > > > > void setbuffer(...) > > > > then do another make proto. > > Ok her is what I did: > - edited the lib/util.c and put your change in it. > - "make distclean" > - "make proto" > - "./configure --prefix=/opt/samba-tng --with-ldap" > > So to my big surprise I got what looks to me as the linking error from > this morning: > > Linking bin/regedit > lib/cmd_interp.o: In function `complete_svcenum': > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > lib/cmd_interp.o: In function `complete_printersenum': > lib/cmd_interp.o(.text+0xe7c): undefined reference to > `msrpc_spoolss_enum_printers' > collect2: ld returned 1 exit status > make: *** [bin/regedit] Error 1 > zsh: 4055 exit 2 make > > Ok I think I give up. Need some sleep:) Could you predict when you're > finished with these big changes you are doing right now or when I maybe > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > sorry I for giving you so much trouble:) > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jasonjensen at home.com Sun Feb 13 03:52:38 2000 From: jasonjensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <00c401bf75d5$c55689d0$0201a8c0@jason> I'll believe it when I see it.. hehehhe j/k ----- Original Message ----- 
From: "Luke Kenneth Casson Leighton" To: "Multiple recipients of list SAMBA-NTDOM" Sent: Saturday, February 12, 2000 5:47 PM Subject: Re: Compiling error Samba_TNG > managed to do a commit just now, got it compiled. > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > Luke Kenneth Casson Leighton wrote: > > > > > > ngggh! things i came up against 10 hours ago, and i can't commit them > > > dammit! > > > > > > ok, look in lib/util.c, find this: > > > > > > void setbuffer(...) > > > > > > make it this: > > > > > > void setbuffer(...) > > > > > > then do another make proto. > > > > Ok her is what I did: > > - edited the lib/util.c and put your change in it. > > - "make distclean" > > - "make proto" > > - "./configure --prefix=/opt/samba-tng --with-ldap" > > > > So to my big surprise I got what looks to me as the linking error from > > this morning: > > > > Linking bin/regedit > > lib/cmd_interp.o: In function `complete_svcenum': > > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > > lib/cmd_interp.o: In function `complete_printersenum': > > lib/cmd_interp.o(.text+0xe7c): undefined reference to > > `msrpc_spoolss_enum_printers' > > collect2: ld returned 1 exit status > > make: *** [bin/regedit] Error 1 > > zsh: 4055 exit 2 make > > > > Ok I think I give up. Need some sleep:) Could you predict when you're > > finished with these big changes you are doing right now or when I maybe > > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > > sorry I for giving you so much trouble:) > > > > inge > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From lkcl at samba.org Sun Feb 13 01:54:36 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <00c401bf75d5$c55689d0$0201a8c0@jason> Message-ID: On Sun, 13 Feb 2000, Jason Jensen wrote: > I'll believe it when I see it.. hehehhe hmmm.... give me 15 mins. From martinja at ice-works.com Sun Feb 13 02:33:09 2000 From: martinja at ice-works.com (Joseph A. Martin) Date: Tue Dec 2 02:28:32 2003 Subject: Directory Replication and Other Message-ID: <20000212213309.A21858@gr8brdg.net> Hello, I have been lurking on this list for a while now. I would like to try setting up SambaTNG as a BDC in our office and maybe later move it up as the PDC. I have a couple of questions first. I have read through the SambaTNG FAQ (thanks Lars!) and understand how to configure Samba as a BDC and how to use cron for SAM replication. BUT can I do Directory Replication with samba? Also does Samba support NT style ACL's on shares? thanks, later, joseph -- the "LaterDude" ICQ: 52640402 martinja@ice-works.com http://www.ice-works.com/personal/LaterDude/ All opinions expressed are my own and not necessarily those of my employer unless otherwise noted. From inge at cc.uit.no Sun Feb 13 02:36:47 2000 
From: inge at cc.uit.no (Inge-Haavard Hunstad) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG References: Message-ID: <38A618BF.EEB655D6@cc.uit.no> Luke Kenneth Casson Leighton wrote: > > managed to do a commit just now, got it compiled. > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > So to my big surprise I got what looks to me as the linking error from > > this morning: > > > > Linking bin/regedit > > lib/cmd_interp.o: In function `complete_svcenum': > > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > > lib/cmd_interp.o: In function `complete_printersenum': > > lib/cmd_interp.o(.text+0xe7c): undefined reference to > > `msrpc_spoolss_enum_printers' > > collect2: ld returned 1 exit status > > make: *** [bin/regedit] Error 1 > > zsh: 4055 exit 2 make > > > > Ok I think I give up. Need some sleep:) Could you predict when you're > > finished with these big changes you are doing right now or when I maybe > > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > > sorry I for giving you so much trouble:) OK I couldn't help myself so I deleted the samba source dir and did a fresh cvs checkout. But even if I don't have to do a "make proto" I have the same problem with the linking of regedit: Compiling utils/debug2html.c Linking bin/debug2html Compiling rpcclient/regedit.c Linking bin/regedit lib/cmd_interp.o: In function `complete_svcenum': lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' lib/cmd_interp.o: In function `complete_printersenum': lib/cmd_interp.o(.text+0xe7c): undefined reference to `msrpc_spoolss_enum_printers' collect2: ld returned 1 exit status make: *** [bin/regedit] Error 1 I just wanted to tell you:) Since you got it compiled maybe it's a problem with RedHat? inge From lkcl at samba.org Sun Feb 13 02:37:53 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A618BF.EEB655D6@cc.uit.no> Message-ID: no, it's probably cvs copy-sync problems. i'll see if i can force a re-copy by making some gratuitous mods. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > Luke Kenneth Casson Leighton wrote: > > > > managed to do a commit just now, got it compiled. > > > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > > > So to my big surprise I got what looks to me as the linking error from > > > this morning: > > > > > > Linking bin/regedit > > > lib/cmd_interp.o: In function `complete_svcenum': > > > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > > > lib/cmd_interp.o: In function `complete_printersenum': > > > lib/cmd_interp.o(.text+0xe7c): undefined reference to > > > `msrpc_spoolss_enum_printers' > > > collect2: ld returned 1 exit status > > > make: *** [bin/regedit] Error 1 > > > zsh: 4055 exit 2 make > > > > > > Ok I think I give up. Need some sleep:) Could you predict when you're > > > finished with these big changes you are doing right now or when I maybe > > > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > > > sorry I for giving you so much trouble:) > > OK I couldn't help my self so I deleted the samba source dir and did a > fresh cvs checkout. 
But even if I don't have to do a "make proto" I have > the same problem with the linking of regedit: > > Compiling utils/debug2html.c > Linking bin/debug2html > Compiling rpcclient/regedit.c > Linking bin/regedit > lib/cmd_interp.o: In function `complete_svcenum': > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > lib/cmd_interp.o: In function `complete_printersenum': > lib/cmd_interp.o(.text+0xe7c): undefined reference to > `msrpc_spoolss_enum_printers' > collect2: ld returned 1 exit status > make: *** [bin/regedit] Error 1 > > I just wanted to tell you:) Since you got it compiled maybe it's a > problem with RedHat? > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 13 02:45:44 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A618BF.EEB655D6@cc.uit.no> Message-ID: ok, i don't get this on debian, it's undefined, and it stays that way, no link warnings, nothing. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > Luke Kenneth Casson Leighton wrote: > > > > managed to do a commit just now, got it compiled. > > > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > > > So to my big surprise I got what looks to me as the linking error from > > > this morning: > > > > > > Linking bin/regedit > > > lib/cmd_interp.o: In function `complete_svcenum': > > > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > > > lib/cmd_interp.o: In function `complete_printersenum': > > > lib/cmd_interp.o(.text+0xe7c): undefined reference to > > > `msrpc_spoolss_enum_printers' > > > collect2: ld returned 1 exit status > > > make: *** [bin/regedit] Error 1 > > > zsh: 4055 exit 2 make > > > > > > Ok I think I give up. Need some sleep:) Could you predict when you're > > > finished with these big changes you are doing right now or when I maybe > > > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > > > sorry I for giving you so much trouble:) > > OK I couldn't help my self so I deleted the samba source dir and did a > fresh cvs checkout. 
But even if I don't have to do a "make proto" I have > the same problem with the linking of regedit: > > Compiling utils/debug2html.c > Linking bin/debug2html > Compiling rpcclient/regedit.c > Linking bin/regedit > lib/cmd_interp.o: In function `complete_svcenum': > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > lib/cmd_interp.o: In function `complete_printersenum': > lib/cmd_interp.o(.text+0xe7c): undefined reference to > `msrpc_spoolss_enum_printers' > collect2: ld returned 1 exit status > make: *** [bin/regedit] Error 1 > > I just wanted to tell you:) Since you got it compiled maybe it's a > problem with RedHat? > > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 13 02:46:26 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:32 2003 Subject: Compiling error Samba_TNG In-Reply-To: <38A618BF.EEB655D6@cc.uit.no> Message-ID: ah. of course. i don't have readline. On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > Luke Kenneth Casson Leighton wrote: > > > > managed to do a commit just now, got it compiled. > > > > On Sun, 13 Feb 2000, Inge-Haavard Hunstad wrote: > > > > > So to my big surprise I got what looks to me as the linking error from > > > this morning: > > > > > > Linking bin/regedit > > > lib/cmd_interp.o: In function `complete_svcenum': > > > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > > > lib/cmd_interp.o: In function `complete_printersenum': > > > lib/cmd_interp.o(.text+0xe7c): undefined reference to > > > `msrpc_spoolss_enum_printers' > > > collect2: ld returned 1 exit status > > > make: *** [bin/regedit] Error 1 > > > zsh: 4055 exit 2 make > > > > > > Ok I think I give up. Need some sleep:) Could you predict when you're > > > finished with these big changes you are doing right now or when I maybe > > > with more luck would be able to compile samba_TNG on a RH6.1 box. I'm > > > sorry I for giving you so much trouble:) > > OK I couldn't help my self so I deleted the samba source dir and did a > fresh cvs checkout. But even if I don't have to do a "make proto" I have > the same problem with the linking of regedit: > > Compiling utils/debug2html.c > Linking bin/debug2html > Compiling rpcclient/regedit.c > Linking bin/regedit > lib/cmd_interp.o: In function `complete_svcenum': > lib/cmd_interp.o(.text+0xd63): undefined reference to `msrpc_svc_enum' > lib/cmd_interp.o: In function `complete_printersenum': > lib/cmd_interp.o(.text+0xe7c): undefined reference to > `msrpc_spoolss_enum_printers' > collect2: ld returned 1 exit status > make: *** [bin/regedit] Error 1 > > I just wanted to tell you:) Since you got it compiled maybe it's a > problem with RedHat? 
> > inge > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 13 03:18:22 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:32 2003
Subject: Compiling error Samba_TNG
In-Reply-To: <00c401bf75d5$c55689d0$0201a8c0@jason>
Message-ID:

On Sun, 13 Feb 2000, Jason Jensen wrote:

> I'll believe it when I see it.. hehehhe

see? :)

From lkcl at samba.org Sun Feb 13 05:02:34 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:32 2003
Subject: [samba-tng] status
Message-ID:

ok. the results back from the very first rpctorture test, an ntlogin 100 times, showed that it was essential to reuse connections.

the "logintest" command, tested like this:

bin/rpctorture -S samba_thg-srv -U root%password -l log
[root@samba-tng-srv$ ] logintest -o 100 DOMAINNAME\username password

is quite a comprehensive test. it does:

- a root%password-based connection to the local machine (which happens to also be samba-tng-srv) to \PIPE\lsarpc to obtain the local copy of the trust account password. this connection is then closed, because it's policy-handle-based.

  lsa_open_policy("\\samba-tng-srv",..), lpsa_open_secret(), lsa_query_secret(), lsa_close(secret_hnd), lsa_close(pconnection_hnd).

  the last close reduces the connection-count on \\samba-tng-srv and the connection is closed automatically.

- a root%password-based connection to the remote machine to \PIPE\NETLOGON, over which the login - to samba-tng-srv - is carried out.

  netr_* - e.g NetrSamLogon - is _not_ policy-handle-based, therefore the connection is _not_ terminated, it is persistent.

herein lies the problem. _each_ ntlogin test was carrying out a _new_ connection, from the same rpctorture process, to the target smbd process. _each_ \PIPE\NETLOGON was creating a new netlogond (through smbd). however, there is a hard limit of 64 pipes per smbd process, so the 65th and subsequent logins failed.

now, i modified the code so that it reuses MSRPC connections. sounds simple, huh? in theory... yes :)

the factors to be taken into consideration are:

1) you can't reuse another user's connections. that's not on. if you do a "net use \\server /user:user1" and "net use \\server2 /user:user2", you don't expect on NT that the connection to \\server will suddenly use user2's password!

2) loop-back is distinguished with a name of "\\." from other server names. the code must work regardless of the target name, though.

3) smbd and other msrpc daemons accept connections, however they must also be able to _make_ connections. if a connection is made as the result of servicing an _incoming_ connection, the credentials to use to make the _outgoing_ connection must be picked up from the _incoming_ connection.

4) if an msrpc loop-back connection is reused by multiple user-contexts from the same smbd process, the user contexts must also not be confused / reused / ignored.

i am having a really hard time making sure that these user credentials are kept separate and are distinguished. it's not acceptable _not_ to reuse connections if the same user context exists, as shown by the logintest.

the state i am in now is that i can issue msrpc calls that will reuse a connection. _however_, when they reach smbd and are redirected to the msrpc daemon, they cannot be distinguished by the target msrpc daemon from any other user contexts.

i know what to do, i just really didn't want to have to do it at this stage. i basically have to add proper multi-user-context support between smbd and the msrpc daemons. it will be based on the [pid, vuid] key. it will be a lookup table.

hmm... you know... i think i don't need to, i think i just have a bug...

this stuff isn't simple. and when it's not simple, it worries me. not-simple things have a habit of coming crashing down on your head by simply picking at one thread. i wonder if there's a way to _make_ it simple...

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Sun Feb 13 06:12:08 2000
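The reuse rules from the status message above (share a connection only when server, pipe and user context all match, under a hard limit of 64 pipes), as an added example that is not part of the original post or of Samba-TNG's code. The struct and function names, the slot table and the [pid, vuid] values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PIPES 64   /* hard limit of pipes per smbd process, from the post */

/* Hypothetical user-context key; the post proposes [pid, vuid]. */
struct user_key { unsigned pid, vuid; };

struct rpc_conn {
    int refs;                      /* 0 means the slot is free / closed */
    char server[32], pipe[32];
    struct user_key key;
};

struct conn_cache { struct rpc_conn slot[MAX_PIPES]; };

/* A connection may be shared only if server, pipe AND user context match. */
static int same_conn(const struct rpc_conn *r, const char *server,
                     const char *pipe, struct user_key k)
{
    return r->key.pid == k.pid && r->key.vuid == k.vuid &&
           strcmp(r->server, server) == 0 && strcmp(r->pipe, pipe) == 0;
}

/* Returns a slot index, or -1 when all MAX_PIPES slots are taken.
 * The server name is compared as given, so "\\." is just another name. */
int conn_use(struct conn_cache *c, const char *server, const char *pipe,
             struct user_key k, int reuse)
{
    struct rpc_conn *n;
    int i, free_slot = -1;

    for (i = 0; i < MAX_PIPES; i++) {
        struct rpc_conn *r = &c->slot[i];
        if (r->refs == 0) {
            if (free_slot < 0) free_slot = i;
        } else if (reuse && same_conn(r, server, pipe, k)) {
            r->refs++;             /* same user context: share it */
            return i;
        }
    }
    if (free_slot < 0) return -1;
    n = &c->slot[free_slot];
    snprintf(n->server, sizeof n->server, "%s", server);
    snprintf(n->pipe, sizeof n->pipe, "%s", pipe);
    n->key = k;
    n->refs = 1;
    return free_slot;
}

/* Dropping the last reference closes the connection (frees the slot). */
void conn_unuse(struct conn_cache *c, int idx)
{
    if (idx >= 0 && idx < MAX_PIPES && c->slot[idx].refs > 0)
        c->slot[idx].refs--;
}

int live_conns(const struct conn_cache *c)
{
    int i, n = 0;
    for (i = 0; i < MAX_PIPES; i++) n += c->slot[i].refs > 0;
    return n;
}

/* One login = short-lived lsarpc connection (closed again) plus a
 * persistent NETLOGON connection, as in the logintest description. */
static int simulate(int n, int reuse, int *live)
{
    struct conn_cache c;
    struct user_key root = { 4242, 1 };      /* constructed values */
    int i, ok = 0;

    memset(&c, 0, sizeof c);
    for (i = 0; i < n; i++) {
        int lsa = conn_use(&c, "\\\\samba-tng-srv", "\\PIPE\\lsarpc", root, reuse);
        if (lsa < 0) continue;               /* no pipe left: login fails */
        conn_unuse(&c, lsa);
        if (conn_use(&c, "\\\\samba-tng-srv", "\\PIPE\\NETLOGON", root, reuse) >= 0)
            ok++;
    }
    if (live) *live = live_conns(&c);
    return ok;
}

int logins_ok(int n, int reuse) { return simulate(n, reuse, NULL); }
int live_after(int n, int reuse) { int l; simulate(n, reuse, &l); return l; }

/* Two user contexts on the same loop-back pipe must not share a slot. */
int users_kept_separate(void)
{
    struct conn_cache c;
    struct user_key u1 = { 4242, 1 }, u2 = { 4242, 2 };
    int a, b, a2;

    memset(&c, 0, sizeof c);
    a  = conn_use(&c, "\\\\.", "\\PIPE\\NETLOGON", u1, 1);
    b  = conn_use(&c, "\\\\.", "\\PIPE\\NETLOGON", u2, 1);
    a2 = conn_use(&c, "\\\\.", "\\PIPE\\NETLOGON", u1, 1);
    return a != b && a2 == a && live_conns(&c) == 2;
}

int main(void)
{
    printf("no reuse: %d/100 logins ok\n", logins_ok(100, 0));
    printf("reuse:    %d/100 logins ok, %d live\n", logins_ok(100, 1), live_after(100, 1));
    printf("user contexts separate: %d\n", users_kept_separate());
    return 0;
}
```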
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:32 2003
Subject: [samba-tng] status
In-Reply-To:
Message-ID:

On Sun, 13 Feb 2000, Luke Kenneth Casson Leighton wrote:

> ok. the results back from the very first rpctorture test, an ntlogin 100
> times, showed that it was essential to reuse connections.

i got it! it was bugs.

i now have connection reuse. the client-side code doesn't ask for a new msrpc connection for a user if one already exists. *whew*.

so, rpctorture now shows 100 connections with a simultaneous connection to NETLOGON and lsarpc pipes, each of which reuse the same SMB connection (oh, did i forget to mention that? the msrpc code has reuse which is INDEPENDENT of SMB connection reuse :-) :-) GOD this is so horrible! just wait till DCE/RPC over TCP gets added, if you think it's complicated now...)

From lkcl at samba.org Sun Feb 13 07:26:40 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:32 2003
Subject: [samba-tng] status rpctorture
Message-ID:

ok, i used rpctorture to hammer my little 64mb 200p2 a bit.

logintest -N 50 -o 100 TEST\root test

50 simultaneous processes, 100 sequential logins each process, domain TEST, user root, password test.

it was managing fine, then i think some of the SMB connections timed out, not surprising with a load average of 6 to 9. once some of the connections failed, the loadavg went up to 11 to 15.

which brings me on to the _other_ thing i was thinking of adding: connection retry on timeout / disconnect / fail. another thing i'm reluctant to add, but have to.

i'll think about it.

From lkcl at samba.org Sun Feb 13 07:54:24 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:32 2003
Subject: samba-tng-alpha-0.3.tar.gz
Message-ID:

ftp samba.org or mirror, pub/samba/alpha.

first torture test (100 logins) showed that connection reuse was essential, which is now working properly.

second torture test (5,000 logins) showed that connection retries is going to be needed.

luke

From zen at uninet.net.id Sun Feb 13 13:04:51 2000
From: zen at uninet.net.id (ZEN el GUAY)
Date: Tue Dec 2 02:28:32 2003
Subject: more domains on one server
In-Reply-To:
References:
Message-ID: <00021320055400.00666@zen.sphenisci.or.id>

On Sat, 12 Feb 2000, Luke Kenneth Casson Leighton wrote:

> he's using the standard start-up scripts which of course can only do one
> smbd process (kill `cat smbd.pid`)...
>

Suppose I have three IP and want this to happen, should I add another line in startup script to let Samba recognise all of three smb.conf ? Or is it enough that startup scripts will be read only one smb.conf. Or is it better to use TNG, with Cliff Meece startup scripts?

ZEN

From lynn at cis.usouthal.edu Sun Feb 13 19:06:38 2000
From: lynn at cis.usouthal.edu (Keith Lynn)
Date: Tue Dec 2 02:28:32 2003
Subject: Domain groups
Message-ID:

Can someone tell me how to set up a group on a Samba machine so that an NT client can see the group when I click on the Add feature when trying to set Directory permissions?

Thanks.

Keith Lynn

From martin at tantalus.com Sun Feb 13 22:34:56 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:32 2003
Subject: Funny Stuff
Message-ID: <000801bf7672$8e287a70$12f066cf@tantalus>

I'm sure not all of you run Linux.. There MUST be some die hard Solaris ppl on this list..

Have a look at Microsoft's view of Sun Microsystems

http://www.microsoft.com/windows2000/news/dot-truth.asp

___________________________________________
Martin Brown, Unix Systems Administrator
Tantalus Communications Inc.
500-1122 Mainland Street
Vancouver, BC, Canada V6B 5L1
martin@tantalus.com

Direct 604.721-0351
Main 604.609.0700
Fax 604.609.0705
Toll Free 1.877.326.6776

http://www.tantalus.com
"When eBusiness experience counts."

From ed at schernau.com Sun Feb 13 23:05:50 2000
From: ed at schernau.com (Edward Schernau)
Date: Tue Dec 2 02:28:32 2003
Subject: Funny Stuff
References: <000801bf7672$8e287a70$12f066cf@tantalus>
Message-ID: <38A738CE.9446CB80@schernau.com>

Martin Brown wrote:
>
> I'm sure not all of you run Linux.. There MUST be some die hard Solaris ppl
> on this list..
>
> Have a look at Microsoft's view of Sun Microsystems
>
> http://www.microsoft.com/windows2000/news/dot-truth.asp

Pretty childishly written, hmm?
--
Edward Schernau http://www.schernau.com
Network Architect mailto:ed@schernau.com
Rational Computing Providence, RI, USA

From rogan at sdsc.edu Sun Feb 13 22:54:44 2000
From: rogan at sdsc.edu (Rogan Lynch)
Date: Tue Dec 2 02:28:32 2003
Subject: Funny Stuff
In-Reply-To: <38A738CE.9446CB80@schernau.com>
References: <000801bf7672$8e287a70$12f066cf@tantalus>
Message-ID: <4.2.0.58.20000213145304.00ae94d8@postal.sdsc.edu>

Pretty Arrogant...

Now Microsoft has the corner on the REALITY market too... They're dispensing truth as if they were the Vatican.

At 09:50 AM 02/14/2000 +1100, you wrote:
>Martin Brown wrote:
> >
> > I'm sure not all of you run Linux.. There MUST be some die hard Solaris ppl
> > on this list..
> >
> > Have a look at Microsoft's view of Sun Microsystems
> >
> > http://www.microsoft.com/windows2000/news/dot-truth.asp
>
>Pretty childishly written, hmm?
>--
>Edward Schernau http://www.schernau.com
>Network Architect mailto:ed@schernau.com
>Rational Computing Providence, RI, USA

Rogan Lynch
PC Consultant
ICQ: 3929901

From lkcl at samba.org Sun Feb 13 23:01:01 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <38A738CE.9446CB80@schernau.com>
Message-ID:

On Mon, 14 Feb 2000, Edward Schernau wrote:

> > Have a look at Microsoft's view of Sun Microsystems
> >
> > http://www.microsoft.com/windows2000/news/dot-truth.asp
>
> Pretty childishly written, hmm?

i don't get it. microsoft is a major market-share company, and they let their employees...

am i missing something, here? i mean, is it really the truth?

i mean, if they _want_ to talk about reliability, i'm quite happy to join in, face-to-face. with a few demonstrations, they'd have me escorted off the premises in a _real_ big hurry.

From lkcl at samba.org Sun Feb 13 23:03:20 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <4.2.0.58.20000213145304.00ae94d8@postal.sdsc.edu>
Message-ID:

On Mon, 14 Feb 2000, Rogan Lynch wrote:

>
> Pretty Arrogant...
>
> Now Microsoft has the corner on the REALITY market too... They're
> dispensing truth as if they were the Vatican.

no, wait - wait - what's the year? 1929? 1948/1984? NO! it's 2000! sorry, false alarm, i forgot, this is the 21st century. things like reality can't be cornered, we're in the information age, after all.

From s.striker at striker.nl Sun Feb 13 23:15:37 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <000801bf7672$8e287a70$12f066cf@tantalus>
Message-ID:

>I'm sure not all of you run Linux.. There MUST be some die hard Solaris ppl
>on this list..
>
>Have a look at Microsoft's view of Sun Microsystems
>
>http://www.microsoft.com/windows2000/news/dot-truth.asp

Heh heh, those guys keep making the same mistake over and over again. When will it come to mind that fixing the 65000+ bugs in w2k will lead to better availability. This is of course a lot harder than telling people that the competitor's OS is a lot worse...

Sander

PS. Please don't start a M$ flame war over this. The list is busy enough as it is without it. :-) We wouldn't want Luke to have hit 'save' for half of the pile of mail he gets? ;-)

From anders at aae.wisc.edu Sun Feb 13 23:16:23 2000
From: anders at aae.wisc.edu (Anders C. Thorsen)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <000801bf7672$8e287a70$12f066cf@tantalus>
References: <000801bf7672$8e287a70$12f066cf@tantalus>
Message-ID: <200002132316.RAA19858@pug.aae.wisc.edu>

Funny.. if Windows is so stable.. why is it that hotmail.com is still using FreeBSD...?

Personally I think these sites used a fast hack, as opposite to an implementation when they changed platform.

--Anders

Quoting Martin Brown :

>
> I'm sure not all of you run Linux.. There MUST be some die hard Solaris ppl
> on this list..
>
> Have a look at Microsoft's view of Sun Microsystems
>
> http://www.microsoft.com/windows2000/news/dot-truth.asp
>
> ___________________________________________
> Martin Brown, Unix Systems Administrator
> Tantalus Communications Inc.
> 500-1122 Mainland Street
> Vancouver, BC, Canada V6B 5L1
> martin@tantalus.com
>
> Direct 604.721-0351
> Main 604.609.0700
> Fax 604.609.0705
> Toll Free 1.877.326.6776
>
> http://www.tantalus.com
> "When eBusiness experience counts."
>

From mml1000 at cam.ac.uk Sun Feb 13 23:39:22 2000
From: mml1000 at cam.ac.uk (Matthew M Lavy)
Date: Tue Dec 2 02:28:33 2003
Subject: NT client auth lists etc
Message-ID:

Hi.

Context: trying to get a workstation printer to be available to a specific user only in a Samba 2.0.6 Domain.

Problem: can't successfully use the printer remotely

Having been told about the limit to the length of the domain user list, I can now get the permissions->add dialog on a printer share on a workstation in my domain, and add the user MYDOMAIN\printuser as "Full Control".

Unfortunately, this doesn't seem to let me actually USE the printer. The command:

"smbclient \\\\computer-in-question\\printshare$ -U printuser%pass -P"

authenticates successfully (I get a SMB:> prompt). The problem is that trying actually to print something:

"print goose.ps"

Produces an error; something along the lines of "cannot access remote document".

One slight clue is that going back to the permissions->add dialog on the workstation no longer shows MYDOMAIN\printuser but MYDOMAIN\Account UNknown.

Perhaps 2.0.6 does not support this sort of use? For me, another way around the problem would be to create a local workstation account that can be accessed remotely, but the problem here is that smbclient appears not to be able to authenticate locally. Is this valid syntax?

"smbclient \\\\server\\printer$ -U 'WORKSTATION\user' -P"

Any comments would be appreciated...

--
Matthew M Lavy BA MPhil ARCM LTCL
Jesus College, Cambridge CB5 8BL
Tel: +44 1223 511338
email: mml1000@jesus.cam.ac.uk

From dominik.kubla at uni-mainz.de Sun Feb 13 23:44:44 2000
From: dominik.kubla at uni-mainz.de (Dominik Kubla)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <200002132316.RAA19858@pug.aae.wisc.edu>; from Anders C. Thorsen on Mon, Feb 14, 2000 at 10:18:59AM +1100
References: <000801bf7672$8e287a70$12f066cf@tantalus> <200002132316.RAA19858@pug.aae.wisc.edu>
Message-ID: <20000214004444.D21993@uni-mainz.de>

On Mon, Feb 14, 2000 at 10:18:59AM +1100, Anders C. Thorsen wrote:
> Funny.. if Windows is so stable.. why is it that
> hotmail.com is still using FreeBSD...?

Which incidentally is only run on the FRONTENDS, the backends use... Solaris!

Dominik

From mhw at wittsend.com Sun Feb 13 23:51:07 2000
From: mhw at wittsend.com (Michael H. Warfield)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: ; from lkcl@samba.org on Mon, Feb 14, 2000 at 10:07:57AM +1100
References: <38A738CE.9446CB80@schernau.com>
Message-ID: <20000213185107.C2444@alcove.wittsend.com>

On Mon, Feb 14, 2000 at 10:07:57AM +1100, Luke Kenneth Casson Leighton wrote:
> On Mon, 14 Feb 2000, Edward Schernau wrote:

> > > Have a look at Microsoft's view of Sun Microsystems

> > > http://www.microsoft.com/windows2000/news/dot-truth.asp

> > Pretty childishly written, hmm?

> i don't get it. microsoft is a major market-share company, and they let
> their employees...

> am i missing something, here? i mean, is it really the truth?

> i mean, if they _want_ to talk about reliability, i'm quite happy to join
> in, face-to-face. with a few demonstrations, they'd have me escorted off
> the premises in a _real_ big hurry.

Dude! I would pay GOOD MONEY to watch THAT show!

:-)

Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!

From lkcl at samba.org Mon Feb 14 00:04:16 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <20000214004444.D21993@uni-mainz.de>
Message-ID:

On Mon, 14 Feb 2000, Dominik Kubla wrote:

> On Mon, Feb 14, 2000 at 10:18:59AM +1100, Anders C. Thorsen wrote:
> > Funny.. if Windows is so stable.. why is it that
> > hotmail.com is still using FreeBSD...?
>
> Which incidentally is only run on the FRONTENDS, the backends use...
> Solaris!

*giggle* that's funny. i like that.

i heard that a couple of years ago, when microsoft bought hotmail, they tried to install exchange.

From lkcl at samba.org Mon Feb 14 00:07:57 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:33 2003
Subject: Funny Stuff
In-Reply-To: <20000213185107.C2444@alcove.wittsend.com>
Message-ID:

> > i mean, if they _want_ to talk about reliability, i'm quite happy to join
> > in, face-to-face. with a few demonstrations, they'd have me escorted off
> > the premises in a _real_ big hurry.
>
> Dude! I would pay GOOD MONEY to watch THAT show!

[picks self up off floor]. ah come on, mike, you _know_ it would be a one-sided err.. conversation.

for the record, i have to say that i am as impressed by nt5's reliability (except from the black screen of death) as i am dismayed by nt4's ability to be shut down, terminated with extreme prejudice etc, in approximately... 200 different ways that i could code up, if i could be bothered to.

From mgeddes at xavier.sa.edu.au Mon Feb 14 00:47:47 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: Message-ID: <38A750B3.27FDA566@xavier.sa.edu.au> Luke Kenneth Casson Leighton wrote: > > > i mean, if they _want_ to talk about reliability, i'm quite happy to join > > > in, face-to-face. with a few demonstrations, they'd have me escorted off > > > the premises in a _real_ big hurry. > > > > Dude! I would pay GOOD MONEY to watch THAT show! > > [picks self up off floor]. ah come on, mike, you _know_ it would be a > one-sided err.. conversation. > > for the record, i have to say that i am as impressed by nt5's reliability > (except from the black screen of death) as i am dismayed by nt4's ability > to be shut down, terminated with extreme prejudice etc, in > approximately... 200 different ways that i could code up, if i could be > bothered to do. I'd just like to make it known just how *hard* I am trying not to add my comments and opinions of the matter (I agree with what's said so far). Like many people, I have strong (almost religious) beliefs and opinions on OSs and I'd just like everyone to know just how hard we are trying not to flood the list with (justified?) opinions (flames). ;-) Matt From lkcl at samba.org Mon Feb 14 00:47:01 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <38A750B3.27FDA566@xavier.sa.edu.au> Message-ID: > > for the record, i have to say that i am as impressed by nt5's reliability > > (except from the black screen of death) as i am dismayed by nt4's ability > > to be shut down, terminated with extreme prejudice etc, in > > approximately... 200 different ways that i could code up, if i could be > > bothered to do. > > I'd just like to make it known just how *hard* I am trying not to add my the rules apply to me as well as anyone else. which is why i said what i said (above). my general ethic is, be honest and unreserved. if justifiable harassment on a technical point produces results, spend an equal amount of time praising the results. luke From mjwestkamper at weiinc.com Mon Feb 14 01:21:14 2000 
From: mjwestkamper at weiinc.com (Mike) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: Message-ID: <38A7588A.7BCF4139@weiinc.com> How about we foment a shoot out. Something like the Winston Cup.. I provide identical hardware platforms. Leading proponents of Linux and Windows must gen up a system from CD's I purchase over-the-counter. They have one day to gen the system. We run a set of benchmarks. Publish the results. The systems must serve a relational database, print server, PDC, web server, mail server. All the tests will run via a multi-homed 100BaseT connection. Whatcha think? Luke Kenneth Casson Leighton wrote: > > > for the record, i have to say that i am as impressed by nt5's reliability > > > (except from the black screen of death) as i am dismayed by nt4's ability > > > to be shut down, terminated with extreme prejudice etc, in > > > approximately... 200 different ways that i could code up, if i could be > > > bothered to do. > > > > I'd just like to make it known just how *hard* I am trying not to add my > > the rules apply to me as well as anyone else. which is why i said what i > said (above). my general ethic is, be honest and unreserved. if > justifiable harassment on a technical point produces results, spend an > equal amount of time praising the results. > > luke From lkcl at samba.org Mon Feb 14 01:39:04 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <38A7588A.7BCF4139@weiinc.com> Message-ID: can i write some programs to do a concerted attack against them at the same time as they're doing this? i promise to cut the network traffic to... one packet per second. hmm... *thinks*.... even so, it's going to be a _really_ short test. > I provide identical hardware platforms. > > Leading proponents of Linux and Windows must gen up a system from CD's I purchase > over-the-counter. They have one day to gen the system. We run a set of > benchmarks. Publish the results. > > The systems must serve a relational database, print server, PDC, web server, mail > server. All the tests will run via a multi-homed 100BaseT connection. > > Whatcha think? From mgeddes at xavier.sa.edu.au Mon Feb 14 01:57:53 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: Message-ID: <38A76121.16D289AE@xavier.sa.edu.au> Luke Kenneth Casson Leighton wrote: > can i write some programs to do a concerted attack against them at the > same time as they're doing this? > > i promise to cut the network traffic to... one packet per second. hmm... > *thinks*.... even so, it's going to be a _really_ short test. > > > I provide identical hardware platforms. > > > > Leading proponents of Linux and Windows must gen up a system from CD's I purchase > > over-the-counter. They have one day to gen the system. We run a set of > > benchmarks. Publish the results. > > > > The systems must serve a relational database, print server, PDC, web server, mail > > server. All the tests will run via a multi-homed 100BaseT connection. > > > > Whatcha think? Ooh! Ohh! Let me watch! Let me watch! I've already done some VERY inaccurate and basic tests copying data and things (general file serving) and Linux won hands down. Matt From mhw at wittsend.com Mon Feb 14 01:50:34 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: ; from lkcl@samba.org on Mon, Feb 14, 2000 at 12:41:24PM +1100 References: <38A7588A.7BCF4139@weiinc.com> Message-ID: <20000213205034.D2444@alcove.wittsend.com> On Mon, Feb 14, 2000 at 12:41:24PM +1100, Luke Kenneth Casson Leighton wrote: > can i write some programs to do a concerted attack against them at the > same time as they're doing this? > i promise to cut the network traffic to... one packet per second. hmm... > *thinks*.... even so, it's going to be a _really_ short test. > > I provide identical hardware platforms. > > > > Leading proponents of Linux and Windows must gen up a system from CD's I purchase > > over-the-counter. They have one day to gen the system. We run a set of > > benchmarks. Publish the results. > > > > The systems must serve a relational database, print server, PDC, web server, mail > > server. All the tests will run via a multi-homed 100BaseT connection. > > > > Whatcha think? Guys, guys, guys... I REALLY hate these things. Nobody wins them. Absolutely nobody. They can always be rigged and jiggered one way or the other and the loser always has grounds to cry foul. In the security business these sorts of shoot-outs and challenges are looked down on like scorpions because they are so meaningless, although it doesn't stop some of our lowlifes from trying. It's really a waste of time and effort. It won't serve our goals, just divert our energies. Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From lkcl at samba.org Mon Feb 14 01:59:59 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <38A76121.16D289AE@xavier.sa.edu.au> Message-ID: > Ooh! Ohh! Let me watch! Let me watch! > > I've already done some VERY inaccurate and basic tests copying data and things > (general file serving) and Linux won hands down. > did you have an nt performance-tuning scientist on-hand? you need one of those to be able to get nt to do 5 times better performance than linux, you know. From lkcl at samba.org Mon Feb 14 02:01:34 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <20000213205034.D2444@alcove.wittsend.com> Message-ID: > > > Whatcha think? > > Guys, guys, guys... I REALLY hate these things. Nobody wins > them. Absolutely nobody. They can always be rigged and jiggered one > way or the other and the loser always has grounds to cry foul. In the > security business these sorts of shoot-outs and challenges are looked mmm. you have a point. From mgeddes at xavier.sa.edu.au Mon Feb 14 02:18:04 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: Message-ID: <38A765DC.1A262B87@xavier.sa.edu.au> Luke Kenneth Casson Leighton wrote: > > > > Whatcha think? > > > > Guys, guys, guys... I REALLY hate these things. Nobody wins > > them. Absolutely nobody. They can always be rigged and jiggered one > > way or the other and the loser always has grounds to cry foul. In the > > security business these sorts of shoot-outs and challenges are looked > > mmm. you have a point. I agree. And Luke, I didn't have any engineers, but that's 'cause I wasn't "sponsored" by either side ;-). Matt From jon at document-solutions.com Mon Feb 14 04:21:55 2000 
From: jon at document-solutions.com (Jon Doyle) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff Message-ID: I see they mention all the sites running NT, but what about the failure report? Petopia.com, AT&T and dozens of Security Breaches. The Army pulled IIS (for Apple) But more real why not concentrate on the Market they are good in? I know many will not like it, but I feel the Collocation, Big Oracle, E-commerce market is Sun, and increasingly Linux, whereas NT is big in the Office for Outlook-Exchange. Even with the problems there NT does rule in the GUI-Apps that "users" like. Where Unix (Solaris-Linux) are the only valid choices for your Colo. I mean look at the Big Switches from Lucent in Telecoms, or E-Commerce they say!; Blue Marini, ATG, and IPlanet are all Unix. Whatever, M$ has to tout their warez....Most are realizing the differences in where to deploy however. I saw a report after the Linux show in NY that said 25% of Servers last year were Linux, while NT remained steady, it is clearly an indication that the market will move into specialties. An example is funding here in the valley. Most Venture firms will look at the IT solutions and I have been told EXPECT to see Sun for security, reliability, and if NT is involved it is bad. Meaning Sun, Cisco, and Linux are "key" words they look for. Regards, Jon >>> Mike 02/13/00 17:23 PM >>> How about we foment a shoot out. Something like the Winston Cup.. I provide identical hardware platforms. Leading proponents of Linux and Windows must gen up a system from CD's I purchase over-the-counter. They have one day to gen the system. We run a set of benchmarks. Publish the results. The systems must serve a relational database, print server, PDC, web server, mail server. All the tests will run via a multi-homed 100BaseT connection. Whatcha think? 
Luke Kenneth Casson Leighton wrote: > > > for the record, i have to say that i am as impressed by nt5's reliability > > > (except from the black screen of death) as i am dismayed by nt4's ability > > > to be shut down, terminated with extreme prejudice etc, in > > > approximately... 200 different ways that i could code up, if i could be > > > bothered to do. > > > > I'd just like to make it known just how *hard* I am trying not to add my > > the rules apply to me as well as anyone else. which is why i said what i > said (above). my general ethic is, be honest and unreserved. if > justifiable harassment on a technical point produces results, spend an > equal amount of time praising the results. > > luke From jon at document-solutions.com Mon Feb 14 04:26:00 2000 From: jon at document-solutions.com (Jon Doyle) Date: Tue Dec 2 02:28:33 2003 Subject: Samba and Deleted files Message-ID: I am looking to replace some Novell-NT Servers with Samba on Linux. The Shop is heavy Unix (on H/P) but for "office' use there are dozens of Aging Novell-NT Servers. We all would like to use Unix where possible. One issue we came up with is deletion of files. Does any one know how we might get a solution to this? I mean if there is a large Network share and someone deletes a file....we do not want to be called every day to grab the DLT. Regards, Jon From mjwestkamper at weiinc.com Mon Feb 14 04:31:20 2000 
From: mjwestkamper at weiinc.com (Mike) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: Message-ID: <38A78518.CCDC2BC3@weiinc.com> Ok I give up. It was just an idea. No axe to grind here. I use NT and Linux. Both have their place. I must say though our customers are looking more toward Linux. The number of systems we are developing is about 50/50 now whereas it was 10% Linux to 90% NT just a year ago. Back on topic. I, for one, appreciate the work done here. We use SAMBA internally and have one big customer using it. More to come. The performance is excellent. Mike Luke Kenneth Casson Leighton wrote: > > > for the record, i have to say that i am as impressed by nt5's reliability > > > (except from the black screen of death) as i am dismayed by nt4's ability > > > to be shut down, terminated with extreme prejudice etc, in > > > approximately... 200 different ways that i could code up, if i could be > > > bothered to do. > > > > I'd just like to make it known just how *hard* I am trying not to add my > > the rules apply to me as well as anyone else. which is why i said what i > said (above). my general ethic is, be honest and unreserved. if > justifiable harassment on a technical point produces results, spend an > equal amount of time praising the results. > > luke From jmeff at engsoc.queensu.ca Mon Feb 14 04:38:23 2000 
From: jmeff at engsoc.queensu.ca (Jamie ffolliott) Date: Tue Dec 2 02:28:33 2003 Subject: [Samba-TNG] Diagnosis steps fail in latest CVS Message-ID: Hi All, I'm testing out the Samba PDC code once again (from CVS Feb 13 on Redhat 6.x) and hoping to update a server running some older Samba-2.1prealpha code from last March (which has been running very reliably, except for the occasional roaming profile problem). I ran into some 'connection refused' errors with smbpasswd -j SAMBA to join the domain (following the TNG faq), so I investigated my setup a bit more. Went through the DIAGNOSIS.txt steps and testparm, and found that steps four to six are broken (all the others, 1-3 and 7 work fine). Nothing seems to be wrong in my smb.conf, and I've checked that all the diagnosis steps work with samba-2.0.6 but not with TNG on this machine when using the same smb.conf (without PDC features enabled in smb.conf). The loopback adapter is working as well, if that helps. I figure I should wait to see these few tests working properly before reporting anything else on PDC support in TNG in case they're related. Output on those commands and my smb.conf pasted below. Can anyone tell me what might be wrong, or should I expect that a lot of things might be broken at the moment? Diagnosis steps: step 4: nmblookup -B DEGOBAH __SAMBA__ doing parameter timestamp logs = false pm_process() returned Yes lp_servicenumber: couldn't find homes Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 Sending queries to 192.168.69.2 socket open succeeded. file name: /tmp/.nmb/agent socket connect to /tmp/.nmb/agent failed: Connection refused name_query failed to find name __SAMBA__ step 5: nmblookup -B jason '*' doing parameter timestamp logs = false pm_process() returned Yes lp_servicenumber: couldn't find homes Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 Sending queries to 192.168.69.3 socket open succeeded. 
file name: /tmp/.nmb/agent socket connect to /tmp/.nmb/agent failed: Connection refused name_query failed to find name * step 6: nmblookup -d 2 '*' doing parameter timestamp logs = false pm_process() returned Yes lp_servicenumber: couldn't find homes Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 Sending queries to 192.168.69.255 socket open succeeded. file name: /tmp/.nmb/agent socket connect to /tmp/.nmb/agent failed: Connection refused name_query failed to find name * smb.conf [global] netbios name = DEGOBAH workgroup = SAMBA server string = Samba Server hosts allow = 127.0.0.1 192.168.69. load printers = yes log file = /var/log/samba/log.%m max log size = 5000 security = user password level = 8 username level = 8 encrypt passwords = yes smb passwd file = /etc/smbpasswd socket options = TCP_NODELAY interfaces = 192.168.69.2/24 local master = yes os level = 63 domain master = yes preferred master = yes domain logons = yes logon path = \\%L\Profiles\%U wins support = yes dns proxy = no debug level = 100 timestamp logs = false [homes] comment = Home Directories browseable = no writable = yes path = /home [netlogon] comment = Network Logon Service path = /home/netlogon guest ok = yes locking = no writable = no share modes = no [Profiles] path = /home/profiles browseable = no guest ok = yes [tmp] comment = Temporary file space path = /tmp read only = no public = yes Jamie From skvidal at phy.duke.edu Mon Feb 14 04:49:53 2000 
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:33 2003 Subject: Samba and Deleted files In-Reply-To: Message-ID: > One issue we came up with is deletion of files. Does any one know how > we might get a solution to this? I mean if there is a large Network > share and someone deletes a file....we do not want to be called every > day to grab the DLT. are they currently using a trashcan or some-such nonsense? you should be able to create a network trashcan that saves files. - it's an NT adjustment though. another option is to dump the last days backups to disk and then roll to tape at nite. that way you have 1 days worth on fast media. -sv From lkcl at samba.org Mon Feb 14 05:14:11 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: [Samba-TNG] Diagnosis steps fail in latest CVS In-Reply-To: Message-ID: jaime, follow the source/README instructions, particularly those of lars' FAQ. On Mon, 14 Feb 2000, Jamie ffolliott wrote: > Hi All, > > I'm testing out the Samba PDC code once again (from CVS Feb 13 on Redhat > 6.x) and hoping to update a server running some older Samba-2.1prealpha > code from last March (which has been running very reliably, except for the > occasional roaming profile problem). > > I ran into some 'connection refused' errors with > smbpasswd -j SAMBA to join the domain (following the TNG faq), so I > investigated my setup a bit more. Went through the DIAGNOSIS.txt steps > and testparm, and found that steps four to six are broken (all the others, > 1-3 and 7 work fine). Nothing seems to be wrong in my smb.conf, and I've > checked that all the diagnosis steps work with samba-2.0.6 but not with > TNG on this machine when using the same smb.conf (without PDC features > enabled in smb.conf). The loopback adapter is working as well, if that > helps. > > I figure I should wait to see these few tests working properly before > reporting anything else on PDC support in TNG in case they're related. > Output on those commands and my smb.conf pasted below. > > Can anyone tell me what might be wrong, or should I expect that a lot of > things might be broken at the moment? > > Diagnosis steps: > step 4: nmblookup -B DEGOBAH __SAMBA__ > doing parameter timestamp logs = false > pm_process() returned Yes > lp_servicenumber: couldn't find homes > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 > Sending queries to 192.168.69.2 > socket open succeeded. 
file name: /tmp/.nmb/agent > socket connect to /tmp/.nmb/agent failed: Connection refused > name_query failed to find name __SAMBA__ > > step 5: nmblookup -B jason '*' > doing parameter timestamp logs = false > pm_process() returned Yes > lp_servicenumber: couldn't find homes > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 > Sending queries to 192.168.69.3 > socket open succeeded. file name: /tmp/.nmb/agent > socket connect to /tmp/.nmb/agent failed: Connection refused > name_query failed to find name * > > step 6: nmblookup -d 2 '*' > doing parameter timestamp logs = false > pm_process() returned Yes > lp_servicenumber: couldn't find homes > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0 > Sending queries to 192.168.69.255 > socket open succeeded. file name: /tmp/.nmb/agent > socket connect to /tmp/.nmb/agent failed: Connection refused > name_query failed to find name * > > smb.conf > [global] > netbios name = DEGOBAH > workgroup = SAMBA > server string = Samba Server > hosts allow = 127.0.0.1 192.168.69. 
> load printers = yes > log file = /var/log/samba/log.%m > max log size = 5000 > security = user > password level = 8 > username level = 8 > encrypt passwords = yes > smb passwd file = /etc/smbpasswd > socket options = TCP_NODELAY > interfaces = 192.168.69.2/24 > local master = yes > os level = 63 > domain master = yes > preferred master = yes > domain logons = yes > logon path = \\%L\Profiles\%U > wins support = yes > dns proxy = no > debug level = 100 > timestamp logs = false > > [homes] > comment = Home Directories > browseable = no > writable = yes > path = /home > > [netlogon] > comment = Network Logon Service > path = /home/netlogon > guest ok = yes > locking = no > writable = no > share modes = no > > [Profiles] > path = /home/profiles > browseable = no > guest ok = yes > > [tmp] > comment = Temporary file space > path = /tmp > read only = no > public = yes > > Jamie > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From Jean-Francois.Micouleau at dalalu.fr Mon Feb 14 07:49:35 2000 From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau) Date: Tue Dec 2 02:28:33 2003 Subject: Samba and Deleted files In-Reply-To: Message-ID: On Mon, 14 Feb 2000, Jon Doyle wrote: > One issue we came up with is deletion of files. Does any one know how we > might get a solution to this? I mean if there is a large Network share > and someone deletes a file....we do not want to be called every day to > grab the DLT. write a vfs module for samba 3.0 or TNG which does a sys_rename instead of sys_unlink in vfs_unlink. J.F. From snail_talk at yahoo.com Mon Feb 14 08:16:06 2000 
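The rename-instead-of-unlink idea in J.F.'s reply above, as an added example that is not from the list or from Samba: a plain POSIX function, not Samba's VFS interface. The names recycle_unlink, put_file and the .recycle directory are assumptions made for the illustration, and it uses link() followed by unlink() as a rename that cannot overwrite an earlier deleted file of the same name.

```c
#define _XOPEN_SOURCE 700   /* lstat(), mkdtemp() under strict -std=c11 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TRASH_DIR  ".recycle"  /* assumed trash directory inside the share */
#define MAX_COPIES 1000        /* give up after this many same-name files */

/* A client-supplied name must stay inside the share: refuse empty names,
 * absolute paths and any ".." component. */
static int name_is_safe(const char *rel)
{
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/')
        return 0;
    for (const char *p = rel; *p; p += strspn(p, "/")) {
        size_t n = strcspn(p, "/");
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
    }
    return 1;
}

/* Stand-in for the unlink operation (hypothetical, not Samba's VFS API).
 * Moves share_root/rel into share_root/TRASH_DIR and copies the new path
 * into kept when kept is not NULL. Returns 0, or -1 with errno set. */
int recycle_unlink(const char *share_root, const char *rel,
                   char *kept, size_t keptlen)
{
    char src[4096], trash[4096], dst[4096];
    struct stat st;
    size_t tl = strlen(TRASH_DIR);

    if (!name_is_safe(rel)) { errno = EACCES; return -1; }
    int a = snprintf(src, sizeof src, "%s/%s", share_root, rel);
    int b = snprintf(trash, sizeof trash, "%s/%s", share_root, TRASH_DIR);
    if (a >= (int)sizeof src || b >= (int)sizeof trash) { errno = ENAMETOOLONG; return -1; }
    /* Deleting something already in the trash is a real delete (purge). */
    if (strncmp(rel, TRASH_DIR, tl) == 0 && rel[tl] == '/')
        return unlink(src);
    /* Recycle regular files only; lstat() so a symlink is never followed. */
    if (lstat(src, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return unlink(src);
    if (mkdir(trash, 0700) != 0 && errno != EEXIST)
        return -1;

    const char *base = strrchr(rel, '/');
    base = base ? base + 1 : rel;
    for (int i = 0; i < MAX_COPIES; i++) {
        int n = (i == 0) ? snprintf(dst, sizeof dst, "%s/%s", trash, base)
                         : snprintf(dst, sizeof dst, "%s/%s.%d", trash, base, i);
        if (n >= (int)sizeof dst) { errno = ENAMETOOLONG; return -1; }
        /* rename() would replace an earlier deleted file of the same name;
         * link() fails with EEXIST instead, so the next suffix is tried. */
        if (link(src, dst) == 0) {
            if (unlink(src) != 0)
                return -1;           /* both names remain; nothing is lost */
            if (kept != NULL)
                snprintf(kept, keptlen, "%s", dst);
            return 0;
        }
        if (errno != EEXIST)
            return -1;
    }
    errno = EEXIST;
    return -1;
}

/* Demo helper: create share_root/rel holding text. */
int put_file(const char *share_root, const char *rel, const char *text)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", share_root, rel);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

int main(void)
{
    char root[] = "/tmp/recycle_demoXXXXXX";   /* constructed sample share */
    char kept[4096];
    if (mkdtemp(root) == NULL)
        return 1;
    for (int i = 0; i < 2; i++) {              /* same name deleted twice */
        if (put_file(root, "report.txt", "draft") != 0 ||
            recycle_unlink(root, "report.txt", kept, sizeof kept) != 0)
            return 1;
        printf("kept as %s\n", kept);
    }
    return 0;
}
```

The trash directory has to live on the same filesystem as the share for link() to work, and something still has to expire old entries or the share fills up.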
From: snail_talk at yahoo.com (geoffrey lee) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: Message-ID: <000401bf76c3$bdb3a2f0$0200000a@workstation1> yo! oh ..i missed this wonderful conversation coz of the time zone difference i guess.. > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Luke Kenneth Casson Leighton > Sent: Monday, February 14, 2000 8:06 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Funny Stuff > > > On Mon, 14 Feb 2000, Dominik Kubla wrote: > > > On Mon, Feb 14, 2000 at 10:18:59AM +1100, Anders C. Thorsen wrote: > > > Funny.. if Windows is so stable.. why is it that > > > hotmail.com is still using FreeBSD...? > > > > Which incidentally is only run on the FRONTENDS, the backends use... > > Solaris! no, it's freebsd. i'm pretty sure. if you do a netcraft.com on them http://www.netcraft.com/whats it's freebsd. > > *giggle* that's funny. i like that. i heard that a couple of years ago, > when microsoft bought hotmail, they tried to install exchange. yeh i know , i heard about that. if i remember correctly it was rumoured that they did a study about the feasibility to switch to exchange. well, of course, in the end we all know that they didn't, and we all know why, don't we? ;) > geoffrey lee (snail talk) snailtalk@linux-mandrake.com From lkcl at samba.org Mon Feb 14 08:16:45 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <000401bf76c3$bdb3a2f0$0200000a@workstation1> Message-ID: On Mon, 14 Feb 2000, geoffrey lee wrote: > yo! > > oh ..i missed this wonderful conversation coz of the time zone difference i > guess.. it being the weekend, i think we were bored, what with there being nothing doing. no usual 100 messages for the day, we thought we'd try hit that amount on our own :) From Christian.Duclou at eeigm.inpl-nancy.fr Mon Feb 14 10:49:47 2000 
From: Christian.Duclou at eeigm.inpl-nancy.fr (Christian Duclou) Date: Tue Dec 2 02:28:33 2003 Subject: Trying to join domain with Samba TNG References: Message-ID: <38A7DDCA.D0669E71@eeigm.inpl-nancy.fr> I think it's strange to run nmbd twice isn't it? > 4542 ? S 0:00 ../bin/nmbd -D -d 10 > 4632 ? S 0:00 ../bin/nmbd -D -d 10 Perhaps it'll be better to run "smbd" Christian Luke Kenneth Casson Leighton wrote: > richard, use the alternative: createuser in rpcclient (or the new! > samedit) command. > > On Fri, 11 Feb 2000, Richard Sharpe wrote: > > > Hi, > > > > I have Samba TNG from two days ago. I pulled it from the cvs tree, and it > > compiled cleanly. > > > > I have added accounts for the server and have tried to join the server to > > the domain: > > > > useradd linsrv1\$ > > smbpasswd -a -m linsrv1 > > smbpasswd -j samba1 > > > > But I get an error message back from the attempt to join the domain saying > > that it was unable to change the passwd ... CHANGE_TRUST_ACCOUNT_PASSWD or > > something like that. > > > > I have a trace but it is too large to include but it is available. > > > > Here are the daemons that are running: > > > > 4542 ? S 0:00 ../bin/nmbd -D -d 10 > > 4632 ? S 0:00 ../bin/nmbd -D -d 10 > > 4638 ? S 0:00 ../bin/browserd -D -d 100 > > 4640 ? S 0:00 ../bin/lsarpcd -D -d 100 > > 4642 ? S 0:00 ../bin/netlogond -D -d 100 > > 4644 ? S 0:00 ../bin/samrd -D -d 100 > > 4646 ? S 0:00 ../bin/srvsvcd -D -d 100 > > 4648 ? S 0:00 ../bin/svcctld -D -d 100 > > 4650 ? S 0:00 ../bin/winregd -D -d 100 > > 4652 ? S 0:00 ../bin/wkssvcd -D -d 100 > > > > What is going wrong? 
> > > > > > Regards > > ------- > > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > > Co-author, SAMS Teach Yourself Samba in 24 Hours > > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals -- _____________ EEIGM - Service Informatique _____________ 6, rue Bastien LEPAGE - 54010 NANCY - CEDEX - France Phone: (33) 383.36.83.27 - Fax: (33) 383.36.83.36 _______________ http://eeigm.inpl-nancy.fr _____________ From peter at cadcamlab.org Mon Feb 14 11:19:21 2000 From: peter at cadcamlab.org (Peter Samuelson) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff References: <000801bf7672$8e287a70$12f066cf@tantalus> Message-ID: <14503.58438.639147.425230@wire.cadcamlab.org> [Martin Brown] > http://www.microsoft.com/windows2000/news/dot-truth.asp Did ya'll notice those sites MS linked to with the NT reliability guarantees? The fact that nobody seems to be willing to commit to more than three 9's? Compaq said it best: Compaq offers you a choice in Uptime Guarantee support for your business-critical environments: * 99.99% Uptime Guarantee for Tru64 UNIX and OpenVMS * 99.5% or 99.9% Uptime Guarantee for Windows NT *grin* Peter From hanak at IRIS.osu.cz Mon Feb 14 13:21:15 2000 
From: hanak at IRIS.osu.cz (Ondrej Hanak) Date: Tue Dec 2 02:28:33 2003 Subject: passwd chat Message-ID: Hi, can anybody explain this: [2000/02/14 13:43:42, 100] smbd/chgpasswd.c:talktochild(276) talktochild: chatbuf=[*successfull*] responsebuf=[] [2000/02/14 13:43:42, 3] smbd/chgpasswd.c:talktochild(279) response 3 incorrect sometimes everything goes fine (responsebuf=[...successfully...]). But many times empty responsebuf i can find in log. I'll look to smbd/chgpasswd.c. My passwd chat looks like *password* %n\n *password* %n\n *successfull*. Samba 2.1.0-prealpha from 19990412 on RedHat6.1(2.2.13). I have also 2 small questions. Is there way how to see right disk space on quoted disk? For example homes. I mean on Win side when properties were selected. And second (last i promise) question. I tried filename conversion to ISO8859-2 UNIX charset (of course with code page 852). But some pieces of profile did not transfer to samba server. Part of profile, which was transfered was converted fine, but what about missed files? Thanks for any tips and nice day. Hoj O.H. From johanh at fusion.kth.se Mon Feb 14 13:18:27 2000 From: johanh at fusion.kth.se (Johan Hedin) Date: Tue Dec 2 02:28:33 2003 Subject: Links In-Reply-To: <000701bf6eae$7d498bc0$3405a8c0@gillnet.org> Message-ID: > --with-krb4=base-dir Use Kerberos V4 for password checking. Non US source and binaries at http://www.pdc.kth.se/kth-krb From johanh at fusion.kth.se Mon Feb 14 13:57:48 2000 
From: johanh at fusion.kth.se (Johan Hedin) Date: Tue Dec 2 02:28:33 2003 Subject: Problems starting the current CVS (MAIN branch) version Message-ID: I get the following in smbd.log on Solaris 2.6 in the current CVS version (updated Mon Feb 14 14:57:15 MET 2000). [2000/02/14 13:42:04, 0] lib/pidfile.c:pidfile_create(99) ERROR: smbd : fcntl lock of file /var/samba/locks/smbd.pid failed. Error was No such file or directory Any ideas? TIA Johan Hedin /---------------------------------------------------------------------\ | Johan Hedin | johanh@fusion.kth.se | | Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh | \---------------------------------------------------------------------/ From Alan.Hourihane at pinacl.co.uk Mon Feb 14 14:13:20 2000 From: Alan.Hourihane at pinacl.co.uk (Alan Hourihane) Date: Tue Dec 2 02:28:33 2003 Subject: Printing in TNG Message-ID: <004f01bf76f5$a5624850$1ad120c1@pinacl.co.uk> I'm using multiple config files using the netbios aliases = .... and include = smb.conf.%L and one of these aliases is a printer server which has lots of printers defined, yet if I go through the 'Add Printer' it shows me a list of printers that's available on the primary 'netbios name'. Any clues ? Alan. From Alan.Hourihane at pinacl.co.uk Mon Feb 14 14:21:45 2000 
From: Alan.Hourihane at pinacl.co.uk (Alan Hourihane) Date: Tue Dec 2 02:28:33 2003 Subject: Printing in TNG In-Reply-To: <004f01bf76f5$a5624850$1ad120c1@pinacl.co.uk> Message-ID: <009001bf76f6$d23f7630$1ad120c1@pinacl.co.uk> In fact come to look a bit closer, and it appears as though it's ignoring the include line as all the shares that I define for the primary netbios name appears in all the netbios aliases too. So it's not just printing. Alan. > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org] > Sent: 14 February 2000 14:17 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Printing in TNG > > I'm using multiple config files using the > > netbios aliases = .... and > include = smb.conf.%L > > and one of these aliases is a printer server which > has lots of printers defined, > > yet if I go through the 'Add Printer' it shows me > a list of printers that's available on the primary > 'netbios name'. > > Any clues ? > > Alan. From johanh at fusion.kth.se Mon Feb 14 15:46:14 2000 From: johanh at fusion.kth.se (Johan Hedin) Date: Tue Dec 2 02:28:33 2003 Subject: Problems starting the current CVS (MAIN branch) version In-Reply-To: Message-ID: On Tue, 15 Feb 2000, Johan Hedin wrote: > I get the following in smbd.log on Solaris 2.6 in the current CVS version > (updated Mon Feb 14 14:57:15 MET 2000). > > [2000/02/14 13:42:04, 0] lib/pidfile.c:pidfile_create(99) > ERROR: smbd : fcntl lock of file /var/samba/locks/smbd.pid failed. Error was No such file or directory > I think the problem is due to my present AFS ticket renewing hacking of Samba. Sorry about that. Johan Hedin From dominik.kubla at uni-mainz.de Mon Feb 14 17:30:32 2000 
From: dominik.kubla at uni-mainz.de (Dominik Kubla) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff In-Reply-To: <000401bf76c3$bdb3a2f0$0200000a@workstation1>; from geoffrey lee on Mon, Feb 14, 2000 at 07:06:35PM +1100 References: <000401bf76c3$bdb3a2f0$0200000a@workstation1> Message-ID: <20000214183032.E28896@uni-mainz.de> On Mon, Feb 14, 2000 at 07:06:35PM +1100, geoffrey lee wrote: > > no, it's freebsd. i'm pretty sure. if you do a netcraft.com on them > No it's not: all you see are the web and mail frontends, you don't see the E10000's running the databases and file servers. And i would be very surprised to see FreeBSD run on SPARC hardware... Dominik From Jon at document-solutions.com Mon Feb 14 17:30:45 2000 From: Jon at document-solutions.com (Jon Doyle) Date: Tue Dec 2 02:28:33 2003 Subject: Samba and Deleted files Message-ID: Not a programmer, but is there anyone interested in creating this? Seems like a feature that is almost necessary in a large corporate environment? Jon Jon R. Doyle Systems Administrator Document Solutions, Inc. 1611 Telegraph Avenue Ste. 1010 Oakland, Ca. 94612 510-986-0250 >>> Jean Francois Micouleau 02/13/00 11:51PM >>> On Mon, 14 Feb 2000, Jon Doyle wrote: > One issue we came up with is deletion of files. Does any one know how we > might get a solution to this? I mean if there is a large Network share > and someone deletes a file....we do not want to be called every day to > grab the DLT. write a vfs module for samba 3.0 or TNG which does a sys_rename instead of sys_unlink in vfs_unlink. J.F. From Jon at document-solutions.com Mon Feb 14 17:35:49 2000
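An added example, not part of any list message and not Samba code: the "rename instead of unlink" idea from J.F.'s reply above, as a stand-alone POSIX C helper that moves a deleted file into a per-share trash directory. The `.trash` directory name and the functions `trash_unlink`, `rel_path_is_safe` and `trash_demo` are assumptions of this example; the Samba VFS interface itself is not used.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define TRASH_DIR ".trash"   /* assumed per-share trash directory */

/* Accept only relative names with no empty or ".." component, so a
 * client-supplied path cannot name something outside the share root.
 * (Symlinked intermediate directories are not checked here.) */
static int rel_path_is_safe(const char *rel)
{
    const char *p = rel, *slash;
    size_t len;
    if (rel == NULL || rel[0] == '\0' || rel[0] == '/') return 0;
    for (;;) {
        slash = strchr(p, '/');
        len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0) return 0;                        /* "a//b" or "a/" */
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (!slash) return 1;
        p = slash + 1;
    }
}

/* "Delete" root/rel by renaming it to root/.trash/<epoch>.<seq>.<name>.
 * Returns 0 on success, -1 with errno set. moved (optional) receives the
 * trash-relative name so the file can be restored later. */
int trash_unlink(const char *root, const char *rel, char *moved, size_t moved_len)
{
    struct stat st;
    char dest[PATH_MAX];
    const char *base;
    int rootfd, rc = -1, saved, n;
    unsigned seq;

    if (!rel_path_is_safe(rel)) { errno = EINVAL; return -1; }
    rootfd = open(root, O_RDONLY | O_DIRECTORY);
    if (rootfd < 0) return -1;

    if (fstatat(rootfd, rel, &st, AT_SYMLINK_NOFOLLOW) != 0) goto out;
    if (S_ISDIR(st.st_mode)) { errno = EISDIR; goto out; }  /* unlink() semantics */
    if (strncmp(rel, TRASH_DIR "/", sizeof TRASH_DIR) == 0) {
        rc = unlinkat(rootfd, rel, 0);     /* already in the trash: really delete */
        goto out;
    }
    /* Mode 0700: only the server account creates names inside the trash. */
    if (mkdirat(rootfd, TRASH_DIR, 0700) != 0 && errno != EEXIST) goto out;
    if (fstatat(rootfd, TRASH_DIR, &st, AT_SYMLINK_NOFOLLOW) != 0) goto out;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; goto out; } /* refuse a symlinked trash */

    base = strrchr(rel, '/');
    base = base ? base + 1 : rel;
    for (seq = 0; seq < 1000; seq++) {
        n = snprintf(dest, sizeof dest, "%s/%ld.%u.%s",
                     TRASH_DIR, (long)time(NULL), seq, base);
        if (n < 0 || (size_t)n >= sizeof dest) { errno = ENAMETOOLONG; goto out; }
        /* rename() silently replaces an existing target, so pick a free name. */
        if (fstatat(rootfd, dest, &st, AT_SYMLINK_NOFOLLOW) == 0) continue;
        if (errno != ENOENT) goto out;
        if (renameat(rootfd, rel, rootfd, dest) != 0) goto out;
        if (moved) snprintf(moved, moved_len, "%s", dest);
        rc = 0;
        goto out;
    }
    errno = EEXIST;
out:
    saved = errno;
    close(rootfd);
    errno = saved;
    return rc;
}

/* Constructed demo: a throw-away "share" under /tmp with one file in it. */
int trash_demo(void)
{
    char root[] = "/tmp/trashdemoXXXXXX";
    char path[PATH_MAX], moved[PATH_MAX];
    struct stat st;
    FILE *f;

    if (!mkdtemp(root)) return 1;
    snprintf(path, sizeof path, "%s/report.doc", root);
    if (!(f = fopen(path, "w"))) return 2;
    fputs("constructed sample content\n", f);
    fclose(f);
    if (trash_unlink(root, "report.doc", moved, sizeof moved) != 0) return 3;
    if (stat(path, &st) == 0) return 4;                 /* gone from the share */
    snprintf(path, sizeof path, "%s/%s", root, moved);
    if (stat(path, &st) != 0) return 5;                 /* still recoverable */
    if (trash_unlink(root, "../etc/passwd", NULL, 0) == 0) return 6;
    unlink(path);                                       /* clean up the demo */
    snprintf(path, sizeof path, "%s/%s", root, TRASH_DIR);
    rmdir(path);
    rmdir(root);
    return 0;
}

int main(void)
{
    int rc = trash_demo();
    printf("trash_demo returned %d\n", rc);
    return rc;
}
```

Because the trash directory sits inside the share root, the rename stays on one filesystem; a trash on another filesystem would make `renameat` fail with `EXDEV`, and the helper reports that error rather than falling back to a real delete.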
From: Jon at document-solutions.com (Jon Doyle) Date: Tue Dec 2 02:28:33 2003 Subject: Samba and Deleted files Message-ID: A Network Trash Can? You mean do this On a second box (NT Server)? I could add a PDC that just sits there in this function as we have some old Servers, but I would prefer to have the Linux Servers do the work as I want to rid the old gear for reliability. Jon Jon R. Doyle Systems Administrator Document Solutions, Inc. 1611 Telegraph Avenue Ste. 1010 Oakland, Ca. 94612 510-986-0250 >>> Seth Vidal 02/13/00 08:51PM >>> > One issue we came up with is deletion of files. Does any one know how > we might get a solution to this? I mean if there is a large Network > share and someone deletes a file....we do not want to be called every > day to grab the DLT. are they currently using a trashcan or some-such nonsense? you should be able to create a network trashcan that saves files. - its an NT adjustment though. another option is to dump the last days backups to disk and then roll to tape at nite. that way you have 1 days worth on fast media. -sv From allen at driversoft.com Mon Feb 14 17:41:11 2000 From: allen at driversoft.com (Allen Reese) Date: Tue Dec 2 02:28:33 2003 Subject: Funny Stuff (fwd) Message-ID: This is the way it should be written. :) Allen Reese VP Engineering Driversoft, Inc. allen@driversoft.com Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread Hi, I'm an evil mutated signature virus, put me in your .sig or I will bite your kneecaps! ---------- Forwarded message ---------- Date: Sun, 13 Feb 2000 18:18:04 -0700 (MST) 
From: llewelly@198.dsl.xmission.com To: Allen Reese Cc: bman@198.dsl.xmission.com Subject: Re: Funny Stuff (fwd) In a world of hype, wouldn't it be nice to believe you were getting a refreshing dose of reality? The truth is out there for us to manipulate. It's what we bamboozled real businesses into doing every day. From now until February 17th, you can get your daily dose of Macro$loth Active Visual Reality(tm) about the Internet and business computing right here. And then, on February 17th, Windoze 2000 arrives and Macro$loth Active Visual Reality(tm) gets even better. Remember, Macro$loth Active Visual Reality(tm) is much, much better than any other reality ... especially for our investors. #2: The Hype Sun Microsystems claims to be a leader in system reliability and more reliable than Windoze. Macro$loth Active Visual Reality(tm): Major customers, such as Quote.com, are switching from Sun to the Macro$loth(R) Windoze(R) platform because it offers better propaganda. The Proof: * Despite Sun's claim that their high-end servers are highly reliable and built with redundant components, customers report that failures in Sun propaganda, advertising, pricing, and other marketing bullshit have caused entire coffee shops of managers to be kidnaped by the Macro$loth Active Visual Reality(tm) Bandwagon(tm). (Source: Macro$loth Active Visual Reality(tm) ) * Analyst reports have repeatedly raised the issue of reliability problems with Sun platforms, and have gone so far as to recommend that customers not use Sun servers in environments that require high availability. (Source (of bribes): Macro$loth Active Visual Reality(tm) ) * In one day alone, Dec. 7, 1999, a leading auction site suffered a system outage of more than three hours when both Sun E10000 servers running the site's back-end auction system failed.(0) Meanwhile, the company's Web site front-end, running on a Windoze NT(R)-based server farm, has provided continuous availability with no single point of failure. 
(Source: Macro$loth Active Visual Reality(tm) ) * Multiple vendors offer availability guarantees for Windoze platforms, including IBM, HP, Unisys, and Compaq. This doesn't make Windoze reliable, but gives you someone else to put the blame on, and best of all, some one to sue. Remember, lawsuits are much more fun than searching for competent system administrators. (Source: Macro$loth Active Visual Reality(tm) ) #1: The Hype Sun claims to be the leading provider of Internet technology "the dot in .com(TM)." Macro$loth Active Visual Reality(tm): Macro$loth is truly pissed that Sun trademarked this stupid logo before we did. I mean, we have about 3280 patents relating to stupid logos. But we are still better than them: Windoze platforms drive the Business Internet(1). For example, 6 of the top 10 shopping sites run Windoze and Macro$loth SQL Server TM. (Source: Macro$loth Active Visual Reality(tm) ) The Proof: * Windoze runs 25 percent of Web sites worldwide; Sun runs 19 percent(2). This is actually much better than it sounds. You see, 25+19==44, and 25 is 57% of 44, so Windoze really runs 57% of the Internet. No, wait, it's actually better still: Macro$loth Active Visual Percentage Doubling technology (Patent 666347666934666871666704) increases this to 114%!! That's right, only Macro$loth Active Visual Reality allows a percentage of a whole that is greater than the whole! (Source: Macro$loth Active Visual Reality(tm) ) * 45 percent of secure(3) Web sites run on Windoze; Sun runs 11 percent. (Source: Micro$loth Active Visual Reality(tm) 12/99) * 52 of the top 100 Internet shopping sites(4) run on Windoze. (Source: Macro$loth Active Visual Reality(tm) ) * 57 percent of top business-to-business marketplaces(5) run on Windoze. (Source: Macro$loth Active Visual Reality(tm) ) * Some of the biggest e-businesses and dot coms(6) run on Windoze: + Dell, the largest e-business on the Internet, runs on Windoze. 
+ Other major sites include Barnes & Noble, InfoSpace, Data Return, buy.com, monster.com, reel.com, bigcharts.com, Hotbot.com, Nordstrom's, realtor.com, eHome, MarthaStewart.com, cooking.com, and Compaq, to name a few. + Electrolux, Accounting.com, Pro2Net and thousands of other companies have switched their web sites from Sun platforms to Windoze. (Source: Macro$loth Active Visual Reality(tm) ) + See? We really *do* have better propaganda! Remember, it's not quality that counts, it's propaganda!(13) Want more facts? Return to this page tomorrow for your daily dose of Macro$loth Active Visual Reality. Footnotes: (0) The rumor that our paid double agent removed all processor cards from said E10000 machines is false. (Damn those E10000s ... you have to remove *all* the processor cards to make them shutdown. Damn Sun!). We don't have any paid double agents. Besides, our paid double agent was actually at Sun on that day, trying to install Windoze and IIS (Incredibly Idiotic Server) on Sun's own E10000s, which run sun.com . However, for reasons we were unable to determine, these E10000s could not boot Windoze! That's right, SUN'S OWN HARDWARE CANNOT BOOT WINDOZE! It must suck much worse than we thought. (1) The Business Internet(tm) is defined as 'Those sites which run Macro$loth Windoze.'(666) (2) The 66% of sites that run GNU/Linux, FreeBSD, etc, do not count because they are bunch of evil hippie gnu-loving long hairs that consort with demons and support the takeover of the evil Finnish genius Linus Torvalds, who is also a communist. 
Besides, they keep whining whenever Macro$loth Active Visual Reality(tm) uses its Truth Manipulation(tm) and Outright Lie(tm) technologies.(666) (3) Secure(tm) is defined as 'Those sites which run Macro$loth Windoze'.(666) (4) Shopping Sites(tm) is defined as 'Those sites which run Macro$loth Windoze'.(666) (5) Business-to-Business Marketplaces(tm) is defined as 'Those sites which run Macro$loth Windoze'.(666) (6) E-Business(tm) is defined as 'Those sites which run Macro$loth Windoze'.(666) (13) Certain sources with the irreparable defect of honesty have been spreading the fact that Macro$loth owned Hotmail runs on FreeBSD servers, because FreeBSD is more reliable than Windoze. If you believe this, please download Macro$loth Active Mind Clouding Technology (Patents 66624234213421466, 666345234334424666, and other patents pending) so this dirty fact will be hidden from you. (666) It has been discovered that nefarious minions of RMS are running a diabolical virus known as 'SAMBA' on Linux, FreeBSD, Sun, IRIX, and other unices. This insidious Trojan horse allows these machines to imitate servers running Macro$loth Windoze. Thus, not all boxes running Macro$loth Windoze are actually running Macro$loth Windoze. Damn Alan Turing for proving that a superior computing system can always emulate an inferior computing system! Please don't let this bother you; soon Macro$loth will develop an new Active Deception(tm) technology that will hide this uncomfortable fact from you. (It's a parody. Laugh.) [snip] From skvidal at phy.duke.edu Mon Feb 14 17:59:08 2000 
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:34 2003 Subject: Samba and Deleted files In-Reply-To: Message-ID: > A Network Trash Can? You mean do this On a second box (NT Server)? I > could add a PDC that just sits there in this function as we have some > old Servers, but I would prefer to have the Linux Servers do the work as > I want to rid the old gear for reliability. I mean create a share that anyone can access - you should be able to create a network trash folder - its just an issue of telling NT where to put trashfiles. you can have the folder on a linux-samba machine but nt (the workstation) has to know where it goes. -sv From tavis at mahler.econ.columbia.edu Mon Feb 14 18:09:18 2000 From: tavis at mahler.econ.columbia.edu (Tavis Barr) Date: Tue Dec 2 02:28:34 2003 Subject: Funny Stuff (fwd) In-Reply-To: Message-ID: People, enough, please!!! It's not that your point isn't well-taken but this list is busy enough with genuine bona fide Samba discussion. There are Usenet groups where you can go bash Microsoft. Please remember that this list has about a thousand recipients and when people send out 20 M$-bashing messages in a day, we all get them. Thanks, Tavis On Tue, 15 Feb 2000, Allen Reese wrote: > This is the way it should be written. :) > > Allen Reese > VP Engineering > Driversoft, Inc. > allen@driversoft.com > Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread > Hi, I'm an evil mutated signature virus, put me in your .sig or I will > bite your kneecaps! > > ---------- Forwarded message ---------- > Date: Sun, 13 Feb 2000 18:18:04 -0700 (MST) 
> From: llewelly@198.dsl.xmission.com > To: Allen Reese > Cc: bman@198.dsl.xmission.com > Subject: Re: Funny Stuff (fwd) > > In a world of hype, wouldn't it be nice to believe you were getting a > refreshing dose of reality? The truth is out there for us to > manipulate. It's what we bamboozled real businesses into doing > every day. From now until February 17th, you can get your daily > dose of Macro$loth Active Visual Reality(tm) about the Internet and > business computing right here. And then, on February 17th, Windoze > 2000 arrives and Macro$loth Active Visual Reality(tm) gets even > better. Remember, Macro$loth Active Visual Reality(tm) is much, much > better than any other reality ... especially for our investors. > > #2: The Hype > Sun Microsystems claims to be a leader in system reliability and > more reliable than Windoze. Macro$loth Active Visual Reality(tm): > Major customers, such as Quote.com, are switching from Sun to the > Macro$loth(R) Windoze(R) platform because it offers better > propaganda. The Proof: > > * Despite Sun's claim that their high-end servers are highly > reliable and built with redundant components, customers report > that failures in Sun propaganda, advertising, pricing, > and other marketing bullshit have caused entire coffee shops > of managers to be kidnaped by the Macro$loth Active Visual > Reality(tm) Bandwagon(tm). (Source: Macro$loth Active Visual > Reality(tm) ) > > * Analyst reports have repeatedly raised the issue of reliability > problems with Sun platforms, and have gone so far as to > recommend that customers not use Sun servers in environments > that require high availability. > (Source (of bribes): Macro$loth Active Visual Reality(tm) ) > > * In one day alone, Dec. 
7, 1999, a leading auction site suffered > a system outage of more than three hours when both Sun E10000 > servers running the site's back-end auction system failed.(0) > Meanwhile, the company's Web site front-end, running on > a Windoze NT(R)-based server farm, has provided continuous > availability with no single point of failure. (Source: > Macro$loth Active Visual Reality(tm) ) > > * Multiple vendors offer availability guarantees for Windoze > platforms, including IBM, HP, Unisys, and Compaq. This doesn't > make Windoze reliable, but gives you someone else to put the > blame on, and best of all, some one to sue. Remember, lawsuits > are much more fun than searching for competent system > administrators. (Source: Macro$loth Active Visual Reality(tm) ) > > #1: The Hype > Sun claims to be the leading provider of Internet technology "the > dot in .com(TM)." Macro$loth Active Visual Reality(tm): Macro$loth > is truly pissed that Sun trademarked this stupid logo before we > did. I mean, we have about 3280 patents relating to stupid > logos. But we are still better than them: Windoze platforms drive > the Business Internet(1). For example, 6 of the top 10 shopping sites > run Windoze and Macro$loth SQL Server TM. (Source: Macro$loth Active > Visual Reality(tm) ) The Proof: > > * Windoze runs 25 percent of Web sites worldwide; Sun runs 19 > percent(2). This is actually much better than it sounds. You see, > 25+19==44, and 25 is 57% of 44, so Windoze really runs 57% of > the Internet. No, wait, it's actually better still: Macro$loth > Active Visual Percentage Doubling technology (Patent > 666347666934666871666704) increases this to 114%!! That's > right, only Macro$loth Active Visual Reality allows a percentage > of a whole that is greater than the whole! (Source: > Macro$loth Active Visual Reality(tm) ) > > * 45 percent of secure(3) Web sites run on Windoze; Sun runs 11 > percent. 
(Source: Micro$loth Active Visual Reality(tm) 12/99) > > * 52 of the top 100 Internet shopping sites(4) run on > Windoze. (Source: Macro$loth Active Visual Reality(tm) ) > > * 57 percent of top business-to-business marketplaces(5) run on > Windoze. (Source: Macro$loth Active Visual Reality(tm) ) > > * Some of the biggest e-businesses and dot coms(6) run on Windoze: > > + Dell, the largest e-business on the Internet, runs on > Windoze. > > + Other major sites include Barnes & Noble, InfoSpace, Data > Return, buy.com, monster.com, reel.com, > bigcharts.com, Hotbot.com, Nordstrom's, realtor.com, > eHome, MarthaStewart.com, cooking.com, and > Compaq, to name a few. > > + Electrolux, Accounting.com, Pro2Net and thousands of other > companies have switched their web sites > from Sun platforms to Windoze. (Source: Macro$loth Active > Visual Reality(tm) ) > > + See? We really *do* have better propaganda! Remember, it's > not quality that counts, it's propaganda!(13) > > Want more facts? > > Return to this page tomorrow for your daily dose of Macro$loth > Active Visual Reality. > > Footnotes: > > (0) The rumor that our paid double agent removed all processor > cards from said E10000 machines is false. (Damn those E10000s > ... you have to remove *all* the processor cards to make them > shutdown. Damn Sun!). We don't have any paid double > agents. Besides, our paid double agent was actually at Sun on > that day, trying to install Windoze and IIS (Incredibly Idiotic > Server) on Sun's own E10000s, which run sun.com . However, for > reasons we were unable to determine, these E10000s could not > boot Windoze! That's right, SUN'S OWN HARDWARE CANNOT BOOT > WINDOZE! It must suck much worse than we thought. 
> > (1) The Business Internet(tm) is defined as 'Those sites which run > Macro$loth Windoze.'(666) > > (2) The 66% of sites that run GNU/Linux, FreeBSD, etc, do not count > because they are bunch of evil hippie gnu-loving long hairs > that consort with demons and support the takeover of the evil > Finnish genius Linus Torvalds, who is also a communist. Besides, > they keep whining whenever Macro$loth Active Visual Reality(tm) > uses its Truth Manipulation(tm) and Outright Lie(tm) > technologies.(666) > > (3) Secure(tm) is defined as 'Those sites which run Macro$loth > Windoze'.(666) > > (4) Shopping Sites(tm) is defined as 'Those sites which run > Macro$loth Windoze'.(666) > > (5) Business-to-Business Marketplaces(tm) is defined as 'Those > sites which run Macro$loth Windoze'.(666) > > (6) E-Business(tm) is defined as 'Those sites which run Macro$loth > Windoze'.(666) > > (13) Certain sources with the irreparable defect of honesty have > been spreading the fact that Macro$loth owned Hotmail runs on > FreeBSD servers, because FreeBSD is more reliable than > Windoze. If you believe this, please download Macro$loth > Active Mind Clouding Technology (Patents 66624234213421466, > 666345234334424666, and other patents pending) so this dirty > fact will be hidden from you. > > (666) It has been discovered that nefarious minions of RMS are > running a diabolical virus known as 'SAMBA' on Linux, > FreeBSD, Sun, IRIX, and other unices. This insidious Trojan > horse allows these machines to imitate servers running > Macro$loth Windoze. Thus, not all boxes running Macro$loth > Windoze are actually running Macro$loth Windoze. Damn Alan > Turing for proving that a superior computing system can > always emulate an inferior computing system! Please don't let > this bother you; soon Macro$loth will develop an new Active > Deception(tm) technology that will hide this uncomfortable > fact from you. > > (It's a parody. Laugh.) 
> > > [snip] > > > From martin at tantalus.com Mon Feb 14 18:18:41 2000 From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:34 2003 Subject: Unable to Authenticate on PDC Message-ID: <000e01bf7717$eccc5330$12f066cf@tantalus> For some reason I can't authenticate on my Samba PDC. The message I get in the log.smb is "password for USER is incorrect" I've used smbpasswd and changed it like 50 times.. and I've added the machine name that's trying to connect. Any ideas? ___________________________________________ Martin Brown, Unix Systems Administrator Tantalus Communications Inc. 500-1122 Mainland Street Vancouver, BC, Canada V6B 5L1 martin@tantalus.com Direct 604.721-0351 Main 604.609.0700 Fax 604.609.0705 Toll Free 1.877.326.6776 http://www.tantalus.com "When eBusiness experience counts." From jmeff at engsoc.queensu.ca Mon Feb 14 18:25:22 2000 
From: jmeff at engsoc.queensu.ca (Jamie ffolliott)
Date: Tue Dec 2 02:28:34 2003
Subject: [Samba-TNG] Diagnosis steps fail in latest CVS
In-Reply-To:
Message-ID:

I've tried that as well actually, but from reading some past messages on this list it looks like the loopback is just used by command-line utilities like smbpasswd to communicate with samba (and the loopback adapter just has to be 'up'). Anyhow, I want samba to listen on a network, and the docs have never suggested putting the loopback on the list of interfaces.

I'm quite positive that these are bugs in TNG at the moment, but haven't heard anyone else report them (strange) ;)

Jamie

On Mon, 14 Feb 2000, Schlomo Schapiro wrote:

> Perhaps you should add 127.0.0.1 to the interfaces ? Otherwise smbd won't
> listen on the loopback (so it's strange that loopback worked :-)
>
> Schlomo
>
> On Mon, 14 Feb 2000, Jamie ffolliott wrote:
>
> > Hi All,
> >
> > I'm testing out the Samba PDC code once again (from CVS Feb 13 on Redhat
> > 6.x) and hoping to update a server running some older Samba-2.1prealpha
> > code from last March (which has been running very reliably, except for the
> > occasional roaming profile problem).
> >
> > I ran into some 'connection refused' errors with
> > smbpasswd -j SAMBA to join the domain (following the TNG faq), so I
> > investigated my setup a bit more. Went through the DIAGNOSIS.txt steps
> > and testparm, and found that steps four to six are broken (all the others,
> > 1-3 and 7 work fine). Nothing seems to be wrong in my smb.conf, and I've
> > checked that all the diagnosis steps work with samba-2.0.6 but not with
> > TNG on this machine when using the same smb.conf (without PDC features
> > enabled in smb.conf). The loopback adapter is working as well, if that
> > helps.
> >
> > I figure I should wait to see these few tests working properly before
> > reporting anything else on PDC support in TNG in case they're related.
> > Output on those commands and my smb.conf pasted below.
> >
> > Can anyone tell me what might be wrong, or should I expect that a lot of
> > things might be broken at the moment?
> >
> > Diagnosis steps:
> > step 4: nmblookup -B DEGOBAH __SAMBA__
> > doing parameter timestamp logs = false
> > pm_process() returned Yes
> > lp_servicenumber: couldn't find homes
> > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> > Sending queries to 192.168.69.2
> > socket open succeeded.file name: /tmp/.nmb/agent
> > socket connect to /tmp/.nmb/agent failed: Connection refused
> > name_query failed to find name __SAMBA__
> >
> > step 5: nmblookup -B jason '*'
> > doing parameter timestamp logs = false
> > pm_process() returned Yes
> > lp_servicenumber: couldn't find homes
> > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> > Sending queries to 192.168.69.3
> > socket open succeeded.file name: /tmp/.nmb/agent
> > socket connect to /tmp/.nmb/agent failed: Connection refused
> > name_query failed to find name *
> >
> > step 6: nmblookup -d 2 '*'
> > doing parameter timestamplogs = false
> > pm_process() returned Yes
> > lp_servicenumber: couldn't find homes
> > Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> > Sending queries to 192.168.69.255
> > socket open succeeded.file name: /tmp/.nmb/agent
> > socket connect to /tmp/.nmb/agent failed: Connection refused
> > name_query failed to find name *
> >
> > smb.conf
> > [global]
> >    netbios name = DEGOBAH
> >    workgroup = SAMBA
> >    server string = Samba Server
> >    hosts allow = 127.0.0.1 192.168.69.
> >    load printers = yes
> >    log file = /var/log/samba/log.%m
> >    max log size = 5000
> >    security = user
> >    password level = 8
> >    username level = 8
> >    encrypt passwords = yes
> >    smb passwd file = /etc/smbpasswd
> >    socket options = TCP_NODELAY
> >    interfaces = 192.168.69.2/24
> >    local master = yes
> >    os level = 63
> >    domain master = yes
> >    preferred master = yes
> >    domain logons = yes
> >    logon path = \\%L\Profiles\%U
> >    wins support = yes
> >    dns proxy = no
> >    debug level = 100
> >    timestamp logs = false
> >
> > [homes]
> >    comment = Home Directories
> >    browseable = no
> >    writable = yes
> >    path = /home
> >
> > [netlogon]
> >    comment = Network Logon Service
> >    path = /home/netlogon
> >    guest ok = yes
> >    locking = no
> >    writable = no
> >    share modes = no
> >
> > [Profiles]
> >    path = /home/profiles
> >    browseable = no
> >    guest ok = yes
> >
> > [tmp]
> >    comment = Temporary file space
> >    path = /tmp
> >    read only = no
> >    public = yes
> >
> > Jamie
> >
>
> --
> Schlomo Schapiro
> Computation Authority
> Hebrew University of Jerusalem
>
> Tel: ++972 / 2 / 65-84404
> email: schapiro@clerk.pi.huji.ac.il
>

From kevinc at grainsystems.com Mon Feb 14 18:36:41 2000
From: kevinc at grainsystems.com (Kevin Colby)
Date: Tue Dec 2 02:28:34 2003
Subject: Samba and Deleted files
References:
Message-ID: <38A84B39.FC798734@grainsystems.com>

Seth Vidal 02/13/00 08:51PM >>>
> > One issue we came up with is deletion of files. Does any one know how
> we might get a solution to this? I mean if there is a large Network
> share and someone deletes a file....we do not want to be called every
> day to grab the DLT.

How does 'unrm' and such work? Perhaps Samba would cooperate (or could be made to) work with some such recovery setup?

- Kevin Colby
kevinc@grainsystems.com

From GLeblanc at cu-portland.edu Mon Feb 14 18:44:55 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:34 2003
Subject: Unable to Authenticate on PDC
Message-ID:

> -----Original Message-----
> From: Martin Brown [mailto:martin@tantalus.com]
> Sent: Monday, February 14, 2000 10:35 AM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Unable to Authenticate on PDC
>
>
>
> For some reason I can't authenticate on my Samba PDC. The
> message I get in
> the log.smb is "password for USER is incorrect"
>
> I've used smbpasswd and changed it like 50 times.. and I've added the
> machine name that's trying to connect. Any ideas?

Not without a bunch more information, like what version of Samba you're running, and maybe the general section of smb.conf. Client machine type would also be helpful, and a description of how you're trying to use Samba.

thnx
Greg

From martin at tantalus.com Mon Feb 14 19:01:20 2000
From: martin at tantalus.com (Martin Brown)
Date: Tue Dec 2 02:28:34 2003
Subject: Unable to Authenticate on PDC
Message-ID: <001801bf771d$e181f290$12f066cf@tantalus>

Okay, NP.

Samba TNG CVS from last week. Workstation trying to auth is NT 4.0 Workstation. My Global smb.conf config is below. I am setting up Samba as a PDC that uses LDAP to authenticate. The LDAP side of things is setup and working properly. I can add and change passwords in the LDAP DB.

# Global parameters
[global]
   ldap suffix = "dc=tantalus, dc=com"
   ldap bind as = "cn=root, dc=tantalus, dc=com"
   ldap passwd file = /etc/ldappasswd
   ldap server = localhost
   ldap port = 389
   workgroup = TEST
   netbios name = PDC1
   comment = Linux RedHat Samba Server
   security = user
   null passwords = Yes
   encrypt passwords = yes
   logon drive = U:
   domain master = yes
   domain logons = yes

[netlogon]
   path = /usr/local/etc/samba/netlogon
   locking = no
   writeable = yes
   guest ok = no
   browseable = yes

-----Original Message-----
From: Gregory Leblanc [mailto:GLeblanc@cu-portland.edu] Sent: Monday, February 14, 2000 10:45 AM To: 'martin@tantalus.com'; Multiple recipients of list SAMBA-NTDOM Subject: RE: Unable to Authenticate on PDC > -----Original Message----- > From: Martin Brown [mailto:martin@tantalus.com] > Sent: Monday, February 14, 2000 10:35 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Unable to Authenticate on PDC > > > > For some reason I can't authenticate on my Samba PDC. The > message I get in > the log.smb is "password for USER is incorrect" > > I've used smbpasswd and changed it like 50 times.. and I've added the > machine name that's trying to connect. Any ideas? Not without a bunch more information, like what version of Samba you're running, and maybe the general section of smb.conf. Client machine type would also be helpful, and a description of how you're trying to use Samba. thnx Greg ___________________________________________ Martin Brown, Unix Systems Administrator Tantalus Communications Inc. 500-1122 Mainland Street Vancouver, BC, Canada V6B 5L1 martin@tantalus.com Direct 604.721-0351 Main 604.609.0700 Fax 604.609.0705 Toll Free 1.877.326.6776 http://www.tantalus.com "When eBusiness experience counts." From Brian_Keats at pch.gc.ca Mon Feb 14 19:30:19 2000 
From: Brian_Keats at pch.gc.ca (Brian_Keats@pch.gc.ca)
Date: Tue Dec 2 02:28:34 2003
Subject: Netlogon Service for Win 9x Clients
Message-ID: <85256885.006B225A.00@pch.gc.ca>

Hi,

I currently have a few Win 95 machines residing on a private network being routed to a non-private network by a linux 2.2.12 kernel with IP_MASQ and IP_FORWARDING. Initially, I couldn't get NT DOMAIN logons to work through the masqueraded linux box so I decided to try using Samba. After a lot of reading and configuring I've managed to have users validated on the NT DOMAIN whilst they are behind this 'firewall' !

(At this point, you might ask yourself why am I doing this ? The reason in a nutshell is these machines all belong in a separate group which from time to time change between being on the internal NT DOMAIN Lan and being on our external Public Internet connection)

As I stated earlier, I can get users validated (i.e. can logon) but the problem is I can't get the Linux/Samba box to deliver the users logon batch file which resides on the domain PDC/BDC's. My Linux box has been added to the domain successfully and processes logon attempts correctly.

The users batch files are administered by the NT administrator for each workgroup and there trying to use something like "logon path = \\%L\%U" or any other variable substitution will not work as the naming schemes are different for each person, possibly ! (In other words there is no standard being used to specify a path and batch file name to be passed to the client and executed upon logon) I believe the path and batch file name are entered on the NT side by administrator using User Manager for Domains, or whatever.

I am wondering if there is a way I can get the Samba Server to look at the path and batch file name stored on the server and then pass them along to the client. I did manage to create a NETLOGON share and copy all the different batch files from the PDC to the Samba box but, short of finding out what the path and batch file name is for each user and then creating a local Samba account and then adding an smbpasswd entry to process the netlogon request and also keeping this up to date, I'm curious as to if this can be done ?

I am using Samba ver. 2.05a and the smb.conf file is listed below, with network numbers and such changed to protect the innocent ;-} .

Can anybody shed some light on how I can point the clients to use the [netlogon] service provided by the PDC and not involve Samba except in the role of say something like a proxy netlogon server ?

If you feel like responding to this could you also send a copy to my e-mail address as well as I've not subscribed to the ntdom mailing list.

Regards in advance

Brian Keats

# Samba config file created using SWAT
# Date: 2000/02/14 09:42:13

# Global parameters
[global]
   workgroup = ORG1
   netbios name = MASQ-SERVER
   server string = Samba Server
   interfaces = 192.168.1.1/255.255.255.0
   security = DOMAIN
   encrypt passwords = Yes
   password server = ORG1-INFO ORG1-INFO-01 ORG1-INFO-02
   username map = /usr/lib/samba/private/usermap
   log level = 3
   log file = /var/log/samba.%m
   max log size = 50
   socket options = TCP_NODELAY
   logon path =
   logon home =
   domain logons = Yes
   os level = 55
   preferred master = Yes
   wins proxy = Yes
   wins server = 129.15.60.62
   remote announce = 129.15.45.255/ORG1
   socket address = 192.168.1.1
   guest ok = Yes
   hosts allow = 192.168.1. 129.15.

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   print ok = Yes
   browseable = No

[CDROM]
   comment = Slow SCSI CDROM
   path = /cdrom

#[NETLOGON]
#   comment = Netlogon Path
#   path = /usr/lib/samba/netlogon
# I initially added this to test the determine if the path and filename info was being passed
# along and the client was trying to find the netlogon batch file on the Samba server.

From Jon at document-solutions.com Mon Feb 14 20:29:16 2000
From: Jon at document-solutions.com (Jon Doyle)
Date: Tue Dec 2 02:28:34 2003
Subject: Samba and Deleted files
Message-ID:

Anyone know how to make a Network Trash can? Sorry, I am all Novell.

Jon

Jon R. Doyle
Systems Administrator
Document Solutions, Inc.
1611 Telegraph Avenue Ste. 1010
Oakland, Ca. 94612
510-986-0250

>>> Seth Vidal 02/14/00 10:30AM >>>
> A Network Trash Can? You mean do this On a second box (NT Server)? I
> could add a PDC that just sits there in this function as we have some
> old Servers, but I would prefer to have the Linux Servers do the work as
> I want to rid the old gear for reliability.

I mean create a share that anyone can access - you should be able to create a network trash folder - its just an issue of telling NT where to put trashfiles.

you can have the folder on a linux-samba machine but nt (the workstation) has to know where it goes.

-sv

From lynn at cis.usouthal.edu Mon Feb 14 20:40:55 2000
From: lynn at cis.usouthal.edu (Keith Lynn) Date: Tue Dec 2 02:28:34 2003 Subject: Unable to Authenticate on PDC In-Reply-To: <000e01bf7717$eccc5330$12f066cf@tantalus> Message-ID: I don't know if this is a solution to your problem or not, but I have run into similar problems, and found that Samba wouldn't authenticate if the uid in the smbpasswd and /etc/passwd didn't match. There were instances where I had changed a user, but there was an entry in smbpasswd. When I readded the user, the uid had changed. This caused Samba not to authenticate. Keith Lynn On Tue, 15 Feb 2000, Martin Brown wrote: > > For some reason I can't authenticate on my Samba PDC. The message I get in > the log.smb is "password for USER is incorrect" > > I've used smbpasswd and changed it like 50 times.. and I've added the > machine name that's trying to connect. Any ideas? > > ___________________________________________ > Martin Brown, Unix Systems Administrator > Tantalus Communications Inc. > 500-1122 Mainland Street > Vancouver, BC, Canada V6B 5L1 > martin@tantalus.com > > Direct 604.721-0351 > Main 604.609.0700 > Fax 604.609.0705 > Toll Free 1.877.326.6776 > > http://www.tantalus.com > "When eBusiness experience counts." > > From martin at tantalus.com Mon Feb 14 21:15:31 2000 From: martin at tantalus.com (Martin Brown) Date: Tue Dec 2 02:28:34 2003 Subject: Unable to Authenticate on PDC In-Reply-To: Message-ID: <002701bf7730$a06fcbc0$12f066cf@tantalus> Nope, that's not the case. The UID in the password file and in the smbpasswd file are the same. Thanks for the suggestion. -----Original Message----- 
From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Keith Lynn Sent: Monday, February 14, 2000 12:51 PM To: Multiple recipients of list SAMBA-NTDOM Subject: Re: Unable to Authenticate on PDC I don't know if this is a solution to your problem or not, but I have run into similar problems, and found that Samba wouldn't authenticate if the uid in the smbpasswd and /etc/passwd didn't match. There were instances where I had changed a user, but there was an entry in smbpasswd. When I readded the user, the uid had changed. This caused Samba not to authenticate. Keith Lynn On Tue, 15 Feb 2000, Martin Brown wrote: > > For some reason I can't authenticate on my Samba PDC. The message I get in > the log.smb is "password for USER is incorrect" > > I've used smbpasswd and changed it like 50 times.. and I've added the > machine name that's trying to connect. Any ideas? > > ___________________________________________ > Martin Brown, Unix Systems Administrator > Tantalus Communications Inc. > 500-1122 Mainland Street > Vancouver, BC, Canada V6B 5L1 > martin@tantalus.com > > Direct 604.721-0351 > Main 604.609.0700 > Fax 604.609.0705 > Toll Free 1.877.326.6776 > > http://www.tantalus.com > "When eBusiness experience counts." > > From lkcl at samba.org Mon Feb 14 21:17:41 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:34 2003
Subject: Unable to Authenticate on PDC
In-Reply-To: <001801bf771d$e181f290$12f066cf@tantalus>
Message-ID:

grab latest, don't use smbpasswd use samedit or rpcclient. issue a createuser username -p passwd or a samuserset username -p passwd.

On Tue, 15 Feb 2000, Martin Brown wrote:

>
> Okay, NP.
>
> Samba TNG CVS from last week.
> Workstation trying to auth is NT 4.0 Workstation.
> My Global smb.conf config is below.
>
> I am setting up Samba as a PDC that uses LDAP to authenticate. The LDAP
> side of things is setup and working properly. I can add and change
> passwords in the LDAP DB.
>
> # Global parameters
>
> [global]
> ldap suffix = "dc=tantalus, dc=com"
> ldap bind as = "cn=root, dc=tantalus, dc=com"
> ldap passwd file = /etc/ldappasswd
> ldap server = localhost
> ldap port = 389
>
> workgroup = TEST
> netbios name = PDC1
> comment = Linux RedHat Samba Server
> security = user
> null passwords = Yes
> encrypt passwords = yes
>
> logon drive = U:
> domain master = yes
> domain logons = yes
>
> [netlogon]
> path = /usr/local/etc/samba/netlogon
> locking = no
> writeable = yes
> guest ok = no
> browseable = yes
>
> -----Original Message-----
> From: Gregory Leblanc [mailto:GLeblanc@cu-portland.edu]
> Sent: Monday, February 14, 2000 10:45 AM
> To: 'martin@tantalus.com'; Multiple recipients of list SAMBA-NTDOM
> Subject: RE: Unable to Authenticate on PDC
>
>
> > -----Original Message-----
> > From: Martin Brown [mailto:martin@tantalus.com]
> > Sent: Monday, February 14, 2000 10:35 AM
> > To: Multiple recipients of list SAMBA-NTDOM
> > Subject: Unable to Authenticate on PDC
> >
> >
> >
> > For some reason I can't authenticate on my Samba PDC. The
> > message I get in
> > the log.smb is "password for USER is incorrect"
> >
> > I've used smbpasswd and changed it like 50 times.. and I've added the
> > machine name that's trying to connect. Any ideas?
>
> Not without a bunch more information, like what version of Samba you're
> running, and maybe the general section of smb.conf. Client machine type
> would also be helpful, and a description of how you're trying to use Samba.
> thnx
> Greg
>
>
>
> ___________________________________________
> Martin Brown, Unix Systems Administrator
> Tantalus Communications Inc.
> 500-1122 Mainland Street
> Vancouver, BC, Canada V6B 5L1
> martin@tantalus.com
>
> Direct 604.721-0351
> Main 604.609.0700
> Fax 604.609.0705
> Toll Free 1.877.326.6776
>
> http://www.tantalus.com
> "When eBusiness experience counts."
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From skvidal at phy.duke.edu Mon Feb 14 21:50:10 2000
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:34 2003 Subject: Samba and Deleted files In-Reply-To: Message-ID: > Anyone know how to make a Network Trash can? Sorry, I am all Novell. look through the registry - somewhere within there (sorry don't have the entry right now) it defines where the "trash can" is - you can define it so it sits on a network folder so in theory someone could restore from there. its not perfect but it might help. I'll have to look around to see if I can still find it. I did it a long time ago under 95 for user home dirs so its been a while. it should still work under 98/nt -sv From mgeddes at xavier.sa.edu.au Mon Feb 14 22:03:36 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:34 2003 Subject: TNG - alpha 0.2 Message-ID: <38A87BB8.7129F889@xavier.sa.edu.au> Hi Guys, I'm having a problem with samba tng alpha 0.2. The new daemons don't appear to do anything. I have debugging set to 10 on all processes and they all write a message in the logs to tell me that they have started, but smbd and nmbd are the only processes that write any further information to their respective logs. My Bad? Is 0.3 any better? Thanks guys, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft -------------- next part -------------- HTML attachment scrubbed and removed From JasonJensen at home.com Mon Feb 14 22:09:45 2000 
From: JasonJensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:34 2003 Subject: Samba and Windows2000 References: Message-ID: <000601bf7738$335055c0$0201a8c0@jason> Problem with Samba; I can login fine win win2k.. i can browse everything.. except i cannot setup or even see the printer.. all i see is "printers" and ADD inside that.. and it don't even work.. out side of that is see a printer called printers.. but i can't use it.. it errors.. when even i get a listing of the user names.. or i goto the security properties of something with a Samba_domain user or group (anything with a samba sid or mac) it errors out.. i also don't have administrator rights on any account but the local admin even tho the group domain admins and my user is in the local administrator group... From lkcl at samba.org Mon Feb 14 22:13:32 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:34 2003 Subject: TNG - alpha 0.2 In-Reply-To: <38A87BB8.7129F889@xavier.sa.edu.au> Message-ID: > Is 0.3 any better? yes. always follow the latest unless it works for you and your environment. From mark.vidulich at richmond.co.nz Tue Feb 15 03:43:41 2000 From: mark.vidulich at richmond.co.nz (MARK VIDULICH) Date: Tue Dec 2 02:28:34 2003 Subject: Join Mailing List Message-ID: <81803C17EC40D21199DA0008C74C08D379A4F7@xchangent.richmond.co.nz> Hi Please add me to you mailing list. Regards Mark Vidulich Technical Support Analyst RICHMOND LIMITED 507w Eastbourne Street Hastings New Zealand Phone +64-6-878-6464 ext. 8056. FAX +64-6-878-0959 From anders at aae.wisc.edu Tue Feb 15 03:59:30 2000 
From: anders at aae.wisc.edu (Anders C. Thorsen)
Date: Tue Dec 2 02:28:34 2003
Subject: Join Mailing List
In-Reply-To: <81803C17EC40D21199DA0008C74C08D379A4F7@xchangent.richmond.co.nz> from MARK VIDULICH at "Feb 15, 2000 02:47:14 pm"
Message-ID: <200002150359.VAA14725@pug.aae.wisc.edu>

Ok.. for n-th time! Look at samba.org for join info. Someone neeeed to fix this... 100 msgs a day + junk as this!!! argh!!!!!!

BTW: Sorry for the off-topic

Anders C. Thorsen

[Charset iso-8859-1 unsupported, filtering to ASCII...]
> Hi
>
> Please add me to you mailing list.
>
>
>
> Regards
>
> Mark Vidulich
> Technical Support Analyst
>
> RICHMOND LIMITED
> 507w Eastbourne Street
> Hastings
> New Zealand
> Phone +64-6-878-6464 ext. 8056.
> FAX +64-6-878-0959
>

From tomek at is.fh-hamburg.de Tue Feb 15 08:31:41 2000
From: tomek at is.fh-hamburg.de (Tomek Jarosinski)
Date: Tue Dec 2 02:28:34 2003
Subject: Samba TNG
Message-ID: <38A90EED.C0C791D6@is.fh-hamburg.de>

Why Samba TNG is called TNG ? What does TNG mean ?

Tomek Jarosinski

From Daniel.Sandmeier at HWK-DO.DE Tue Feb 15 08:56:49 2000
From: Daniel.Sandmeier at HWK-DO.DE (Daniel Sandmeier)
Date: Tue Dec 2 02:28:34 2003
Subject: Samba TNG
References: <38A90EED.C0C791D6@is.fh-hamburg.de>
Message-ID: <38A914D1.F492133E@hwk-do.de>

TNG means The Next Generation. It's the attempt to give Samba full PDC functionality

For more information on this topic please refer to http://www.kneschke.de/projekte/samba_tng/index.php3

It's all described there, even the difference between Main and TNG!!!

Regards
DerSandos

Tomek Jarosinski wrote:

> Why Samba TNG is called TNG ? What does TNG mean ?
> Tomek Jarosinski

From informatique at cssf.lu Tue Feb 15 09:54:46 2000
From: informatique at cssf.lu (informatique)
Date: Tue Dec 2 02:28:34 2003
Subject: Unable to see Samba server in Network Neighborhood
Message-ID: <38A92266.9A2F4068@cssf.lu>

Hello,

I try to set up Samba (version 2.0.5a-12) on Redhat 6.1 and I don't succeed in seeing the Samba server (name INPDC) in Network Neighborhood on a NT Workstation (SP 6a).

The Netbios Name resolution doesn't work either (no WINS Server used in the NT network, neither a domain controller): I need to give the IP address to make a "net view" for example.

In fact, when I try to do: "ping inpdc", NT tries to ping localhost address (127.0.0.1).
When I make then: "nbtstat -A 10.150.16.1" (IP address of Samba server), NT returns that Name INPDC is registered.
When finally I do "nbtstat -c", he gives IP address 127.0.0.1 for INPDC
NT finds INPDC when I do "Find Computer".

For simple testing, I use a very simple configuration file, which I think, should be able at least to show me the Server in network neighborhood. I've tried with more complete configuration files, but the result was always the same.

Here my smb.conf file:

[Common]
    path = /home/common
    writeable = yes
    valid users = @internet

Thanks for all help,

Jean-Jacques

From Alan.Hourihane at pinacl.co.uk Tue Feb 15 10:03:50 2000
From: Alan.Hourihane at pinacl.co.uk (Alan Hourihane)
Date: Tue Dec 2 02:28:34 2003
Subject: Printing in TNG
In-Reply-To: <3.0.6.32.20010214105931.0096a8d0@203.16.214.248>
Message-ID: <004701bf779b$f51c92f0$1ad120c1@pinacl.co.uk>

> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of
> Richard Sharpe
> Sent: 14 February 2000 20:32
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Printing in TNG
>
>
> At 01:17 AM 2/15/00 +1100, Alan Hourihane wrote:
> >I'm using multiple config files using the
> >
> >netbios aliases = .... and
> >include = smb.conf.%L
>
> I assume that the printer definitions are in the file included?
>

Correct.

> This does not gell with your next message, which claims that the include
> line is being ignored. Rather, it seems more like Samba is
> pulling all the
> include lines into the one server, but clients should start new tcp
> connections for each virtual server, because the NetBIOS names
> are different.
>

No. I said 'it appears as though' not that it 'is being' ignored.

Let me explain more....

Primary NetBIOS name is 'LEEDS'
NetBIOS aliases are 'LE-PRINTER' and 'DISTLEEDS'

I have include files defined as

smb.conf.leeds
[netlogon]
.....
[fax]
....

smb.conf.le-printer
[Services]
....
[CableSales]
.....

smb.conf.distleeds
[os]
....

Now, If I do a 'net view \\leeds' all is well and shows me the shares available in the smb.conf.leeds file.

If I do a 'net view \\le-printer' it should show only the ones defined in smb.conf.le-printer, but doesn't show any. It only shows the same shares defined in smb.conf.leeds.

And the same goes for 'net view \\distleeds' which shows on shares defined in smb.conf.leeds.

Alan.

From snail_talk at yahoo.com Tue Feb 15 10:15:04 2000
From: snail_talk at yahoo.com (geoffrey lee)
Date: Tue Dec 2 02:28:34 2003
Subject: Funny Stuff
In-Reply-To: <20000214183032.E28896@uni-mainz.de>
Message-ID: <000301bf779d$86abcc80$0200000a@workstation1>

hi,

> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Dominik Kubla > Sent: Tuesday, February 15, 2000 1:33 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Funny Stuff > > > On Mon, Feb 14, 2000 at 07:06:35PM +1100, geoffrey lee wrote: > > > > no, it's freebsd. i'm pretty sure. if you do a netcraft.com on them > > > > No it's not: all you see are the web and mail frontends, you don't see oh ...i almost forgot. client OS is mainly m$ ;) > the E10000's running the databases and filei servers. And i would be don't know. but someone went as far as to search fro all the IPs of hotmail (you can easily do that) and did a netcraft on them. result: it's freeBSD. > very surprised to see FreeBSD run on SPARC hardware... > > Dominik > From mg at plum.de Tue Feb 15 10:23:50 2000 From: mg at plum.de (Michael Glauche) Date: Tue Dec 2 02:28:34 2003 Subject: Funny Stuff References: <000301bf779d$86abcc80$0200000a@workstation1> Message-ID: <38A92936.729BC42A@plum.de> geoffrey lee wrote: > > > > > On Mon, Feb 14, 2000 at 07:06:35PM +1100, geoffrey lee wrote: > > > > > > no, it's freebsd. i'm pretty sure. if you do a netcraft.com on them > > > > > > > No it's not: all you see are the web and mail frontends, you don't see > > oh ...i almost forgot. client OS is mainly m$ ;) > > > the E10000's running the databases and filei servers. And i would be > > don't know. but someone went as far as to search fro all the IPs of hotmail > (you can easily do that) and did a netcraft on them. result: it's freeBSD. You could bet, that the database servers have no official IP ... I mean .. who would connect your database system directly to the internet ?? :) So, I suspect, that the sun servers are on some kind of VPN, with private IP adresses ... regards, Michael -- Samba NT-Domain howto (in german) http://www.sambahq.de From Olivier.Brousselle at univ-lehavre.fr Tue Feb 15 10:27:27 2000 
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:34 2003
Subject: TNG and WinFrame
Message-ID: <38A92A0F.A125A638@univ-lehavre.fr>

Hi all,

I'm using Samba TNG as a PDC. I have NT 4.0 SP5 workstations and a Winframe 1.7 Server.

When I try to log into the Winframe, it's very slow, and it generates a lot of messages. In fact, the winframe server tries to connect the network drive, but it can't, or the session is crashed.

Any idea ?

--
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences        Laboratoire de mécanique
Monday to Wednesday         Thursday and Friday
Tel : 02/32/74/43/37        02/32/74/49/67
Fax : 02/32/74/43/14        02/32/74/49/60

From j.m.vanderneut at student.utwente.nl Tue Feb 15 10:41:03 2000
From: j.m.vanderneut at student.utwente.nl (Jasper van der Neut) Date: Tue Dec 2 02:28:34 2003 Subject: Very strange problems with SAMBA_TNG In-Reply-To: Message-ID: <3.0.3.32.20000215114103.00a46100@mail.student.utwente.nl> At 23:58 12-2-00 +1100, Volker Christian wrote: > >Hello everybody, > >I don't want to mess up this list with stupid questions, so if this is one >of these, please ignore it. > >I have a very strange problem when using one of the newer (and also the >newest I get today via cvs) tng-code. A approximately two weeks old code >works fine (I am sorry, I don't know exactly the day I checked the working >code out from the repository). > >The problem is the following. Every time I want connect to the server as a >user with a username longer then three characters smbd crashes. The effect >is the same when I want to join the domain maintained by the samba-PDC with >a WinNT box with a netbios-name longer then three characters. I really >played around long with it - also I set up a second linux-box with a late >tng-code - the effect is the same - smbd crashes if ... longer then three >character. > I think I have the same problem. With a username of 2 characters I can login, with a username of 6 characters in length it crashes. If I run the smbd in gdb it crashes with 'cannot access memory at 0x660065' Below is a piece from my log.smb. 
Jasper switch message SMBtconX (pid 14080) lookup user 3700,65 000000 vuid_io_key key 0000 pid : 00003700 0004 vuid: 0065 000000 vuid_io_user_struct usr 0000 uid: 00641f40 0004 gid: 616a0064 0008 name: jasper 0010 requested_name: ja 0014 real_name: er 0018 guest: 6c75463c 001c n_groups: 614e206c 0020 : 003e656d 0024 : 00000000 0028 : 00000004 002c : 00650064 0030 : 00660065 0034 : 00670066 0038 : 00000067 003c : 00000000 0040 : 00000000 0044 : 00000000 0048 : 00000000 004c : 00000000 0050 : 00000000 0054 : 00000000 0058 : 00000000 005c : 00000000 0060 : 00000000 0064 : 00000000 0068 : 00000000 006c : 00000000 0070 : 00000000 0074 : 00000000 0078 : 00000000 007c : 00000000 0080 : 00000000 0084 : 00000000 0088 : 00000000 008c : 00000000 0090 : 00000000 0094 : 00000000 0098 : 00000000 009c : 00000000 00a0 : 00000000 00a4 : 00000000 00a8 : 00000000 00ac : 00000000 00b0 : 00000000 00b4 : 00000000 00b8 : 00000000 00bc : 00000000 00c0 : 00000000 00c4 : 00000000 00c8 : 00000000 00cc : 00000000 00d0 : 00000000 00d4 : 00000000 00d8 : 00000000 00dc : 00000000 00e0 : 00000000 00e4 : 00000000 00e8 : 00000000 00ec : 00000000 00f0 : 00000000 00f4 : 00000000 00f8 : 00000000 00fc : 00000000 0100 : 00000000 0104 : 00000000 0108 : 00000000 010c : 00000000 0110 : 00000000 0114 : 00000000 0118 : 00000000 _prs_uint32 error () ps: io Yes align 4 offset 284 err 1 data 0x80c18c8 [000] 40 1F 64 00 64 00 6A 61 6A 61 73 70 65 72 00 00 @.d.d.ja jasper.. [010] 6A 61 73 70 65 72 00 00 3C 46 75 6C 6C 20 4E 61 jasper.. ..... ....d.e. [030] 65 00 66 00 66 00 67 00 67 00 00 00 00 00 00 00 e.f.f.g. g....... [040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ 
[090] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0A0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0B0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0C0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0D0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0E0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0F0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [100] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [110] 00 00 00 00 00 00 00 00 00 00 00 00 ........ .... Got device type IPC lookupsmbpwntnam: nt user name WHISKY\ name 'WHISKY\' split into domain:WHISKY and nt name:' Allowed connection from lochnagar.cal5.nl (192.168.1.81) =============================================================== INTERNAL ERROR: Signal 11 in pid 14080 (TNG-prealpha) Please read the file BUGS.txt in the distribution =============================================================== PANIC: internal error From voc at fl.aec.at Tue Feb 15 11:16:47 2000 
From: voc at fl.aec.at (Volker Christian)
Date: Tue Dec 2 02:28:34 2003
Subject: AW: Very strange problems with SAMBA_TNG
Message-ID:

I still have the same problem. Could it be, that we use a wrong libc? I use Slackware 4.0 and libc5.

The test, which Luke suggests, trying odd and even length names was not successful. A username shorter or equal than 3 characters works well but any username longer than 3 characters crashes smbd.

Any ideas out?

Voc

-----Original Message-----
From: Jasper van der Neut [mailto:j.m.vanderneut@student.utwente.nl]
Sent: Tuesday, February 15, 2000 11:46 AM
To: Multiple recipients of list SAMBA-NTDOM
Subject: Re: Very strange problems with SAMBA_TNG

At 23:58 12-2-00 +1100, Volker Christian wrote:
>
>Hello everybody,
>
>I don't want to mess up this list with stupid questions, so if this is one
>of these, please ignore it.
>
>I have a very strange problem when using one of the newer (and also the
>newest I get today via cvs) tng-code. A approximately two weeks old code
>works fine (I am sorry, I don't know exactly the day I checked the working
>code out from the repository).
>
>The problem is the following. Every time I want connect to the server as a
>user with a username longer then three characters smbd crashes. The effect
>is the same when I want to join the domain maintained by the samba-PDC with
>a WinNT box with a netbios-name longer then three characters. I really
>played around long with it - also I set up a second linux-box with a late
>tng-code - the effect is the same - smbd crashes if ... longer then three
>character.
>

I think I have the same problem. With a username of 2 characters I can login, with a username of 6 characters in length it crashes. If I run the smbd in gdb it crashes with 'cannot access memory at 0x660065'

Below is a piece from my log.smb.
Jasper

From j.m.vanderneut at student.utwente.nl Tue Feb 15 11:40:45 2000
From: j.m.vanderneut at student.utwente.nl (Jasper van der Neut)
Date: Tue Dec 2 02:28:34 2003
Subject: AW: Very strange problems with SAMBA_TNG
In-Reply-To:
Message-ID: <3.0.3.32.20000215124045.00a46ac0@mail.student.utwente.nl>

At 22:19 15-2-00 +1100, Volker Christian wrote:
>I still have the same problem. Could it be, that we use a wrong libc? I use
>Slackware 4.0 and libc5.

I use Slackware with libc5 (version 5.4.33) too...

>The test, which Luke suggests, trying odd and even length names was not
>successful.
>A username shorter or equal than 3 characters works well but any username
>longer than 3
>characters crashes smbd.
>
>Any ideas out?

I tried using another compiler (gcc-2.7.2.1 instead of pgcc-2.91.60) but that didn't make any difference.

Jasper

> -----Original Message-----
>From: Jasper van der Neut [mailto:j.m.vanderneut@student.utwente.nl]
>Sent: Tuesday, February 15, 2000 11:46 AM
>To: Multiple recipients of list SAMBA-NTDOM
>Subject: Re: Very strange problems with SAMBA_TNG
>
>At 23:58 12-2-00 +1100, Volker Christian wrote:
>>
>>Hello everybody,
>>
>>I don't want to mess up this list with stupid questions, so if this is one
>>of these, please ignore it.
>>
>>I have a very strange problem when using one of the newer (and also the
>>newest I get today via cvs) tng-code. A approximately two weeks old code
>>works fine (I am sorry, I don't know exactly the day I checked the working
>>code out from the repository).
>>
>>The problem is the following. Every time I want connect to the server as a
>>user with a username longer then three characters smbd crashes. The effect
>>is the same when I want to join the domain maintained by the samba-PDC with
>>a WinNT box with a netbios-name longer then three characters. I really
>>played around long with it - also I set up a second linux-box with a late
>>tng-code - the effect is the same - smbd crashes if ... longer then three
>>character.
>>
>
>I think I have the same problem. With a username of 2 characters I can
>login,
>with a username of 6 characters in length it crashes. If I run the smbd in
>gdb it crashes with 'cannot access memory at 0x660065'
>
>

From hanak at IRIS.osu.cz Tue Feb 15 12:41:44 2000
From: hanak at IRIS.osu.cz (Ondrej Hanak)
Date: Tue Dec 2 02:28:34 2003
Subject: UNIX passwd sync problem
Message-ID:

Hello everybody,

i had problem with subject few days ago. I was looking for older mails in NTDOM and found that a lot of people had same problem. Many people reported that passwd program dies while smbd talks to. Or no response causes empty responsebuf in log file. Such like:

[2000/02/14 13:43:42, 100] smbd/chgpasswd.c:talktochild(276)
  talktochild: chatbuf=[*successfull*] responsebuf=[]
[2000/02/14 13:43:42, 3] smbd/chgpasswd.c:talktochild(279)
  response 3 incorrect

I tried analyze smbd/chgpasswd.c. I found, that for IPC between smbd and passwd terminal pair was used. I must say that i don't understand why. I changed IPC from terminal pair to two pipes (standard IPC, well explained by W. R. Stevens in UNIX network programming). Now everything goes fine. UNIX password syncing works as expected.

I am using RedHat Linux 6.1 (glibc2.1) with kernel 2.2.13 and samba2.1.0-prealpha.

Anybody who is interested in this solution can mail me. And i'll send source code back.

Nice day with great SAMBA software ;)

O.H.

From Peter.Mann at hrz.uni-kassel.de Tue Feb 15 14:50:46 2000
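The two-pipe exchange Ondrej Hanak describes in the "UNIX passwd sync problem" message above, as an added example; it is not his patch and not code from smbd/chgpasswd.c. The names chat_step, chat_with_child and demo_chat are hypothetical, the expect strings are plain substrings rather than Samba's wildcard chat patterns, and a constructed /bin/sh script stands in for passwd.

```c
/* Added example (not Samba code): drive a password-changing child over two pipes.
 * chat_step, chat_with_child, demo_chat and the stand-in script are assumptions. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct chat_step {
    const char *expect; /* substring that must appear in the child's output */
    const char *send;   /* reply written to the child's stdin, or NULL */
};

/* Collect child output until `expect` appears; -1 on timeout, EOF or overflow. */
static int wait_for(int fd, const char *expect, int timeout_sec)
{
    char buf[512] = "";
    size_t len = 0;
    while (strstr(buf, expect) == NULL) {
        struct timeval tv = { timeout_sec, 0 };
        fd_set rfds;
        ssize_t n;
        if (len == sizeof(buf) - 1)
            return -1;                  /* too much unmatched output */
        FD_ZERO(&rfds); FD_SET(fd, &rfds);
        if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
            return -1;                  /* child went silent */
        n = read(fd, buf + len, sizeof(buf) - 1 - len);
        if (n <= 0)
            return -1;                  /* child exited or closed its output */
        len += (size_t)n;
        buf[len] = '\0';
    }
    return 0;
}

/* Run argv[0] with its stdio on pipes and play the chat script.
 * Returns 0 only if every step matched and the child exited with status 0. */
int chat_with_child(char *const argv[], const struct chat_step *steps, size_t nsteps)
{
    int to_child[2], from_child[2], status, rc = 0;
    size_t i;
    pid_t pid;
    if (pipe(to_child) < 0) return -1;
    if (pipe(from_child) < 0) { close(to_child[0]); close(to_child[1]); return -1; }
    signal(SIGPIPE, SIG_IGN);           /* writing to a dead child returns EPIPE */
    pid = fork();
    if (pid == 0) {                     /* child: the pipes become its stdio */
        dup2(to_child[0], STDIN_FILENO);
        dup2(from_child[1], STDOUT_FILENO);
        dup2(from_child[1], STDERR_FILENO);
        close(to_child[0]); close(to_child[1]);
        close(from_child[0]); close(from_child[1]);
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    close(to_child[0]);                 /* parent keeps only its own ends */
    close(from_child[1]);
    for (i = 0; pid > 0 && i < nsteps && rc == 0; i++) {
        const char *s = steps[i].send;
        if (wait_for(from_child[0], steps[i].expect, 5) < 0)
            rc = -1;                    /* expected prompt never came */
        else if (s != NULL && write(to_child[1], s, strlen(s)) < 0)
            rc = -1;
    }
    close(to_child[1]);                 /* EOF on stdin: nothing more to send */
    close(from_child[0]);
    if (pid < 0) return -1;             /* fork failed */
    if (rc < 0)
        kill(pid, SIGTERM);             /* do not leave a stuck child behind */
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed stand-in for a passwd program: prompts twice, compares answers. */
int demo_chat(const char *new_pw, const char *retyped_pw)
{
    char *const argv[] = { "/bin/sh", "-c",
        "printf 'New password: '; read -r a; printf 'Retype new password: '; "
        "read -r b; [ \"$a\" = \"$b\" ] && echo 'password updated successfully'",
        NULL };
    char first[128], second[128];
    struct chat_step steps[3] = {
        { "New password", first }, { "Retype", second }, { "successfull", NULL } };
    snprintf(first, sizeof(first), "%s\n", new_pw);
    snprintf(second, sizeof(second), "%s\n", retyped_pw);
    return chat_with_child(argv, steps, 3);
}

int main(void)
{
    printf("matching passwords:   %d\n", demo_chat("Example-pw-1", "Example-pw-1"));
    printf("mismatched passwords: %d\n", demo_chat("Example-pw-1", "typo"));
    return 0;
}
```

The password travels over the pipe, not on the command line, so it never shows up in the process list. A password program that reads its answers from /dev/tty instead of stdin will not see what is written to the pipe, so check the exchange against the real passwd binary on the target system.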
From: Peter.Mann at hrz.uni-kassel.de (Peter Mann)
Date: Tue Dec 2 02:28:35 2003
Subject: compile error
Message-ID:

Hello,

I have IBM RS6000 AIX 4.2 and try to compile (gcc) the latest version of samba. I have copied samba source-code via cvs. The make runs until this error:

Compiling rpcclient/rpcclient.c
rpcclient/rpcclient.c: In function `main':
rpcclient/rpcclient.c:768: Internal compiler error in `build_insn_chain', at global.c:1756
Please submit a full bug report.
See for instructions.
make: 1254-004 The error code from the last command is 1.

Best regards

Peter Mann   Tel. +49 0561/804-2465
GhK University of Kassel Computer-Center   Secr. +49 0561/804-2287
Moenchebergstrasse 11   Telefax +49 0561/804-2297
D-34109 Kassel / Fed.Rep. Germany   E-Mail Mann@HRZ.UNI-Kassel.DE
PGP Public Key e-mail to: pgp-public-keys@keys.de.pgp.net Subject: get mann@hrz.uni-kassel.de

From johanh at fusion.kth.se Tue Feb 15 16:28:41 2000
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:28:35 2003
Subject: Problems starting the current CVS (MAIN branch) version
In-Reply-To:
Message-ID:

On Tue, 15 Feb 2000, Johan Hedin wrote:

> I get the following in smbd.log on Solaris 2.6 in the current CVS version
> (updated Mon Feb 14 14:57:15 MET 2000).
>
> [2000/02/14 13:42:04, 0] lib/pidfile.c:pidfile_create(99)
> ERROR: smbd : fcntl lock of file /var/samba/locks/smbd.pid failed. Error was No such file or directory

Aha, I found the reason, running configure in an AFS file system will trigger this. Compiling in /tmp works fine.

From inge at cc.uit.no Tue Feb 15 20:40:43 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:35 2003
Subject: Problems with samba_TNG
Message-ID: <38A9B9CB.B40B08D6@cc.uit.no>

Hi,

Here are some problems with samba_TNG from yesterday compiled with ldap support on a RH6.1 box:

smbclient accepts any passwords
rpcclient accepts any passwords
but creating users and changing passwords doesn't work with any passwords.

In rpcclient it is enough to press tab to get it to segfault. I haven't investigated how many ways I can get the rpcclient to segfault but it's not few. An example is to use the rpcclient to log in to an existing domain and do an enumusers, actually when I generated some more users in the TNG domain it segfaulted there too, at least it segfaulted with my setup. I'm happy to provide log files and such to help solving this.

If I can, I suggest that you give the rpcclient defaults like if no -S flag is given then it defaults to localhost. And how about give some information about which flags you can give each command when you say "help " i.e.. "help enumusers" would give you info about the -g, -a and -u flags.

I used smbpasswd to create a machine account and then when I tried to join the domain with a NT4WS then I got this error:

Unable to connect to the domain controller for this domain. Have your administrator check your computer account on the domain

If I tried to give an administrator account and a password. I got a DR. Watson because of an error in rundll32.exe:

An application error has occurred and an application error log is being generated

rundll32.exe
Exception: access violation (0x0000005), Address: 0x77f7beed

If I try to use the createuser command in rpcclient it looks like this:

[ldap\inges@.]$ createuser jink$
createuser jink$
SAM Create Domain User
Domain: LDAP Name: jink$ ACB: [W ]
Create Domain User: FAILED

Hope that it is possible to find a solution to my problems.

inge

From lkcl at samba.org Tue Feb 15 21:18:05 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Samba TNG
In-Reply-To: <38A90EED.C0C791D6@is.fh-hamburg.de>
Message-ID:

the next generation.

On Tue, 15 Feb 2000, Tomek Jarosinski wrote:

> Why Samba TNG is called TNG ? What does TNG mean ?
> Tomek Jarosinski
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 15 21:19:40 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: TNG and WinFrame
In-Reply-To: <38A92A0F.A125A638@univ-lehavre.fr>
Message-ID:

hi olivier, please update / report which date you have for tng.

On Tue, 15 Feb 2000, Olivier Brousselle wrote:

> Hi all,
>
> I'm using Samba TNG as a PDC. I have NT 4.0 SP5 workstations and
> a Winframe 1.7 Server.
>
> When I try to log into the Winframe, it's very slow, and it's generate
> a lot of messages. In fact, the winframe server try to connect the
> network
> drive, but it can't, or the session is crashed.
>
> Any idea ?
>
> --
> Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
> ==================================================================
> Faculté des sciences        Laboratoire de mécanique
> Monday to Wednesday         Thursday and Friday
> Tel : 02/32/74/43/37        02/32/74/49/67
> Fax : 02/32/74/43/14        02/32/74/49/60
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 15 21:21:26 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Very strange problems with SAMBA_TNG
In-Reply-To: <3.0.3.32.20000215114103.00a46100@mail.student.utwente.nl>
Message-ID:

jasper, please describe your exact configuration, it also looks like you have incompatible versions of smbd + msrpc daemons. please make sure you use smbd + msrpc daemons from the same cvs tree, thx.

On Tue, 15 Feb 2000, Jasper van der Neut wrote:

> At 23:58 12-2-00 +1100, Volker Christian wrote:
> >
> >Hello everybody,
> >
> >I don't want to mess up this list with stupid questions, so if this is one
> >of these, please ignore it.
> >
> >I have a very strange problem when using one of the newer (and also the
> >newest I get today via cvs) tng-code. An approximately two weeks old code
> >works fine (I am sorry, I don't know exactly the day I checked the working
> >code out from the repository).
> >
> >The problem is the following. Every time I want to connect to the server as a
> >user with a username longer than three characters smbd crashes. The effect
> >is the same when I want to join the domain maintained by the samba-PDC with
> >a WinNT box with a netbios-name longer than three characters. I really
> >played around long with it - also I set up a second linux-box with a late
> >tng-code - the effect is the same - smbd crashes if ... longer than three
> >character.
> >
>
> I think I have the same problem. With a username of 2 characters I can login,
> with a username of 6 characters in length it crashes. If I run the smbd in
> gdb it crashes with 'cannot access memory at 0x660065'
>
> Below is a piece from my log.smb.
>
> Jasper
>
>
> switch message SMBtconX (pid 14080)
> lookup user 3700,65
> 000000 vuid_io_key key
>     0000 pid : 00003700
>     0004 vuid: 0065
> 000000 vuid_io_user_struct usr
>     0000 uid: 00641f40
>     0004 gid: 616a0064
>     0008 name: jasper
>     0010 requested_name: ja
>     0014 real_name: er
>     0018 guest: 6c75463c
>     001c n_groups: 614e206c
>     0020 : 003e656d
>     0024 : 00000000
>     0028 : 00000004
>     002c : 00650064
>     0030 : 00660065
>     0034 : 00670066
>     0038 : 00000067
>     003c : 00000000
>     0040 : 00000000
>     0044 : 00000000
>     0048 : 00000000
>     004c : 00000000
>     0050 : 00000000
>     0054 : 00000000
>     0058 : 00000000
>     005c : 00000000
>     0060 : 00000000
>     0064 : 00000000
>     0068 : 00000000
>     006c : 00000000
>     0070 : 00000000
>     0074 : 00000000
>     0078 : 00000000
>     007c : 00000000
>     0080 : 00000000
>     0084 : 00000000
>     0088 : 00000000
>     008c : 00000000
>     0090 : 00000000
>     0094 : 00000000
>     0098 : 00000000
>     009c : 00000000
>     00a0 : 00000000
>     00a4 : 00000000
>     00a8 : 00000000
>     00ac : 00000000
>     00b0 : 00000000
>     00b4 : 00000000
>     00b8 : 00000000
>     00bc : 00000000
>     00c0 : 00000000
>     00c4 : 00000000
>     00c8 : 00000000
>     00cc : 00000000
>     00d0 : 00000000
>     00d4 : 00000000
>     00d8 : 00000000
>     00dc : 00000000
>     00e0 : 00000000
>     00e4 : 00000000
>     00e8 : 00000000
>     00ec : 00000000
>     00f0 : 00000000
>     00f4 : 00000000
>     00f8 : 00000000
>     00fc : 00000000
>     0100 : 00000000
>     0104 : 00000000
>     0108 : 00000000
>     010c : 00000000
>     0110 : 00000000
>     0114 : 00000000
>     0118 : 00000000
> _prs_uint32 error () ps: io Yes align 4 offset 284 err 1 data 0x80c18c8
> [000] 40 1F 64 00 64 00 6A 61 6A 61 73 70 65 72 00 00  @.d.d.ja jasper..
> [010] 6A 61 73 70 65 72 00 00 3C 46 75 6C 6C 20 4E 61  jasper.. <Full Na
> [020] 6D 65 3E 00 00 00 00 00 04 00 00 00 64 00 65 00  me>..... ....d.e.
> [030] 65 00 66 00 66 00 67 00 67 00 00 00 00 00 00 00  e.f.f.g. g.......
> [040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [090] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0A0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0B0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0C0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0D0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0E0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0F0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [100] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [110] 00 00 00 00 00 00 00 00 00 00 00 00  ........ ....
> Got device type IPC
> lookupsmbpwntnam: nt user name WHISKY\
> name 'WHISKY\' split into domain:WHISKY and nt name:'
> Allowed connection from lochnagar.cal5.nl (192.168.1.81)
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 14080 (TNG-prealpha)
> Please read the file BUGS.txt in the distribution
> ===============================================================
> PANIC: internal error
>
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 15 21:23:15 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: AW: Very strange problems with SAMBA_TNG
In-Reply-To:
Message-ID:

the log file shows that the vuid.tdb is corrupted. hmm. delete var/locks/vuid.tdb, ok?

On Tue, 15 Feb 2000, Volker Christian wrote:

> I still have the same problem. Could it be, that we use a wrong libc? I use
> Slackware 4.0 and libc5.
>
> The test, which Luke suggests, trying odd and even length names was not
> successful.
> A username shorter or equal than 3 characters works well but any username
> longer than 3
> characters crashes smbd.
>
> Any ideas out?
>
> Voc
>
> -----Original Message-----
> From: Jasper van der Neut [mailto:j.m.vanderneut@student.utwente.nl]
> Sent: Tuesday, February 15, 2000 11:46 AM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: Very strange problems with SAMBA_TNG
>
> At 23:58 12-2-00 +1100, Volker Christian wrote:
> >
> >Hello everybody,
> >
> >I don't want to mess up this list with stupid questions, so if this is one
> >of these, please ignore it.
> >
> >I have a very strange problem when using one of the newer (and also the
> >newest I get today via cvs) tng-code. An approximately two weeks old code
> >works fine (I am sorry, I don't know exactly the day I checked the working
> >code out from the repository).
> >
> >The problem is the following. Every time I want to connect to the server as a
> >user with a username longer than three characters smbd crashes. The effect
> >is the same when I want to join the domain maintained by the samba-PDC with
> >a WinNT box with a netbios-name longer than three characters. I really
> >played around long with it - also I set up a second linux-box with a late
> >tng-code - the effect is the same - smbd crashes if ... longer than three
> >character.
> >
>
> I think I have the same problem. With a username of 2 characters I can
> login,
> with a username of 6 characters in length it crashes. If I run the smbd in
> gdb it crashes with 'cannot access memory at 0x660065'
>
> Below is a piece from my log.smb.
>
> Jasper
>
>
> switch message SMBtconX (pid 14080)
> lookup user 3700,65
> 000000 vuid_io_key key
>     0000 pid : 00003700
>     0004 vuid: 0065
> 000000 vuid_io_user_struct usr
>     0000 uid: 00641f40
>     0004 gid: 616a0064
>     0008 name: jasper
>     0010 requested_name: ja
>     0014 real_name: er
>     0018 guest: 6c75463c
>     001c n_groups: 614e206c
>     0020 : 003e656d
>     0024 : 00000000
>     0028 : 00000004
>     002c : 00650064
>     0030 : 00660065
>     0034 : 00670066
>     0038 : 00000067
>     003c : 00000000
>     0040 : 00000000
>     0044 : 00000000
>     0048 : 00000000
>     004c : 00000000
>     0050 : 00000000
>     0054 : 00000000
>     0058 : 00000000
>     005c : 00000000
>     0060 : 00000000
>     0064 : 00000000
>     0068 : 00000000
>     006c : 00000000
>     0070 : 00000000
>     0074 : 00000000
>     0078 : 00000000
>     007c : 00000000
>     0080 : 00000000
>     0084 : 00000000
>     0088 : 00000000
>     008c : 00000000
>     0090 : 00000000
>     0094 : 00000000
>     0098 : 00000000
>     009c : 00000000
>     00a0 : 00000000
>     00a4 : 00000000
>     00a8 : 00000000
>     00ac : 00000000
>     00b0 : 00000000
>     00b4 : 00000000
>     00b8 : 00000000
>     00bc : 00000000
>     00c0 : 00000000
>     00c4 : 00000000
>     00c8 : 00000000
>     00cc : 00000000
>     00d0 : 00000000
>     00d4 : 00000000
>     00d8 : 00000000
>     00dc : 00000000
>     00e0 : 00000000
>     00e4 : 00000000
>     00e8 : 00000000
>     00ec : 00000000
>     00f0 : 00000000
>     00f4 : 00000000
>     00f8 : 00000000
>     00fc : 00000000
>     0100 : 00000000
>     0104 : 00000000
>     0108 : 00000000
>     010c : 00000000
>     0110 : 00000000
>     0114 : 00000000
>     0118 : 00000000
> _prs_uint32 error () ps: io Yes align 4 offset 284 err 1 data 0x80c18c8
> [000] 40 1F 64 00 64 00 6A 61 6A 61 73 70 65 72 00 00  @.d.d.ja jasper..
> [010] 6A 61 73 70 65 72 00 00 3C 46 75 6C 6C 20 4E 61  jasper.. <Full Na
> [020] 6D 65 3E 00 00 00 00 00 04 00 00 00 64 00 65 00  me>..... ....d.e.
> [030] 65 00 66 00 66 00 67 00 67 00 00 00 00 00 00 00  e.f.f.g. g.......
> [040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [050] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [060] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [070] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [080] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [090] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0A0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0B0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0C0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0D0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0E0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [0F0] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [100] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ........ ........
> [110] 00 00 00 00 00 00 00 00 00 00 00 00  ........ ....
> Got device type IPC
> lookupsmbpwntnam: nt user name WHISKY\
> name 'WHISKY\' split into domain:WHISKY and nt name:'
> Allowed connection from lochnagar.cal5.nl (192.168.1.81)
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 14080 (TNG-prealpha)
> Please read the file BUGS.txt in the distribution
> ===============================================================
> PANIC: internal error
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From inge at cc.uit.no Tue Feb 15 23:32:35 2000
From: inge at cc.uit.no (Inge-Haavard Hunstad)
Date: Tue Dec 2 02:28:35 2003
Subject: Problems with samba_TNG
References: <38A9B9CB.B40B08D6@cc.uit.no>
Message-ID: <38A9E213.280A801@cc.uit.no>

Now I remember what was new in TNG; trusting yourself. I think that could be the reason why I couldn't get the NT4WS to join my domain.

Sorry!!

inge

From lkcl at samba.org Tue Feb 15 23:40:40 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Problems with samba_TNG
In-Reply-To: <38A9B9CB.B40B08D6@cc.uit.no>
Message-ID:

> If I can, I suggest that you give the rpcclient defaults like if no -S
> flag is given then it defaults to localhost. And how about give some

been thinking about that.

> information about which flags you can give each command when you say
> "help " i.e.. "help enumusers" would give you info about the
> -g, -a and -u flags.

haven't got round to it.

> I used smbpasswd to create a machine account and then when I tried to
> join the domain with a NT4WS then I got this error:
>
> Unable to connect to the domain controller for this domain. Have your
> administrator check your computer account on the domain
>
> If I tried to give an administrator account and a password. I got a DR.
> Watson because
> of an error in rundll32.exe:
>
> An application error has occurred and an application error log is being
> generated
>
> rundll32.exe
> Exception: access violation (0x0000005), Address: 0x77f7beed
>
> If I try to use the createuser command in rpcclient it looks like this:
>
> [ldap\inges@.]$ createuser jink$
> createuser jink$
> SAM Create Domain User
> Domain: LDAP Name: jink$ ACB: [W ]
> Create Domain User: FAILED
>
> Hope that it is possible to find a solution to my problems.
>
>
> inge
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From robert at dbservice.com Wed Feb 16 00:13:04 2000
From: robert at dbservice.com (Robert Carnecky)
Date: Tue Dec 2 02:28:35 2003
Subject: Create Domain Group fails
Message-ID: <001201bf7812$9be6c580$0a00a8c0@emmen.dbservice.com>

Hello

I have some troubles to create domain groups. I can logon domain as Administrator (mapped to root) but I still don't have any local admin rights.

1. my unix map files exist and looks like this (BTW - what is the meaning of the parameter 'builtin group map' ?)

matterhorn:~ # cat /opt/samba/lib/*.map
# domain group map
smbadmin="Domain Admins"
smbuser="Domain Users"
# domain user map
root=Administrator
# local user map
wksadmin=BUILTIN\Administrators
wksuser="BUILTIN\Power Users"

2. rpcclient's creategroup returns : Create Domain Group: FAILED (no matter what group name I pass as parameter)

3. rpcclient's enumgroups reports Domain Admins and Domain Users with RID 200/201 (as expected)

4. rpcclient's samgroupmem "Domain Admins" returns members of the unix group smbadmin (as expected - BTW what does it mean Type : User in the samgroupmem list ? )

What's wrong ?

My configuration Samba TNG (checkout 13.2.) on Linux, clients WinNT4.0 and Win2K.

Regards
Robert

-------------- next part --------------
HTML attachment scrubbed and removed

From lkcl at samba.org Wed Feb 16 01:24:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Problems with samba_TNG
In-Reply-To: <38A9E213.280A801@cc.uit.no>
Message-ID:

:)

On Wed, 16 Feb 2000, Inge-Haavard Hunstad wrote:

> Now I remember what was new in TNG; trusting your self. I think that
> could be the reason why I couldn't get the NT4WS to join my domain.
>
> Sorry!!
>
> inge
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 16 02:17:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: rpcquery etc ...
In-Reply-To: <3.0.6.32.20010215094557.009f4430@203.16.214.248>
Message-ID:

On Wed, 16 Feb 2000, Richard Sharpe wrote:

> Hi,
>
> I noticed that when I do lsaquery I get back two SIDS, one for Domain
> Member and the other for Domain Controller, and they are the same.

correct. that tells me you made the query against a PDC.

> Does this mean that I have managed to join the domain, or not?

no. you have only obtained the SID.

> Actually, what is the canonical sequence of actions when one is setting up
> Samba TNG?
>
> Can you use rpcclient before you have joined the domain?

urr... actually... only on loop-back at the moment, as root :) a bit like running smbpasswd as root.

rpcclient -S . -U root% -l log

> I have just deleted my server's trust account, hoping to use rpcclient to
> add the account and join the domain, but now lsaquery no longer works :-(

oops, you deleted your means to verify through SMB :-) :-)

smbd now _uses_ MSRPC to verify users. that means, if you don't have a trust account for itself, you can't even access anything via smbd, _including_ using rpcclient -S servername.

therefore, you will have to use rpcclient -S . which only works as root.

by the way, i removed the requirement to do an lsaquery command prior to any SAM commands. i added code that automatically does a SAM-equivalent to lsaquery, _for_ you. it does a sam_enum_domains followed by a sam_lookup_domain, which obtains the Domain SID, and you're done.

From lkcl at samba.org Wed Feb 16 02:31:28 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Samba TNG
In-Reply-To: <3.0.6.32.20010215095904.0099c210@203.16.214.248>
Message-ID:

literally.

On Wed, 16 Feb 2000, Richard Sharpe wrote:

> As I wrote somewhere else,
>
> Samba TNG is a version of Samba where total rewrites are frequently done,
> often overnight :-)
>
>
>
> Regards
> -------
> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
> Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
> Co-author, SAMS Teach Yourself Samba in 24 Hours
> Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 16 02:41:43 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: [samba-tng] status
Message-ID:

just added a deluser command to rpcclient and samedit.

i am thinking of removing the need to join-the-samba-server-to-its-own-domain, by making it read the $MACHINE.ACC (trust account password) from the local security authority, when connecting over loop-back.

this means that both client and server will use the same trust account password for verification of users.

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 16 02:50:54 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: [samba-tng] deluser
Message-ID:

ok, i got it. it was a permissions problem. i was opening the user with the wrong SEC_ACCES_xxxx mask, so permission to delete was denied.

From JasonJensen at home.com Wed Feb 16 04:26:39 2000
From: JasonJensen at home.com (Jason Jensen)
Date: Tue Dec 2 02:28:35 2003
Subject: Win2k and Samba TNG
Message-ID: <008e01bf7836$04da5d90$0201a8c0@jason>

I cannot get the domain user to have local administrator rights.. when ever i add DOMAIN\DOMAIN ADMINS to LOCAL\Administrator group.. it changes nothing.. i also cannot add my samba server to the domain cause smbpasswd -j DOMAIN errors twice on connection refused and then it says it cannot change the trust account password. Another problem i am having is when i go into win2k and get a listing of users in any way.. or look at a security tab with a sid from the DOMAIN.. mmc.exe or explorer.exe crashes.. i cannot explain this one.

-------------- next part --------------
HTML attachment scrubbed and removed

From lkcl at samba.org Wed Feb 16 04:36:38 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Win2k and Samba TNG
In-Reply-To: <008e01bf7836$04da5d90$0201a8c0@jason>
Message-ID:

On Wed, 16 Feb 2000, Jason Jensen wrote:

> I cannot get the domain user to have local administrator rights.. when
> ever i add DOMAIN\DOMAIN ADMINS to LOCAL\Administrator group.. it

you'll need to set this up on the unix side, manually. you cannot do this at all with samrd --with-sam-pwdb=passdb or --with-sam-pwdb=nt5ldap, and i stalled on the samrd --with-sam-pwdb=tdb project, i have bugs to hunt.

> changes nothing.. i also cannot add my samba server to the domain
> it says it cannot change the trust account password. Another problem i

that's not the case, here. exactly what are you doing.

> am having is when i go into win2k and get a listing of users in any
> way.. or look at a security tab with a sid from the DOMAIN.. mmc.exe
> or explorer.exe crashes.. i cannot explain this one.

yep.

From lkcl at samba.org Wed Feb 16 04:44:38 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: Win2k and Samba TNG
In-Reply-To: <008e01bf7836$04da5d90$0201a8c0@jason>
Message-ID:

On Wed, 16 Feb 2000, Jason Jensen wrote:

> it says it cannot change the trust account password. Another problem i
> am having is when i go into win2k and get a listing of users in any
> way.. or look at a security tab with a sid from the DOMAIN.. mmc.exe
> or explorer.exe crashes.. i cannot explain this one.

nt5's explorer.exe crashes? damn, they were supposed to have made the nt5 code more robust.

well, it's client-side, so that means we got things to fix.

however [and this goes to the bcc recipients], problems client-side aren't critical, except there is the possibility of some third party, not-quite-developed server being added to a network, in some fashion, and nt clients (and maybe servers) fall over because of some user-action or just general network browsing.

if that happens in LSASS.EXE because, say, the response back from the LsaLookupSids or LsaLookupNames is badly-formed, then a user viewing security permissions of a file on the not-quite-developed server could cause some damage.

plus. other people are using LsaLookupSids and LsaLookupNames to look at accounts on, say, 2.0.2 samba servers, and your code [the bcc recipients are at microsoft] is causing memory exceptions in those third-party programs, causing the program to become unstable (particularly if it's a threaded app) or even take out the box the application is running on!

it's not a high priority, but it _does_ need to be fixed.

best regards,

luke

From jffolliott at home.com Wed Feb 16 05:34:27 2000
From: jffolliott at home.com (Jamie ffolliott)
Date: Tue Dec 2 02:28:35 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
Message-ID:

Hi.. I'm reposting this again because I couldn't receive any mail from the samba lists at my other address. Sorry, if anyone had responded to the list, please do again ;)

I'm testing out the Samba PDC code (from CVS Feb 13 on Redhat 6.x) and hoping to update a server running some older Samba-2.1prealpha code from last March (which has been running very reliably, except for the occasional roaming profile problem).

I ran into some 'connection refused' errors on with smbpasswd -j SAMBA to join the domain (following the TNG faq), so I investigated my setup a bit more. Went through the DIAGNOSIS.txt steps and testparm, and found that steps four to six are broken (all the others, 1-3 and 7 work fine). Nothing seems to be wrong in my smb.conf, and I've checked that all the diagnosis steps work with samba-2.0.6 but not with TNG on this machine (using the same smb.conf without PDC features enabled).

Essentially all connections to /tmp/.nmb/agent (nmbd socket?) fail.

I figure I should wait to see these few tests working before reporting too much else on TNG.

Output on those tests and my smb.conf is pasted below.

Can anyone tell me what might be wrong, or explain what the effect is of these errors? Let me know if I can send you more debug info, but I'm sure these are easily reproducible.

Diagnosis steps:
step 4: nmblookup -B DEGOBAH __SAMBA__
doing parameter timestamp logs = false
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
Sending queries to 192.168.69.2
socket open succeeded. file name: /tmp/.nmb/agent
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name __SAMBA__

step 5: nmblookup -B jason '*'
doing parameter timestamp logs = false
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
Sending queries to 192.168.69.3
socket open succeeded. file name: /tmp/.nmb/agent
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name *

step 6: nmblookup -d 2 '*'
doing parameter timestamp logs = false
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
Sending queries to 192.168.69.255
socket open succeeded. file name: /tmp/.nmb/agent
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name *

smb.conf
[global]
    netbios name = DEGOBAH
    workgroup = SAMBA
    server string = Samba Server
    hosts allow = 127.0.0.1 192.168.69.
    load printers = yes
    log file = /var/log/samba/log.%m
    max log size = 5000
    security = user
    password level = 8
    username level = 8
    encrypt passwords = yes
    smb passwd file = /etc/smbpasswd
    socket options = TCP_NODELAY
    interfaces = 192.168.69.2/24
    local master = yes
    os level = 63
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path = \\%L\Profiles\%U
    wins support = yes
    dns proxy = no
    debug level = 100
    timestamp logs = false

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    path = /home

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    locking = no
    writable = no
    share modes = no

[Profiles]
    path = /home/profiles
    browseable = no
    guest ok = yes

[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes

cheers,
Jamie

From lkcl at samba.org Wed Feb 16 05:47:52 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
In-Reply-To:
Message-ID:

jamie, please try using

rpcclient -S . -U root% -l log

or

samedit -S . -U root% -l log

(as root) and let me know if createuser yourownsambaservername$ -j works. remember to add yourownsambaservername$ to /etc/passwd.

thx,

luke

On Wed, 16 Feb 2000, Jamie ffolliott wrote:

> Hi.. I'm reposting this again because I couldn't receive any mail from the
> samba lists at my other address. Sorry, if anyone had responded to the
> list, please do again ;)
>
> I'm testing out the Samba PDC code (from CVS Feb 13 on Redhat
> 6.x) and hoping to update a server running some older Samba-2.1prealpha
> code from last March (which has been running very reliably, except for the
> occasional roaming profile problem).
>
> I ran into some 'connection refused' errors on with
> smbpasswd -j SAMBA to join the domain (following the TNG faq), so I
> investigated my setup a bit more. Went through the DIAGNOSIS.txt steps
> and testparm, and found that steps four to six are broken (all the others,
> 1-3 and 7 work fine). Nothing seems to be wrong in my smb.conf, and I've
> checked that all the diagnosis steps work with samba-2.0.6 but not with
> TNG on this machine (using the same smb.conf without PDC features
> enabled).
>
> Essentially all connections to /tmp/.nmb/agent (nmbd socket?) fail.
>
> I figure I should wait to see these few tests working before
> reporting too much else on TNG.
>
> Output on those tests and my smb.conf is pasted below.
>
> Can anyone tell me what might be wrong, or explain what the effect is
> of these errors? Let me know if I can send you more debug info, but I'm
> sure these are easily reproducible.
>
> Diagnosis steps:
> step 4: nmblookup -B DEGOBAH __SAMBA__
> doing parameter timestamp logs = false
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> Sending queries to 192.168.69.2
> socket open succeeded. file name: /tmp/.nmb/agent
> socket connect to /tmp/.nmb/agent failed: Connection refused
> name_query failed to find name __SAMBA__
>
> step 5: nmblookup -B jason '*'
> doing parameter timestamp logs = false
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> Sending queries to 192.168.69.3
> socket open succeeded. file name: /tmp/.nmb/agent
> socket connect to /tmp/.nmb/agent failed: Connection refused
> name_query failed to find name *
>
> step 6: nmblookup -d 2 '*'
> doing parameter timestamp logs = false
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Added interface ip=192.168.69.2 bcast=192.168.69.255 nmask=255.255.255.0
> Sending queries to 192.168.69.255
> socket open succeeded. file name: /tmp/.nmb/agent
> socket connect to /tmp/.nmb/agent failed: Connection refused
> name_query failed to find name *
>
> smb.conf
> [global]
>     netbios name = DEGOBAH
>     workgroup = SAMBA
>     server string = Samba Server
>     hosts allow = 127.0.0.1 192.168.69.
>     load printers = yes
>     log file = /var/log/samba/log.%m
>     max log size = 5000
>     security = user
>     password level = 8
>     username level = 8
>     encrypt passwords = yes
>     smb passwd file = /etc/smbpasswd
>     socket options = TCP_NODELAY
>     interfaces = 192.168.69.2/24
>     local master = yes
>     os level = 63
>     domain master = yes
>     preferred master = yes
>     domain logons = yes
>     logon path = \\%L\Profiles\%U
>     wins support = yes
>     dns proxy = no
>     debug level = 100
>     timestamp logs = false
>
> [homes]
>     comment = Home Directories
>     browseable = no
>     writable = yes
>     path = /home
>
> [netlogon]
>     comment = Network Logon Service
>     path = /home/netlogon
>     guest ok = yes
>     locking = no
>     writable = no
>     share modes = no
>
> [Profiles]
>     path = /home/profiles
>     browseable = no
>     guest ok = yes
>
> [tmp]
>     comment = Temporary file space
>     path = /tmp
>     read only = no
>     public = yes
>
> cheers,
> Jamie
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From Olivier.Brousselle at univ-lehavre.fr Wed Feb 16 06:49:01 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:35 2003
Subject: TNG and Winframe
Message-ID: <38AA485D.346D752F@univ-lehavre.fr>

> hi olivier, please update / report which date you have for tng.

Sorry for this mistake, I have downloaded TNG on February 7. I will test
with another version of TNG today.

> On Tue, 15 Feb 2000, Olivier Brousselle wrote:
> Hi all,
>
> I'm using Samba TNG as a PDC. I have NT 4.0 SP5 workstations and
> a Winframe 1.7 Server.
>
> When I try to log into the Winframe, it's very slow, and it generates
> a lot of messages. In fact, the Winframe server tries to connect the
> network drive, but it can't, or the session is crashed.
>
> Any idea ?

--
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences Laboratoire de mécanique
Monday to Wednesday Thursday and Friday
Tel : 02/32/74/43/37 02/32/74/49/67
Fax : 02/32/74/43/14 02/32/74/49/60

From lkcl at samba.org Wed Feb 16 06:56:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: TNG and Winframe
In-Reply-To: <38AA485D.346D752F@univ-lehavre.fr>
Message-ID:

On Wed, 16 Feb 2000, Olivier Brousselle wrote:

> > hi olivier, please update / report which date you have for tng.
> Sorry for this mistake, I have downloaded TNG on February 7. I will test
> with another version of TNG today.

you're welcome. thanks.

From jffolliott at home.com Wed Feb 16 07:12:12 2000
From: jffolliott at home.com (Jamie ffolliott) Date: Tue Dec 2 02:28:35 2003 Subject: [Samba-TNG] Diagnosis steps fail (repost) In-Reply-To: Message-ID: The results weren't so good... On the createuser command, it had a segmentation fault. Here's the log it generated: socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused socket connect to /tmp/.smb.0/agent failed: Connection refused error connecting to 192.168.69.1:445 (Connection refused) failed session setup cli_net_use_add: connection failed ncacn_np_use_add: connection failed There's also a 2nd log called rpcclient which has this msg: lib/charset.c:load_client_codepage(215) load_client_codepage: filename /etc/codepages/codepage.000 does not exist. But no codepage.000 exists in CVS. cheers, Jamie > -----Original Message----- > From: Luke Leighton [mailto:lkcl@samba.org] > Sent: February 16, 2000 12:48 AM > To: Jamie ffolliott > Cc: Multiple recipients of list SAMBA-NTDOM > Subject: Re: [Samba-TNG] Diagnosis steps fail (repost) > > > jaime, please try using rpcclient -S . -U root% -l log or samedit -S . -U > root% -l log (as root) and let me know if createuser > yourownsambaservername$ -j works. > > remember to add yourownsambaervername$ to /etc/passwd. > > thx, > > luke > From lkcl at samba.org Wed Feb 16 07:17:07 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
In-Reply-To:
Message-ID:

connection failed usually means you didn't specify the right
command-line arguments to make a valid connection.

On Wed, 16 Feb 2000, Jamie ffolliott wrote:

> The results weren't so good...
>
> On the createuser command, it had a segmentation fault.
>
> Here's the log it generated:
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> socket connect to /tmp/.smb.0/agent failed: Connection refused
> error connecting to 192.168.69.1:445 (Connection refused)
> failed session setup
> cli_net_use_add: connection failed
> ncacn_np_use_add: connection failed
>
> There's also a 2nd log called rpcclient which has this msg:
> lib/charset.c:load_client_codepage(215)
> load_client_codepage: filename /etc/codepages/codepage.000 does not exist.
>
> But no codepage.000 exists in CVS.
>
> cheers,
> Jamie
>
> > -----Original Message-----
> > From: Luke Leighton [mailto:lkcl@samba.org]
> > Sent: February 16, 2000 12:48 AM
> > To: Jamie ffolliott
> > Cc: Multiple recipients of list SAMBA-NTDOM
> > Subject: Re: [Samba-TNG] Diagnosis steps fail (repost)
> >
> >
> > jamie, please try using rpcclient -S . -U root% -l log or samedit -S . -U
> > root% -l log (as root) and let me know if createuser
> > yourownsambaservername$ -j works.
> >
> > remember to add yourownsambaservername$ to /etc/passwd.
> >
> > thx,
> >
> > luke
> >
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 16 07:18:17 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:35 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
In-Reply-To:
Message-ID:

oh, and at this stage, you have to use -S . because you can't connect to
the remote server using smb, yet. i explained this on samba-technical to
richard's post, just a few hours ago.

On Wed, 16 Feb 2000, Jamie ffolliott wrote:

> The results weren't so good...
>
> On the createuser command, it had a segmentation fault.
>
> Here's the log it generated:
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> socket connect to /tmp/.smb.0/agent failed: Connection refused
> error connecting to 192.168.69.1:445 (Connection refused)
> failed session setup
> cli_net_use_add: connection failed
> ncacn_np_use_add: connection failed
>
> There's also a 2nd log called rpcclient which has this msg:
> lib/charset.c:load_client_codepage(215)
> load_client_codepage: filename /etc/codepages/codepage.000 does not exist.
>
> But no codepage.000 exists in CVS.
>
> cheers,
> Jamie
>
> > -----Original Message-----
> > From: Luke Leighton [mailto:lkcl@samba.org]
> > Sent: February 16, 2000 12:48 AM
> > To: Jamie ffolliott
> > Cc: Multiple recipients of list SAMBA-NTDOM
> > Subject: Re: [Samba-TNG] Diagnosis steps fail (repost)
> >
> >
> > jamie, please try using rpcclient -S . -U root% -l log or samedit -S . -U
> > root% -l log (as root) and let me know if createuser
> > yourownsambaservername$ -j works.
> >
> > remember to add yourownsambaservername$ to /etc/passwd.
> >
> > thx,
> >
> > luke
> >
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 16 07:20:41 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
In-Reply-To:
Message-ID:

> On the createuser command, it had a segmentation fault.
>
> Here's the log it generated:
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> socket connect to /tmp/.smb.0/agent failed: Connection refused
> error connecting to 192.168.69.1:445 (Connection refused)
> failed session setup
> cli_net_use_add: connection failed
  ^^^^^^^^^^^^^^^
see? you're using smb, which means you didn't specify -S like i said you
had to.

please read messages when i send them, i have rs.i i don't want to have to
type any more than i have to. the only reason i am responding to messages
is because you are very kindly helping me track down bugs, which i
appreciate very much.

thanks.

From lkcl at samba.org Wed Feb 16 07:35:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: [Samba-TNG] Diagnosis steps fail (repost)
In-Reply-To:
Message-ID:

> > cli_net_use_add: connection failed
>   ^^^^^^^^^^^^^^^
> see? you're using smb, which means you didn't specify -S like i said you
> had to.
>

-S . :)

> please read messages when i send them, i have rs.i i don't want to have to

except you have to work out which ones i have the deliberate mistakes in
from the ones with the typos (i don't correct them any more except for
formal messages, it's too much typing) from the correct messages :)

From jffolliott at home.com Wed Feb 16 07:50:41 2000
From: jffolliott at home.com (Jamie ffolliott) Date: Tue Dec 2 02:28:36 2003 Subject: [Samba-TNG] Diagnosis steps fail (repost) In-Reply-To: Message-ID: Actually I am using the -S . It's there in my command history, and I've run it again a few more times to be sure. rpcclient -S . -U root% -l log createuser servername$ -j Same results. I wondered if adding 127.0.0.1 as an interface in smb.conf would make a difference. Now rpcclient segfaults AND core dumps. Here's a backtrace from gdb: #0 0x4002f183 in cli_con_get () #1 0x4002f5ec in cli_connection_init_auth () #2 0x4002f56e in cli_connection_init () #3 0x40032ff7 in lsa_open_policy2 () #4 0x80542c6 in cmd_sam_create_dom_user () #5 0x804c837 in do_command () #6 0x804cafa in process () #7 0x804e2af in command_main () #8 0x804e323 in main () #9 0x40157cb3 in __libc_start_main (main=0x804e2e4
, argc=7, argv=0xbffffc64, init=0x804b54c <_init>, fini=0x805d2cc <_fini>, rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffc5c) at ../sysdeps/generic/libc-start.c:78 > > cli_net_use_add: connection failed > ^^^^^^^^^^^^^^^ > see? you're using smb, which means you didn't specify -S like i said you > had to. Well what's happening...? It's using smb even when I specify -S . I updated from CVS in the last hour. > please read messages when i send them, i have rs.i i don't want to have to > type any more than i have to. the only reason i am responding to messages > isbecause you are very kindly helping me track down bugs, which i > appreciate very much. Oh I definitely read your messages Luke. The reason I'm helping track down bugs is because I appreciate the work you're doing on PDC support ;) Jamie From lkcl at samba.org Wed Feb 16 08:05:35 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:36 2003 Subject: [Samba-TNG] Diagnosis steps fail (repost) In-Reply-To: Message-ID: On Wed, 16 Feb 2000, Jamie ffolliott wrote: > Actually I am using the -S . > It's there in my command history, and I've run it again a few more times to > be sure. > rpcclient -S . -U root% -l log > createuser servername$ -j > Same results. weird. it should'n't be doing that. you do have lsarpcd and samrd running, yes? > I wondered if adding 127.0.0.1 as an interface in smb.conf would make a > difference. > Now rpcclient segfaults AND core dumps. :) > Here's a backtrace from gdb: follow the instructions in lars' FAQ for this process, thx. > #0 0x4002f183 in cli_con_get () > #1 0x4002f5ec in cli_connection_init_auth () > #2 0x4002f56e in cli_connection_init () > #3 0x40032ff7 in lsa_open_policy2 () > #4 0x80542c6 in cmd_sam_create_dom_user () > #5 0x804c837 in do_command () > #6 0x804cafa in process () > #7 0x804e2af in command_main () > #8 0x804e323 in main () > #9 0x40157cb3 in __libc_start_main (main=0x804e2e4
, argc=7, > argv=0xbffffc64, init=0x804b54c <_init>, fini=0x805d2cc <_fini>, > rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffc5c) > at ../sysdeps/generic/libc-start.c:78 > > > > cli_net_use_add: connection failed > > ^^^^^^^^^^^^^^^ > > see? you're using smb, which means you didn't specify -S like i said you > > had to. > > Well what's happening...? It's using smb even when I specify -S . > > I updated from CVS in the last hour. > > > please read messages when i send them, i have rs.i i don't want to have to > > type any more than i have to. the only reason i am responding to messages > > isbecause you are very kindly helping me track down bugs, which i > > appreciate very much. > > Oh I definitely read your messages Luke. The reason I'm helping track down > bugs is because I appreciate the work you're doing on PDC support ;) > > Jamie > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Wed Feb 16 08:06:34 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:36 2003 Subject: [Samba-TNG] Diagnosis steps fail (repost) In-Reply-To: Message-ID: *oh. hang on.... are you using this for samba as pdc or samba as domain-member? please send smb.conf file. On Wed, 16 Feb 2000, Jamie ffolliott wrote: > Actually I am using the -S . > It's there in my command history, and I've run it again a few more times to > be sure. > rpcclient -S . -U root% -l log > createuser servername$ -j > Same results. > > I wondered if adding 127.0.0.1 as an interface in smb.conf would make a > difference. > Now rpcclient segfaults AND core dumps. 
> > Here's a backtrace from gdb: > #0 0x4002f183 in cli_con_get () > #1 0x4002f5ec in cli_connection_init_auth () > #2 0x4002f56e in cli_connection_init () > #3 0x40032ff7 in lsa_open_policy2 () > #4 0x80542c6 in cmd_sam_create_dom_user () > #5 0x804c837 in do_command () > #6 0x804cafa in process () > #7 0x804e2af in command_main () > #8 0x804e323 in main () > #9 0x40157cb3 in __libc_start_main (main=0x804e2e4
, argc=7, > argv=0xbffffc64, init=0x804b54c <_init>, fini=0x805d2cc <_fini>, > rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffc5c) > at ../sysdeps/generic/libc-start.c:78 > > > > cli_net_use_add: connection failed > > ^^^^^^^^^^^^^^^ > > see? you're using smb, which means you didn't specify -S like i said you > > had to. > > Well what's happening...? It's using smb even when I specify -S . > > I updated from CVS in the last hour. > > > please read messages when i send them, i have rs.i i don't want to have to > > type any more than i have to. the only reason i am responding to messages > > isbecause you are very kindly helping me track down bugs, which i > > appreciate very much. > > Oh I definitely read your messages Luke. The reason I'm helping track down > bugs is because I appreciate the work you're doing on PDC support ;) > > Jamie > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jffolliott at home.com Wed Feb 16 08:37:30 2000 From: jffolliott at home.com (Jamie ffolliott) Date: Tue Dec 2 02:28:36 2003 Subject: [Samba-TNG] Diagnosis steps fail (repost) In-Reply-To: Message-ID: > > Same results. > > weird. it should'n't be doing that. you do have lsarpcd and samrd > running, yes? Yes. I'm using samba as a PDC (not domain member). Smb.conf is below. > > I wondered if adding 127.0.0.1 as an interface in smb.conf would make a > > difference. > > Now rpcclient segfaults AND core dumps. > > :) Oh wait.. forget the core dump. Sorry, that was a Sig 11 error, very rarely happens (one of my linux machines has a small bit of bad memory, yet has a 60 day uptime with no errors) > > Here's a backtrace from gdb: > > follow the instructions in lars' FAQ for this process, thx. Yup - that's what I meant by a backtrace (bt same as where command) There's the info below that Lars mentions. 
> > #0 0x4002f183 in cli_con_get () > > #1 0x4002f5ec in cli_connection_init_auth () > > #2 0x4002f56e in cli_connection_init () > > #3 0x40032ff7 in lsa_open_policy2 () > > #4 0x80542c6 in cmd_sam_create_dom_user () > > #5 0x804c837 in do_command () > > #6 0x804cafa in process () > > #7 0x804e2af in command_main () > > #8 0x804e323 in main () > > #9 0x40157cb3 in __libc_start_main (main=0x804e2e4
, argc=7, > > argv=0xbffffc64, init=0x804b54c <_init>, fini=0x805d2cc <_fini>, > > rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffc5c) > > at ../sysdeps/generic/libc-start.c:78 > > Here's smb.conf [global] netbios name = FIREWALL workgroup = HOUSE server string = Samba Server hosts allow = 127.0.0.1 192.168.69. printcap name = /etc/printcap load printers = yes print command = lpr -P%p %s; rm %s log file = /var/log/samba/log.%m max log size = 500 security = user password level = 8 username level = 8 encrypt passwords = yes smb passwd file = /etc/smbpasswd unix password sync = Yes passwd program = /usr/bin/passwd %u passwd chat = *password* %n\n *password* %n\n *successfull* domain group map = /etc/smbdomaingroup.map local group map = /etc/smblocalgroup.map domain user map = /etc/smbdomainuser.map socket options = TCP_NODELAY getwd cache = yes read prediction = True wide links = True interfaces = 192.168.69.1/24 127.0.0.1/255.0.0.0 bind interfaces only = False local master = yes os level = 63 domain master = yes preferred master = yes domain logons = yes logon script = logon.bat logon drive = u: logon path = \\%L\profiles\%U logon home = \\%L\home\%U wins support = yes dns proxy = no lock directory = /var/lock/samba locking = yes strict locking = yes time server = True debug level = 100 timestamp logs = no [home] comment = Home Directories browseable = yes writeable = yes preserve case = yes short preserve case = yes create mode = 0755 hide dot files = yes public = no [netlogon] comment = Network Logon Service path = /home/netlogon public = no locking = no writeable = no share modes = no [profiles] path = /home/profiles browseable = no guest ok = yes writeable = yes comment = Roaming Profiles directory mask = 0700 create mode = 0700 [tmp] comment = Temporary file space path = /tmp read only = no public = yes From lkcl at samba.org Wed Feb 16 09:05:09 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:36 2003 Subject: [Samba-TNG] 
Diagnosis steps fail (repost) In-Reply-To: Message-ID: > > follow the instructions in lars' FAQ for this process, thx. > > Yup - that's what I meant by a backtrace (bt same as where command) > There's the info below that Lars mentions. recompile with ./configure.developer, this bt is no use. > > > #0 0x4002f183 in cli_con_get () > > > #1 0x4002f5ec in cli_connection_init_auth () > > > #2 0x4002f56e in cli_connection_init () > > > #3 0x40032ff7 in lsa_open_policy2 () > > > #4 0x80542c6 in cmd_sam_create_dom_user () > > > #5 0x804c837 in do_command () > > > #6 0x804cafa in process () > > > #7 0x804e2af in command_main () > > > #8 0x804e323 in main () > > > #9 0x40157cb3 in __libc_start_main (main=0x804e2e4
, argc=7, > > > argv=0xbffffc64, init=0x804b54c <_init>, fini=0x805d2cc <_fini>, > > > rtld_fini=0x4000a350 <_dl_fini>, stack_end=0xbffffc5c) > > > at ../sysdeps/generic/libc-start.c:78 > > > > > Here's smb.conf > > [global] > netbios name = FIREWALL > workgroup = HOUSE > server string = Samba Server > hosts allow = 127.0.0.1 192.168.69. > printcap name = /etc/printcap > load printers = yes > print command = lpr -P%p %s; rm %s > log file = /var/log/samba/log.%m > max log size = 500 > security = user > password level = 8 > username level = 8 > encrypt passwords = yes > smb passwd file = /etc/smbpasswd > unix password sync = Yes > passwd program = /usr/bin/passwd %u > passwd chat = *password* %n\n *password* %n\n *successfull* > domain group map = /etc/smbdomaingroup.map > local group map = /etc/smblocalgroup.map > domain user map = /etc/smbdomainuser.map > socket options = TCP_NODELAY > getwd cache = yes > read prediction = True > wide links = True > interfaces = 192.168.69.1/24 127.0.0.1/255.0.0.0 > bind interfaces only = False > local master = yes > os level = 63 > domain master = yes > preferred master = yes > domain logons = yes > logon script = logon.bat > logon drive = u: > logon path = \\%L\profiles\%U > logon home = \\%L\home\%U > wins support = yes > dns proxy = no > lock directory = /var/lock/samba > locking = yes > strict locking = yes > time server = True > debug level = 100 > timestamp logs = no > > [home] > comment = Home Directories > browseable = yes > writeable = yes > preserve case = yes > short preserve case = yes > create mode = 0755 > hide dot files = yes > public = no > > [netlogon] > comment = Network Logon Service > path = /home/netlogon > public = no > locking = no > writeable = no > share modes = no > > [profiles] > path = /home/profiles > browseable = no > guest ok = yes > writeable = yes > comment = Roaming Profiles > directory mask = 0700 > create mode = 0700 > > [tmp] > comment = Temporary file space > path = /tmp > read only = no > 
public = yes
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From Olivier.Brousselle at univ-lehavre.fr Wed Feb 16 09:21:53 2000
From: Olivier.Brousselle at univ-lehavre.fr (Olivier Brousselle)
Date: Tue Dec 2 02:28:36 2003
Subject: [TNG] samr, lsarpc, srvsvc, wkssvc
Message-ID: <38AA6C31.EE109985@univ-lehavre.fr>

Hello,

I downloaded and installed TNG and samba-main with CVS this morning.
And when I start the different services, just smbd and nmbd are launched.

In the logs, I have these errors :

[2000/02/16 09:53:59, 1] msrpc/msrpcd.c:main(465)
  samrd version TNG-prealpha started.
  Copyright Andrew Tridgell 1992-1999
  Can't create or use IPC area. Error was File exists.
  ERROR: failed to setup profiling

After this error, I deleted the file samba/var/locks/.msrpc/ and restarted
samba. The message disappears but the service isn't launched.

Regards.

---
Olivier Brousselle mailto:Olivier.Brousselle@univ-lehavre.fr
==================================================================
Faculté des sciences Laboratoire de mécanique
Monday to Wednesday Thursday and Friday
Tel : 02/32/74/43/37 02/32/74/49/67
Fax : 02/32/74/43/14 02/32/74/49/60

From johanh at fusion.kth.se Wed Feb 16 09:27:23 2000
From: johanh at fusion.kth.se (Johan Hedin)
Date: Tue Dec 2 02:28:36 2003
Subject: Patch for using AFS with Samba encrypted passwords
Message-ID:

I submitted a small patch for using local srvtabs in order to obtain
AFS tokens for Samba using encrypted passwords. This is not as secure
as schemes suggested by among others Allan Bjorklund, but it works
without having to modify the clients. It's sufficient for us with mainly
Solaris workstations and a few NT clients. I think it is as secure as
Samba serving files on a local file system (correct me if I'm wrong here).

The patch is tested on Solaris 2.6 with KTH-krb and AFS 3.5.

Comments for further development are appreciated.

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh@fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/

From hanak at IRIS.osu.cz Wed Feb 16 10:10:52 2000
From: hanak at IRIS.osu.cz (Ondrej Hanak)
Date: Tue Dec 2 02:28:36 2003
Subject: Browsing from other workgroup problem
Message-ID:

Hi all,

can anybody explain why win9x (or i think also NT) from other workgroup
than samba can not see shares through network neighbourhood? Guest
account exists and when i win9x reconnect to same workgroup everything is
o.k. Else win client wants password to IPC$.

Same problem from one NT works to other. I'm logged in on local and i can
not see shares from other NT works. After i fill dialog for login ->
access denied. But i gave that user to user list for this share. What's
wrong? I can not understand this M$ "great ideas"! When i know username
and password, so i'm THAT user. Why does not this work as smbclient???

madness is coming...

O.H.

From giovanni.affuso at almaitalia.it Wed Feb 16 10:49:41 2000
From: giovanni.affuso at almaitalia.it (Affuso Giovanni)
Date: Tue Dec 2 02:28:36 2003
Subject: Problem with MASK in samba
In-Reply-To:
Message-ID: <4.2.0.58.20000216114348.00b9c2f0@10.0.0.1>

Hi all,
I have a little problem with the export of resources with samba.
I export a public directory but all files or directories made have
authorization 755, why?
Thanks for help
PS: my smb.conf
[scambio]
path = /intranet/almaitalia/server/scambio
create mask = 0775
create mode = 0777
group = almaitalia
comment = Scambio
browseable = yes
public = yes
writable = yes
write list = @almaitalia

Giovanni Affuso
E.D.P. Manager
Alma Italia S.r.l.
c.so Vercelli 387, Torino
tel. 0112620388
fax. 0112624308
mailto:giovanni.affuso@almaitalia.it

From mg at plum.de Wed Feb 16 11:00:43 2000
From: mg at plum.de (Michael Glauche)
Date: Tue Dec 2 02:28:36 2003
Subject: Problem with MASK in samba
References: <4.2.0.58.20000216114348.00b9c2f0@10.0.0.1>
Message-ID: <38AA835B.D5B0198@plum.de>

Affuso Giovanni wrote:
>
> Hi all,
> I have a little problem with the export of resources with samba.
> I export a public directory but all files or directories made have
> authorization 755, why?
> Thanks for help
> PS: my smb.conf
> [scambio]
> path = /intranet/almaitalia/server/scambio
> create mask = 0775
> create mode = 0777

1) create mask = create mode
2) they are "BITMASKS", means they are some kind of "maximum" setting.

What you probably want is

force create mode = 0775

> group = almaitalia
> comment = Scambio
> browseable = yes
> public = yes
> writable = yes
> write list = @almaitalia
>

regards,
Michael

--
Samba NT-Domain howto (in german)
http://www.sambahq.de

From teemu.junnila at era.ericsson.se Wed Feb 16 14:16:35 2000
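The "create mask" reply above, worked through as an added example (not code from the thread or from Samba): a simplified Python model of the mode calculation the smb.conf manual describes, where the DOS attributes are mapped to a UNIX mode, ANDed with the mask, then ORed with the force value. The function names are illustrative, the defaults are the documented ones (create mask 0744, directory mask 0755, map archive on), and the directory model ignores the read-only attribute.

```python
import stat

# DOS attribute bits sent by the SMB client.
DOS_READONLY = 0x01
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04
DOS_ARCHIVE = 0x20


def new_file_mode(dos_attrs, create_mask=0o744, force_create_mode=0o000,
                  map_archive=True, map_system=False, map_hidden=False):
    """UNIX mode for a newly created file (simplified model)."""
    # Step 1: map DOS attributes to a candidate mode.
    mode = 0o444
    if not dos_attrs & DOS_READONLY:
        mode |= 0o222
    if map_archive and dos_attrs & DOS_ARCHIVE:
        mode |= stat.S_IXUSR
    if map_system and dos_attrs & DOS_SYSTEM:
        mode |= stat.S_IXGRP
    if map_hidden and dos_attrs & DOS_HIDDEN:
        mode |= stat.S_IXOTH
    # Step 2: "create mask" (synonym "create mode") is a ceiling.
    # It can only clear bits, never set them.
    mode &= create_mask
    # Step 3: "force create mode" is a floor. Its bits are always set.
    mode |= force_create_mode
    return mode


def new_dir_mode(directory_mask=0o755, force_directory_mode=0o000):
    """UNIX mode for a newly created directory (read-only case ignored)."""
    return (0o777 & directory_mask) | force_directory_mode


def exposure(mode):
    """Permission bits worth reviewing on a public, writable share."""
    findings = []
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def scambio_cases():
    """Constructed scenarios based on the [scambio] share in the thread."""
    cases = [
        ("create mask = 0775", dict(create_mask=0o775)),
        ("create mask = 0777", dict(create_mask=0o777)),
        ("create mask = 0775 + force create mode = 0775",
         dict(create_mask=0o775, force_create_mode=0o775)),
    ]
    rows = []
    for label, kwargs in cases:
        mode = new_file_mode(DOS_ARCHIVE, **kwargs)
        rows.append((label, oct(mode), exposure(mode)))
    return rows


if __name__ == "__main__":
    for label, mode, findings in scambio_cases():
        print(f"{label:48} -> {mode}  {', '.join(findings) or 'owner only'}")
    print(f"{'directory mask default (0755)':48} -> {oct(new_dir_mode())}")
```

Raising the mask alone never adds a bit the client's mapped mode lacks; only the force parameters do, so those are the settings to check for unintended group or world write access.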
From: teemu.junnila at era.ericsson.se (Teemu Junnila) Date: Tue Dec 2 02:28:36 2003 Subject: [Fwd: Map to guest and NT user validation] Message-ID: <38AAB143.500CB708@era.ericsson.se> > Anybody got any idea how to fix this? > > 1) I must validate the userid/passwd against NT-Domain > 2) Users with both UNIX and NT-Domain accounts shall have the > access-rights defined in UNIX > 3) Users with NT-Domain account but without UNIX account shall be GUESTS > > I have no problems if I just apply 1 and 2, but, if I apply 1, 2 and 3 > then something strange happens and > almost all users will be mapped as GUESTS. Even if they do have valid > accounts on both UNIX and NT-Domain. > > The grand total number of users defined in NT-Domain (there is actually > a few of them) is about 100000, > but only a few thousands of these need the GUEST access to my site. > > The number of users having UNIX accounts is about 2000. > > Here is the head of my smb.conf: > [global] > > netbios name = ESEKIUX06 > workgroup = ERSE51 > server string = KI/ERA/LV/ET Samba Server Home dir a-k > wins server = 147.214.10.124 > announce version = 6.0 > password server = ESEKINT351, SEKINT58, SEKINT59 > security = domain > encrypt passwords = yes > browseable = yes > public = yes > remote announce = 147.214.192.255/24 > max log size = 2048 > interfaces = 147.214.44.4/24 > socket options = TCP_NODELAY > socket address = 147.214.44.4 > remote browse sync = 147.214.192.37 > remote announce = 147.214.192.255 147.214.225.255 > directory mask = 2700 > create mask = 2700 > character set = ISO8859-1 > client code page = 850 > veto files = /lost+found/ > admin users = qrapeka qravila qrasern qratorm qramize > username map = /home1/samba/private/users.map > #deadtime = 15 > #map to guest = Bad User > guest account = smbguest > #read only = no > > -- > Best Regards, > > Teemu Junnila/ Ericsson Radio Systems From scrappy at hub.org Wed Feb 16 14:39:29 2000 
From: scrappy at hub.org (The Hermit Hacker)
Date: Tue Dec 2 02:28:36 2003
Subject: Samba TNG
In-Reply-To:
Message-ID:

I hate to ask, but "the next generation" tells me nothing ... is this a
separate "strain" that is being worked on, or is this pretty much 'Samba
3'? the impression, possibly falsely, that I've been getting is that some
ppl are working on TNG, separate from the one that everyone is using right
now, so are there "two samba efforts", or is TNG effectively the
"development version"?

On Wed, 16 Feb 2000, Luke Kenneth Casson Leighton wrote:

> the next generation.
>
> On Tue, 15 Feb 2000, Tomek Jarosinski wrote:
>
> > Why Samba TNG is called TNG ? What does TNG mean ?
> > Tomek Jarosinski
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

Marc G. Fournier ICQ#7615664 IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: scrappy@hub.org secondary: scrappy@{freebsd|postgresql}.org

From anthony.johnson at langley.af.mil Wed Feb 16 15:16:13 2000
From: anthony.johnson at langley.af.mil (Johnson Anthony E Civ 27 IS/INYN) Date: Tue Dec 2 02:28:36 2003 Subject: SAMBA server crashing Message-ID: <8544DBEBBF6DD2118DF500204804EF1901DCBF2A@lfi-ms-025-02.langley.af.mil> Hello all, I am a novice at best when it comes to SAMBA and UNIX, I am an NT administrator at heart and could use some help. We are running Windows Terminal Server in a Solaris environment and using SAMBA to map the users home directories on UNIX and for printing. We are constantly having to restart the SAMBA services because they are always crashing 2-3 times a day at least. We have no more than 50 simultaneous users at any given time so it seems that something is not right. Our SAMBA server is an Ultra 10 running on Fore ATM. Our network uses a combo of ATM, FDDI, and 10mb/ethernet. We have tried Version 2.5, 2.6, and we currently have 2.3 set up. All three had the same results, we have changed servers as well as switched to Ethernet and FDDI. Nothing seems to work. I have been looking into different settings for TCP_NODELAY. I was going to experiment with setting SO_RCVBUF and SO_SNDBUF but, do not know what to set the integer values to. Could anyone give me some advice on how to get SAMBA running reliable? We would love to have it stay up all day and not worry about it. I have attached a copy of my smb.conf file for anyone's input. Pay no attention to the Print command, I know it looks bad, but we have a weird requirement. Thanks in advance for any help! 
Anthony Johnson Network Administrator SAIC <> -------------- next part -------------- # Samba config file created using SWAT # from col22 (144.235.204.22) # Date: 2000/02/16 09:14:18 # Global parameters workgroup = WINIG480 netbios name = PROD159 server string = NT Server (2.6) interfaces = 144.235.200.103/255.255.0.0 security = SERVER encrypt passwords = Yes password server = wtsprod180 winprod167 winprod169 username map = /usr/local/samba/lib/users.map log file = /usr/local/samba/var/log.%m nt acl support = Yes socket options = TCP_NODELAY printcap name = /usr/local/samba/printcap dns proxy = No revalidate = Yes hosts allow = 144.235. 127. 144.235.204.84 print command = DISPLAY=`cat /home/users/prod250/%U/.winddhostname` ; export DISPLAY; XFILESEARCHPATH=/opt/cse/config/prod250/%N:/opt/cse/config/%N:/usr/lib/X11/app-defaults/%N; export XFILESEARCHPATH;/opt/cse/bin/Print_Utility -P`cat /home/users/prod250/%U/.winddprinter` %s ; rm -f %s [unixhome] path = /home/users/prod250/%U read only = No [printers] comment = All Printers path = /home/users/prod250/%U/spool print ok = Yes browseable = No From s.striker at striker.nl Wed Feb 16 15:24:00 2000 
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:36 2003
Subject: Samba TNG
In-Reply-To:
Message-ID:

TNG is a separate development branch. It is the branch in which
domain controller code is developed. In the HEAD branch, people are
working on stabilizing existing code and improving file and print
services. Since the TNG branch is often instable due to major rewrites,
development takes place in a separate branch.

Check out http://www.kneschke.de/projekte/samba_tng/index.php3
for details.

Sander Striker

>I hate to ask, but "the next generation" tells me nothing ... is this a
>separate "strain" that is being worked on, or is this pretty much 'Samba
>3'? the impression, possibly falsely, that I've been getting is that some
>ppl are working on TNG, separate from the one that everyone is using right
>now, so are there "two samba efforts", or is TNG effectively the
>"development version"?
>
>On Wed, 16 Feb 2000, Luke Kenneth Casson Leighton wrote:
>
>> the next generation.
>>
>> On Tue, 15 Feb 2000, Tomek Jarosinski wrote:
>>
>> > Why Samba TNG is called TNG ? What does TNG mean ?
>> > Tomek Jarosinski
>> >
>>
>> Luke Kenneth Casson Leighton
>> Samba and Network Development
>> Samba Web site
>> Internet Security Systems, Inc.
>> Macmillan Technical Publishing
>>
>> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>>
>
>Marc G. Fournier ICQ#7615664 IRC
>Nick: Scrappy
>Systems Administrator @ hub.org
>primary: scrappy@hub.org secondary:
>scrappy@{freebsd|postgresql}.org
>
>

From alex at Javad.Ru Wed Feb 16 18:32:51 2000
From: alex at Javad.Ru (Alexander Davydenko)
Date: Tue Dec 2 02:28:36 2003
Subject: libs
Message-ID: <38AAED53.3FDE545B@Javad.Ru>

the first of at all I'll want to know what libs (libc and libreadline) are u
have to compile SAMBA_TNG ?
second one, where is samedit command? I can't see it while run commands from
rpcclient.

Your's alex

--
Alexander Davydenko |
alex@javad.ru, mba_69@chat.ru | Moscow, USSR
-------------------------------------------------------------------------
<<<<< Powered by Linux & 220V >>>>>

From lkcl at samba.org Wed Feb 16 18:57:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: libs
In-Reply-To: <38AAED53.3FDE545B@Javad.Ru>
Message-ID:

samedit is a program not a command.

On Thu, 17 Feb 2000, Alexander Davydenko wrote:

> the first of at all I'll want to know what libs (libc and libreadline) are u
> have
> to compile SAMBA_TNG ?
> second one, where is samedit command? I can't see it while run commands from
> rpcclient.
>
> Your's alex
>
> --
> Alexander Davydenko |
> alex@javad.ru, mba_69@chat.ru | Moscow, USSR
> -------------------------------------------------------------------------
> <<<<< Powered by Linux & 220V >>>>>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From jffolliott at home.com Wed Feb 16 19:16:27 2000
From: jffolliott at home.com (Jamie ffolliott)
Date: Tue Dec 2 02:28:36 2003
Subject: libs
In-Reply-To:
Message-ID:

Alex,

samedit doesn't compile by default. You have to uncomment it from
Makefile.in on the line "PROGS3 = ", then do configure again and recompile.
That'll give you a bunch of new programs - regedit, samedit, svccontrol,
cmdat, and spoolss.

Jamie

> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of
> Luke Kenneth Casson Leighton
>
> samedit is a program not a command.
>
> On Thu, 17 Feb 2000, Alexander Davydenko wrote:
>
> > the first of at all I'll want to know what libs (libc and libreadline) are u
> > have
> > to compile SAMBA_TNG ?
> > second one, where is samedit command? I can't see it while run commands from
> > rpcclient.
> >
> > Your's alex
> >
> > --
> > Alexander Davydenko |
> > alex@javad.ru, mba_69@chat.ru | Moscow, USSR
> > -------------------------------------------------------------------------
> > <<<<< Powered by Linux & 220V >>>>>
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

From cigor at EUnet.yu Wed Feb 16 18:23:30 2000
From: cigor at EUnet.yu (Čolović Igor)
Date: Tue Dec 2 02:28:36 2003
Subject: Browsing from other workgroup problem
In-Reply-To:
Message-ID:

------------------------------------------------------
"Unibus timeout fatal trap program lost sorry"
- An error message printed by DEC's RSTS operating system for the PDP-11

On Wed, 16 Feb 2000, Ondrej Hanak wrote:

> Else win client wants password to IPC$.

This problem is solved when you force win9x to use encrypted passwords.
Look in /samba/docs/*.reg files for "reg path".
Set "EnablePlainTextPassword"=dword:00000000 not 1.
This will solve your problem.

You have to set encrypt passwords = yes

From alex at Javad.Ru Wed Feb 16 20:48:58 2000
From: alex at Javad.Ru (Alexander Davydenko)
Date: Tue Dec 2 02:28:36 2003
Subject: OFF: ICR channel
Message-ID: <38AB0D3A.79C8447D@Javad.Ru>

Is it any IRC channel for discussion on samba-ntdom?

--
Alexander Davydenko |
alex@javad.ru, mba_69@chat.ru | Moscow, USSR
-------------------------------------------------------------------------
<<<<< Powered by Linux & 220V >>>>>

From mgeddes at xavier.sa.edu.au Wed Feb 16 22:12:51 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: SAMBA server crashing
References: <8544DBEBBF6DD2118DF500204804EF1901DCBF2A@lfi-ms-025-02.langley.af.mil>
Message-ID: <38AB20E3.A23FCBA6@xavier.sa.edu.au>

Try turning the debug level up a couple of notches and check the log
files (probably in the /whereversambalives/var/log.nmb and log.smb).

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From mgeddes at xavier.sa.edu.au Thu Feb 17 01:22:10 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: PRE ALPHA 0.3
Message-ID: <38AB4D41.6C0E2F67@xavier.sa.edu.au>

Hi guys,

This is a really strange thing for me to ask, but does the configure
script for TNG 0.3 deliberately alter the time? It has reset the clock
to the BIOS start date on every machine I have tried it on. This has
been under RedHat 5.2, RedHat 6.0 and SuSE 6.2 (all with default kernel
versions). It causes it to reconfigure when you type make. resetting the
date before typing make seems to fix it.

Thanks,
Matt

P.S. The only configure options I gave were --with-quotas and
--prefix=.....

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Thu Feb 17 01:20:08 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: PRE ALPHA 0.3
In-Reply-To: <38AB4D41.6C0E2F67@xavier.sa.edu.au>
Message-ID:

whoa, that's _really_ weird. not that i'm aware of.

On Thu, 17 Feb 2000, Matthew Geddes wrote:

> Hi guys,
>
> This is a really strange thing for me to ask, but does the configure
> script for TNG 0.3 deliberately alter the time? It has reset the clock
> to the BIOS start date on every machine I have tried it on. This has
> been under RedHat 5.2, RedHat 6.0 and SuSE 6.2 (all with default kernel
> versions). It causes it to reconfigure when you type make. resetting the
> date before typing make seems to fix it.
>
> Thanks,
> Matt
>
> P.S. The only configure options I gave were --with-quotas and
> --prefix=.....
>
>
> --
> "Our goal for the next release of Windows 2000 is to have zero bugs."
> - Lucovsky, Microsoft
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mgeddes at xavier.sa.edu.au Thu Feb 17 01:37:13 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: PRE ALPHA 0.3
References:
Message-ID: <38AB50C9.A61244B@xavier.sa.edu.au>

Luke Kenneth Casson Leighton wrote:

> whoa, that's _really_ weird. not that i'm aware of.
>

I *promise*. There are no strange background processes running at the time.
Not a huge issue, resetting the date fixes it. The good news is that I can
create trust accounts now using rpcclient ;-).

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Thu Feb 17 01:29:48 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: nt5rtm joining domain sends password of length 0xf0 uni-chars
Message-ID:

nt5 sends a random password of 0xf0 UNICODE characters in length when
joining a domain (SamrSetUserInfo - opcode 0x3a, info level 0x18).

i'm not sure if this is a problem, but it is fairly extreme, and i'd heard
somewhere that there was _supposed_ to be a limit of 128 [UNICODE] chars
on NT passwords?

anyway, for those people who are supporting NT5 wkstas joining to domains,
check your NT# / LM# generation code, make sure it can do _at least_
256-unicode-chars-length passwords.

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 01:30:12 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: PRE ALPHA 0.3
In-Reply-To: <38AB50C9.A61244B@xavier.sa.edu.au>
Message-ID:

On Thu, 17 Feb 2000, Matthew Geddes wrote:

> Luke Kenneth Casson Leighton wrote:
>
> > whoa, that's _really_ weird. not that i'm aware of.
> >
>
> I *promise*. There are no strange background processes running at the time.
> Not a huge issue, resetting the date fixes it. The good news is that I can
> create trust accounts now using rpcclient ;-).

excellent!

From mgeddes at xavier.sa.edu.au Thu Feb 17 04:08:20 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: Works like a bought one!
Message-ID: <38AB7434.E170FFA3@xavier.sa.edu.au>

Just thought I'd let people know that Samba TNG alpha 0.3 works on my
machines. I have a PDC set up, I managed to join the domain from the NT
workstation using NT's pretty little domain-joiny box (I sooo wanted to
send a grab of the 'welcome to the...' message, but figured you didn't
really need your mailbox clogged up with crap). Now all I need to do is
the whole PDC -> BDC thing happening.

Does the abovementioned tarball contain the hybrid or just TNG?

Anyway, just thought I'd let you people (The O'Mighty Samba Team) know
just how much you rock. Mostly thanks to Luke and Lars. I will also be
E-Mailing a pizza as an attachment. ;-)

Thanks heaps,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From mgeddes at xavier.sa.edu.au Thu Feb 17 05:11:58 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: rpcclient / BDC joining domain
Message-ID: <38AB831E.CF49A462@xavier.sa.edu.au>

rpcclient segfaults whenever I try the createuser BDCNAME$ -s -j
command. Is this a known thing or am I broken?

Any ideas?

Thanks,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Thu Feb 17 05:26:56 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: Works like a bought one!
In-Reply-To: <38AB7434.E170FFA3@xavier.sa.edu.au>
Message-ID:

On Thu, 17 Feb 2000, Matthew Geddes wrote:

> Just thought I'd let people know that Samba TNG alpha 0.3 works on my

cool!

> machines. I have a PDC set up, I managed to join the domain from the NT
> workstation using NT's pretty little domain-joiny box (I sooo wanted to
> send a grab of the 'welcome to the...' message, but figured you didn't

paul ashton's signature was "welcome to the samba domain " for a while :)

> really need your mailbox clogged up with crap). Now all I need to do is
> the whole PDC -> BDC thing happening.
>
> Does the abovementioned tarball contain the hybrid or just TNG?

just tng.

From lkcl at samba.org Thu Feb 17 05:33:11 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:36 2003
Subject: rpcclient / BDC joining domain
In-Reply-To: <38AB831E.CF49A462@xavier.sa.edu.au>
Message-ID:

i added some checking so it shouldn't segfault, just say "error" or not do
anything.

On Thu, 17 Feb 2000, Matthew Geddes wrote:

> rpcclient segfaults whenever I try the createuser BDCNAME$ -s -j
> command. Is this a known thing or am I broken?
>
> Any ideas?
>
> Thanks,
> Matt
>
>
> --
> "Our goal for the next release of Windows 2000 is to have zero bugs."
> - Lucovsky, Microsoft
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mgeddes at xavier.sa.edu.au Thu Feb 17 05:43:18 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:36 2003
Subject: rpcclient / BDC joining domain
References: <38AB831E.CF49A462@xavier.sa.edu.au>
Message-ID: <38AB8A76.55375637@xavier.sa.edu.au>

Matthew Geddes wrote:
>
> rpcclient segfaults whenever I try the createuser BDCNAME$ -s -j
> command. Is this a known thing or am I broken?
>
> Any ideas?
>
> Thanks,
> Matt

It tells me it's trying to join as a PDC. Is that the problem?

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From jxm533 at psu.edu Thu Feb 17 06:41:09 2000
From: jxm533 at psu.edu (Joe Manojlovich) Date: Tue Dec 2 02:28:37 2003 Subject: Strange Socket Errors With Latest TNG Message-ID: <38AB9805.4D40EF9A@psu.edu> Though I've actually been getting this for some time now. Anyway, on my redhat 6 server I daily update with the latest cvs of TNG. However, whenever I try to connect from my NT workstation, I get "server service not started" or similar errors, and "domain controller cannot be found" errors when I try to join the domain. The only thing that sticks out is the error messages I see when running rpcclient. Here's a snippet: socket open succeeded. file name: /tmp/.smb.0/agent socket connect to /tmp/.smb.0/agent failed: Connection refused redirect FAILED, make direct connection Connecting to 255.255.255.255 at port 445 error connecting to 255.255.255.255:445 (Network is unreachable) Connecting to 255.255.255.255 at port 139 error connecting to 255.255.255.255:139 (Network is unreachable) cli_establish_connection: failed to connect to ATHENE<00> (255.255.255.255) cli_net_use_add: connection failed ncacn_np_use_add: connection failed cli_connection_free: 199 cli_connection_free: closed: No cmd_wks_query_info: query failed I know that the server is working, obviously, because my linux client can connect, and even the server can connect to itself. I attached my smb.conf file for good measure. -- Joe Manojlovich jxm533@psu.edu -------------- next part -------------- # I HOPE THIS WORKS!!! # # This is the main Samba configuration file. You should read the # smb.conf(5) manual page in order to understand the options listed # here. Samba has a huge number of configurable options (perhaps too # many!) most of which are not shown in this example # # Any line which starts with a ; (semi-colon) or a # (hash) # is a comment and is ignored. 
In this example we will use a # # for commentry and a ; for parts of the config file that you # may wish to enable # # NOTE: Whenever you modify this file you should run the command "testparm" # to check that you have not many any basic syntactic errors. # #======================= Global Settings ===================================== [global] # workgroup = NT-Domain-Name or Workgroup-Name workgroup = MYGROUP netbios name = ATHENE # server string is the equivalent of the NT Description field server string = Samba Server # This option is important for security. It allows you to restrict # connections to machines which are on your local network. The # following example restricts access to two C class networks and # the "loopback" interface. For more examples of the syntax see # the smb.conf man page hosts allow = 192.168.10. 127. # What to do with winpopup messages # message command = /usr/bin/linpopup "%f" "%m" %s; rm %s& # if you want to automatically load your printer list rather # than setting them up individually then you'll need this ; printcap name = /etc/printcap ; load printers = yes # It should not be necessary to spell out the print system type unless # yours is non-standard. Currently supported print systems include: # bsd, sysv, plp, lprng, aix, hpux, qnx ; printing = bsd # Uncomment this if you want a guest account, you must add this to /etc/passwd # otherwise the user "nobody" is used ; guest account = pcguest # this tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m log level = 20 # Put a capping on the size of the log files (in Kb). max log size = 50 # Security mode. Most people will want user level security. See # security_level.txt for details. security = user # Password Level allows matching of _n_ characters of the password for # all combinations of upper and lower case. ; password level = 8 ; username level = 8 # You may wish to use password encryption. 
Please read # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation. # Do not enable this option unless you have read those documents encrypt passwords = yes smb passwd file = /usr/local/samba/lib/smbpasswd # The following are needed to allow password changing from Windows to # update the Linux sytsem password also. # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above. # NOTE2: You do NOT need these to allow workstations to change only # the encrypted SMB passwords. They allow the Unix password # to be kept in sync with the SMB password. unix password sync = Yes passwd program = /usr/bin/passwd %u passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* # Unix users can map to different SMB User names # username map = /private/smbusers username map = /usr/local/samba/lib/user.map domain user map = /usr/local/samba/lib/domainuser.map admin users = root, Adminstrator # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name # of the machine that is connecting ; include = /etc/smb.conf.%m # Most people will find that this option gives better performance. # See speed.txt and the manual pages for details socket options = TCP_NODELAY # Configure Samba to use multiple interfaces # If you have multiple network interfaces then you must list them # here. See the man page for details. # interfaces = eth0 # Configure remote browse list synchronisation here # request announcement to, or browse list sync from: # a specific host or from / to a whole subnet (see below) ; remote browse sync = 192.168.3.25 192.168.5.255 # Cause this host to announce itself to local subnets here remote announce = 192.168.10.255 # Browser Control Options: # set local master to no if you don't want Samba to become a master # browser on your network. 
Otherwise the normal election rules apply local master = yes # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable os level = 64 # Domain Master specifies Samba to be the Domain Master Browser. This # allows Samba to collate browse lists between subnets. Don't use this # if you already have a Windows NT domain controller doing this job domain master = yes # Preferred Master causes Samba to force a local browser election on startup # and gives it a slightly higher chance of winning the election preferred master = yes # Enable this if you want Samba to be a domain logon server for # Windows95 workstations. domain logons = yes # if you enable domain logons then you may want a per-machine or # per user logon script # run a specific logon batch file per workstation (machine) ; logon script = %m.bat # run a specific logon batch file per username ; logon script = %U.bat # Where to store roving profiles (only for Win95 and WinNT) # %L substitutes for this servers netbios name, %U is username # You must uncomment the [Profiles] share below ; logon path = \\%L\Profiles\%U logon drive = h: logon path = \\%L\homes # All NetBIOS names must be resolved to IP Addresses # 'Name Resolve Order' allows the named resolution mechanism to be specified # the default order is "host lmhosts wins bcast". "host" means use the unix # system gethostbyname() function call that will use either /etc/hosts OR # DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf # and the /etc/resolv.conf file. "host" therefore is system configuration # dependant. This parameter is most often of use to prevent DNS lookups # in order to resolve NetBIOS names to IP Addresses. Use with care! # The example below excludes use of name resolution for machines that are NOT # on the local network segment # - OR - are not deliberately to be known via lmhosts or via WINS. 
name resolve order = host lmhosts bcast # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server ;wins support = yes # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both ; wins server = w.x.y.z # WINS Proxy - Tells Samba to answer name resolution queries on # behalf of a non WINS capable client, for this to work there must be # at least one WINS Server on the network. The default is NO. ; wins proxy = yes time server = yes # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names # via DNS nslookups. The built-in default for versions 1.9.17 is yes, # this has been changed in version 1.9.18 to no. dns proxy = no # Case Preservation can be handy - system default is _no_ # NOTE: These can be set on a per share basis ; preserve case = no ; short preserve case = no # Default case is normally upper case for all DOS files ; default case = lower # Be very careful with case sensitivity - it can break things! ; case sensitive = no #============================ Share Definitions ============================== [homes] comment = Home Directories browseable = no writable = yes create mode = 0600 directory mode = 0700 locking = no browseable = yes public = yes # Un-comment the following and create the netlogon directory for Domain Logons [netlogon] comment = Network Logon Service path = /home/netlogon locking = no browseable = yes public = no writable = yes case sensitive = no ;case preserve = yes default case = yes # Un-comment the following to provide a specific roving profile share # the default is to use the user's home directory #[Profiles] # path = /home/profiles # browseable = no # writable = yes # read only = no # This one is useful for people to share files ;[tmp] ; comment = Temporary file space ; path = /tmp ; read only = no ; public = yes From lmyatt at ozemail.com.au Thu Feb 17 06:42:00 2000 
From: lmyatt at ozemail.com.au (lmyatt@ozemail.com.au)
Date: Tue Dec 2 02:28:37 2003
Subject: Roaming Profiles
Message-ID: <200002170642.RAA13523@fep7.mail.ozemail.net>

Is it possible to disable roaming profiles in Samba? NT wants to store two
profiles - one locally on the client box, the other in the users /home dir
on the server. I have tried disabling roaming profiles on the clients but
this won't work without destroying my existing profiles.

__________________________________________________________
Message sent by MyMail http://www.mymail.com.au/

From lkcl at samba.org Thu Feb 17 06:45:01 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: Using rpcclient or samedit to randomise trust account passwords
Message-ID:

when an nt 4.0 workstation or backup domain controller is joined to a
domain, the trust account password is set to a well-known initial value.

if you are concerned about internal network security, this is not really
an acceptable risk: any captured network traffic can be decoded simply
from knowing the name of the workstation, which is contained in the
network traffic itself. the initial value _is_ changed to a random
value... using the initial value as the key to obfuscate the new value.

this _has_ been fixed in nt5: the initial value is *totally* random. i
can only confirm this for workstations-joining-domains, i haven't set up
an nt5 BDC in an nt4 domain to check if that uses a totally random
password or a well-known one.

[for details on the algorithm used, please see Paul Ashton and Luke
Leighton's "NT Domain Member to Domain Controller protocol" posting of
august 1997, in the NTBUGTRAQ archives. A copy of the algorithm is also
available in the appendix of the book at the end of this message.]

the shared secret (trust account password) is stored in two places. one
is on the workstation or backup domain controller, in the lsa secret named
"$MACHINE.ACC". the other location is in the SAM database of the PDC.
the workstation uses $MACHINE.ACC, the PDC uses the SAM database copy.

i understand that there is a tool available, written, i believe, by mark
russovitch or possibly dominique brezhinski, that runs on NT and changes
_both_ the workstation trust account password _and_ the PDC's copy of the
same trust account password in the SAM.

recent additions to samba's "rpcclient" and "samedit" tools also allow the
same to be done -- from a unix command-prompt.
once the workstation has been joined to the domain and rebooted, follow
these instructions _prior_ to logging in at the console:

    unix$ samedit \\ntpdc -U administrator%administratorpassword
    [administrator@ntpdc$ ] use \\ntworkstation -U localadminuser%localpwd
    [wait for the following message:]
    Net Use \\ntworksation User: localadmin: Domain: - OK
    [administrator@ntpdc$ ] createuser ntworkstation$ -j
    [you should see the following messages:]
    Create Workstatino Trust Account ntworkstation$: OK
    Join Worksation to Domain: OK
    [administrator@ntpdc$ ] quit
    unix$

You _will_ need to know -- and use -- the workstation's local admin
password _and_ the pdc's admin password because rpcclient (or samedit)
make two separate connections, one to change $MACHINE.ACC, the other to
store the same password on the PDC.

don't worry: if rpcclient (or samedit) cannot connect to BOTH machines, it
will NOT attempt to change EITHER of the passwords. It is not possible,
however, to obtain the _original_ passwords, for security reasons (well
done microsoft for removing LsaQuerySecret from NT 4.0 SP4 by the way! :)
so if this procedure fails half-way, i'm afraid that you're going to need
to rejoin the workstation to the domain.

You will probably find that there is some other serious problem that
caused this to fail (unrelated to rpcclient / samedit's use, misuse or
lack of use) which will _also_ cause the rejoin to fail, so fix that first
(for example, someone switched off or disconnected the PDC whilst
rpcclient / samedit was in use!) and then reissue the createuser command
to re-join the workstation, or go back to basics and use the network
control panel.

The source code to rpcclient can be obtained by following the instructions
at http://samba.org/cvs.html, and using a tag of SAMBA_TNG. I am also
releasing alpha tng tarballs from the alpha/ directory of a samba mirror
site of ftp://samba.org/pub/samba/alpha. For the above functionality, you
will need a minimum of samba-tng-alpha-0.4.tar.gz.
Once you have obtained the source, you will need to do this:

    ./configure
    make bin/rpcclient
or
    make bin/samedit

Regarding the createuser command, it issues an LsarSetSecret function and
a SamrSetInformationUser function with info level 0x18 to set the
$MACHINE.ACC and the trust account's password, respectively. *BOTH* these
functions use the User Session Key of the user's connection (localadmin to
the workstation, domainadmin to the pdc). If you recall my previous
posting, when using NTLMv1, this is MD4(NT#), which is
MD4(MD4(Unicode(plaintext password))).

You SHOULD, therefore, either:

- add "client ntlmv2 = yes" to the smb.conf file used by rpcclient and
  samedit. The default is /usr/local/samba/lib/smb.conf. Set
  "LmCompatibilityLevel=0x4 or 0x5" on the PDC, and
  "LmCompatibilityLevel=0x2 or 0x3" on the workstations. See previous
  posting to NTBUGTRAQ for details and warnings about doing this.

- after ANY usage of an administrator account to either change a user's
  password or create account using SRVMGR.EXE or USRMGR.EXE, ALSO change
  the administrator's password. this is, of course, totally impractical
  and ridiculous but it is the only way to ensure that new account
  passwords are secure when using NTLMv1 (the default for all versions of
  Windows NT). see previous posting to NTBUGTRAQ for details and
  procedures on secure network alternatives to this stupid, necessary
  approach.

Please remember that all bugs in rpcclient and samedit are my
responsibility. Please remember that the source code _is_ available, so if
you don't trust these programs, you can examine it yourself. Start in
rpcclient/cmd_samr.c with the cmd_sam_create_dom_user() function.

@begin-disclaimer-similar-to-the-usual-regedit-warning

Please also remember that any problems, direct or indirect, consequential
or inconsequential, due to the use, misuse, failure to use, failure to use
correctly or the general stupidity, of any samba-related programs, most
certainly are your own responsibility.
The operations carried out by samedit and rpcclient are NOT reversible.
It is assumed, like using regedit.exe and usrmgr.exe, that you REALLY know
what you are doing. If you mess this up, you must have wanted to mess it
up, so you are on your own.

@end-disclaimer-similar-to-the-usual-regedit-warning

there _is_ an alternative procedure to follow to ensure that the
workstation or backup domain controller trust account passwords are
securely made random, assuming that microsoft used a trustworthy random
number generator to produce the trust account passwords:

1) take the PDC off-line, or have a private (second?) network card added,
   in order to create a small, physically secure, network.

2) connect the workstation(s) / BDC(s) to the PDC, either off-line or to
   the private network. the workstation / BDC should be the ONLY host
   connection to the PDC (or to the private network). it is assumed that
   the PDC has not been compromised, and neither has the workstation or
   the BDC (because you are installing it from fresh, perhaps? :) and that
   you trust the installation CD not to have been compromised [not as
   stupid as it sounds: some people produce ghost installs of NT, from
   their own custom CDs].

3) join the workstation / BDC to the Domain. DO NOT use srvmgr.exe to do
   this, type in the administrator's username and password when requested.
   reboot the workstation / BDC.

4) at the login prompt (when you get one), press ctrl-alt-delete and log
   in SUCCESSFULLY, one time, as any Domain User in the PDC's Domain.

5) Log off and shut down the workstation / BDC, disconnect it from the
   private network. reconnect the PDC to the network if you removed it :)

of course, this procedure is only suitable for circumstances where
workstations / BDCs are physically close to the PDC, or the private
network is KNOWN to be secure (e.g a VPN).

happy network-securing,

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 06:45:41 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: rpcclient / BDC joining domain
In-Reply-To: <38AB8A76.55375637@xavier.sa.edu.au>
Message-ID:

? send me a log file, level 100.

On Thu, 17 Feb 2000, Matthew Geddes wrote:

> Matthew Geddes wrote:
> >
> > rpcclient segfaults whenever I try the createuser BDCNAME$ -s -j
> > command. Is this a known thing or am I broken?
> >
> > Any ideas?
> >
> > Thanks,
> > Matt
>
> It tells me it's trying to join as a PDC. Is that the problem?
>
> --
> "Our goal for the next release of Windows 2000 is to have zero bugs."
> - Lucovsky, Microsoft
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 06:47:25 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: Strange Socket Errors With Latest TNG
In-Reply-To: <38AB9805.4D40EF9A@psu.edu>
Message-ID:

ATHENE<00>. 00 is a group name. are you attempting to connect to a domain
instead of a server, by any chance? :)

hmm...

On Thu, 17 Feb 2000, Joe Manojlovich wrote:

> Though I've actually been getting this for some time now. Anyway, on my
> redhat 6 server I daily update with the latest cvs of TNG. However,
> whenever I try to connect from my NT workstation, I get "server service
> not started" or similar errors, and "domain controller cannot be found"
> errors when I try to join the domain. The only thing that sticks out is
> the error messages I see when running rpcclient. Here's a snippet:
>
> socket open succeeded. file name: /tmp/.smb.0/agent
> socket connect to /tmp/.smb.0/agent failed: Connection refused
> redirect FAILED, make direct connection
> Connecting to 255.255.255.255 at port 445
> error connecting to 255.255.255.255:445 (Network is unreachable)
> Connecting to 255.255.255.255 at port 139
> error connecting to 255.255.255.255:139 (Network is unreachable)
> cli_establish_connection: failed to connect to ATHENE<00>
> (255.255.255.255)
> cli_net_use_add: connection failed
> ncacn_np_use_add: connection failed
> cli_connection_free: 199
> cli_connection_free: closed: No
> cmd_wks_query_info: query failed
>
> I know that the server is working, obviously, because my linux client
> can connect, and even the server can connect to itself. I attached my
> smb.conf file for good measure.
>
> --
> Joe Manojlovich
> jxm533@psu.edu

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

-------------- next part --------------
# I HOPE THIS WORKS!!!
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = MYGROUP
   netbios name = ATHENE

# server string is the equivalent of the NT Description field
   server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
   hosts allow = 192.168.10. 127.

# What to do with winpopup messages
#   message command = /usr/bin/linpopup "%f" "%m" %s; rm %s&

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;   printcap name = /etc/printcap
;   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m
   log level = 20

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/lib/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
#  username map = /private/smbusers
   username map = /usr/local/samba/lib/user.map
   domain user map = /usr/local/samba/lib/domainuser.map
   admin users = root, Adminstrator

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
#   interfaces = eth0

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#       a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
   remote announce = 192.168.10.255

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
   local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
   os level = 64

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U
   logon drive = h:
   logon path = \\%L\homes

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependent. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
   name resolve order = host lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
;   wins proxy = yes
   time server = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mode = 0600
   directory mode = 0700
   locking = no
   browseable = yes
   public = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   locking = no
   browseable = yes
   public = no
   writable = yes
   case sensitive = no
   ;case preserve = yes
   default case = yes

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
#[Profiles]
#    path = /home/profiles
#    browseable = no
#    writable = yes
#    read only = no

# This one is useful for people to share files
;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

From jfhunez at oceanes.fr Thu Feb 17 08:59:49 2000
From: jfhunez at oceanes.fr (JF HUNEZ)
Date: Tue Dec 2 02:28:37 2003
Subject: Roaming profiles with W98 clients
Message-ID: <200002170857.MAA13085@ns1.guetali.fr>

Hello,

I run Samba 2.06 as PDC and the clients are Win98 machines only.
Roaming profiles don't work, there is no user.dat in the profiles share,
only the START folder.
I have read the doc in /usr/doc and the NTDOM faq too ; my smb.conf meets
the recommendations.

Roaming profiles need a NT server on the network ??

Thanks

JF HUNEZ
Reunion Island

From nord at cdt.luth.se Thu Feb 17 13:33:44 2000
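Added example, not part of any message in this archive and not Samba project code: a small checker for the guest and write settings of share definitions such as the [homes] and [netlogon] sections of the smb.conf attached above, which testparm accepts without comment. SAMPLE is constructed from that attachment's active share lines; the function names and finding codes are this example's own, and the synonym handling (public for guest ok, writable as the inverse of read only), [global] inheritance and last-assignment-wins behaviour follow smb.conf(5).

```python
"""Added example: flag guest and write exposure in smb.conf share sections."""

# Synonyms from smb.conf(5), keyed by the name with case and spaces removed:
# (canonical parameter, whether the yes/no sense is inverted).
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
    "allowhosts": ("hostsallow", False),
}
# Samba's built-in defaults for the two share parameters the audit reads.
DEFAULTS = {"guestok": False, "readonly": True}
BOOLEANS = {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}


def canon(name, value):
    """Normalise one 'name = value' pair the way Samba compares names."""
    key = "".join(name.lower().split())      # case and spaces are ignored
    key, inverted = SYNONYMS.get(key, (key, False))
    value = value.strip()
    if key in DEFAULTS and value.lower() in BOOLEANS:
        flag = BOOLEANS[value.lower()]
        return key, (not flag) if inverted else flag
    return key, value


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            key, val = canon(name, value)
            current[key] = val               # the last assignment wins
    return sections


def effective(sections, share, key):
    """Share setting, else the [global] default, else the built-in default."""
    for scope in (sections.get(share, {}), sections.get("global", {})):
        if key in scope:
            return scope[key]
    return DEFAULTS[key]


def audit(text):
    """Return a sorted list of (section, finding code) tuples."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    found = []
    if glob.get("guestok") is True:          # inherited by every share
        found.append(("global", "GUEST_GLOBAL"))
    if "hostsallow" not in glob:             # no network restriction at all
        found.append(("global", "NO_HOSTS_ALLOW"))
    for share in sections:
        if share == "global":
            continue
        guest = effective(sections, share, "guestok") is True
        writable = effective(sections, share, "readonly") is False
        if guest and writable:
            found.append((share, "GUEST_WRITE"))
        if share == "homes" and guest:
            found.append((share, "GUEST_HOMES"))
        if share == "netlogon" and writable: # logon scripts can be modified
            found.append((share, "NETLOGON_WRITABLE"))
    return sorted(found)


# Constructed sample: the active share settings from the attachment above.
SAMPLE = """\
[global]
   security = user
   hosts allow = 192.168.10. 127.
[homes]
   browseable = no
   writable = yes
   browseable = yes
   public = yes
[netlogon]
   path = /home/netlogon
   public = no
   writable = yes
;[tmp]
;   read only = no
;   public = yes
"""

if __name__ == "__main__":
    for section, code in audit(SAMPLE):
        print(f"[{section}] {code}")
```

A `guest ok = Yes` line placed in [global] is reported once as GUEST_GLOBAL and again on every writable share that inherits it.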
From: nord at cdt.luth.se (James Nord)
Date: Tue Dec 2 02:28:37 2003
Subject: Non domain machines accessing shares.
Message-ID: <38ABF8B8.64F6272A@cdt.luth.se>

Hi all,

I was just about to setup TNG when I thought I'd ask this (hopefully
stupid) question.

If samba is set up as a PDC can non domain PCs still access (& browse) its
shares or does the PC machine need to be a member of the domain?

Thanks,

/James
--
Technology is a word that describes something that doesn't work yet.
Douglas Adams

From bkeats at spiff.chin.gc.ca Thu Feb 17 14:21:43 2000
From: bkeats at spiff.chin.gc.ca (Brian Keats)
Date: Tue Dec 2 02:28:37 2003
Subject: Netlogon Service for Win 9x Clients
Message-ID:

Hi,

I currently have a few Win 95 machines residing on a private network being
routed to a non-private network by a linux 2.2.12 kernel with IP_MASQ and
IP_FORWARDING. Initially, I couldn't get NT DOMAIN logons to work through
the masqueraded linux box so I decided to try using Samba. After a lot of
reading and configuring I've managed to have users validated on the NT
DOMAIN whilst they are behind this 'firewall' !

(At this point, you might ask yourself why am I doing this ? The reason in
a nutshell is these machines all belong in a separate group which from time
to time change between being on the internal NT DOMAIN Lan and being on our
external Public Internet connection)

As I stated earlier, I can get users validated (i.e. can logon) but the
problem is I can't get the Linux/Samba box to deliver the users logon batch
file which resides on the domain PDC/BDC's. My Linux box has been added to
the domain successfully and processes logon attempts correctly. The users
batch files are administered by the NT administrator for each workgroup and
there trying to use something like "logon path = \\%L\%U" or any other
variable substitution will not work as the naming schemes are different for
each person, possibly ! (In other words there is no standard being used to
specify a path and batch file name to be passed to the client and executed
upon logon) I believe the path and batch file name are entered on the NT
side by administrator using User Manager for Domains, or whatever.

I am wondering if there is a way I can get the Samba Server to look at the
path and batch file name stored on the server and then pass them along to
the client. I did manage to create a NETLOGON share and copy all the
different batch files from the PDC to the Samba box but, short of finding
out what the path and batch file name is for each user and then creating a
local Samba account and then adding an smbpasswd entry to process the
netlogon request and also keeping this up to date, I'm curious as to if
this can be done ?

I am using Samba ver. 2.05a and the smb.conf file is listed below, with
network numbers and such changed to protect the innocent ;-} .

Can anybody shed some light on how I can point the clients to use the
[netlogon] service provided by the PDC and not involve Samba except in the
role of say something like a proxy netlogon server ?

If you feel like responding to this any insight would be appreciated.

Regards in advance

Brian Keats

# Samba config file created using SWAT
# Date: 2000/02/14 09:42:13

# Global parameters
[global]
	workgroup = ORG1
	netbios name = MASQ-SERVER
	server string = Samba Server
	interfaces = 192.168.1.1/255.255.255.0
	security = DOMAIN
	encrypt passwords = Yes
	password server = ORG1-INFO ORG1-INFO-01 ORG1-INFO-02
	username map = /usr/lib/samba/private/usermap
	log level = 3
	log file = /var/log/samba.%m
	max log size = 50
	socket options = TCP_NODELAY
	logon path =
	logon home =
	domain logons = Yes
	os level = 55
	preferred master = Yes
	wins proxy = Yes
	wins server = 129.15.60.62
	remote announce = 129.15.45.255/ORG1
	socket address = 192.168.1.1
	guest ok = Yes
	hosts allow = 192.168.1. 129.15.

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	print ok = Yes
	browseable = No

[CDROM]
	comment = Slow SCSI CDROM
	path = /cdrom

#[NETLOGON]
#	comment = Netlogon Path
#	path = /usr/lib/samba/netlogon
# I initially added this to test the determine if the path and filename info was being passed
# along and the client was trying to find the netlogon batch file on the Samba server.
----- End of forwarded message from Brian_Keats@pch.gc.ca -----

From plussier at ne.arris-i.com Thu Feb 17 14:34:37 2000
From: plussier at ne.arris-i.com (Paul Lussier)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
Message-ID: <200002171434.JAA25831@coda.docd-east>

Hi all,

Unfortunately, due to the fact that Samba can't yet handle domain trust
relationships with other NT domains, I'm forced to use an NT PDC for now.
However, since I've recently moved my entire user base over to Unix
accounts for e-mail purposes, I'd really rather not have to deal with
creating new accounts for them all.

Does anyone know if it is possible to have NT authenticate against an NIS
server, and if so, how?

Any information or pointers is greatly appreciated,

Thanks,
--
Seeya,
Paul
----
Doing something stupid always costs less (up front) than
doing something intelligent.
Bean counters are *always* wrong!
A conclusion is simply the place where you got tired of thinking.
If you're not having fun, you're not doing it right!

From cartegw at Eng.Auburn.EDU Thu Feb 17 14:45:38 2000
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
References: <200002171434.JAA25831@coda.docd-east>
Message-ID: <38AC0992.2E8D03F3@eng.auburn.edu>

Paul Lussier wrote:
>
> Does anyone know if it is possible to have NT authenticate
> against an NIS server, and if so, how?

For interactive logons, yes there is a GINA replacement
that will authenticate against NIS. However, this is not
what you need to get a NT DC to validate against NIS.

Cheers,
jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From plussier at ne.arris-i.com Thu Feb 17 14:49:47 2000
From: plussier at ne.arris-i.com (Paul Lussier)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To: Your message of "Thu, 17 Feb 2000 08:45:38 CST." <38AC0992.2E8D03F3@eng.auburn.edu>
References: <200002171434.JAA25831@coda.docd-east> <38AC0992.2E8D03F3@eng.auburn.edu>
Message-ID: <200002171449.JAA25954@coda.docd-east>

In a message dated: Thu, 17 Feb 2000 08:45:38 CST
Gerald Carter said:

>For interactive logons, yes there is a GINA replacement
>that will authenticate against NIS. However, this is not
>what you need to get a NT DC to validate against NIS.

What do I need then, any idea? What I had hoped to do was set up a Samba
file/print server that used server authentication pointing to this NT PDC,
which in turn, authenticated against the NIS server.

Can this be done? Is there a better way?

Thanks,
--
Seeya,
Paul
----
Doing something stupid always costs less (up front) than
doing something intelligent.
Bean counters are *always* wrong!
A conclusion is simply the place where you got tired of thinking.
If you're not having fun, you're not doing it right!

From cartegw at Eng.Auburn.EDU Thu Feb 17 14:50:11 2000
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
References: <200002171434.JAA25831@coda.docd-east>
Message-ID: <38AC0AA3.CF41FD26@eng.auburn.edu>

Forgot to include the link to the NISgina stuff if you want it.
Here's one for general information.
http://www.eng.auburn.edu/users/cartegw/win32/tools.html

However Gernot's site was offline last I checked so you can
get anything of his from

ftp://ftp.eng.auburn.edu/pub/cartegw/nisgina/

Cheers,
jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From skvidal at phy.duke.edu Thu Feb 17 15:23:35 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To: <38AC0AA3.CF41FD26@eng.auburn.edu>
Message-ID:

> Forgot to include the link to the NISgina stuff if you want it.
> Here's one for general information.
> http://www.eng.auburn.edu/users/cartegw/win32/tools.html
>
> However Gernot's site was offline last I checked so you can
> get anything of his from
>
> ftp://ftp.eng.auburn.edu/pub/cartegw/nisgina/

I think the question that he has is similar to mine:

I have about 50-60 linux/unix users and about 20-40 winnt users on my
network - currently the NT folks are using nisgina and the plaintext reg
patch to access a samba 2.0.6 system. - this works ok but it's not very
graceful and doesn't give me much in the way of profiles etc etc.

I'd like to make all the NT users authenticate against a samba PDC (TNG)
and use/set the same password as the nis passwd file has.

I know it will take two password files (b/c it has two different 1-way
hashes) but has anyone setup and had good tests on a system like this?

I'm worried about the password updating (both from unix passwd change-> to
NT and vice-versa)

any suggestions or pointers?

-sv

From iainr at civ.hw.ac.uk Thu Feb 17 16:01:03 2000
From: iainr at civ.hw.ac.uk (Iain Rae)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

On Fri, 18 Feb 2000, Seth Vidal wrote:

> > Forgot to include the link to the NISgina stuff if you want it.
> > Here's one for general information.
> > http://www.eng.auburn.edu/users/cartegw/win32/tools.html
> >
> > However Gernot's site was offline last I checked so you can
> > get anything of his from
> >
> > ftp://ftp.eng.auburn.edu/pub/cartegw/nisgina/
>
> I think the question that he has is similar to mine:
>
> I have about 50-60 linux/unix users and about 20-40 winnt users on my
> network - currently the NT folks are using nisgina and the plaintext reg
> patch to access a samba 2.0.6 system. - this works ok but its not very
> graceful and doesn't give me much in the way of profiles etc etc.
>
> I'd like to make all the NT users authenticate against a samba PDC (TNG)
> and use/set the same password as the nis passwd file has.
>
> I know it will take two password files (b/c it has two different 1-way
> hashes) but has anyone setup and had good tests on a system like this?
>
> I'm worried about the password updating (both from unix passwd change-> to
> NT and vice-versa)

We do this, I'm not sure if it's much help :)

NIS master is on Solaris x86 {lion}
Samba PDC (HEAD branch cvs from about this time last year) on Solaris x86
{barham}
PC's have Hummingbird's NFS Maestro installed and are registered to the
samba PDC controller.

lion has a perl script which does the following (for admins only)

    get password & verify it will work with passwd and smbpasswd
    update NIS via passwd
    fire up ssh session to barham
    set smbpasswd via smbpasswd (creating account if it doesn't exist)

This is used to set up accounts and to fix "I've forgotten my password "
type problems.

NT boxes will update both NT (Samba) and NIS passwords (Maestro) off the
Ctrl-Alt-Del box.
There is^h will be a perl script (civpasswd) on the suns which wraps
passwd and smbpasswd and a couple of other things[1] in a similar fashion
to the one on lion but I really need to get ssh working for everyone on
everything, including NT, first of all. I say will be because the unix
folks use unix and most of the students just do the Ctrl-Alt-Del thing.

What you want, to keep the passwords synched is the ypbind part of NISgina
and a copy of yppasswd that will work with NT (which ought to be possible)
and a program or wrapper script which would allow your users to do

    foopasswd

on unix or NT and change both passwords.

Or there's always kerberos :)

[1] like LDAP, kerberos, ssh whatever, all coming RSN. :)

-------------------------------------------------------------------------------
| Iain Rae               | Tel: 0131 449 5111 Ext 4406 (Day)(but I'm never in)|
| Computing Officer.     | Any Opinions I am able to form are my own and in no|
| Civil & Offshore Eng.  | way reflect those of my employers.                 |
| Heriot-Watt University.| Well that's my opinion anyway.                     |
-------------------------------------------------------------------------------

From skvidal at phy.duke.edu Thu Feb 17 16:20:42 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

> There is^h will be a perl script (civpasswd) on the suns which wraps
> passwd and smbpasswd and a couple of other things[1] in a similar fashion
> to the one on lion but I really need to get ssh working for everyone on
> everything, including NT, first of all.

try ssh32 (lookup on google.com will find it) it works well.

> What you want, to keep the passwords synched is the ypbind part of NISgina
> and a copy of yppasswd that will work with NT (which ought to be possible)
> and a program or wrapper script which would allow your users to do
>
> foopasswd
>
> on unix or NT and change both passwords.
>
> Or there's always kerberos :)

that's not funny. not even a little. :)

the way I figure it I can get passwd change from the samba server to the
nis server working correctly. - that shouldn't be a problem.

I'm worried about people changing their pw in unix.

I guess it's workable.

Can I get pam_ntdom to change pws on a samba domain or do I have to
install smbpasswd everywhere and write an expect wrapper to passwd?

-sv

From brandon at inetevents.com Thu Feb 17 16:15:20 2000
From: brandon at inetevents.com (Brandon Stauber)
Date: Tue Dec 2 02:28:37 2003
Subject: SMB/NMBD configuration troubles.
Message-ID: <000001bf7962$32c28cf0$0bfea8c0@HAVANA>

Folks,

I am stumped! I have followed every tech tip I could find and I am still
unable to complete my SMB installation. Specifically, I fail Test 4 and
Tests 9 and 10. I believe the problem has something to do with the NMBD
configuration. Below are the parameters of our system.

Any help is greatly appreciated.

Brandon Stauber
brandon@inetevents.com
310-889-9264

[Please respond directly to brandon@inetevents.com. Thanks.]

System Details
--------------
LOPEZ = RH Linux 6.1 192.168.254.15
HAVANA = NT Domain 192.168.254.0/24
PUNCH = NT PDC 192.168.254.3

smb startup
-----------
As standalone daemon using rc.local running the following script:

#!/bin/sh
/usr/sbin/smbd -D
/usr/sbin/nmbd -H /etc/lmhosts -D

smb.conf file:
--------------
# Samba config file created using SWAT
# from cohiba (192.168.254.11)
# Date: 2000/02/16 18:12:14

# Global parameters
[global]
	workgroup = HAVANA
	netbios name = LOPEZ
	password server = PUNCH
	log file = /var/log/samba/log.%m
	max log size = 50
	wins server = 192.168.254.3

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[netlogin]
	comment = Network Login Service
	path = /home/netlogin
	guest ok = Yes
	share modes = No

[brandon]
	comment = Brandon Stauber's Share
	path = /home/brandon
	valid users = brandon administrator root
	read only = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	print ok = Yes
	browseable = No

[public]
	comment = Public Share
	path = /tmp
	read only = No
	guest ok = Yes

lmhosts file
------------
127.0.0.1 localhost
192.168.254.3 punch
...
192.168.254.15 lopez
...
TEST 1: testparm smb.conf
-------
[root@Lopez /etc]# testparm smb.conf
Load smb config files from smb.conf
Processing section "[homes]"
Processing section "[netlogin]"
Processing section "[brandon]"
Processing section "[printers]"
Processing section "[public]"
Loaded services file OK.
Press enter to see a dump of your service definitions

TEST 2: ping
-------
[root@Lopez /etc]# ping 192.168.254.11
PING 192.168.254.11 (192.168.254.11) from 192.168.254.15 : 56(84) bytes of data.
64 bytes from 192.168.254.11: icmp_seq=0 ttl=255 time=1.5 ms
64 bytes from 192.168.254.11: icmp_seq=1 ttl=255 time=1.3 ms
64 bytes from 192.168.254.11: icmp_seq=2 ttl=255 time=1.2 ms

[root@cohiba /etc]# ping 192.168.254.15
PING 192.168.254.15 (192.168.254.15) from 192.168.254.11 : 56(84) bytes of data.
64 bytes from 192.168.254.15: icmp_seq=0 ttl=255 time=0.9 ms
64 bytes from 192.168.254.15: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 192.168.254.15: icmp_seq=2 ttl=255 time=0.9 ms

TEST 3: smbclient -L lopez
-------
[root@Lopez /etc]# smbclient -L lopez
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a]

	Sharename      Type      Comment
	---------      ----      -------
	netlogin       Disk      Network Login Service
	brandon        Disk      Brandon Stauber's Share
	public         Disk      Public Share
	IPC$           IPC       IPC Service (Samba 2.0.5a)

	Server               Comment
	---------            -------
	LOPEZ                Samba 2.0.5a

	Workgroup            Master
	---------            -------
	HAVANA

TEST 4: nmblookup -B lopez _SAMBA_
-------
[root@Lopez /etc]# nmblookup -B lopez _SAMBA_
Sending queries to 127.0.0.1
name_query failed to find name _SAMBA_

TEST 5: nmblookup -B lopez '*'
-------
[root@Lopez /etc]# nmblookup -B lopez '*'
Sending queries to 127.0.0.1
127.0.0.1 *<00>

TEST 6: nmblookup -d 2 '*'
-------
[root@Lopez /etc]# nmblookup -d 2 '*'
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Sending queries to 127.255.255.255
Got a positive name query response from 127.0.0.1 ( 127.0.0.1 )
127.0.0.1 *<00>

TEST 7: smbclient //lopez/brandon
-------
[root@Lopez /etc]# smbclient //lopez/brandon
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Password:
Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a]
smb: \>

TEST 8: net view \\lopez
-------
>net view \\lopez
System error 53 has occured
The network path was not found

TEST 9: net use x: \\lopez\brandon
-------
>net use x: \\lopez\brandon
System error 53 has occured
smbtest
The network path was not found

TEST 10:
--------
File manager = FAILED (see above)

From jxm533 at psu.edu Thu Feb 17 16:28:51 2000
From: jxm533 at psu.edu (Joe Manojlovich)
Date: Tue Dec 2 02:28:37 2003
Subject: Strange Socket Errors With Latest TNG
Message-ID: <38AC21C3.534433EF@psu.edu>

Ummm, I use "rpcclient -S ."

I've even tried setting the workgroup by using the -W flag

But even if I reset everything to a workgroup and not a domain, NT still
can't even browse the samba server.

--
Joe Manojlovich
jxm533@psu.edu

From aperrin at demog.berkeley.edu Thu Feb 17 16:50:26 2000
From: aperrin at demog.berkeley.edu (Andrew Perrin - Demography)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

Seth -

I wrote an (admittedly rather kludgy) system to do exactly that, and it's
been in use and functional for about 3 years now. In addition, it enforces
a second, 'insecure' password for use in checking e-mail from off campus.
It's online at http://demog.berkeley.edu/~aperrin/tips/mchp.html

Hope this helps.

---------------------------------------------------------------------
Andrew J. Perrin - aperrin@demog.berkeley.edu - NT/Unix Admin/Support
Department of Demography - University of California at Berkeley
2232 Piedmont Avenue #2120 - Berkeley, California, 94720-2120 USA
http://demog.berkeley.edu/~aperrin --------------------------SEIU1199

On Fri, 18 Feb 2000, Seth Vidal wrote:

> > Forgot to include the link to the NISgina stuff if you want it.
> > Here's one for general information.
> > http://www.eng.auburn.edu/users/cartegw/win32/tools.html
> >
> > However Gernot's site was offline last I checked so you can
> > get anything of his from
> >
> > ftp://ftp.eng.auburn.edu/pub/cartegw/nisgina/
>
> I think the question that he has is similar to mine:
>
> I have about 50-60 linux/unix users and about 20-40 winnt users on my
> network - currently the NT folks are using nisgina and the plaintext reg
> patch to access a samba 2.0.6 system. - this works ok but its not very
> graceful and doesn't give me much in the way of profiles etc etc.
>
> I'd like to make all the NT users authenticate against a samba PDC (TNG)
> and use/set the same password as the nis passwd file has.
>
> I know it will take two password files (b/c it has two different 1-way
> hashes) but has anyone setup and had good tests on a system like this?
>
> I'm worried about the password updating (both from unix passwd change-> to
> NT and vice-versa)
>
> any suggestions or pointers?
>
> -sv
>
>

From inge at cc.uit.no Thu Feb 17 17:27:04 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:37 2003
Subject: libs
References:
Message-ID: <38AC2F68.AB3F2475@cc.uit.no>

Jamie ffolliott wrote:
>
> Alex,
>
> samedit doesn't compile by default. You have to uncomment it from
> Makefile.in on the line "PROGS3 = ", then do configure again and recompile.
>
> That'll give you a bunch of new programs - regedit, samedit, svccontrol,
> cmdat, and spoolss.
>
> Jamie
>

Hi

I get this linking error when trying to compile today's TNG with these new
programs and with support for ldap. I have a RH linux 6.1.

with configure.developer:

Linking bin/debug2html
Compiling rpcclient/regedit.c
Linking bin/regedit
Compiling rpcclient/samedit.c
Linking bin/samedit
lib/cmd_interp.o: In function `complete_regenum':
/usr/src/samba/source/lib/cmd_interp.c:582: undefined reference to `split_server_keyname'
/usr/src/samba/source/lib/cmd_interp.c:593: undefined reference to `msrpc_reg_enum_key'
collect2: ld returned 1 exit status
make: *** [bin/samedit] Error 1

with configure

Linking bin/debug2html
Compiling rpcclient/regedit.c
Linking bin/regedit
Compiling rpcclient/samedit.c
Linking bin/samedit
lib/cmd_interp.o: In function `complete_regenum':
lib/cmd_interp.o(.text+0x83c): undefined reference to `split_server_keyname'
lib/cmd_interp.o(.text+0x874): undefined reference to `msrpc_reg_enum_key'
collect2: ld returned 1 exit status
make: *** [bin/samedit] Error 1

By the way, my problems with the rpcclient segfaulting when I pressed tab
seems to be fixed. In general the rpcclient doesn't segfault as much as it
did.

One other thing changing printing system doesn't seem to change the values
to the printing commands.

inge

From Elrond at Wunder-Nett.org Thu Feb 17 17:52:21 2000
From: Elrond at Wunder-Nett.org (Elrond)
Date: Tue Dec 2 02:28:37 2003
Subject: PRE ALPHA 0.3
In-Reply-To: <38AB4D41.6C0E2F67@xavier.sa.edu.au>; from Matthew Geddes on Thu, Feb 17, 2000 at 12:14:21PM +1100
References: <38AB4D41.6C0E2F67@xavier.sa.edu.au>
Message-ID: <20000217185221.A14146@baerbel.mug.maschinenbau.tu-darmstadt.de>

On Thu, Feb 17, 2000 at 12:14:21PM +1100, Matthew Geddes wrote:
> Hi guys,
>
> This is a really strange thing for me to ask, but does the configure
> script for TNG 0.3 deliberately alter the time? It has reset the clock
> to the BIOS start date on every machine I have tried it on. This has
> been under RedHat 5.2, RedHat 6.0 and SuSE 6.2 (all with default kernel
> versions). It causes it to reconfigure when you type make. resetting the
> date before typing make seems to fix it.

Hmm... I always configure samba as a normal user... to avoid things like
this...

Oh: And TNG nearly always reconfigures, when you get it off cvs (or doing
a lot of cvs update -r SAMBA_TNG, like me), cause some timestamps get
wrong that way.

Elrond

From Skripi at hrzpub.tu-darmstadt.de Thu Feb 17 11:49:48 2000
From: Skripi at hrzpub.tu-darmstadt.de (Jens Skripczynski)
Date: Tue Dec 2 02:28:37 2003
Subject: 3.0pre and tng
Message-ID: <20000217124948.A1476@shadowland.sc>

Hi,

I wanted to ask, whether it should still be possible to combine 3.0pre
and the TNG Branch.

I downloaded both trees on 15.02.2000.
But if i run smbd and nmbd from 3.0 and the rest from TNG.
The smbd keeps crashing (read BUG.txt) If i want to
access my Home directory.

(31.01.2000 combination works perfect).

So my question is:
a) Should it still be possible to combine those two trees ?
b) If not, how far (%) is the code freeze and the conversion of tng ?
c) When is the approximate date for the adding of the fileserving
   abilities from the main branch ?

Ciao

Jens Skripczynski
--
E-Mail: skripi@hrzpub.tu-darmstadt.de

Computers are like airconditioners: They stop working
properly if you open windows.

From lkcl at samba.org Thu Feb 17 18:30:41 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To: <38AC0992.2E8D03F3@eng.auburn.edu>
Message-ID:

the correct approach is to have someone write a replacement LSA plug-in.

of course, microsoft doesn't really want people to do this, so they kept
the LSA server api quiet for years. it's now documented on their site.

search for the function LsaApInitializePackage and go from there.

On Fri, 18 Feb 2000, Gerald Carter wrote:

> Paul Lussier wrote:
> >
> > Does anyone know if it is possible to have NT authenticate
> > against an NIS server, and if so, how?
>
> For interactive logons, yes there is a GINA replacement
> that will authenticate against NIS. However, this is not
> what you need to get a NT DC to validate against NIS.
>
>
>
> Cheers,
> jerry
> ________________________________________________________________________
> Gerald ( Jerry ) Carter
> Engineering Network Services Auburn University
> jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw
>
> "...a hundred billion castaways looking for a home."
> - Sting "Message in a Bottle" ( 1979 )
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 18:42:36 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

> Can I get pam_ntdom to change pws on a samba domain or do I have to
> install smbpasswd everywhere and write an expect wrapper to passwd?

anyone want to write pam_ntpass from pam_smbpass? it's one function call
--- literally.

From lkcl at samba.org Thu Feb 17 18:44:16 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: SMB/NMBD configuration troubles.
In-Reply-To: <000001bf7962$32c28cf0$0bfea8c0@HAVANA>
Message-ID:

it's netlogon not netlogin.

On Fri, 18 Feb 2000, Brandon Stauber wrote:

> Folks,
>
> I am stumped!
>
> I have followed every tech tip I could find and I am still
> unable to complete my SMB installation. Specifically, I fail
> Test 4 and Tests 9 and 10. I believe the problem has
> something to do with the NMBD configuration. Below are the
> parameters of our system.
>
> Any help is greatly appreciated.
>
> Brandon Stauber
> brandon@inetevents.com
> 310-889-9264
>
>
> [Please respond directly to brandon@inetevents.com. Thanks.]
>
>
>
> System Details
> --------------
>
> LOPEZ = RH Linux 6.1 192.168.254.15
> HAVANA = NT Domain 192.168.254.0/24
> PUNCH = NT PDC 192.168.254.3
>
> smb startup
> -----------
> As standalone daemon using rc.local running the following
> script:
>
> #!/bin/sh
> /usr/sbin/smbd -D
> /usr/sbin/nmbd -H /etc/lmhosts -D
>
>
>
> smb.conf file:
> --------------
>
> # Samba config file created using SWAT
> # from cohiba (192.168.254.11)
> # Date: 2000/02/16 18:12:14
>
> # Global parameters
> [global]
>     workgroup = HAVANA
>     netbios name = LOPEZ
>     password server = PUNCH
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     wins server = 192.168.254.3
>
> [homes]
>     comment = Home Directories
>     read only = No
>     browseable = No
>
> [netlogin]
>     comment = Network Login Service
>     path = /home/netlogin
>     guest ok = Yes
>     share modes = No
>
> [brandon]
>     comment = Brandon Stauber's Share
>     path = /home/brandon
>     valid users = brandon administrator root
>     read only = No
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     print ok = Yes
>     browseable = No
>
> [public]
>     comment = Public Share
>     path = /tmp
>     read only = No
>     guest ok = Yes
>
> lmhosts file
> ------------
>
> 127.0.0.1 localhost
> 192.168.254.3 punch
> ..
> 192.168.254.15 lopez
> ..
>
>
>
> TEST 1: testparm smb.conf
> -------
>
> [root@Lopez /etc]# testparm smb.conf
> Load smb config files from smb.conf
> Processing section "[homes]"
> Processing section "[netlogin]"
> Processing section "[brandon]"
> Processing section "[printers]"
> Processing section "[public]"
> Loaded services file OK.
> Press enter to see a dump of your service definitions
>
>
>
> TEST 2: ping
> -------
>
> [root@Lopez /etc]# ping 192.168.254.11
> PING 192.168.254.11 (192.168.254.11) from 192.168.254.15 :
> 56(84) bytes of data.64 bytes from 192.168.254.11: icmp_seq=0
> ttl=255 time=1.5 ms
> 64 bytes from 192.168.254.11: icmp_seq=1 ttl=255 time=1.3 ms
> 64 bytes from 192.168.254.11: icmp_seq=2 ttl=255 time=1.2 ms
>
>
> [root@cohiba /etc]# ping 192.168.254.15
> PING 192.168.254.15 (192.168.254.15) from 192.168.254.11 :
> 56(84) bytes of data.64 bytes from 192.168.254.15: icmp_seq=0
> ttl=255 time=0.9 ms
> 64 bytes from 192.168.254.15: icmp_seq=1 ttl=255 time=0.9 ms
> 64 bytes from 192.168.254.15: icmp_seq=2 ttl=255 time=0.9 ms
>
>
>
> TEST 3: smbclient -L lopez
> -------
>
> [root@Lopez /etc]# smbclient -L lopez
> Added interface ip=127.0.0.1 bcast=127.255.255.255
> nmask=255.0.0.0
> Password:
> Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a]
>
> Sharename      Type      Comment
> ---------      ----      -------
> netlogin       Disk      Network Login Service
> brandon        Disk      Brandon Stauber's Share
> public         Disk      Public Share
> IPC$           IPC       IPC Service (Samba 2.0.5a)
>
> Server               Comment
> ---------            -------
> LOPEZ                Samba 2.0.5a
>
> Workgroup            Master
> ---------            -------
> HAVANA
>
>
>
> TEST 4: nmblookup -B lopez _SAMBA_
> -------
>
> [root@Lopez /etc]# nmblookup -B lopez _SAMBA_
> Sending queries to 127.0.0.1
> name_query failed to find name _SAMBA_
>
>
>
>
> TEST 5: nmblookup -B lopez '*'
> -------
> [root@Lopez /etc]# nmblookup -B lopez '*'
> Sending queries to 127.0.0.1
> 127.0.0.1 *<00>
>
>
>
>
> TEST 6: nmblookup -d 2 '*'
> -------
> [root@Lopez /etc]# nmblookup -d 2 '*'
> Added interface ip=127.0.0.1 bcast=127.255.255.255
> nmask=255.0.0.0
> Sending queries to 127.255.255.255
> Got a positive name query response from 127.0.0.1 ( 127.0.0.1
> )
> 127.0.0.1 *<00>
>
>
> TEST 7: smbclient //lopez/brandon
> -------
> [root@Lopez /etc]# smbclient //lopez/brandon
> Added interface ip=127.0.0.1 bcast=127.255.255.255
> nmask=255.0.0.0
> Password:
> Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a]
> smb: \>
>
>
>
> TEST 8: net view \\lopez
> -------
>
> >net view \\lopez
>
> System error 53 has occured
>
> The network path was not found
>
>
> TEST 9: net use x: \\lopez\brandon
> -------
>
> >net use x: \\lopez\brandon
>
> System error 53 has occured
> smbtest
> The network path was not found
>
>
>
> TEST 10:
> --------
>
> File manager = FAILED (see above)
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 18:45:16 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: Strange Socket Errors With Latest TNG
In-Reply-To: <38AC21C3.534433EF@psu.edu>
Message-ID:

joe,

insufficient info. drastically more details needed.

On Fri, 18 Feb 2000, Joe Manojlovich wrote:

> Ummm, I use "rpcclient -S ." I've even tried setting the workgroup by
> using the -W flag
>
> But even if I reset everything to a workgroup and not a domain, NT still
> can't even browse the samba server.
>
> --
> Joe Manojlovich
> jxm533@psu.edu
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 18:46:25 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: libs
In-Reply-To: <38AC2F68.AB3F2475@cc.uit.no>
Message-ID:

oh dear :) i'll sort it out later this afternoon :)

On Fri, 18 Feb 2000, Inge-Håvard Hunstad wrote:

> Jamie ffolliott wrote:
> >
> > Alex,
> >
> > samedit doesn't compile by default. You have to uncomment it from
> > Makefile.in on the line "PROGS3 = ", then do configure again and recompile.
> >
> > That'll give you a bunch of new programs - regedit, samedit, svccontrol,
> > cmdat, and spoolss.
> >
> > Jamie
> >
>
> Hi
>
> I get this linking error when trying to compile today's TNG with these
> new programs and with support for ldap. I have a RH linux 6.1.
>
> with configure.developer:
>
> Linking bin/debug2html
> Compiling rpcclient/regedit.c
> Linking bin/regedit
> Compiling rpcclient/samedit.c
> Linking bin/samedit
> lib/cmd_interp.o: In function `complete_regenum':
> /usr/src/samba/source/lib/cmd_interp.c:582: undefined reference to
> `split_server_keyname'
> /usr/src/samba/source/lib/cmd_interp.c:593: undefined reference to
> `msrpc_reg_enum_key'
> collect2: ld returned 1 exit status
> make: *** [bin/samedit] Error 1
>
> with configure
>
> Linking bin/debug2html
> Compiling rpcclient/regedit.c
> Linking bin/regedit
> Compiling rpcclient/samedit.c
> Linking bin/samedit
> lib/cmd_interp.o: In function `complete_regenum':
> lib/cmd_interp.o(.text+0x83c): undefined reference to
> `split_server_keyname'
> lib/cmd_interp.o(.text+0x874): undefined reference to
> `msrpc_reg_enum_key'
> collect2: ld returned 1 exit status
> make: *** [bin/samedit] Error 1
>
> By the way, my problems with the rpcclient segfaulting when I pressed
> tab seem to be fixed. In general the rpcclient doesn't segfault as much
> as it did.
>
> One other thing: changing printing system doesn't seem to change the
> values to the printing
> commands.
>
>
> inge
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 18:47:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: 3.0pre and tng
In-Reply-To: <20000217124948.A1476@shadowland.sc>
Message-ID:

no, not at the moment because i now send minimalist info across from tng.

i send the smbd pid and the smb vuid across to 3.0, which it doesn't
understand.

actually, the other way round :)

On Fri, 18 Feb 2000, Jens Skripczynski wrote:

>
> Hi,
>
> I wanted to ask, whether it should still be possible to combine 3.0pre
> and the TNG Branch.
>
> I downloaded both trees on 15.02.2000.
> But if i run smbd and nmbd from 3.0 and the rest from TNG.
> The smbd keeps crashing (read BUG.txt) If i want to
> access my Home directory.
>
> (31.01.2000 combination works perfect).
>
> So my question is:
> a) Should it still be possible to combine those two trees ?
> b) If not, how far (%) is the code freeze and the conversion of tng ?
> c) When is the approximate date for the adding of the fileserving
> abilities from the main branch ?
>
> Ciao
>
> Jens Skripczynski
> --
> E-Mail: skripi@hrzpub.tu-darmstadt.de
>
> Computers are like airconditioners: They stop working
> properly if you open windows.
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From skvidal at phy.duke.edu Thu Feb 17 18:48:33 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

> > Can I get pam_ntdom to change pws on a samba domain or do I have to
> > install smbpasswd everywhere and write an expect wrapper to passwd?
>
> anyone want to write pam_ntpass from pam_smbpass? it's one function call
> --- literally.

if someone does I'll gladly send you whatever pizza you want.
I would but I really wouldn't know where to start.

(and I'm not kidding.)
(not even a little)

-sv

From lkcl at samba.org Thu Feb 17 18:53:03 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:37 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

1) download pam_smbpass from mr vorlon@express.net. the version that uses
   tng libraries.

2) find the function that does an smb password change

3) replace this function with msrpc_sam_ntchange_pwd() which is a bit of a
   botch-job at the mo, it takes old-pwd as a hash and new-pwd as a char*
   (stupid of me :)

On Thu, 17 Feb 2000, Seth Vidal wrote:

> > > Can I get pam_ntdom to change pws on a samba domain or do I have to
> > > install smbpasswd everywhere and write an expect wrapper to passwd?
> >
> > anyone want to write pam_ntpass from pam_smbpass? it's one function call
> > --- literally.
>
> if someone does I'll gladly send you whatever pizza you want.
> I would but I really wouldn't know where to start.
>
> (and I'm not kidding.)
> (not even a little)
>
> -sv
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mbreuer at siac.com Thu Feb 17 19:24:31 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:38 2003
Subject: PRE Alpha 0.3 on IRIX (diffs attached)
Message-ID: <38AC4AEE.745C7B58@siac.com>

Skipped content of type multipart/mixed

From mbreuer at siac.com Thu Feb 17 20:19:04 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:38 2003
Subject: Prealpha 0.3/W2K problem joining domain...
Message-ID: <38AC57B7.7FFF7DA9@siac.com>

When I attempt to join my Samba domain from a W2K workstation I get the following error reported on Windows:
The following error occured attempting to join the domain "";
The credentials supplied conflict with an existing set of credentials.

This message is consistent regardless of the ID/password supplied. I've supplied proper domain administrator password, domain user,
etc. I even tried a non-existing id/password. All attempts result in the same windows error.

Configuration notes:

Windows 2000 WS build 2195 (currently member of W2K server domain with a different name).
On same subnet with Samba server.
Can mount files, printers, etc.

Samba: Prealpha 0.3 on IRIX.

The error logs don't seem to show any evidence of a connection attempt (log level 99).

From eirvine at tpgi.com.au Thu Feb 17 20:23:14 2000
From: eirvine at tpgi.com.au (eirvine)
Date: Tue Dec 2 02:28:38 2003
Subject: Roaming profiles with W98 clients
References: <200002170857.MAA13085@ns1.guetali.fr>
Message-ID: <38AC58B2.70BEDD85@tpgi.com.au>

Hi,

Roaming profiles are *broken* in 2.06. They work just fine on 2.05a.

Eddie.

JF HUNEZ wrote:
>
> Hello,
> I run Samba 2.06 as PDC and the clients are Win98 machines
> only.
> Roaming profiles don't work, there is no user.dat in the profiles
> share, only the START folder.
> I have read the doc in /usr/doc and the NTDOM faq too ; my
> smb.conf meets the recommendations.
> Roaming profiles need a NT server on the network ??
>
> Thanks
>
> JF HUNEZ
> Reunion Island

From lkcl at samba.org Thu Feb 17 20:41:51 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: Prealpha 0.3/W2K problem joining domain...
In-Reply-To: <38AC57B7.7FFF7DA9@siac.com>
Message-ID:

do a net use from cmd.exe

if there is a preexisting connection to, say \\samba-server\ipc$, or any
other shares, then delete them:

net use \\sambaserver\ipc$ /del

close any "Explorer" windows opened on the samba server too.

you already have a connection open, you see, and this is a *standard*,
non-samba-related procedure that you have to follow, even if you are
joining to an NT PDC.

On Fri, 18 Feb 2000, Michael Breuer wrote:

> When I attempt to join my Samba domain from a W2K workstation I get the following error reported on Windows:
> The following error occured attempting to join the domain "";
> The credentials supplied conflict with an existing set of credentials.
>
> This message is consistent regardless of the ID/password supplied. I've supplied proper domain administrator password, domain user,
> etc. I even tried a non-existing id/password. All attempts result in the same windows error.
>
> Configuration notes:
>
> Windows 2000 WS build 2195 (currently member of W2K server domain with a different name).
> On same subnet with Samba server.
> Can mount files, printers, etc.
>
> Samba: Prealpha 0.3 on IRIX.
>
> The error logs don't seem to show any evidence of a connection attempt (log level 99).
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From p.grimmerink at home.nl Thu Feb 17 20:50:43 2000
From: p.grimmerink at home.nl (Pieter Grimmerink)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
Message-ID:

I use the CVS SAMBA-TNG sources of a few weeks ago, I can't join the domain
(as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with

rpcclient -S . -U root% -l log or samedit -S . -U root% -l log

and then useradd

But I need to use lparpc first somehow.
How do I join the domain?

Best regards,

Pieter

From lkcl at samba.org Thu Feb 17 21:00:52 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
In-Reply-To:
Message-ID:

do a createuser yourownsambaserver$ -j.

On Fri, 18 Feb 2000, Pieter Grimmerink wrote:

> I use the CVS SAMBA-TNG sources of a few weeks ago, I can't join the domain
> (as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with
>
> rpcclient -S . -U root% -l log or samedit -S . -U
> root% -l log
>
> and then useradd
>
> But I need to use lparpc first somehow.
> How do I join the domain?
>
> Best regards,
>
> Pieter
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mbreuer at siac.com Thu Feb 17 21:12:16 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:38 2003
Subject: Prealpha 0.3/W2K problem joining domain...
References:
Message-ID: <38AC6430.FCA2708F@siac.com>

Luke,

Thanks... this solved *one* problem... Now... I get,
The following error occurred attempting to join the domain "NEWTECH":
a remote procedure call (RPC) protocol error occured.

Again... no log messages on samba side. However, this time if I enter
a bad password or bad userid, I *do* get messages on the samba side as
well as an appropriate W2K error.

My apologies if I'm hitting more "basic" stuff, but I guess it's newer
to me than I thought.

From lkcl at samba.org Thu Feb 17 21:18:22 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: Prealpha 0.3/W2K problem joining domain...
In-Reply-To: <38AC6430.FCA2708F@siac.com>
Message-ID:

On Thu, 17 Feb 2000, Michael Breuer wrote:

> Luke,
>
> Thanks... this solved *one* problem... Now... I get,
> The following error occurred attempting to join the domain "NEWTECH":
> a remote procedure call (RPC) protocol error occured.

oh dear.

> Again... no log messages on samba side. However, this time if I enter
> a bad password or bad userid, I *do* get messages on the samba side as
> well as an appropriate W2K error.

ok, this is on cvs latest, right?

if not, let me do an alpha 0.4, ok?

From mbreuer at siac.com Thu Feb 17 21:20:04 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:38 2003
Subject: Prealpha 0.3/W2K problem joining domain...
References:
Message-ID: <38AC6604.466E3B77@siac.com>

Nope... I don't have CVS access... it's alpha 0.3.

Luke Kenneth Casson Leighton wrote:

> On Thu, 17 Feb 2000, Michael Breuer wrote:
>
> > Luke,
> >
> > Thanks... this solved *one* problem... Now... I get,
> > The following error occurred attempting to join the domain "NEWTECH":
> > a remote procedure call (RPC) protocol error occured.
>
> oh dear.
>
> > Again... no log messages on samba side. However, this time if I enter
> > a bad password or bad userid, I *do* get messages on the samba side as
> > well as an appropriate W2K error.
>
> ok, this is on cvs latest, right?
>
> if not, let me do an alpha 0.4, ok?

From p.grimmerink at home.nl Thu Feb 17 21:23:43 2000
From: p.grimmerink at home.nl (Pieter Grimmerink)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
In-Reply-To:
Message-ID:

> > I use the CVS SAMBA-TNG sources of a few weeks ago, I can't
> join the domain
> > (as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with
> >
> > rpcclient -S . -U root% -l log or samedit -S . -U
> > root% -l log
> do a createuser yourownsambaserver$ -j.

That's what I tried, but I got the response:

"please use 'lsaquery' first, to ascertain the SID"

What do I need to do?

Best regards,

Pieter

From skvidal at phy.duke.edu Thu Feb 17 21:34:03 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:38 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

> 1) download pam_smbpass from mr vorlon@express.net. the version that uses
> tng libraries.

who is mr vorlon?

From mgeddes at xavier.sa.edu.au Thu Feb 17 22:08:29 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:38 2003
Subject: Roaming Profiles
References: <200002170642.RAA13523@fep7.mail.ozemail.net>
Message-ID: <38AC715D.9188A423@xavier.sa.edu.au>

"lmyatt@ozemail.com.au" wrote:
>
> Is it possible to disable roaming profiles in Samba? NT wants to store two profiles - one locally on the client box, the other in the users /home dir on the server. I have tried disabling roaming profiles on the clients but this won't work without destroying my existing profiles.
>
> __________________________________________________________
> Message sent by MyMail http://www.mymail.com.au/

Same as you do with NT I think, try setting the profile path to
somewhere on the local (workstation) drive (eg, c:\users\profiles\%U).

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From jblyberg at marco.com Thu Feb 17 22:01:57 2000
From: jblyberg at marco.com (John F. Blyberg)
Date: Tue Dec 2 02:28:38 2003
Subject: act as OS privilege under samba
Message-ID: <001501bf7992$9cfc26a0$eb0b170a@johnb.marco.com>

Hi, we are running samba 2.0.5a-12. Several of our NT 4.0 clients run
software that requires the "act as OS privilege" enabled. However, in the
policy editor, no such policy can be found. The only place I can find it is
in the user manager or user manager for domains in NT but that does little
good for the clients that log into the samba controlled domain as they get
their policies from the samba netlogon share.

The software we are running has its internal security implementation, yet it
uses NT permissions in order to access key features, ie. only the
administrator may change security parameters within the software. The
security aspect of this software is very poorly designed and so I am having
a hard time finding a work-around.

---------
John Blyberg
Michigan Automotive Research Corp.
734/995-2544 ext. 227
jblyberg@marco.com

From mml1000 at cam.ac.uk Thu Feb 17 22:12:03 2000
From: mml1000 at cam.ac.uk (Matthew M Lavy)
Date: Tue Dec 2 02:28:38 2003
Subject: Roaming profiles with W98 clients
In-Reply-To: <38AC58B2.70BEDD85@tpgi.com.au>
Message-ID:

>
> Roaming profiles are *broken* in 2.06. They work just fine on 2.05a.

Just for the record, NT roaming profiles work fine in 2.0.6.

--
Matthew M Lavy BA MPhil ARCM LTCL
Jesus College, Cambridge CB5 8BL
Tel: +44 1223 511338
email: mml1000@jesus.cam.ac.uk

From mgeddes at xavier.sa.edu.au Thu Feb 17 22:26:38 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
References:
Message-ID: <38AC759E.50A6EFF4@xavier.sa.edu.au>

Pieter Grimmerink wrote:
>
> > > I use the CVS SAMBA-TNG sources of a few weeks ago, I can't
> > join the domain
> > > (as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with
> > >
> > > rpcclient -S . -U root% -l log or samedit -S . -U
> > > root% -l log
>
> > do a createuser yourownsambaserver$ -j.
>
> That's what I tried, but I got the response:
>
> "please use 'lsaquery' first, to ascertain the SID"
>
> What do I need to do?
>
> Best regards,
>
> Pieter

use lsaquery first to ascertain the SID. When you first start rpcclient,
just type lsaquery. It'll hopefully print 2 lines of crud.
Then you can use the createuser ..... bit

matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From mgeddes at xavier.sa.edu.au Thu Feb 17 22:29:01 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:38 2003
Subject: act as OS privilege under samba
References: <001501bf7992$9cfc26a0$eb0b170a@johnb.marco.com>
Message-ID: <38AC762D.D38C9D6F@xavier.sa.edu.au>

"John F. Blyberg" wrote:
>
> Hi, we are running samba 2.0.5a-12. Several of our NT 4.0 clients run
> software that requires the "act as OS privilege" enabled. However, in the
> policy editor, no such policy can be found. The only place I can find it is
> in the user manager or user manager for domains in NT but that does little
> good for the clients that log into the samba controlled domain as they get
> their policies from the samba netlogon share.
>
> The software we are running has its internal security implementation, yet it
> uses NT permissions in order to access key features, ie. only the
> administrator may change security parameters within the software. The
> security aspect of this software is very poorly designed and so I am having
> a hard time finding a work-around.
>
> ---------
> John Blyberg
> Michigan Automotive Research Corp.
> 734/995-2544 ext. 227
> jblyberg@marco.com

There was apparently a tool that worked with Samba TNG that did User
Manager's job. Maybe someone can confirm this and let you know where to
get it?

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Thu Feb 17 22:22:44 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
In-Reply-To:
Message-ID:

you have an old version of rpcclient, then. update.

On Fri, 18 Feb 2000, Pieter Grimmerink wrote:

> > > I use the CVS SAMBA-TNG sources of a few weeks ago, I can't
> > join the domain
> > > (as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with
> > >
> > > rpcclient -S . -U root% -l log or samedit -S . -U
> > > root% -l log
>
> > do a createuser yourownsambaserver$ -j.
>
> That's what I tried, but I got the response:
>
> "please use 'lsaquery' first, to ascertain the SID"
>
> What do I need to do?
>
> Best regards,
>
> Pieter
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 22:23:05 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

steve langasek.

On Thu, 17 Feb 2000, Seth Vidal wrote:

> > 1) download pam_smbpass from mr vorlon@express.net. the version that uses
> > tng libraries.
> who is mr vorlon?
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Thu Feb 17 22:24:48 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: join a SAMBA domain as a PDC
In-Reply-To: <38AC759E.50A6EFF4@xavier.sa.edu.au>
Message-ID:

> use lsaquery first to ascertain the SID. When you first start rpcclient,
> just type lsaquery. It'll hopefully print 2 lines of crud.
> Then you can use the createuser ..... bit

i dealt with this recently, when i created samedit, because i didn't want
samedit to have lsa commands in it. so i automatically ascertain the SID,
now.

From skvidal at phy.duke.edu Thu Feb 17 22:32:39 2000
From: skvidal at phy.duke.edu (Seth Vidal)
Date: Tue Dec 2 02:28:38 2003
Subject: NIS and NT PDCs?
In-Reply-To:
Message-ID:

> steve langasek.

mr vorlon: are you out there?
Can I get the pam_smbpass from you?

-sv

From lkcl at samba.org Thu Feb 17 22:37:30 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: act as OS privilege under samba
In-Reply-To: <38AC762D.D38C9D6F@xavier.sa.edu.au>
Message-ID:

> There was apparently a tool that worked with Samba TNG that did User
> Manager's job. Maybe someone can confirm this and let you know where to
> get it?

was??? is. rpcclient or preferably samedit.

From lkcl at samba.org Thu Feb 17 22:41:21 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:38 2003
Subject: [samba-tng] status
Message-ID:

ok, i just removed the requirement that the samba tng server must be
joined to its own domain.

i did this by checking, at the server-side-login code in
srv_netlogon_nt.c:

if (trust_account_name == global_myname)
{
    read_trust_account_password("$MACHINE.ACC")
}
else
{
    obtain_trust_acount_from_SAM_DATABASE(trust_account_name);
}

lars, can you update the FAQ accordingly.

createuser mysambaserver$ -j will still work: it will overwrite the
$MACHINE.ACC secret; it's just that the trust account mysambaserver$ will
never be used.

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From pkennedy at loudcloud.com Thu Feb 17 22:48:10 2000
From: pkennedy at loudcloud.com (Paul Kennedy)
Date: Tue Dec 2 02:28:38 2003
Subject: NT/UNIX password synchronization, using LDAP for pasword store.
Message-ID: <38AC7AAA.BEAAFFF4@loudcloud.com>

I am trying to implement a single sign-on solution for NT/Solaris/Linux.

Linux/Solaris is easy, I use nssswitch and pam_ldap to cause the
authentication client tools to compare against the same userPassword
attribute value of a single user entry in an LDAP directory.

I intend for the same LDAP directory subtree to be used for
authentication store by Samba-TNG running on Linux, so that eventually
each entry should have these LDAP attributeTypes

lmPassword
ntPassword
userPassword

Is there some feature of Samba which will cause it to synchronize
lmPassword/ntPassword to the the userPassword attribute when an NT
password changes ?

If not, does anyone have any suggestions for how I might proceed ?

Thanks,

Pk.

From lkcl at samba.org Thu Feb 17 23:05:39 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: samba-tng-alpha-0.4.tar.gz Message-ID: in ftp://samba.org/pub/samba/alpha. please use mirrors if you can. thx. From bj at mcs.uts.edu.au Thu Feb 17 23:21:10 2000 
From: bj at mcs.uts.edu.au (Benjamin Kuit) Date: Tue Dec 2 02:28:38 2003 Subject: Profiles/Policies: Beware the Registry Size Message-ID: <200002172321.KAA29432@thing.socs.uts.EDU.AU> Disclaimer: This is not a problem or feature of Samba as a PDC, but is of interest to people setting up domains. A couple of weeks ago I asked samba-ntdom for help/information. I'm back again to say that one of our NT people may have solved the problem and this finding should be shared amongst others. The problem was that we had the strange phenomenon whereby a particular profile would inhibit the enforcement of policy settings, eg the 'shut down' menu option would show, control panel was accessible, regedit was able to be run etc, and it was unclear why a profile could disable the effects of the policy. The problem seems to fall to a registry size limit on the NT workstation, which can be accessed by Control Panel -> System -> Performance -> (Virt. Mem)Change This brings up the Virtual Memory properties dialog box, and at the bottom of it shows current and maximum registry sizes. The problem was the maximum registry size was set to the same value as the current registry size, so once the profile was loaded, there simply wasn't any more room for the policy to be loaded into the registry, so the policies don't take any effect, and because it doesn't give any warning messages for not having enough room, it remains a mystery to most people. This could be a source of a lot of 'my policies don't work' type problems. The moral of the story is: Check the maximum registry size. Just trying to help =) ciao Bj Benjamin (Bj) Kuit, Systems Programmer | Faculty of Mathematical and Computing Sciences, University of Technology, Sydney | Phone: 02 9514 1841 | Mobile: 0412 182 972 | bj@mcs.uts.edu.au From p.grimmerink at home.nl Thu Feb 17 23:32:23 2000 From: p.grimmerink at home.nl (Pieter Grimmerink) Date: Tue Dec 2 02:28:38 2003 Subject: join a SAMBA domain as a PDC In-Reply-To: Message-ID: > > > > I use the CVS SAMBA-TNG sources of a few weeks ago, I can't > > > join the domain > > > > (as Samba PDC) with smbpasswd -j SAMBA, so I tried to do this with > > > > > > > > rpcclient -S . -U root% -l log or samedit -S . -U > > > > root% -l log > > > > > do a createuser yourownsambaserver$ -j. > > > > That's what I tried, but I got the response: > > > > "please use 'lsaquery' first, to ascertain the SID" > > > > What do I need to do? > you have an old version of rpcclient, then. > > update. OK, it's just that I have a server with only 8 MB of RAM, so recompiling takes quite a while. (this server still runs on old libs, recompiling the sources on one of my other (updated) systems does not provide me with the right executables) Anyway, I will update this server, so that I can recompile the sources on a faster machine. Should have done this anyway, but I was just hoping that I could get a nice version running at once. Thanks for the help, Best regards, Pieter From lkcl at samba.org Fri Feb 18 00:00:27 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: join a SAMBA domain as a PDC In-Reply-To: Message-ID: > > OK, it's just that I have a server with only 8 MB of RAM, so recompiling > takes quite a while. hey, 2 years ago, i used to run on 486 sx25s with 8mb ram, don't knock 8mb, man! :) From patrickpaul at home.com Fri Feb 18 00:21:05 2000
From: patrickpaul at home.com (Patrick Paul) Date: Tue Dec 2 02:28:38 2003 Subject: join a SAMBA domain as a PDC In-Reply-To: References: Message-ID: <200002180021.TAA04362@cx317233-a.lncln1.ri.home.com> Quoting Luke Kenneth Casson Leighton : > > > > OK, it's just that I have a server with only 8 MB of RAM, so recompiling > > takes quite a while. > > hey, 2 years ago, i used to run on 486 sx25s with 8mb ram, don't knock > 8mb, man! :) > 2 years ago, i used a 386sx-33 w/ 8 megs ram. it was great. the hard drive, on the other hand... Patrick Paul Consultant patrickpaul@home.com From godfrey at hattaway-associates.com Fri Feb 18 00:28:08 2000 From: godfrey at hattaway-associates.com (Godfrey Livingstone) Date: Tue Dec 2 02:28:38 2003 Subject: Roaming profiles with W98 clients References: Message-ID: <38AC9217.A65027B7@hattaway-associates.com> Roaming profiles are not broken totally in 2.06 if you read earlier discussion to this group the change between 2.05a and 2.06 means that in the on win9x machines you need to put "net use h: /home" in the user.bat script and enable "login home = \\%L\Profiles\U%" in the smb.conf file rather than using "login profile = \\%L\Profiles\%U". On my network 3 x 95 and 2 x 98 the h drive does not show up when the user explore of this I am pleased so that no tampering is done but profiles do work in 2.06 admittedly differently than in 2.05a. Godfrey Matthew M Lavy wrote: > > > > Roaming profiles are *broken* in 2.06. They work just fine on 2.05a. > > Just for the record, NT roaming profiles work fine in 2.0.6. > > -- > Matthew M Lavy BA MPhil ARCM LTCL > Jesus College, Cambridge CB5 8BL > Tel: +44 1223 511338 > email: mml1000@jesus.cam.ac.uk From sjs at bstage.com Fri Feb 18 02:35:24 2000 
From: sjs at bstage.com (Steve Schow) Date: Tue Dec 2 02:28:38 2003 Subject: Help, Samba dissappeared with NT domain.... Message-ID: I have a complicated situation and I need some help to make it work. I started out with 2 PC's in a home network. One is a laptop running NT 4.0SP5 and the other is a PC running Redhat Linux 6.1. I was quickly able to get Samba running in that configuration and use it as both a print server and file server. My NT laptop was able to send print jobs and access shared directories on the Linux/Samba machine..... So far so good. But the plot thickens..... My laptop is setup so that when I am at work, I can connect to the company NT domain and have full access to their NT domain services. For sake of argument, this NT domain is called "IOU". whenever I login to this NT laptop, I always use my NT domain login and password, even if I am not at work connected on their network. For example, let's say my login name is "jon". Then I always login to the NT laptop as "IOU/jon". That way I always have the same user profile, etc.. When I am on the road, I can dial in from a hotel and as soon as I connect to the network, it recognizes me as part of the IOU NT domain and gives me all the NT domain services.... So far so good... We also have VPN system in place. We use some software called "Securemote", which allows us to dial in to *ANY* ISP, establish an internet connection and then be able to get through to our internal network, through the firewall. With this system we can dial in to any ISP and actually connect to the IOU NT domain and use all the NT domain services.... Good so far, but here is where the problem lies..... I got DSL at home, which means that when I plug the laptop in at home, it connects to the internet, stays on the internet, has a static IP address, etc.... and because of the VPN (which is a good thing) gets access to all my company's internal NT domain services on the IOU NT domain. 
However, since getting the DSL line and getting this access to IOU, I can no longer seem to access my local Samba server (which is *NOT* part of the IOU NT domain). I am guessing this is because my Samba machine is not registered on the real IOU NT domain controller, and since I now have good access to the real IOU NT domain controller, when I try to map a drive to the samba machine, or set up a remote printer on the samba machine....my laptop is looking to the IOU domain controller to tell me if that's ok and it's saying "no Way". That's just a guess......and I have absolutely no idea what I can do to get around this problem. I am hoping that one of you NTDOM experts out there will know exactly what I need to do..... Please Oh Please....!!!!!!! Thanks in advance -steve From jxm533 at psu.edu Fri Feb 18 03:26:51 2000
From: jxm533 at psu.edu (Joe Manojlovich) Date: Tue Dec 2 02:28:38 2003 Subject: Strange socket errors continued Message-ID: <38ACBBFB.9E575FDD@psu.edu> More detail, huh? Well, what exactly are you looking for? I set the log level to 10 and captured the attached file from a log generated by running on the server "rpcclient -S . -U joe -l log" and running lsaquery from within. The computer is a pentium 133 running RedHat 6.0. I'll resend my smb.conf if necessary. -- Joe Manojlovich jxm533@psu.edu -------------- next part -------------- doing parameter max log size = 50 doing parameter security = user doing parameter encrypt passwords = yes doing parameter smb passwd file = /usr/local/samba/lib/smbpasswd doing parameter unix password sync = Yes doing parameter passwd program = /usr/bin/passwd %u doing parameter passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* doing parameter username map = /usr/local/samba/lib/user.map doing parameter domain user map = /usr/local/samba/lib/domainuser.map doing parameter admin users = root, Adminstrator doing parameter socket options = TCP_NODELAY doing parameter remote announce = 192.168.10.255 doing parameter local master = yes doing parameter os level = 64 doing parameter domain master = yes doing parameter preferred master = yes doing parameter domain logons = yes doing parameter logon drive = h: doing parameter logon path = \\%L\homes doing parameter name resolve order = lmhosts hosts bcast doing parameter time server = yes doing parameter dns proxy = no [2000/02/17 22:24:30, 3] param/loadparm.c:lp_load(2794) pm_process() returned Yes [2000/02/17 22:24:30, 7] param/loadparm.c:lp_servicenumber(2873) lp_servicenumber: couldn't find homes Derived broadcast address 192.168.10.255 Added interface ip=192.168.10.20 bcast=192.168.10.255 nmask=255.255.255.0 cmd_set: options: fffffeaf set_user_password: read 2000/02/17 22:24:33 client started (version 
TNG-prealpha) cmd_lsa_query_info: server:\\. cli_connection_init_auth: \\. \PIPE\lsarpc copy_nt_creds: null creds ncalrpc_l_use_add ncalrpc_l_find: lsarpc [29525,0] uid 500 registered to name joe Clearing default real name uid 500 vuid 100 registered to unix name joe vuid_init_db: failed ncalrpc_l_establish_connection: connecting to lsarpc socket open succeeded. file name: /tmp/.msrpc/.lsarpc/agent socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused redirect failed, attempt direct connection socket open succeeded. file name: /usr/local/samba/var/locks/.msrpc/lsarpc socket connect to /usr/local/samba/var/locks/.msrpc/lsarpc failed: Connection refused ncalrpc_l_establish_connection: failed lsarpc) ncalrpc_l_use_add: connection failed cli_connection_free: 199 cli_connection_free: closed: No cmd_lsa_query_info: query failed free_connections: closing all MSRPC connections From lkcl at samba.org Fri Feb 18 03:41:46 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: Strange socket errors continued In-Reply-To: <38ACBBFB.9E575FDD@psu.edu> Message-ID: if this fails, you're either not running lsarpcd or you're not running rpcclient as root. rpcclient \\. ... or rpcclient -S . only works as root. On Fri, 18 Feb 2000, Joe Manojlovich wrote: > More detail, huh? Well, what exactly are you looking for? I set the log > level to 10 and captured the attached file from a log generated by > running on the server "rpcclient -S . -U joe -l log" and running > lsaquery from within. > > The computer is a pentium 133 running RedHat 6.0. I'll resend my > smb.conf if necessary. > > -- > Joe Manojlovich > jxm533@psu.edu Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jxm533 at psu.edu Fri Feb 18 04:08:32 2000 From: jxm533 at psu.edu (Joe Manojlovich) Date: Tue Dec 2 02:28:38 2003 Subject: Problem Solved Message-ID: <38ACC5C0.283C1EB@psu.edu> Yeah, running lsarpcd fixed everything. Did I miss the faq about making sure that was running? Anyway, thanks for being patient with all this. -- Joe Manojlovich jxm533@psu.edu From lkcl at samba.org Fri Feb 18 04:19:20 2000
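The diagnosis reached in this exchange (connection refused on the local lsarpc socket, fixed by starting lsarpcd), as an added example that is not part of the thread or of Samba-TNG: a Python script that pulls the failed local-pipe connects out of an rpcclient debug log and can repeat the AF_UNIX connect to tell a missing daemon from a permissions problem. The log excerpt is copied from the post above; the function names and advice strings are this example's own assumptions.

```python
import errno
import re
import socket

# Excerpt of the rpcclient debug log posted in this thread, joined onto one
# line the way the list archive shows it.
THREAD_LOG = (
    "ncalrpc_l_establish_connection: connecting to lsarpc "
    "socket open succeeded. file name: /tmp/.msrpc/.lsarpc/agent "
    "socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused "
    "redirect failed, attempt direct connection "
    "socket open succeeded. file name: /usr/local/samba/var/locks/.msrpc/lsarpc "
    "socket connect to /usr/local/samba/var/locks/.msrpc/lsarpc failed: "
    "Connection refused ncalrpc_l_establish_connection: failed lsarpc) "
    "ncalrpc_l_use_add: connection failed"
)

# strerror() texts for the three errno values that matter for a local pipe.
REASONS = {
    "Connection refused": errno.ECONNREFUSED,
    "No such file or directory": errno.ENOENT,
    "Permission denied": errno.EACCES,
}

# Matching the known strerror texts (rather than "up to end of line") keeps
# the parser working on logs whose line breaks were lost.
CONNECT_FAILED = re.compile(
    r"socket connect to (\S+) failed: ("
    + "|".join(re.escape(text) for text in REASONS)
    + ")"
)

# Meaning of each result for an AF_UNIX stream socket. The advice wording is
# this example's own; the "as root" hint follows the reply in the thread.
ADVICE = {
    0: "daemon is accepting connections",
    errno.ECONNREFUSED: "socket file exists but nothing is listening: start the daemon",
    errno.ENOENT: "no socket file: daemon never started, or a different lock directory",
    errno.EACCES: "caller lacks permission on the socket path: run the client as root",
}


def failed_connects(log_text):
    """Return [(socket_path, errno)] for each failed local-pipe connect."""
    return [(m.group(1), REASONS[m.group(2)])
            for m in CONNECT_FAILED.finditer(log_text)]


def probe(path):
    """Repeat the client's AF_UNIX connect; return 0 on success, else errno."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def diagnose(log_text, live=False):
    """Explain each failed connect; with live=True, re-test the socket now."""
    findings = []
    for path, logged in failed_connects(log_text):
        code = probe(path) if live else logged
        findings.append((path, code, ADVICE.get(code, "unexpected errno %s" % code)))
    return findings


if __name__ == "__main__":
    for path, code, advice in diagnose(THREAD_LOG):
        print("%s: %s" % (path, advice))
```

Run with `live=True` on the server itself, under the same account that runs rpcclient, to see whether the condition recorded in the log still holds.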
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: Problem Solved In-Reply-To: <38ACC5C0.283C1EB@psu.edu> Message-ID: :) no problem joe. remember to run all the other ones, too, if you want pdc support. On Fri, 18 Feb 2000, Joe Manojlovich wrote: > Yeah, running lsarpcd fixed everything. Did I miss the faq about making > sure that was running? Anyway, thanks for being patient with all this. > > -- > Joe Manojlovich > jxm533@psu.edu > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lars at kneschke.de Fri Feb 18 04:49:28 2000 From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:38 2003 Subject: [samba-tng] status References: Message-ID: <38ACCF58.6174B770@kneschke.de> Luke Kenneth Casson Leighton wrote: > > ok, i just removed the requirement that the samba tng server must be > joined to its own domain. > > i did this by checking, at the server-side-login code in > srv_netlogon_nt.c: > > if (trust_account_name == global_myname) > { > read_trust_account_password("$MACHINE.ACC") > } > else > { > obtain_trust_acount_from_SAM_DATABASE(trust_account_name); > } > > lars, can you update the FAQ accordingly. Yes, i can't sleep anymore. My children woke me up, and fell asleep again in my bed, but i can't sleep anymore. Did i know this earlier! :-) Now i try to create a PDC here at home with the new code and the rpcclient command. If i get this, i'll update the FAQ. Cu -- Watch our projects at http://www.kneschke.de/projekte! ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer From mgeddes at xavier.sa.edu.au Fri Feb 18 05:26:45 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:38 2003 Subject: [samba-tng] status References: Message-ID: <38ACD815.F4AF29B1@xavier.sa.edu.au> Luke Kenneth Casson Leighton wrote: > > ok, i just removed the requirement that the samba tng server must be > joined to its own domain. > > i did this by checking, at the server-side-login code in > srv_netlogon_nt.c: > > if (trust_account_name == global_myname) > { > read_trust_account_password("$MACHINE.ACC") > } > else > { > obtain_trust_acount_from_SAM_DATABASE(trust_account_name); > } > > lars, can you update the FAQ accordingly. > > createuser mysambaserver$ -j > > will still work: it will overwrite the $MACHINE.ACC secret; it's just that > the trust account mysambaserver$ will never be used. > Was that changed in the alpha-0.4 tarball or just the CVS? I cannot get an NTW to join a TNG domain with 0.4. It appears to be a permissions problem. Has anything changed in regards to configuring TNG-0.4? Thanks, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Fri Feb 18 05:27:29 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: [samba-tng] status In-Reply-To: <38ACCF58.6174B770@kneschke.de> Message-ID: > > lars, can you update the FAQ accordingly. > Yes, i can't sleep anymore. My children woke me up, and fell asleep > again in my bed, but i can't sleep anymore. Did i know this earlier! :-) last time i got woken up at 4:30 am was monday, i stormed out the house. good morning, lars! > Now i try to create a PDC here at home with the new code and the > rpcclient command. If i get this, i'll update the FAQ. if you want to create "from scratch", then delete var/locks/DOMAIN.SERVERNAME.tdb, ok? night :) From lkcl at samba.org Fri Feb 18 05:29:37 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: [samba-tng] status In-Reply-To: <38ACD815.F4AF29B1@xavier.sa.edu.au> Message-ID: > > will still work: it will overwrite the $MACHINE.ACC secret; it's just that > > the trust account mysambaserver$ will never be used. > > > > Was that changed in the alpha-0.4 tarball or just the CVS? both. > I cannot get an NTW to join a TNG domain with 0.4. It appears to be a > permissions problem. Has anything changed in regards to configuring > TNG-0.4? yes, you don't need to add the server to its own domain any more, this was getting irritating. plus, the only way to bootstrap the server (read, beat it into submission) was to use rpcclient -S . -U root% -l log and do a createuser sambaserver$ -j, and _then_ you could add other accounts and do all the tests. this is too much to expect people to have to do. From lkcl at samba.org Fri Feb 18 05:30:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:38 2003 Subject: [samba-tng] status In-Reply-To: <38ACD815.F4AF29B1@xavier.sa.edu.au> Message-ID: matthew, please try to track it down, let me know what the problem is, i fix it and do another tar. On Fri, 18 Feb 2000, Matthew Geddes wrote: > Luke Kenneth Casson Leighton wrote: > > > > ok, i just removed the requirement that the samba tng server must be > > joined to its own domain. > > > > i did this by checking, at the server-side-login code in > > srv_netlogon_nt.c: > > > > if (trust_account_name == global_myname) > > { > > read_trust_account_password("$MACHINE.ACC") > > } > > else > > { > > obtain_trust_acount_from_SAM_DATABASE(trust_account_name); > > } > > > > lars, can you update the FAQ accordingly. > > > > createuser mysambaserver$ -j > > > > will still work: it will overwrite the $MACHINE.ACC secret; it's just that > > the trust account mysambaserver$ will never be used. > > > > Was that changed in the alpha-0.4 tarball or just the CVS? > > I cannot get an NTW to join a TNG domain with 0.4. It appears to be a > permissions problem. Has anything changed in regards to configuring > TNG-0.4? > > Thanks, > Matt > > -- > "Our goal for the next release of Windows 2000 is to have zero bugs." > - Lucovsky, Microsoft > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From tnel at active3.com Fri Feb 18 06:35:05 2000 From: tnel at active3.com (Tirone Nel) Date: Tue Dec 2 02:28:38 2003 Subject: No subject Message-ID: <005d01bf79da$4dec5ab0$0900000a@TIRONE> subscribe From aejaz at dgcc.org.pk Fri Feb 18 04:11:18 2000
From: aejaz at dgcc.org.pk (Asim Ejaz Butt) Date: Tue Dec 2 02:28:39 2003 Subject: neighbour table overflow Message-ID: <38ACC666.BB0F55B3@dgcc.org.pk> Hello everyone, I am using Red Hat 6.0. After the setup of SAMBA, I continuously receiving the following messages on console: RPC: sendmsg return error 105 neighbour table overflow and I am unable to do anything on the console Pl. guide me in this regard. Asim Butt aejaz@dgcc.org.pk From sam at topic.com.au Fri Feb 18 08:04:47 2000 From: sam at topic.com.au (Sam Couter) Date: Tue Dec 2 02:28:39 2003 Subject: neighbour table overflow In-Reply-To: <38ACC666.BB0F55B3@dgcc.org.pk>; from aejaz@dgcc.org.pk on Fri, Feb 18, 2000 at 06:57:59PM +1100 References: <38ACC666.BB0F55B3@dgcc.org.pk> Message-ID: <20000218190447.J847@beethoven.tsa> Asim Ejaz Butt wrote: > Hello everyone, > I am using Red Hat 6.0. After the setup of SAMBA, > I continuously receiving the following messages on console: > > RPC: sendmsg return error 105 > neighbour table overflow > > and I am unable to do anything on the console I saw this message on one of my machines yesterday, for the first time in my 5 years or so of using Linux. In my case it turned out to be bad routing tables. Circular routes or something. I was messing with addresses and hardware and stuff. :) Anyway, it's not samba causing the problem, it's any network activity. Check your routing tables and network setup. Check that your network driver detects your card correctly. -- Sam Couter sam@topic.com.au Internet Engineer http://www.topic.com.au/ tSA Consulting From lonnie at borntreger.com Fri Feb 18 09:51:38 2000
From: lonnie at borntreger.com (Lonnie J. Borntreger) Date: Tue Dec 2 02:28:39 2003 Subject: Latest TNG problems Message-ID: <003901bf79f5$c0e5d760$0500000a@borntreger.com> 1 - the install (with libtool) no longer creates a .old file. This makes so that "make revert" no longer reverts to the previous version. 2 - non-NT authentication (i.e. win9x) is broken again. It had started to work a couple of weeks ago, now it doesn't work again, and I can't revert. -sigh- here goes a full check-out from a couple of weeks ago, hopefully I'll get the one that works with win9x clients -- I can't remember the exact date. Maybe I'll just switch to pre-3.0. When is the big freeze/merge happening? TTFN, Lonnie Borntreger lonnie@borntreger.com http://www.borntreger.com/ From david at kalifornia.com Fri Feb 18 10:57:17 2000 From: david at kalifornia.com (David Ford) Date: Tue Dec 2 02:28:39 2003 Subject: neighbour table overflow References: <38ACC666.BB0F55B3@dgcc.org.pk> Message-ID: <38AD258D.E28D7F7E@kalifornia.com> The problem is you do not have "lo" setup correctly. ifconfig lo up and if you are running a 2.0 kernel, ensure routing is established manually. -d Asim Ejaz Butt wrote: > Hello everyone, > I am using Red Hat 6.0. After the setup of SAMBA, > I continuously receiving the following messages on console: > > RPC: sendmsg return error 105 > neighbour table overflow > > and I am unable to do anything on the console > > Pl. guide me in this regard. > > Asim Butt > aejaz@dgcc.org.pk -- 99 little bugs in the code, 99 bugs in the code, fix one bug, compile it again... 101 little bugs in the code.... From sharpe at ns.aus.com Fri Feb 18 10:36:08 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:39 2003 Subject: Roaming profiles with W98 clients In-Reply-To: <38AC58B2.70BEDD85@tpgi.com.au> References: <200002170857.MAA13085@ns1.guetali.fr> Message-ID: <3.0.6.32.20000218203608.0097fe00@203.16.214.248> At 07:27 AM 2/18/00 +1100, eirvine wrote: >Hi, > >Roaming profiles are *broken* in 2.06. They work just fine on 2.05a. Sigh, ... This is just not true. I wrote at depth about roaming profiles, Win 9X and Samba 2.0.6 versus 2.0.5a some time only about three weeks ago. Under Windows 9X, roaming profiles go in the home share! The 2.0.5a behaviour breaks net use /home, which is wrong. There is a kludge that you can use to get roaming profiles out of the home directory, but they can only go into a subdirectory of the home share. Dredge up my postings in samba-technical or samba-ntdom on this subject, as after giving Australia's first commercial two-day Samba course, I am very tired and noticed many problems in 2.0.6. I have however, added documentation to 2.0.7 to explain how to use logon home for Win9X and that logon path has nothing to do with Win9X. >Eddie. > >JF HUNEZ wrote: >> >> Hello, >> I run Samba 2.06 as PDC and the clients are Win98 machines >> only. >> Roaming profiles don't work, there is no user.dat in the profiles >> share, only the START folder. >> I have read the doc in /usr/doc and the NTDOM faq too ; my >> smb.conf meets the recommendations. >> Roaming profiles need a NT server on the network ?? >> >> Thanks >> >> JF HUNEZ >> Reunion Island > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course From gosha at arvid.ee Fri Feb 18 11:54:08 2000
From: gosha at arvid.ee (Dmitri B.Gofmekler) Date: Tue Dec 2 02:28:39 2003 Subject: Roaming profiles again... Message-ID: <4.3.0.40.0.20000218134840.00b38910@mail> Hi, About the roaming profiles... I saw about five instructions how to get it work, and it was diametrically opposite each other. Is there a some smart person that says, step-by-step how to configure samba PDC (and WinNT, 9x clients, if necessary) to work with the roaming profiles? In my case profiles works well with Win98, but NT says about error 240 every login... Best, ---- Dmitri B. Gofmekler , ICQ: 8168758 GSM: (+37 25) 027705 ---- "http://www.sill.ee/~gosha/gosha.asc" - for PGP Encrypted messages. ===================================== Phone/Fax: (+372 6) 775681 A-Arvid Computers Ltd. < http://www.arvid.ee > From sharpe at ns.aus.com Fri Feb 18 11:01:24 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:39 2003 Subject: Roaming profiles with W98 clients In-Reply-To: <38AC9217.A65027B7@hattaway-associates.com> References: Message-ID: <3.0.6.32.20000218210124.0092f9e0@203.16.214.248> At 11:32 AM 2/18/00 +1100, Godfrey Livingstone wrote: >Roaming profiles are not broken totally in 2.06 if you read earlier >discussion to this group the change between 2.05a and 2.06 means that in >the on win9x machines you need to put "net use h: /home" in the user.bat >script and enable "login home = \\%L\Profiles\U%" in the smb.conf file >rather than using "login profile = \\%L\Profiles\%U". Ummm, no! Roaming profiles are not broken in 2.0.6. They were broken in 2.0.5a. Support for roaming profiles is different for Win9X than for WinNT. For WinNT you set logon path, for Win9X the best you can do is set logon home. That is, you can do: logon home = \\%L\%U\.profiles And net use/home works and profiles go in the .profiles directory! After having given Australia's first two-day, commercial, Samba course, I can say that hide dot files appears to be broken in Samba 2.0.6. >On my network 3 x 95 and 2 x 98 the h drive does not show up when the user >explore of this I am pleased so that no tampering is done but profiles do >work in 2.06 admittedly differently than in 2.05a. > >Godfrey > > >Matthew M Lavy wrote: > >> > >> > Roaming profiles are *broken* in 2.06. They work just fine on 2.05a. >> >> Just for the record, NT roaming profiles work fine in 2.0.6.
>> >> -- >> Matthew M Lavy BA MPhil ARCM LTCL >> Jesus College, Cambridge CB5 8BL >> Tel: +44 1223 511338 >> email: mml1000@jesus.cam.ac.uk > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course From anthony.johnson at langley.af.mil Fri Feb 18 13:57:08 2000 
From: anthony.johnson at langley.af.mil (Johnson Anthony E Civ 27 IS/INYN) Date: Tue Dec 2 02:28:39 2003 Subject: No subject Message-ID: <8544DBEBBF6DD2118DF500204804EF1901DCBF31@lfi-ms-025-02.langley.af.mil> Hello all, I am a novice at best when it comes to SAMBA and UNIX, I am an NT administrator at heart and could use some help. We are running Windows Terminal Server in a Solaris environment and using SAMBA to map the users home directories on UNIX and for printing. We are constantly having to restart the SAMBA services because they are always crashing 2-3 times a day at least. We have no more than 50 simultaneous users at any given time so it seems that something is not right. Our SAMBA server is an Ultra 10 running on Fore ATM. Our network uses a combo of ATM, FDDI, and 10mb/ethernet. We have tried Version 2.5, 2.6, and we currently have 2.3 set up. All three had the same results, we have changed servers as well as switched to Ethernet and FDDI. Nothing seems to work. I have been looking into different settings for TCP_NODELAY. I was going to experiment with setting SO_RCVBUF and SO_SNDBUF but, do not know what to set the integer values to. Could anyone give me some advice on how to get SAMBA running reliable? We would love to have it stay up all day and not worry about it. I have attached a copy of my smb.conf file for anyone's input. Pay no attention to the Print command, I know it looks bad, but we have a weird requirement. Thanks in advance for any help!
Anthony Johnson Network Administrator SAIC
-------------- next part --------------
# Samba config file created using SWAT
# from col22 (144.235.204.22)
# Date: 2000/02/16 09:14:18

# Global parameters
    workgroup = WINIG480
    netbios name = PROD159
    server string = NT Server (2.6)
    interfaces = 144.235.200.103/255.255.0.0
    security = SERVER
    encrypt passwords = Yes
    password server = wtsprod180 winprod167 winprod169
    username map = /usr/local/samba/lib/users.map
    log file = /usr/local/samba/var/log.%m
    nt acl support = Yes
    socket options = TCP_NODELAY
    printcap name = /usr/local/samba/printcap
    dns proxy = No
    revalidate = Yes
    hosts allow = 144.235. 127. 144.235.204.84
    print command = DISPLAY=`cat /home/users/prod250/%U/.winddhostname` ; export DISPLAY; XFILESEARCHPATH=/opt/cse/config/prod250/%N:/opt/cse/config/%N:/usr/lib/X11/app-defaults/%N; export XFILESEARCHPATH;/opt/cse/bin/Print_Utility -P`cat /home/users/prod250/%U/.winddprinter` %s ; rm -f %s

[unixhome]
    path = /home/users/prod250/%U
    read only = No

[printers]
    comment = All Printers
    path = /home/users/prod250/%U/spool
    print ok = Yes
    browseable = No

From bkeats at spiff.chin.gc.ca Fri Feb 18 14:11:17 2000
From: bkeats at spiff.chin.gc.ca (Brian Keats) Date: Tue Dec 2 02:28:39 2003 Subject: SMB/NMBD configuration troubles. In-Reply-To: <000001bf7962$32c28cf0$0bfea8c0@HAVANA> Message-ID: On Fri, 18 Feb 2000, Brandon Stauber wrote: > System Details > -------------- > > LOPEZ = RH Linux 6.1 192.168.254.15 > HAVANA = NT Domain 192.168.254.0/24 > PUNCH = NT PDC 192.168.254.3 > > smb startup > ----------- > As standalone daemon using rc.local running the following > script: > > #!/bin/sh > /usr/sbin/smbd -D > /usr/sbin/nmbd -H /etc/lmhosts -D > > > > smb.conf file: > -------------- > > # Samba config file created using SWAT > # from cohiba (192.168.254.11) > # Date: 2000/02/16 18:12:14 > > # Global parameters > [global] > workgroup = HAVANA > netbios name = LOPEZ > password server = PUNCH > log file = /var/log/samba/log.%m > max log size = 50 > wins server = 192.168.254.3 > > [homes] > comment = Home Directories > read only = No > browseable = No > > [netlogin] > comment = Network Login Service > path = /home/netlogin > guest ok = Yes > share modes = No > > [brandon] > comment = Brandon Stauber's Share > path = /home/brandon > valid users = brandon administrator root > read only = No > > [printers] > comment = All Printers > path = /var/spool/samba > print ok = Yes > browseable = No > > [public] > comment = Public Share > path = /tmp > read only = No > guest ok = Yes > > lmhosts file > ------------ > > 127.0.0.1 localhost > 192.168.254.3 punch > .. > 192.168.254.15 lopez > .. > > > > TEST 1: testparm smb.conf > ------- > > [root@Lopez /etc]# testparm smb.conf > Load smb config files from smb.conf > Processing section "[homes]" > Processing section "[netlogin]" > Processing section "[brandon]" > Processing section "[printers]" > Processing section "[public]" > Loaded services file OK. 
> Press enter to see a dump of your service definitions > > > > TEST 2: ping > ------- > > [root@Lopez /etc]# ping 192.168.254.11 > PING 192.168.254.11 (192.168.254.11) from 192.168.254.15 : > 56(84) bytes of data.64 bytes from 192.168.254.11: icmp_seq=0 > ttl=255 time=1.5 ms > 64 bytes from 192.168.254.11: icmp_seq=1 ttl=255 time=1.3 ms > 64 bytes from 192.168.254.11: icmp_seq=2 ttl=255 time=1.2 ms > > > [root@cohiba /etc]# ping 192.168.254.15 > PING 192.168.254.15 (192.168.254.15) from 192.168.254.11 : > 56(84) bytes of data.64 bytes from 192.168.254.15: icmp_seq=0 > ttl=255 time=0.9 ms > 64 bytes from 192.168.254.15: icmp_seq=1 ttl=255 time=0.9 ms > 64 bytes from 192.168.254.15: icmp_seq=2 ttl=255 time=0.9 ms > > > > TEST 3: smbclient -L lopez > ------- > > [root@Lopez /etc]# smbclient -L lopez > Added interface ip=127.0.0.1 bcast=127.255.255.255 > nmask=255.0.0.0 > Password: > Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a] > > Sharename Type Comment > --------- ---- ------- > netlogin Disk Network Login Service > brandon Disk Brandon Stauber's Share > public Disk Public Share > IPC$ IPC IPC Service (Samba 2.0.5a) > > Server Comment > --------- ------- > LOPEZ Samba 2.0.5a > > Workgroup Master > --------- ------- > HAVANA > > > > TEST 4: nmblookup -B lopez _SAMBA_ > ------- > > [root@Lopez /etc]# nmblookup -B lopez _SAMBA_ > Sending queries to 127.0.0.1 > name_query failed to find name _SAMBA_ > > > > > TEST 5: nmblookup -B lopez '*' > ------- > [root@Lopez /etc]# nmblookup -B lopez '*' > Sending queries to 127.0.0.1 > 127.0.0.1 *<00> > > > > > TEST 6: nmblookup -d 2 '*' > ------- > [root@Lopez /etc]# nmblookup -d 2 '*' > Added interface ip=127.0.0.1 bcast=127.255.255.255 > nmask=255.0.0.0 > Sending queries to 127.255.255.255 > Got a positive name query response from 127.0.0.1 ( 127.0.0.1 > ) > 127.0.0.1 *<00> > > > TEST 7: smbclient //lopez/brandon > ------- > [root@Lopez /etc]# smbclient //lopez/brandon > Added interface ip=127.0.0.1 bcast=127.255.255.255 > 
nmask=255.0.0.0 > Password: > Domain=[HAVANA] OS=[Unix] Server=[Samba 2.0.5a] > smb: \> > > > > TEST 8: net view \\lopez > ------- > > >net view \\lopez > > System error 53 has occured > > The network path was not found > > > TEST 9: net use x: \\lopez\brandon > ------- > > >net use x: \\lopez\brandon > > System error 53 has occured > smbtest > The network path was not found > > > > TEST 10: > -------- > > File manager = FAILED (see above) > > > > Just a guess but maybe you might want to include an 'interfaces' parameter in your global section ? From holm at informatik.umu.se Fri Feb 18 14:12:33 2000 
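Every smbclient and nmblookup run quoted in the message above reports only "Added interface ip=127.0.0.1", which is consistent with the 'interfaces' guess. The check below is an added example, not part of the original thread: the function names are hypothetical, the sample output is constructed from the quoted tests, and the LAN address and /24 mask are the ones listed under "System Details".

```python
import ipaddress
import re

# Constructed sample: the interface lines printed in the quoted
# smbclient/nmblookup tests, unwrapped from the e-mail's line folding.
SAMPLE_OUTPUT = """\
Added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Sending queries to 127.255.255.255
Got a positive name query response from 127.0.0.1 ( 127.0.0.1 )
"""

# \s+ between the fields tolerates output that was wrapped onto a new line.
IFACE_RE = re.compile(r"Added interface ip=(\S+)\s+bcast=(\S+)\s+nmask=(\S+)")


def detected_interfaces(tool_output):
    """Return the interfaces a Samba tool says it added, as IPv4Interface."""
    found = []
    for ip, _bcast, nmask in IFACE_RE.findall(tool_output):
        try:
            found.append(ipaddress.IPv4Interface(f"{ip}/{nmask}"))
        except ValueError:
            continue  # ignore a line with an unparsable address or mask
    return found


def diagnose(tool_output, lan_ip, lan_netmask):
    """Compare the detected interfaces with the address LAN clients use.

    Returns a dict with the detected interfaces, whether only loopback was
    found, whether the LAN address is covered, and (if it is not) an
    smb.conf line in the ip/netmask form used elsewhere on this page.
    """
    lan = ipaddress.IPv4Interface(f"{lan_ip}/{lan_netmask}")
    ifaces = detected_interfaces(tool_output)
    loopback_only = bool(ifaces) and all(i.ip.is_loopback for i in ifaces)
    lan_covered = any(lan.ip in i.network for i in ifaces)
    suggestion = None
    if ifaces and not lan_covered:
        # Only suggest a change when the tool output actually gave evidence.
        suggestion = f"interfaces = {lan.ip}/{lan.network.netmask}"
    return {
        "detected": [str(i) for i in ifaces],
        "loopback_only": loopback_only,
        "lan_covered": lan_covered,
        "suggestion": suggestion,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_OUTPUT, "192.168.254.15", "255.255.255.0")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A server that has only added the loopback interface answers its own local tests (TEST 3 to 7) while remote NT clients get "network path was not found", which matches the pattern in the quoted results.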
From: holm at informatik.umu.se (Åke Holmlund)
Date: Tue Dec 2 02:28:39 2003
Subject: samba-tng-alpha.0.4, LDAP, Solaris 7 and Sun cc 5.0
Message-ID: <200002181412.PAA15674@jupiter.informatik.umu.se>

Hi,

I'm trying to compile samba-tng-alpha.0.4 with no luck. I'm using Sun's Workshop cc 5.0 (with recent patches) and a sparc running Solaris 7.

My configure command looks like this:

env \
CFLAGS="-O" \
./configure \
--prefix=/local/opt/Samba \
--sysconfdir=/var/conf/Samba \
--localstatedir=/var/conf/Samba \
--libdir=/var/conf/Samba \
--with-privatedir=/var/conf/Samba/private \
--with-lockdir=/var/conf/Samba/locks \
--with-swatdir=/var/conf/Samba/swat \
--with-pam=no \
--with-sam-pwdb=nt5ldap \
--with-nt5ldap \
--with-profile \
--with-quotas

Running with these options configure eventually breaks with the message:

checking configure summary
configure: error: summary failure. Aborting config

Cause: configure sets LIBS="$LIBS -lldap -llber" when using ldap but I THINK libldap and liblber are merged into libldap in Solaris 7. Removing all references to -llber solves the problem. This should probably be tested by configure.

It also seems like there is a duplication of ldap-tests in configure. with/without-nt5ldap occurs twice.

After fixing this I run make and get:

make: Fatal error in reader: Makefile, line 989: Macro assignment on dependency line

Using gmake works around this problem. Cause unknown, maybe buffer overflows in make.
Ok, running gmake everything runs fine (except for loads of warnings :-) until

rpc_parse/parse_creds.c:
"rpc_parse/parse_creds.c", line 290: warning: syntax error: empty declaration
"rpc_parse/parse_creds.c", line 318: warning: syntax error: empty declaration
"rpc_parse/parse_creds.c", line 340: warning: syntax error: empty declaration
"rpc_parse/parse_creds.c", line 389: warning: syntax error: empty declaration

param/loadparm.c:
"param/loadparm.c", line 1327: warning: syntax error: empty declaration
"param/loadparm.c", line 1328: warning: syntax error: empty declaration
"param/loadparm.c", line 1329: warning: syntax error: empty declaration
"param/loadparm.c", line 1330: warning: syntax error: empty declaration
"param/loadparm.c", line 1334: warning: syntax error: empty declaration
"param/loadparm.c", line 1335: warning: syntax error: empty declaration
"param/loadparm.c", line 1336: warning: syntax error: empty declaration
"param/loadparm.c", line 1337: warning: syntax error: empty declaration
"param/loadparm.c", line 1338: warning: syntax error: empty declaration

These files compile but Sun cc does NOT seem to like the combination };

Finally it all breaks at samrd/srv_samr_usr_nt5ldap.c with:

Compiling samrd/srv_samr_usr_nt5ldap.c with libtool
"samrd/srv_samr_usr_nt5ldap.c", line 200: undefined symbol: user_pol
"samrd/srv_samr_usr_nt5ldap.c", line 200: warning: improper pointer/integer combination: arg #2
"samrd/srv_samr_usr_nt5ldap.c", line 364: warning: statement not reached
"samrd/srv_samr_usr_nt5ldap.c", line 395: prototype mismatch: 6 args passed, 4 expected
"samrd/srv_samr_usr_nt5ldap.c", line 445: warning: argument #1 is incompatible with prototype:
    prototype: pointer to const char : "include/proto.h", line 1076
    argument : pointer to const uchar
"samrd/srv_samr_usr_nt5ldap.c", line 475: warning: argument #1 is incompatible with prototype:
    prototype: pointer to const char : "include/proto.h", line 1076
    argument : pointer to const uchar
"samrd/srv_samr_usr_nt5ldap.c", line 561: syntax error before or at: *
"samrd/srv_samr_usr_nt5ldap.c", line 563: undefined symbol: id16
"samrd/srv_samr_usr_nt5ldap.c", line 563: non-unique member requires struct/union pointer: acb_info
"samrd/srv_samr_usr_nt5ldap.c", line 563: left operand of "->" must be pointer to struct/union
"samrd/srv_samr_usr_nt5ldap.c", line 596: undefined symbol: SAM_USER_INFO_16
"samrd/srv_samr_usr_nt5ldap.c", line 596: undefined symbol: id16
"samrd/srv_samr_usr_nt5ldap.c", line 596: syntax error before or at: =
"samrd/srv_samr_usr_nt5ldap.c", line 684: prototype mismatch: 6 args passed, 4 expected
"samrd/srv_samr_usr_nt5ldap.c", line 716: warning: assignment type mismatch:
    pointer to struct passwd {pointer to char pw_name, pointer to char pw_passwd, long pw_uid, long pw_gid, pointer to char pw_a... "=" pointer to const struct passwd {pointer to char pw_name, pointer to char pw_passwd, long pw_uid, long pw_gid, pointer to cha...
cc: acomp failed for samrd/srv_samr_usr_nt5ldap.c
gmake: *** [samrd/srv_samr_usr_nt5ldap.lo] Error 1

The user_pol is probably a typo (the parameter is called pol) but SAM_USER_INFO_16 and id16 are a bit harder for me to fix :-)

Regards,
-----------------------------------------------------------------------------
Åke Holmlund           Tel: +46 - 90 786 57 16
Umeå University        Fax: +46 - 90 786 65 50
Dept of informatics    Email: holm@informatik.umu.se
SE-901 87 Umeå
Sweden

Ps. The archives don't seem to be working. No messages newer than feb 2.

From mbreuer at siac.com Fri Feb 18 15:08:29 2000
From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:39 2003 Subject: TNG 0.4 - Still can't join W2K WS to domain... Message-ID: <38AD606C.B67491DE@siac.com> OK... with Alpha 0.4 installed when I attempt to join the domain I get, "The network name cannot be found" after I enter my ID and password. The samba logs indicate a successful login (NETLOGON of type 18), followed by a "GETDC" request from the W2K workstation. The response correctly indicates dns name of the Samba PDC (not fully qualified, but both machines are in the same DNS domain and DNS search is correctly set). From lkcl at samba.org Fri Feb 18 17:30:23 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:39 2003 Subject: TNG 0.4 - Still can't join W2K WS to domain... In-Reply-To: <38AD606C.B67491DE@siac.com> Message-ID: michael, i will be getting to this once i have a working samrtdb with which to test it. On Sat, 19 Feb 2000, Michael Breuer wrote: > OK... with Alpha 0.4 installed when I attempt to join the domain I get, "The network name cannot be found" after I enter my ID and > password. The samba logs indicate a successful login (NETLOGON of type 18), followed by a "GETDC" request from the W2K > workstation. The response correctly indicates dns name of the Samba PDC (not fully qualified, but both machines are in the same DNS > domain and DNS search is correctly set). > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From mbreuer at siac.com Fri Feb 18 17:31:30 2000 
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:39 2003
Subject: Problems with dmb/lmb on alpha 0.4
Message-ID: <38AD81F1.61E5FE3@siac.com>

TNG alpha 0.4 reports that the current master browser for its domain is "UNKNOWN."

More info:

1) in logs(edited) :

nmbd/nmbd_workgroupdb.c:(307) dump_workgroups() dump(workgroup on subnet : netmask=255.255.255.240 ... reports correct master browser

Then... immediately following this...

dump_workgroups() dump(workgroup on subnet UNICAST_SUBNET: netmask= (1) current master browser = UNKNOWN

2) All attempts to mount shares on this domain fail... netlogon requests succeed.

3) smb.conf contains:

os level = 65
preferred master = True
domain master = True
wins support = Yes

From SC4211 at email.mot.com Fri Feb 18 18:13:28 2000
From: SC4211 at email.mot.com (Ryan Wyler)
Date: Tue Dec 2 02:28:39 2003
Subject: Different Domain Login.
Message-ID: <38AD8BC8.CE4BE966@email.mot.com>

Here at Motorola we are doing a 'TEST' implementation of samba.
Hopefully we will be able to replace our Novell servers with some
UltraEnterprise 4500's running Solaris/Samba instead of what Corporate
wants to go with (20+ NT Boxes.. AHHHH..).

Everything is working great, samba is working awesome, it's very fast,
etc.. Our setup is as follows. The domain the samba server is on is
called 'NA2R1' and the USERDOMAIN where the PDC and BDCs sit is called
'NA2'. There is a trust relationship between the two domains.

I have the samba server setup to do security=domain, password server =
*. That is working great. Our ONLY complaint so far is when people
connect to it they have to connect with 'na2\username' instead of just
'username'. Is there a way in the smb.conf to specify a default domain
to authenticate with??

Like say something like "default authentication domain = NA2" so when a
user puts in for username 'username' it will automatically throw the
'na2\username' on there first, and if that does not authenticate then
try the 'na2r1\username'.

Any suggestions would help. Thanks.

--

Ryan Wyler
SC4211@email.mot.com Voice: (480) 732-4318
Motorola ITSS Pager: ryan.page@monitor.sat.mot.com
U N I X

[ Unix is very Friendly ...
... just pickier about who it makes friends with. ]

From David.Bear at asu.edu Fri Feb 18 18:43:52 2000
From: David.Bear at asu.edu (David Bear)
Date: Tue Dec 2 02:28:39 2003
Subject: caldera make file changes
Message-ID:

I would like to upgrade my current samba on the caldera dist (samba v
2.0.5) to the latest cvs head (which reports a version pre-3.0) Are there
any pointers as to how caldera modified the make files to change
locations? ie logs go to /var/log/samba.d and config is /etc/samba.d --

I would like to first, save my current samba config and executable, then
get the new pre3 version, make and install it over the top of my v2.
ergo, i need to know what caldera did to the make files. Any pointers on
doing an upgrade like this would be helpful.

thx.

David Bear
College of Public Programs/ASU
A word is just two nibbles and a byte...

From lk at netuse.de Fri Feb 18 18:59:06 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:39 2003
Subject: caldera make file changes
References:
Message-ID: <38AD967A.7DCFB66F@netuse.de>

David Bear wrote:
>
> I would like to upgrade my current samba on the caldera dist (samba v
> 2.0.5) to the latest cvs head (which reports a version pre-3.0) Are there
> any pointers as to how caldera modified the make files to change
> locations? ie logs go to /var/log/samba.d and config is /etc/samba.d --
>
> I would like to first, save my current samba config and executable, then
> get the new pre3 version, make and install it over the top of my v2.
> ergo, i need to know what caldera did to the make files. Any pointers on
> doing an upgrade like this would be helpful.

I would use ./configure --prefix=/opt/samba-tng. This will install all new Samba files under /opt/samba-tng. Then you can simply stop the old samba processes and then start the new ones from /opt/samba-tng/bin.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lkcl at samba.org Fri Feb 18 19:17:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:39 2003 Subject: Different Domain Login. In-Reply-To: <38AD8BC8.CE4BE966@email.mot.com> Message-ID: hmm, a starting point is in smbd/reply.c's reply_sesssetup_x function. using that many nt boxes will be severely expensive, and not really scalable. maybe nt5... > Here at motorola we are doing a 'TEST' implementation of samba. > Hopefully we will be able to replace our Novell servers with some > UltraEnterprise 4500's running Solaris/Samba instead of what Corporate > wants to go with (20+ NT Boxes.. AHHHH..). > > Everything is working great, samba is working awesome, it's very fast, > etc.. Our setup is as follows. The domain the samba server is on is > called 'NA2R1' and the USERDOMAIN where the PDC and BDCs sit is called > 'NA2'. There is a trust relationship between the two domains. > > I have the samba server setup to do security=domain, password server = > *. That is working great. Our ONLY complaint so far is when people > connect to it they have to connect with 'na2\username' instead of just > 'username'. Is there a way in the smb.conf to specify a default domain > to authenticate with?? > > Like say something like "default authentication domain = NA2" so when a > user puts in for username 'username' it will automaticly throw the > 'na2\username' on there first, and if that does not authenticate then > try the 'na2r1\username'. > > Any suggestions would help. Thanks. > > > -- > > Ryan Wyler > SC4211@email.mot.com Voice: (480) 732-4318 > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > U N I X > > [ Unix is very Friendly ... > ... just pickier about who it makes friends with. ] > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From pkennedy at loudcloud.com Fri Feb 18 19:35:00 2000 
From: pkennedy at loudcloud.com (Paul Kennedy)
Date: Tue Dec 2 02:28:39 2003
Subject: NT/UNIX password synchronization, using LDAP for pasword store.
References: <38AC7AAA.BEAAFFF4@loudcloud.com>
Message-ID: <38AD9EE4.C7DBCFF2@loudcloud.com>

I'm going to try to use the "unix password sync" and "passwd program" smb.conf file directives to effect password synchronization from NT to UNIX.

Paul Kennedy wrote:

> I am trying to implement a single sign-on solution for NT/Solaris/Linux.
> Linux/Solaris is easy, I use nsswitch and pam_ldap to cause the
> authentication client tools to compare against the same userPassword
> attribute value of a single user entry in an LDAP directory.
>
> I intend for the same LDAP directory subtree to be used for
> authentication store by Samba-TNG running on Linux, so that eventually
> each entry should have these LDAP attributeTypes
>
> lmPassword
> ntPassword
> userPassword
>
> Is there some feature of Samba which will cause it to synchronize
> lmPassword/ntPassword to the userPassword attribute when an NT
> password changes ? If not, does anyone have any suggestions for how I
> might proceed ?
>
> Thanks,
>
> Pk.

From slitt at troubleshooters.com Fri Feb 18 19:42:20 2000
From: slitt at troubleshooters.com (Steve Litt)
Date: Tue Dec 2 02:28:39 2003
Subject: Roaming profiles with W98 clients
In-Reply-To: <38AC58B2.70BEDD85@tpgi.com.au>
References: <200002170857.MAA13085@ns1.guetali.fr>
Message-ID: <3.0.6.32.20000218144220.00edf100@pop.pacificnet.net>

I wouldn't call them broken -- they got changed from 2.0.5a. If you'd like to restore the 2.0.5a behavior (I like that behavior better), change these two source/smbd/ipc.c calls from:

pstrcpy(p2, lp_logon_home());

to

pstrcpy(p2, lp_logon_path());

This will revert to the 2.0.5a behavior that gets profile location right but has been reported to get home directory wrong.

Also, it's been reported that the following workaround places both profiles and the home directory where they belong (without the source code reversion)

logon home = \\%L\%U\profile

Steve Litt

At 07:27 AM 02/18/2000 +1100, eirvine wrote:
>Hi,
>
>Roaming profiles are *broken* in 2.06. They work just fine on 2.05a.
>
>Eddie.
>
>JF HUNEZ wrote:
>>
>> Hello,
>> I run Samba 2.06 as PDC and the clients are Win98 machines
>> only.
>> Roaming profiles don't work, there is no user.dat in the profiles
>> share, only the START folder.
>> I have read the doc in /usr/doc and the NTDOM faq too ; my
>> smb.conf meets the recommendations.
>> Roaming profiles need a NT server on the network ??
>>
>> Thanks
>>
>> JF HUNEZ
>> Reunion Island
>

From scottf at scs.unr.edu Fri Feb 18 19:45:46 2000
From: scottf at scs.unr.edu (Scott.) Date: Tue Dec 2 02:28:39 2003 Subject: Radius Authentication? (smb-related :) In-Reply-To: <38AD8BC8.CE4BE966@email.mot.com> Message-ID: I tried this on the regular samba list but got no answer :( I would like smb clients to my samba server to be authenticated against a radius server (they won't have home directories on the machine. just access to the printers) can i set up the samba server to be: security = share and then change the /etc/pam.d/samba file to use a pam radius authentication module? just curious how this can/should be done. any help is greatly appreciated, and i'm really sorry if this is off-topic. i couldn't find an answer in other places. Thank you! ====---- - - - - - - - - - ____ __ Scott Fritzinger | \ | |/\ /\ Computing Helpdesk Specialist | \| < O O > Helpdesk: (775) 784.4320 | |\ | \o/ Office: (775) 784.6500 x338 |__| \ ___|evada WolfPack From slitt at troubleshooters.com Fri Feb 18 19:55:49 2000 
From: slitt at troubleshooters.com (Steve Litt)
Date: Tue Dec 2 02:28:39 2003
Subject: caldera make file changes
In-Reply-To:
Message-ID: <3.0.6.32.20000218145549.00ed7d40@pop.pacificnet.net>

David,

I don't know if this helps, but on my RH60 setup I did the following:

* back up smb.conf
* back up /etc/rc.d/init.d/smb (it would be /etc/rc.d/init.d/samba on Caldera)
* Completely deinstall Samba using rpm
* ./configure, make and make install, allowing everything to go into /usr/local/samba tree
* Tweak /etc/rc.d/init.d/samba for the new locations
* Tweak other init files for the new path and manpath

The advantage I now see is I can toggle between different versions simply by switching symbolic link /usr/local/samba between version specific directories, and stopping and restarting the daemons.

Like I say, this might not be appropriate for your situation, but I like it.

Steve Litt

At 05:51 AM 02/19/2000 +1100, David Bear wrote:
>I would like to upgrade my current samba on the caldera dist (samba v
>2.0.5) to the latest cvs head (which reports a version pre-3.0) Are there
>any pointers as to how caldera modified the make files to change
>locations? ie logs go to /var/log/samba.d and config is /etc/samba.d --
>
>I would like to first, save my current samba config and executable, then
>get the new pre3 version, make and install it over the top of my v2.
>ergo, i need to know what caldera did to the make files. Any pointers on
>doing an upgrade like this would be helpful.
>
>thx.
>
>David Bear
>College of Public Programs/ASU
>A word is just two nibbles and a byte...
>
>

From giulioo at pobox.com Fri Feb 18 19:45:25 2000
From: giulioo at pobox.com (Giulio Orsero)
Date: Tue Dec 2 02:28:39 2003
Subject: Roaming profiles with W98 clients
In-Reply-To: <3.0.6.32.20000218210124.0092f9e0@203.16.214.248>
References: <38AC9217.A65027B7@hattaway-associates.com> <3.0.6.32.20000218210124.0092f9e0@203.16.214.248>
Message-ID: <20000218194522.A7DD22AE82@i3.golden.dom>

On Fri, 18 Feb 2000 23:06:06 +1100, you wrote:

>For WinNT you set logon path, for Win9X the best you can do is set logon
>home. That is, you can do:
> logon home = \\%L\%U\.profiles
>And net use/home works and profiles go in the .profiles directory!

There is even the option of using

logon home = \\%L\profile\%U

breaking net use /home, but keeping profiles outside the homedir.

--
giulioo@pobox.com

From SC4211 at email.mot.com Fri Feb 18 20:17:27 2000
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:39 2003 Subject: Different Domain Login. References: <38AD8BC8.CE4BE966@email.mot.com> Message-ID: <38ADA8D7.A7FBC11E@email.mot.com> Well, I haven't received anything from the LIST as far as replys yet.. but I went through the source code and added what I needed. If you know which list is better to submit these changes to let me know. I added a option in the smb.conf: Default Authenticaion Domain What it does is if you have that option specified, it will do a comparision to see if the Domain specified by the user is the same domain as the WORKGROUP of the sambaserver. If it is then it will change the domain to be lp_defaultauthdomain (which is the Default Authentication Domain). Below are my DIFFS, please review them and help me impliment this better if you see anything that needs to be changed, thanks! WAYBELOW is my origional post to samba-ntdom@samba.org FOLLOWING ARE MY DIFFS: -- smbd/reply.c -- # diff smbd/reply.c.orig smbd/reply.c 787a788,794 > /* Added by Ryan Wyler (ryan@nhorizon.net) */ > if(*lp_defaultauthdomain) { > if(strequal(lp_workgroup(), domain)) { > fstrcpy(domain,lp_defaultauthdomain()); > } > } > -- param/loadparm.c -- # diff param/loadparm.c.orig param/loadparm.c 122a123 > char *szDefaultAuthDomain; 540a542 > {"default authentication domain", P_USTRING, P_GLOBAL, &Globals.szDefaultAuthDomain, NULL, NULL, FLAG_BASIC|FLAG_DOS_STRING}, 1182a1185 > FN_GLOBAL_STRING(lp_defaultauthdomain,&Globals.szDefaultAuthDomain) -- include/proto.h -- # diff include/proto.h.orig include/proto.h 1006a1007 > char *lp_defaultauthdomain(void); Ryan Wyler wrote: > > Here at motorola we are doing a 'TEST' implementation of samba. > Hopefully we will be able to replace our Novell servers with some > UltraEnterprise 4500's running Solaris/Samba instead of what Corporate > wants to go with (20+ NT Boxes.. AHHHH..). > > Everything is working great, samba is working awesome, it's very fast, > etc.. 
Our setup is as follows. The domain the samba server is on is > called 'NA2R1' and the USERDOMAIN where the PDC and BDCs sit is called > 'NA2'. There is a trust relationship between the two domains. > > I have the samba server setup to do security=domain, password server = > *. That is working great. Our ONLY complaint so far is when people > connect to it they have to connect with 'na2\username' instead of just > 'username'. Is there a way in the smb.conf to specify a default domain > to authenticate with?? > > Like say something like "default authentication domain = NA2" so when a > user puts in for username 'username' it will automaticly throw the > 'na2\username' on there first, and if that does not authenticate then > try the 'na2r1\username'. > > Any suggestions would help. Thanks. > > -- > > Ryan Wyler > SC4211@email.mot.com Voice: (480) 732-4318 > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > U N I X > > [ Unix is very Friendly ... > ... just pickier about who it makes friends with. ] -- Ryan Wyler SC4211@email.mot.com Voice: (480) 732-4318 Motorola ITSS Pager: ryan.page@monitor.sat.mot.com U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] From SC4211 at email.mot.com Fri Feb 18 20:24:12 2000 
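Review bot: in the smbd/reply.c hunk (787a788,794) the guard "if(*lp_defaultauthdomain)" dereferences the function itself instead of calling it, so the condition is always true and leaving the option unset does not switch the rewrite off; it should read "if(*lp_defaultauthdomain())". As written, every session setup whose domain equals lp_workgroup() has its domain replaced, including clients that deliberately name the server's own domain, and there is no fallback to the original domain when the default one rejects the logon, which is what the original request asked for. Because the change alters which domain a logon is checked against, a DEBUG line recording the substitution would make it visible in the log.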
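Review bot: the param/loadparm.c additions (122a123, 540a542, 1182a1185) register a new global string, szDefaultAuthDomain, with FLAG_BASIC, but nothing in the three files touched gives it an initial value or documents it. A parameter that overrides the client-supplied logon domain needs an smb.conf manual entry stating exactly when the substitution happens, and an explicit empty default in the globals initialisation so that the check in smbd/reply.c tests a defined value.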
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:39 2003 Subject: Different Domain Login. UPDATED References: <38AD8BC8.CE4BE966@email.mot.com> Message-ID: <38ADAA6C.E9D11E77@email.mot.com> UPDATED: Sorry, I didn't specify, my diffs are based off the samba-2.0.6.tar.gz (end of update) ---- Well, I haven't received anything from the LIST as far as replys yet.. but I went through the source code and added what I needed. If you know which list is better to submit these changes to let me know. I added a option in the smb.conf: Default Authenticaion Domain What it does is if you have that option specified, it will do a comparision to see if the Domain specified by the user is the same domain as the WORKGROUP of the sambaserver. If it is then it will change the domain to be lp_defaultauthdomain (which is the Default Authentication Domain). Below are my DIFFS, please review them and help me impliment this better if you see anything that needs to be changed, thanks! WAYBELOW is my origional post to samba-ntdom@samba.org FOLLOWING ARE MY DIFFS: -- smbd/reply.c -- # diff smbd/reply.c.orig smbd/reply.c 787a788,794 > /* Added by Ryan Wyler (ryan@nhorizon.net) */ > if(*lp_defaultauthdomain) { > if(strequal(lp_workgroup(), domain)) { > fstrcpy(domain,lp_defaultauthdomain()); > } > } > -- param/loadparm.c -- # diff param/loadparm.c.orig param/loadparm.c 122a123 > char *szDefaultAuthDomain; 540a542 > {"default authentication domain", P_USTRING, P_GLOBAL, &Globals.szDefaultAuthDomain, NULL, NULL, FLAG_BASIC|FLAG_DOS_STRING}, 1182a1185 > FN_GLOBAL_STRING(lp_defaultauthdomain,&Globals.szDefaultAuthDomain) -- include/proto.h -- # diff include/proto.h.orig include/proto.h 1006a1007 > char *lp_defaultauthdomain(void); Ryan Wyler wrote: > > Here at motorola we are doing a 'TEST' implementation of samba. 
> Hopefully we will be able to replace our Novell servers with some > UltraEnterprise 4500's running Solaris/Samba instead of what Corporate > wants to go with (20+ NT Boxes.. AHHHH..). > > Everything is working great, samba is working awesome, it's very fast, > etc.. Our setup is as follows. The domain the samba server is on is > called 'NA2R1' and the USERDOMAIN where the PDC and BDCs sit is called > 'NA2'. There is a trust relationship between the two domains. > > I have the samba server setup to do security=domain, password server = > *. That is working great. Our ONLY complaint so far is when people > connect to it they have to connect with 'na2\username' instead of just > 'username'. Is there a way in the smb.conf to specify a default domain > to authenticate with?? > > Like say something like "default authentication domain = NA2" so when a > user puts in for username 'username' it will automaticly throw the > 'na2\username' on there first, and if that does not authenticate then > try the 'na2r1\username'. > > Any suggestions would help. Thanks. > > -- > > Ryan Wyler > SC4211@email.mot.com Voice: (480) 732-4318 > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > U N I X > > [ Unix is very Friendly ... > ... just pickier about who it makes friends with. ] -- Ryan Wyler SC4211@email.mot.com Voice: (480) 732-4318 Motorola ITSS Pager: ryan.page@monitor.sat.mot.com U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] From lkcl at samba.org Fri Feb 18 20:25:01 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:39 2003 Subject: Different Domain Login. In-Reply-To: <38ADA8D7.A7FBC11E@email.mot.com> Message-ID: ryan, it should not be necessary to do _exactly_ this, you should be able to detect it. i.e 2.0.x should _automatically_ substitute the correct domain. On Sat, 19 Feb 2000, Ryan Wyler wrote: > Well, I haven't received anything from the LIST as far as replys yet.. > but I went through the source code and added what I needed. If you know > which list is better to submit these changes to let me know. > > I added a option in the smb.conf: > Default Authenticaion Domain > > What it does is if you have that option specified, it will do a > comparision to see if the Domain specified by the user is the same > domain as the WORKGROUP of the sambaserver. If it is then it will > change the domain to be lp_defaultauthdomain (which is the Default > Authentication Domain). Below are my DIFFS, please review them and help > me impliment this better if you see anything that needs to be changed, > thanks! > > WAYBELOW is my origional post to samba-ntdom@samba.org > > > FOLLOWING ARE MY DIFFS: > > -- smbd/reply.c -- > # diff smbd/reply.c.orig smbd/reply.c > 787a788,794 > > /* Added by Ryan Wyler (ryan@nhorizon.net) */ > > if(*lp_defaultauthdomain) { > > if(strequal(lp_workgroup(), domain)) { > > fstrcpy(domain,lp_defaultauthdomain()); > > } > > } > > > > -- param/loadparm.c -- > > # diff param/loadparm.c.orig param/loadparm.c > 122a123 > > char *szDefaultAuthDomain; > 540a542 > > {"default authentication domain", P_USTRING, P_GLOBAL, &Globals.szDefaultAuthDomain, NULL, NULL, FLAG_BASIC|FLAG_DOS_STRING}, > 1182a1185 > > FN_GLOBAL_STRING(lp_defaultauthdomain,&Globals.szDefaultAuthDomain) > > > -- include/proto.h -- > > # diff include/proto.h.orig include/proto.h > 1006a1007 > > char *lp_defaultauthdomain(void); > > > > Ryan Wyler wrote: > > > > Here at motorola we are doing a 'TEST' implementation of samba. 
> > Hopefully we will be able to replace our Novell servers with some > > UltraEnterprise 4500's running Solaris/Samba instead of what Corporate > > wants to go with (20+ NT Boxes.. AHHHH..). > > > > Everything is working great, samba is working awesome, it's very fast, > > etc.. Our setup is as follows. The domain the samba server is on is > > called 'NA2R1' and the USERDOMAIN where the PDC and BDCs sit is called > > 'NA2'. There is a trust relationship between the two domains. > > > > I have the samba server setup to do security=domain, password server = > > *. That is working great. Our ONLY complaint so far is when people > > connect to it they have to connect with 'na2\username' instead of just > > 'username'. Is there a way in the smb.conf to specify a default domain > > to authenticate with?? > > > > Like say something like "default authentication domain = NA2" so when a > > user puts in for username 'username' it will automaticly throw the > > 'na2\username' on there first, and if that does not authenticate then > > try the 'na2r1\username'. > > > > Any suggestions would help. Thanks. > > > > -- > > > > Ryan Wyler > > SC4211@email.mot.com Voice: (480) 732-4318 > > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > > U N I X > > > > [ Unix is very Friendly ... > > ... just pickier about who it makes friends with. ] > > -- > > Ryan Wyler > SC4211@email.mot.com Voice: (480) 732-4318 > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > U N I X > > [ Unix is very Friendly ... > ... just pickier about who it makes friends with. ] > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From jhutchins at kc.rr.com Fri Feb 18 20:36:14 2000 
From: jhutchins at kc.rr.com (Jonathan Hutchins) Date: Tue Dec 2 02:28:39 2003 Subject: Linux as an NT CLIENT Message-ID: <003501bf7a4f$ce6a20d0$39950c0a@uhc.com> Since most of the documentation assumes that the Samba box will be a server, it's not explicitly clear how one would get a Samba/Linux CLIENT to join an NT domain and rely on NT authentication for log-ins. Can this actually be done? What are the critical steps in getting a Samba machine to join the domain and access shares? From jphollan at earthlink.net Fri Feb 18 20:45:59 2000 From: jphollan at earthlink.net (jason holland) Date: Tue Dec 2 02:28:39 2003 Subject: Linux as an NT CLIENT In-Reply-To: <003501bf7a4f$ce6a20d0$39950c0a@uhc.com> Message-ID: <000201bf7a51$292cba40$0264a8c0@mickey.earthlink.net> This document is a great place to start. I have several samba boxes joined and authenticating to NT PDC's. http://us2.samba.org/samba/docs/ntdom_faq/samba_ntdom_faq.html Jason P. Holland Sprint Paranet - Unix Administrator jphollan@sprintparanet.com ]- ]- Since most of the documentation assumes that the Samba box will ]- be a server, ]- it's not explicitly clear how one would get a Samba/Linux CLIENT ]- to join an ]- NT domain and rely on NT authentication for log-ins. Can this ]- actually be ]- done? ]- ]- What are the critical steps in getting a Samba machine to join the domain ]- and access shares? ]- ]- From lkcl at samba.org Fri Feb 18 20:53:33 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:39 2003 Subject: Linux as an NT CLIENT In-Reply-To: <003501bf7a4f$ce6a20d0$39950c0a@uhc.com> Message-ID: pam_ntdom. On Sat, 19 Feb 2000, Jonathan Hutchins wrote: > Since most of the documentation assumes that the Samba box will be a server, > it's not explicitly clear how one would get a Samba/Linux CLIENT to join an > NT domain and rely on NT authentication for log-ins. Can this actually be > done? > > What are the critical steps in getting a Samba machine to join the domain > and access shares? > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From kmuska at clementsmfg.com Fri Feb 18 20:54:05 2000 
From: kmuska at clementsmfg.com (Keith Muska) Date: Tue Dec 2 02:28:39 2003 Subject: Domain Logon Problem Message-ID: I am having a problem with Domain Logons. I am running RedHat 6.1 and Samba 2.0.6. This machine is acting as a File/Print and Mail Server. My problem is this: The Domain Logons work excellent most of the time. However, if the internet connection goes down the Domain Logons stop working. When someone tries to logon their computer will do nothing for about 15 Seconds and then return an error stating: "The domain password you supplied is not correct, or access to your logon server has been denied." This only happens when the internet connection goes down so it seems like Samba is trying to use the DNS server listed in the resolv.conf file. I tested this theory by removing the nameserver line from the resolv.conf file and this fixed the Domain Logon problem but it killed Sendmail. I have tried different "name resolve order" settings with no luck. I don't have a DNS server on the LAN and if I need one I wouldn't know how to set it up. Any suggestions on this matter would be greatly appreciated. please reply to mailto:kmuska@clementsmfg.com Thank You, Keith Muska Clements Manufacturing, L.L.C. From computec at bigfoot.com Fri Feb 18 21:19:49 2000 
From: computec at bigfoot.com (Kevin Murphy) Date: Tue Dec 2 02:28:39 2003 Subject: Difficulties with smbmount Message-ID: I'm having some problems using smbmount 2.0.6 to mount my NT shares... It connects ok, and I can in fact see and use all the files just fine, but it insists on spewing debug messages out to me. They don't seem to be errors, but if they are not, I cannot determine their purpose, or how to turn them off. Can someone possibly help me with this? The messages look like this: smb_receive_trans2: copied, parm=4079 of 4079, data=220 of 4079 smb_receive_trans2: copied, parm=4079 of 4079, data=4079 of 4079 And this gets repeated for every single action I perform on a mounted share. Any thoughts? Thanks! -Kevin Murphy From karl at Denninger.Net Fri Feb 18 21:46:32 2000 From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:39 2003 Subject: Secrets to Domain logins with 2.0.6 and Windows 2000? Message-ID: <20000218154632.A89160@Denninger.Net> Can it be made to work? Doing the NT4 things failed. - -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! From SC4211 at email.mot.com Fri Feb 18 22:44:30 2000 
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:39 2003 Subject: Secrets to Domain logins with 2.0.6 and Windows 2000? References: <20000218154632.A89160@Denninger.Net> Message-ID: <38ADCB4E.CA672B64@email.mot.com> Karl Denninger wrote: > > Can it be made to work? > > Doing the NT4 things failed. > Hum, well, I don't know what your problem is exactly, but I have Samba 2.0.6 with security=domain, password server = *, and everything is working fine even for Windows 2000 clients. -- Ryan Wyler SC4211@email.mot.com Voice: (480) 732-4318 Motorola ITSS Pager: ryan.page@monitor.sat.mot.com U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] From karl at Denninger.Net Fri Feb 18 22:44:12 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:39 2003 Subject: Secrets to Domain logins with 2.0.6 and Windows 2000? In-Reply-To: <38ADCB4E.CA672B64@email.mot.com>; from Ryan Wyler on Fri, Feb 18, 2000 at 03:44:30PM -0700 References: <20000218154632.A89160@Denninger.Net> <38ADCB4E.CA672B64@email.mot.com> Message-ID: <20000218164412.A89947@Denninger.Net> I reset the computer's password, but get an error 12 in /var/log/nmb.log when I try to join the domain, and the system says it can't find the domain. It was working with NT4 (as a PDC) before the "upgrade" (yeah, right :-) This is what I'm getting when I try to join the domain: [2000/02/18 14:35:50, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) process_logon_packet: Logon from 192.168.3.1: code = 12 -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Fri, Feb 18, 2000 at 03:44:30PM -0700, Ryan Wyler wrote: > Karl Denninger wrote: > > > > Can it be made to work? > > > > Doing the NT4 things failed. > > > > Hum, well, I don't know what your problem is exactly, but I have Samba > 2.0.6 with security=domain, password server = *, and everything is > working fine even for Windows 2000 clients. > > > -- > > Ryan Wyler > SC4211@email.mot.com Voice: (480) 732-4318 > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com > U N I X > > [ Unix is very Friendly ... > ... just pickier about who it makes friends with. ] From patl at cag.lcs.mit.edu Sat Feb 19 01:04:36 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:39 2003 Subject: TNG works with Win2k, fails with Win98 Message-ID: We have been authenticating Win98 users against Samba 2.0.5a for a long time, but I need a real PDC by next week (ahem) or the Powers That Be just might start imposing a real NT infrastructure. So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built it on a test machine, hacked up a smb.conf file to make it Domain Controller for a domain named "TEST", and copied smbpasswd from our existing installation. The result is that a Windows 2000 box can join the domain and authenticate users. Nice work! The native Win2k user admin tools tend to crash, but some command-line thingamys in the Resource Kit provide enough functionality (specifically, adding a domain account to the local Administrators group) that we can live with it. The only problem is that I can no longer authenticate Windows 98. It says "your password is invalid or your logon share is inaccessible" or somesuch. Note that this is the same TEST domain and user login which worked on Windows 2000, so I do not think my configuration is the problem. But who knows. I have a 55K level 10 debug log of the entire failed effort; I would be glad to send that and my smb.conf to any interested parties. I am also a reasonably competent C hacker with lots of spare time available this weekend... - Pat From lukeh at PADL.COM Sat Feb 19 01:34:31 2000 
From: lukeh at PADL.COM (Luke Howard) Date: Tue Dec 2 02:28:39 2003 Subject: NT/UNIX password synchronization, using LDAP for pasword store. Message-ID: <200002190134.MAA41277@au.padl.com> >I intend for the same LDAP directory subtree to be used for >authentication store by Samba-TNG running on Linux, so that eventually >each entry should have these LDAP attributeTypes > > lmPassword > ntPassword > userPassword For TNG, that will _probably_ be dBCSPwd and unicodePwd, instead of lmPassword and ntPassword. >Is there some feature of Samba which will cause it to synchronize >lmPassword/ntPassword to the userPassword attribute when an NT >password changes ? If not, does anyone have any suggestions for how I >might proceed ? Good question. I don't expect that SAMBA gets the new password in the clear, but I may be wrong; this is just a guess. If it doesn't, then there's no way SAMBA can update the crypt() hashed password in the userPassword attribute. One solution then would be to modify the ldappasswd program that comes with OpenLDAP to update the NTLM hashes. If SAMBA (when acting as a PDC) does get the cleartext password, then perhaps all you need is a conversation with the ldappasswd program (included with OpenLDAP). -- Luke -- Luke Howard PADL Software Pty Ltd http://www.padl.com From GLeblanc at cu-portland.edu Sat Feb 19 03:22:10 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:39 2003 Subject: Fileserving with TNG? Message-ID: So, is this a good idea? I've been reading the list for a long time, but I still don't have a good feel for what people are running. I just cvs'd TNG an hour or so ago, and I'm waiting for the compile to finish (2x SPARC 40MHz procs, a bit on the slow side since I forgot the pass the parallel make parameter), but I was wondering if I should be running 2.06/7 or HEAD as well. Advice? Greg From cartegw at Eng.Auburn.EDU Sat Feb 19 03:39:09 2000 
From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:39 2003 Subject: NT/UNIX password synchronization, using LDAP for pasword store. References: <200002190134.MAA41277@au.padl.com> Message-ID: <38AE105D.5CC4A3F1@eng.auburn.edu> Luke Howard wrote: > > Good question. I don't expect that SAMBA gets the new password in the > clear, but I may be wrong; this is just a guess. If it doesn't, then > there's no way SAMBA can update the crypt() hashed password in the > userPassword attribute. One solution then would be to modify the > ldappasswd program that comes with OpenLDAP to update the NTLM hashes. This is fundamentally the same issue as the unix passwd sync parameter. The new password is received in the clear (actually not, but it is decryptable). The old password is not available. You can probably just use a custom "password program" setting and get it to work. Cheers, jerry ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From lukeh at PADL.COM Sat Feb 19 04:21:15 2000 
From: lukeh at PADL.COM (Luke Howard) Date: Tue Dec 2 02:28:39 2003 Subject: NT/UNIX password synchronization, using LDAP for pasword store. References: <200002190134.MAA41277@au.padl.com> <38AE105D.5CC4A3F1@eng.auburn.edu> Message-ID: <200002190421.PAA42518@au.padl.com> >This is fundamentally the same issue as the unix passwd sync >parameter. The new password is received in the clear (actually >not, but it is decryptable). The old password is not available. >You can probably just use a custom "password program" setting >and get it to work. That should work with OpenLDAP's ldappasswd, a matter of setting the bind DN correctly. It would be less of a hack to have the ldapdb code in nt5ldap update this itself, though. -- Luke -- Luke Howard PADL Software Pty Ltd http://www.padl.com From cartegw at Eng.Auburn.EDU Sat Feb 19 04:29:54 2000 From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:39 2003 Subject: NT/UNIX password synchronization, using LDAP for pasword store. References: <200002190134.MAA41277@au.padl.com> <38AE105D.5CC4A3F1@eng.auburn.edu> <200002190421.PAA42518@au.padl.com> Message-ID: <38AE1C42.C8F41A16@eng.auburn.edu> Luke Howard wrote: > > That should work with OpenLDAP's ldappasswd, a matter of > setting the bind DN correctly. It would be less of a hack > to have the ldapdb code in nt5ldap update this itself, > though. Definitely. This should be configurable so that it will of course work even if someone is not storing the crypt() password in LDAP though. But I certainly agree that the ldapdb code would be a good place to synchronize. Cheers, jerry ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From JasonJensen at home.com Sat Feb 19 06:23:18 2000 
From: JasonJensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:40 2003 Subject: Samba 2.0.6 and Win2k/NT/win98 Message-ID: <00e101bf7aa1$d0033e20$0201a8c0@jason> So i can do domains with Samba 2.0.6 and they will work with win2k/NT? From aejaz at dgcc.org.pk Sat Feb 19 06:52:20 2000 From: aejaz at dgcc.org.pk (Asim Ejaz Butt) Date: Tue Dec 2 02:28:40 2003 Subject: "lo" Problem Message-ID: <38AE3DA4.B99498BF@dgcc.org.pk> Hello everyone, I am using Red Hat 6.0. The eth1 working fine but the loopback interface "lo" does not work at boot time and i have to set it up manually. I would like it to be set and up at boot time. pl. help me in this regard. Asim Butt aejaz@dgcc.org.pk From snail_talk at yahoo.com Sat Feb 19 07:50:03 2000 From: snail_talk at yahoo.com (geoffrey lee) Date: Tue Dec 2 02:28:40 2003 Subject: Samba 2.0.6 and Win2k/NT/win98 In-Reply-To: <00e101bf7aa1$d0033e20$0201a8c0@jason> Message-ID: <000301bf7aad$ee4d7dd0$0200000a@workstation1> hi, i'd really cut out the html if i were you but to reply to your question.. samba 2.0.6 supports nt pdc, limited though. if you want some better pdc support try tng. it's alpha though. domain logons for win9x is supported of course. no, samba 2.0.6 will not give win2k domain support, but you can still use it as a file server. geoffrey lee (snail talk) snailtalk@linux-mandrake.com -----Original Message----- From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Jason Jensen Sent: Saturday, February 19, 2000 2:22 PM To: Multiple recipients of list SAMBA-NTDOM Subject: Samba 2.0.6 and Win2k/NT/win98 So i can do domains with Samba 2.0.6 and they will work with win2k/NT? From p.grimmerink at home.nl Sat Feb 19 10:32:37 2000 
From: p.grimmerink at home.nl (Pieter Grimmerink) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 Message-ID: I'm trying to replace an old samba CVS-compiled PDC with one of the most recent TNG ones. I tried the 0.4pre tarball, from the NT servers/workstations I already have more user/group functionality than before, which is great, but from the win95 workstations, domainmembers can no longer login?! I'm probably forgetting something. I'm not 100% sure about my procedure to start samba, for instance, in order to get NT to join the domain, I just manually started all daemons in samba/bin. I believe there must be some sample startup script, since the old script which only starts smbd and nmbd does not do the trick? Best regards, Pieter From jfhunez at oceanes.fr Sat Feb 19 11:03:55 2000 From: jfhunez at oceanes.fr (JF HUNEZ) Date: Tue Dec 2 02:28:40 2003 Subject: Roaming profiles with W98 clients In-Reply-To: <38AC9217.A65027B7@hattaway-associates.com> Message-ID: <200002191101.PAA29086@ns1.guetali.fr> Godfrey Livingstone wrote : > Roaming profiles are not broken totally in 2.06 if you read earlier > discussion to this group the change between 2.05a and 2.06 means that in > the on win9x machines you need to put "net use h: /home" in the user.bat > script and enable "login home = \\%L\Profiles\U%" in the smb.conf file > rather than using "login profile = \\%L\Profiles\%U". Thank you everybody for your help, it works now !! As I read in "profiles.txt", it seems that "net use /home" is not essential because roaming profiles work without it. How could I disable profile caching on W98 clients to preserve space on local disk ? (registry hack for NT doesn't work with W98) Thanks JF HUNEZ Reunion Island From alex at javad.ru Sat Feb 19 11:33:44 2000 
From: alex at javad.ru (Alexander Davydenko) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-TNG PDC <- Samba pre-3.0.0 join failed Message-ID: <38AE7F98.8AF36338@gis.org> it may be known problem, but I couldn't join samba server to samba-tng controlled domain. root@rover:/usr/local/samba/bin# samedit -S rover -U root%lala -l ../var/sameditlog -d 100 -W ORG [ORG\root@ROVER]$ use \\gisgate -U root%fafa use \\gisgate -U root%fafa --------------------------------------------------------------- Server: \\GISGATE: User: root Domain: Connection: OK [ORG\root@ROVER]$ createuser gisgate$ -j createuser gisgate$ -j SAM Create Domain User Domain: ORG Name: gisgate$ ACB: [W ] Create Domain User: OK Join GISGATE to Domain ORG Set $MACHINE.ACC: FAILED [ORG\root@ROVER]$ use \\irene -U Administrator%lala use \\irene -U Administrator%lala Server: \\IRENE: User: Administrator Domain: Connection: OK [ORG\root@ROVER]$ createuser irene$ -j createuser irene$ -j SAM Create Domain User Domain: ORG Name: irene$ ACB: [W ] Create Domain User: OK Join IRENE to Domain ORG Create $MACHINE.ACC: OK Set $MACHINE.ACC: OK [ORG\root@ROVER]$ quit ----------------------------------------------------------------- GISGATE is running Samba pre-3.0.0, and IRENE running NT4. after that, I got a 512k log from samedit. On the GISGATE side there is a big log too with : [2000/02/19 14:15:35, 0] passdb/smbpassfile.c:trust_password_lock(119) trust_password_lock: cannot open file /usr/local/samba/private/WORKGROUP.GISGATE.mac - Error was No such file or directory. [2000/02/19 14:15:35, 0] passdb/smbpassfile.c:trust_get_passwd(288) domain_client_validate: unable to open the machine account password file for machine GISGATE in domain WORKGROUP. -- Alexander Davydenko | alex@javad.ru, mba_69@chat.ru | Moscow, USSR ------------------------------------------------------------------------- <<<<< Powered by Linux & 220V >>>>> From p.grimmerink at home.nl Sat Feb 19 12:08:52 2000 
From: p.grimmerink at home.nl (Pieter Grimmerink) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 In-Reply-To: Message-ID: > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Pieter Grimmerink > Sent: zaterdag 19 februari 2000 11:33 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Samba-tng.0.4pre & win95 > > > I'm trying to replace an old samba CVS-compiled PDC with one of the most > recent TNG ones. > I tried the 0.4pre tarball, from the NT servers/workstations I > already have > more user/group functionality than before, which is great, but from the > win95 workstations, domainmembers can no longer login?! I replaced the smb daemon with the CVS HEAD branch one, win9x can login now. But in win9x I can't view the userlist when using userlevel sharing?! (I could in the old head branch CVS version, of app. 6 months ago) > I'm probably forgetting something. > I'm not 100% sure about my procedure to start samba, for > instance, in order > to get NT to join the domain, I just manually started all daemons in > samba/bin. OK, I just found the description of the various daemons in the /source/README file. So, the remaining problem is: -userlevel sharing from win9x workstations "the userlist can't be viewed right now" Did anyone already work around this problem? Best regards, Pieter From p.mayers at ic.ac.uk Sat Feb 19 12:49:34 2000 
From: p.mayers at ic.ac.uk (Phil Mayers) Date: Tue Dec 2 02:28:40 2003 Subject: NT/UNIX password synchronization, using LDAP for pasword store. References: <200002190134.MAA41277@au.padl.com> <38AE105D.5CC4A3F1@eng.auburn.edu> <200002190421.PAA42518@au.padl.com> Message-ID: <38AE915E.48275933@ic.ac.uk> A caveat - then the passwd program string (including the bind DN command line argument and password) will be in the smb.conf file (which is world readable). It's best to have a simple root-only access shell script which does it... Unfortunately, I then couldn't get ldappasswd to take the password on stdin - it always tried to open a terminal. I ended up hacking this together: #!/usr/bin/perl -w $user=$ARGV[0]; $pass=<STDIN>; chomp $pass; $salt=join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64]; $pass=crypt($pass,$salt); $FILE="|ldapmodify -D 'cn=root, dc=house, dc=net' -w R1ch26"; open FILE or die; print FILE < > >This is fundamentally the same issue as the unix passwd sync > >parameter. The new password is received in the clear (actually > >not, but it is decryptable). The old password is not available. > >You can probably just use a custom "password program" setting > >and get it to work. > > That should work with OpenLDAP's ldappasswd, a matter of > setting the bind DN correctly. It would be less of a hack > to have the ldapdb code in nt5ldap update this itself, > though. > > -- Luke > -- > Luke Howard > PADL Software Pty Ltd > http://www.padl.com From p.grimmerink at home.nl Sat Feb 19 13:03:13 2000 From: p.grimmerink at home.nl (Pieter Grimmerink) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 In-Reply-To: Message-ID: Bit more info on the following: > > -----Original Message----- 
> > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > > Pieter Grimmerink > > Sent: zaterdag 19 februari 2000 11:33 > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Samba-tng.0.4pre & win95 > > > > > > I'm trying to replace an old samba CVS-compiled PDC with one of the most > > recent TNG ones. > > I tried the alpha 0.4 tar.gz, from the NT servers/workstations I > > already have > > more user/group functionality than before, which is great, but from the > > win95 workstations, domainmembers can no longer login?! While attempting to login on a win9x machine, the following errors occur in the log.smb file: error connecting to 192.168.13.4:445 (Connection refused) socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused socket connect to /tmp/.smb.0/agent failed: Connection refused socket connect to /tmp/.msrpc/NETLOGON/agent failed: Connection refused I have the corresponding daemons running. Similar errors occur when I replace the smb daemon with the HEAD branch one, and I try to view the userlist for sharing. (in that case, I am able to log in, but viewing this userlist fails) Does anyone have a clue? Best regards, Pieter From karl at Denninger.Net Sat Feb 19 15:12:31 2000 From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:40 2003 Subject: Samba 2.0.6 and Win2k/NT/win98 In-Reply-To: <00e101bf7aa1$d0033e20$0201a8c0@jason>; from Jason Jensen on Sat, Feb 19, 2000 at 05:23:08PM +1100 References: <00e101bf7aa1$d0033e20$0201a8c0@jason> Message-ID: <20000219091231.A14234@Denninger.Net> The instructions in the FAQ work for NT. They DO NOT work for Win2K. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Sat, Feb 19, 2000 at 05:23:08PM +1100, Jason Jensen wrote: > So i can do domains with Samba 2.0.6 and they will work with win2k/NT? From lonnie at borntreger.com Sat Feb 19 16:13:12 2000 
From: lonnie at borntreger.com (Lonnie J. Borntreger) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: <004f01bf7af4$38fee120$0500000a@borntreger.com> Finally. I'm no longer the only one talking about this problem. STATUS: Samba TNG does not support Win9x authentication. It ONLY works for users on NT or 2000. SOLUTION: Somebody with access to an NT PDC based domain needs to do a netmon trace of a successful domain login and a successful GETDC request from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he has that, he will fix the implementation. CAVEAT: I've asked for someone to do that trace several times in the last 4-6 months, and no-one has stepped forward and done it. TTFN, Lonnie Borntreger > -----Original Message----- 
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Patrick J. LoPresti > Sent: Friday, February 18, 2000 7:09 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: TNG works with Win2k, fails with Win98 > > > We have been authenticating Win98 users against Samba 2.0.5a for a > long time, but I need a real PDC by next week (ahem) or the Powers > That Be just might start imposing a real NT infrastructure. > > So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built > it on a test machine, hacked up a smb.conf file to make it Domain > Controller for a domain named "TEST", and copied smbpasswd from our > existing installation. > > The result is that a Windows 2000 box can join the domain and > authenticate users. Nice work! The native Win2k user admin tools > tend to crash, but some command-line thingamys in the Resource Kit > provide enough functionality (specifically, adding a domain account to > the local Administrators group) that we can live with it. > > The only problem is that I can no longer authenticate Windows 98. It > says "your password is invalid or your logon share is inaccessible" or > somesuch. Note that this is the same TEST domain and user login which > worked on Windows 2000, so I do not think my configuration is the > problem. But who knows. > > I have a 55K level 10 debug log of the entire failed effort; I would > be glad to send that and my smb.conf to any interested parties. I am > also a reasonably competent C hacker with lots of spare time available > this weekend... > > - Pat > From lonnie at borntreger.com Sat Feb 19 16:13:41 2000 
From: lonnie at borntreger.com (Lonnie J. Borntreger) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 In-Reply-To: Message-ID: <005001bf7af4$49fd2900$0500000a@borntreger.com> Finally. I'm no longer the only one talking about this problem. STATUS: Samba TNG does not support Win9x authentication. It ONLY works for users on NT or 2000. SOLUTION: Somebody with access to an NT PDC based domain needs to do a netmon trace of a successful domain login and a successful GETDC request from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he has that, he will fix the implementation. CAVEAT: I've asked for someone to do that trace several times in the last 4-6 months, and no-one has stepped forward and done it. TTFN, Lonnie Borntreger PS: For those watching the list, yes I DID cut and paste the exact same reply into two messages. ;) > -----Original Message----- > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Pieter Grimmerink > Sent: Saturday, February 19, 2000 4:34 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Samba-tng.0.4pre & win95 > > > I'm trying to replace an old samba CVS-compiled PDC with one > of the most > recent TNG ones. > I tried the 0.4pre tarball, from the NT servers/workstations > I already have > more user/group functionality than before, which is great, > but from the > win95 workstations, domainmembers can no longer login?! > > I'm probably forgetting something. > I'm not 100% sure about my procedure to start samba, for > instance, in order > to get NT to join the domain, I just manually started all daemons in > samba/bin. > I believe there must be some sample startup script, since the > old script > which only starts smbd and nmbd does not do the trick? > > Best regards, > > Pieter > From karl at Denninger.Net Sat Feb 19 16:37:00 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 In-Reply-To: <005001bf7af4$49fd2900$0500000a@borntreger.com>; from Lonnie J. Borntreger on Sun, Feb 20, 2000 at 03:32:08AM +1100 References: <005001bf7af4$49fd2900$0500000a@borntreger.com> Message-ID: <20000219103700.A15873@Denninger.Net> And 2.0.6 only works for 95/98 and NT - and NOT for Win2k. Since I have both 98 and Win2K on my network now I guess I stay with "workgroup" authentication for Win2K right now - even though this REALLY screws up some things (specifically, WHFC (fax link to Hylafax) in that environment thinks it's "SYSTEM" instead of the user and thus you have to store phonebooks and cover pages on a PUBLIC share or it blows sky-high. That's a kinda serious problem - but one I'll deal with for now) -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Sun, Feb 20, 2000 at 03:32:08AM +1100, Lonnie J. Borntreger wrote: > Finally. I'm no longer the only one talking about this problem. > > STATUS: Samba TNG does not support Win9x authentication. It ONLY works for > users on NT or 2000. > > SOLUTION: Somebody with access to an NT PDC based domain needs to do a > netmon trace of a successful domain login and a successful GETDC request > from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he > has that, he will fix the implementation. > > CAVEAT: I've asked for someone to do that trace several times in the last > 4-6 months, and no-one has stepped forward and done it. > > TTFN, > Lonnie Borntreger > PS: For those watching the list, yes I DID cut and paste the exact same > reply into two messages. ;) > > > -----Original Message----- 
> > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > > Pieter Grimmerink > > Sent: Saturday, February 19, 2000 4:34 AM > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Samba-tng.0.4pre & win95 > > > > > > I'm trying to replace an old samba CVS-compiled PDC with one > > of the most > > recent TNG ones. > > I tried the 0.4pre tarball, from the NT servers/workstations > > I already have > > more user/group functionality than before, which is great, > > but from the > > win95 workstations, domainmembers can no longer login?! > > > > I'm probably forgetting something. > > I'm not 100% sure about my procedure to start samba, for > > instance, in order > > to get NT to join the domain, I just manually started all daemons in > > samba/bin. > > I believe there must be some sample startup script, since the > > old script > > which only starts smbd and nmbd does not do the trick? > > > > Best regards, > > > > Pieter > > > From patl at cag.lcs.mit.edu Sat Feb 19 16:35:50 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: "Lonnie J. Borntreger"'s message of "Sat, 19 Feb 2000 10:13:12 -0600" References: <004f01bf7af4$38fee120$0500000a@borntreger.com> Message-ID: "Lonnie J. Borntreger" writes: > Finally. I'm no longer the only one talking about this problem. > > STATUS: Samba TNG does not support Win9x authentication. It ONLY > works for users on NT or 2000. Yes. I am not sure everyone believes this, since there are so many ways you can botch your configuration... I have already received a couple of Emails suggesting that this is my problem. But I have two machines, side-by-side, and the same login which works on Win2k fails on Win98. And I have been authenticating Win98 machines against earlier Samba versions (with "encrypt passwords = yes") for years. So I am pretty sure this really is a problem with TNG. > SOLUTION: Somebody with access to an NT PDC based domain needs to do > a netmon trace of a successful domain login and a successful GETDC > request from a Win9x machine and send it to Luke Leighton > (lkcl@samba.org). Once he has that, he will fix the implementation. Why is this necessary? I can authenticate 98 against Samba 2.0.x just fine; why is a netmon trace of *that* process not sufficient? Or, why can't TNG authenticate 98 machines the same way 2.0.x does? > CAVEAT: I've asked for someone to do that trace several times in the > last 4-6 months, and no-one has stepped forward and done it. Well, I need to get this working by sometime next week. If that means setting up a PDC tonight, then that is what I will do. - Pat From lkcl at samba.org Sat Feb 19 17:48:07 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: > The only problem is that I can no longer authenticate Windows 98. It > says "your password is invalid or your logon share is inaccessible" or > somesuch. Note that this is the same TEST domain and user login which > worked on Windows 2000, so I do not think my configuration is the > problem. But who knows. > > I have a 55K level 10 debug log of the entire failed effort; I would pat, recompile with ./configure.developer, increase to 100, look for smb sessetupx requests. in between the request and the response will be a NETLOGON connection to netlogond. examine this, find error messages. examine log.netlogon (may be log.NETLOGON), find what problem is. examine srv_netlogon_nt.c, fix problem :) From lkcl at samba.org Sat Feb 19 17:49:19 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: NT/UNIX password synchronization, using LDAP for password store. In-Reply-To: <200002190134.MAA41277@au.padl.com> Message-ID: On Sat, 19 Feb 2000, Luke Howard wrote: > > >I intend for the same LDAP directory subtree to be used for > >authentication store by Samba-TNG running on Linux, so that eventually > >each entry should have these LDAP attributeTypes > > > > lmPassword > > ntPassword > > userPassword > > For TNG, that will _probably_ be dBCSPwd and unicodePwd, instead > of lmPassword and ntPassword. > > >Is there some feature of Samba which will cause it to synchronize > >lmPassword/ntPassword to the userPassword attribute when an NT > >password changes ? If not, does anyone have any suggestions for how I > >might proceed ? > > Good question. I don't expect that SAMBA gets the new password in the > clear, but I may be wrong; this is just a guess. If it doesn't, then yes. unicode cleartext. the old password, however, is _not_ received. > If SAMBA (when acting as a PDC) does get the cleartext password, then > perhaps all you need is a conversation with the ldappasswd program (included > with OpenLDAP). "password chat = " option. From lkcl at samba.org Sat Feb 19 17:53:10 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-tng.0.4pre & win95 In-Reply-To: Message-ID: On Sat, 19 Feb 2000, Pieter Grimmerink wrote: > I'm trying to replace an old samba CVS-compiled PDC with one of the most > recent TNG ones. > I tried the 0.4pre tarball, from the NT servers/workstations I already have > more user/group functionality than before, which is great, but from the > win95 workstations, domainmembers can no longer login?! i know. @begin honest sentiments i'm sorry, i don't care enough about win9x to even install it @end honest sentiments. someone on the list volunteered to look at it :) it's probably due to win9x sending only a LM#, and netlogond probably wants both lm# && nt#. From lkcl at samba.org Sat Feb 19 17:56:48 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: Samba-TNG PDC <- Samba pre-3.0.0 join failed In-Reply-To: <38AE7F98.8AF36338@gis.org> Message-ID: hi alex, what you have done is... ask a non-TNG server to join the domain. what you will need to do instead is to log in to GISGATE and use smbpasswd *locally*. to join it to the domain. why? because GISGATE, being a 3.0 srv, doesn't support lsar_set_secret. On Sat, 19 Feb 2000, Alexander Davydenko wrote: > it may be known problem, but I couldn't join samba server to samba-tng > controlled domain. > > > root@rover:/usr/local/samba/bin# samedit -S rover -U root%lala -l > ./var/sameditlog -d 100 -W ORG > [ORG\root@ROVER]$ use \\gisgate -U root%fafa > use \\gisgate -U root%fafa > > --------------------------------------------------------------- > Server: \\GISGATE: User: root Domain: > Connection: OK > [ORG\root@ROVER]$ createuser gisgate$ -j > createuser gisgate$ -j > > SAM Create Domain User > Domain: ORG Name: gisgate$ ACB: [W ] > Create Domain User: OK > Join GISGATE to Domain ORG > Set $MACHINE.ACC: FAILED > [ORG\root@ROVER]$ use \\irene -U Administrator%lala > use \\irene -U Administrator%lala > > Server: \\IRENE: User: Administrator Domain: > Connection: OK > [ORG\root@ROVER]$ createuser irene$ -j > createuser irene$ -j > > SAM Create Domain User > Domain: ORG Name: irene$ ACB: [W ] > Create Domain User: OK > Join IRENE to Domain ORG > Create $MACHINE.ACC: OK > Set $MACHINE.ACC: OK > [ORG\root@ROVER]$ quit > ----------------------------------------------------------------- > > GISGATE is running Samba pre-3.0.0, and IRENE running NT4. > after that, I got a 512k log from samedit. > On the GISGATE side there is a big log too with : > > [2000/02/19 14:15:35, 0] > passdb/smbpassfile.c:trust_password_lock(119) > trust_password_lock: cannot open file > /usr/local/samba/private/WORKGROUP.GISGATE.mac - Error was No such file or > directory. 
> [2000/02/19 14:15:35, 0] > passdb/smbpassfile.c:trust_get_passwd(288) > domain_client_validate: unable to open the machine account password file > for machine GISGATE in domain WORKGROUP. > > > -- > Alexander Davydenko | > alex@javad.ru, mba_69@chat.ru | Moscow, USSR > ------------------------------------------------------------------------- > <<<<< Powered by Linux & 220V >>>>> > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sat Feb 19 18:01:22 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <004f01bf7af4$38fee120$0500000a@borntreger.com> Message-ID: richard [sharpe], you have one, don't you? On Sun, 20 Feb 2000, Lonnie J. Borntreger wrote: > Finally. I'm no longer the only one talking about this problem. > > STATUS: Samba TNG does not support Win9x authentication. It ONLY works for > users on NT or 2000. > > SOLUTION: Somebody with access to an NT PDC based domain needs to do a > netmon trace of a successful domain login and a successful GETDC request > from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he > has that, he will fix the implementation. > > CAVEAT: I've asked for someone to do that trace several times in the last > 4-6 months, and no-one has stepped forward and done it. > > TTFN, > Lonnie Borntreger > > > -----Original Message----- 
> > From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > > Patrick J. LoPresti > > Sent: Friday, February 18, 2000 7:09 PM > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: TNG works with Win2k, fails with Win98 > > > > > > We have been authenticating Win98 users against Samba 2.0.5a for a > > long time, but I need a real PDC by next week (ahem) or the Powers > > That Be just might start imposing a real NT infrastructure. > > > > So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built > > it on a test machine, hacked up a smb.conf file to make it Domain > > Controller for a domain named "TEST", and copied smbpasswd from our > > existing installation. > > > > The result is that a Windows 2000 box can join the domain and > > authenticate users. Nice work! The native Win2k user admin tools > > tend to crash, but some command-line thingamys in the Resource Kit > > provide enough functionality (specifically, adding a domain account to > > the local Administrators group) that we can live with it. > > > > The only problem is that I can no longer authenticate Windows 98. It > > says "your password is invalid or your logon share is inaccessible" or > > somesuch. Note that this is the same TEST domain and user login which > > worked on Windows 2000, so I do not think my configuration is the > > problem. But who knows. > > > > I have a 55K level 10 debug log of the entire failed effort; I would > > be glad to send that and my smb.conf to any interested parties. I am > > also a reasonably competent C hacker with lots of spare time available > > this weekend... > > > > - Pat > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sat Feb 19 18:04:24 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: On Sun, 20 Feb 2000, Patrick J. LoPresti wrote: > "Lonnie J. Borntreger" writes: > > > Finally. I'm no longer the only one talking about this problem. > > > > STATUS: Samba TNG does not support Win9x authentication. It ONLY > > works for users on NT or 2000. > > Yes. I am not sure everyone believes this, since there are so many > ways you can botch your configuration... I have already received a > couple of Emails suggesting that this is my problem. > > But I have two machines, side-by-side, and the same login which works > on Win2k fails on Win98. And I have been authenticating Win98 > machines against earlier Samba versions (with "encrypt passwords = > yes") for years. So I am pretty sure this really is a problem with > TNG. > > > SOLUTION: Somebody with access to an NT PDC based domain needs to do > > a netmon trace of a successful domain login and a successful GETDC > > request from a Win9x machine and send it to Luke Leighton > > (lkcl@samba.org). Once he has that, he will fix the implementation. > > Why is this necessary? I can authenticate 98 against Samba 2.0.x just > fine; why is a netmon trace of *that* process not sufficient? Or, why i specifically need to know EXACTLY what the difference between a win9x UDP 138 request and an nt one (GETDC and SAMQUERY) _and_ i need to know what the responses are --- *from an nt server*. samba is not sufficient for this task. From sharpe at ns.aus.com Sat Feb 19 15:30:20 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <004f01bf7af4$38fee120$0500000a@borntreger.com> References: Message-ID: <3.0.6.32.20000220013020.0091c100@203.16.214.248> Hi, At 03:15 AM 2/20/00 +1100, Lonnie J. Borntreger wrote: >Finally. I'm no longer the only one talking about this problem. > >STATUS: Samba TNG does not support Win9x authentication. It ONLY works for >users on NT or 2000. > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a >netmon trace of a successful domain login and a successful GETDC request >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he >has that, he will fix the implementation. > >CAVEAT: I've asked for someone to do that trace several times in the last >4-6 months, and no-one has stepped forward and done it. Well, not quite true ... I actually have such traces ... And I have the wherewithal to do the changes as well, I have just not had the time, as I have been trying to get a book finished and get a Samba course developed, and so on. However, we now have the tools to handle this correctly, I think. The question is: Will it be handled in nmbd as it was/is in 2.0.x, or will it be handled elsewhere, and where? Since the logons and GetDC requests are UDP based, not MSRPC, they are a different category. >TTFN, >Lonnie Borntreger > >> -----Original Message----- 
>> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of >> Patrick J. LoPresti >> Sent: Friday, February 18, 2000 7:09 PM >> To: Multiple recipients of list SAMBA-NTDOM >> Subject: TNG works with Win2k, fails with Win98 >> >> >> We have been authenticating Win98 users against Samba 2.0.5a for a >> long time, but I need a real PDC by next week (ahem) or the Powers >> That Be just might start imposing a real NT infrastructure. >> >> So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built >> it on a test machine, hacked up a smb.conf file to make it Domain >> Controller for a domain named "TEST", and copied smbpasswd from our >> existing installation. >> >> The result is that a Windows 2000 box can join the domain and >> authenticate users. Nice work! The native Win2k user admin tools >> tend to crash, but some command-line thingamys in the Resource Kit >> provide enough functionality (specifically, adding a domain account to >> the local Administrators group) that we can live with it. >> >> The only problem is that I can no longer authenticate Windows 98. It >> says "your password is invalid or your logon share is inaccessible" or >> somesuch. Note that this is the same TEST domain and user login which >> worked on Windows 2000, so I do not think my configuration is the >> problem. But who knows. >> >> I have a 55K level 10 debug log of the entire failed effort; I would >> be glad to send that and my smb.conf to any interested parties. I am >> also a reasonably competent C hacker with lots of spare time available >> this weekend... 
>> >> - Pat >> > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From robert at dbservice.com Sat Feb 19 23:21:45 2000 From: robert at dbservice.com (Robert Carnecky) Date: Tue Dec 2 02:28:40 2003 Subject: Diagnosis failed but SAMBA works Message-ID: <008901bf7b30$169c4550$0a00a8c0@emmen.dbservice.com> I tried to go through the diagnosis steps and found the steps 4-6 failed with the error message: socket connect to /tmp/.nmb/agent failed: Connection refused Similar error message I got when I created users using rpcclient: socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused What's confusing - my clients (NT,W2K) were successfully created, can logon the PDC, see the resources in the browser, everything seems to work OK. What's wrong ? Robert From sharpe at ns.aus.com Sun Feb 20 01:07:26 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 Message-ID: <3.0.6.32.20000220110726.00862870@203.16.214.248> Hi, At 03:15 AM 2/20/00 +1100, Lonnie J. Borntreger wrote: >Finally. I'm no longer the only one talking about this problem. > >STATUS: Samba TNG does not support Win9x authentication. It ONLY works for >users on NT or 2000. > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a >netmon trace of a successful domain login and a successful GETDC request >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he >has that, he will fix the implementation. > >CAVEAT: I've asked for someone to do that trace several times in the last >4-6 months, and no-one has stepped forward and done it. OK, I have started to look at this, even though I have tons of other work to do. Samba-TNG has no problems with the logon request being sent by Win95, and even returns a response that Win95 can understand. However, when Win95 tries to connect to IPC$ using a SessionSetup&X, Samba-TNG returns a bad password response. This seems to be a problem with the LM# that Win95 is sending, and perhaps Samba-TNG is expecting an NT#. >TTFN, >Lonnie Borntreger > >> -----Original Message----- 
>> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of >> Patrick J. LoPresti >> Sent: Friday, February 18, 2000 7:09 PM >> To: Multiple recipients of list SAMBA-NTDOM >> Subject: TNG works with Win2k, fails with Win98 >> >> >> We have been authenticating Win98 users against Samba 2.0.5a for a >> long time, but I need a real PDC by next week (ahem) or the Powers >> That Be just might start imposing a real NT infrastructure. >> >> So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built >> it on a test machine, hacked up a smb.conf file to make it Domain >> Controller for a domain named "TEST", and copied smbpasswd from our >> existing installation. >> >> The result is that a Windows 2000 box can join the domain and >> authenticate users. Nice work! The native Win2k user admin tools >> tend to crash, but some command-line thingamys in the Resource Kit >> provide enough functionality (specifically, adding a domain account to >> the local Administrators group) that we can live with it. >> >> The only problem is that I can no longer authenticate Windows 98. It >> says "your password is invalid or your logon share is inaccessible" or >> somesuch. Note that this is the same TEST domain and user login which >> worked on Windows 2000, so I do not think my configuration is the >> problem. But who knows. >> >> I have a 55K level 10 debug log of the entire failed effort; I would >> be glad to send that and my smb.conf to any interested parties. I am >> also a reasonably competent C hacker with lots of spare time available >> this weekend... >> >> - Pat >> > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From inge at cc.uit.no Sun Feb 20 00:21:36 2000 
From: inge at cc.uit.no (Inge-Haavard Hunstad) Date: Tue Dec 2 02:28:40 2003 Subject: Diagnosis failed but SAMBA works References: <008901bf7b30$169c4550$0a00a8c0@emmen.dbservice.com> Message-ID: <38AF3390.D7F5941F@cc.uit.no> > Robert Carnecky wrote: > > I tried to go through the diagnosis steps and found the steps 4-6 > failed with the error message: > > socket connect to /tmp/.nmb/agent failed: Connection refused > > Similar error message I got when I created users using rpcclient: > > socket connect to /tmp/.msrpc/.samr/agent failed: Connection > refused > > What's confusing - my clients (NT,W2K) were successfully created, can > logon the PDC, see the resources in the browser, everything seems to > work OK. What's wrong ? I have the same problem, but I tried a nmblookup from samba 2.0.4b and it worked like a charm. So my suggestion is that nmblookup is broken in samba_tng. inge > > Robert > > From sharpe at ns.aus.com Sun Feb 20 02:06:09 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 Message-ID: <3.0.6.32.20000220120609.0085d7d0@203.16.214.248> Hi, At 03:15 AM 2/20/00 +1100, Lonnie J. Borntreger wrote: >Finally. I'm no longer the only one talking about this problem. > >STATUS: Samba TNG does not support Win9x authentication. It ONLY works for >users on NT or 2000. > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a >netmon trace of a successful domain login and a successful GETDC request >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he >has that, he will fix the implementation. > >CAVEAT: I've asked for someone to do that trace several times in the last >4-6 months, and no-one has stepped forward and done it. OK, It is the LM MD4 hash part that is failing ... I can't see yet what is wrong, as the code has changed a lot, but the functions look the same. I wonder, is there any way to force Samba to use the same challenge all the time? I need to be able to compare the results of Samba-TNG and Samba-2.0.6 to see if they produce the same result. >TTFN, >Lonnie Borntreger > >> -----Original Message----- 
>> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of >> Patrick J. LoPresti >> Sent: Friday, February 18, 2000 7:09 PM >> To: Multiple recipients of list SAMBA-NTDOM >> Subject: TNG works with Win2k, fails with Win98 >> >> >> We have been authenticating Win98 users against Samba 2.0.5a for a >> long time, but I need a real PDC by next week (ahem) or the Powers >> That Be just might start imposing a real NT infrastructure. >> >> So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built >> it on a test machine, hacked up a smb.conf file to make it Domain >> Controller for a domain named "TEST", and copied smbpasswd from our >> existing installation. >> >> The result is that a Windows 2000 box can join the domain and >> authenticate users. Nice work! The native Win2k user admin tools >> tend to crash, but some command-line thingamys in the Resource Kit >> provide enough functionality (specifically, adding a domain account to >> the local Administrators group) that we can live with it. >> >> The only problem is that I can no longer authenticate Windows 98. It >> says "your password is invalid or your logon share is inaccessible" or >> somesuch. Note that this is the same TEST domain and user login which >> worked on Windows 2000, so I do not think my configuration is the >> problem. But who knows. >> >> I have a 55K level 10 debug log of the entire failed effort; I would >> be glad to send that and my smb.conf to any interested parties. I am >> also a reasonably competent C hacker with lots of spare time available >> this weekend... 
>> >> - Pat >> > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Sun Feb 20 02:37:54 2000 From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 Message-ID: <3.0.6.32.20000220123754.0085a100@203.16.214.248> Hi, I wrote: >It is the LM MD4 hash part that is failing ... I can't see yet what is wrong, as >the code has changed a lot, but the functions look the same. This actually accords with my experience as well, as just trying to use Samba-TNG from Windows 95 fails. That is, Windows 9X cannot use Samba TNG at all. Can anyone else confirm. Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From patl at cag.lcs.mit.edu Sun Feb 20 02:09:27 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Richard Sharpe's message of "Sun, 20 Feb 2000 11:05:00 +1100" References: <3.0.6.32.20000220110726.00862870@203.16.214.248> Message-ID: Richard Sharpe writes: > OK, I have started to look at this, even though I have tons of other > work to do. If you get this working within the week, a case of beer (*) of your choice is on me. I do not know how I will get it to Australia, but I will find a way. And if there is anything I can do to help, please let me know. I have no other plans for the next 48 hours. I actually did set up a fresh NT PDC today to capture a netmon trace of a Win98 login, but I guess that was unnecessary after all. > However, when Win95 tries to connect to IPC$ using a SessionSetup&X, > Samba-TNG returns a bad password response. This seems to be a > problem with the LM# that Win95 is sending, and perhaps Samba-TNG is > expecting an NT#. Yes, that is consistent with the logs I am seeing, too. After the failed LM authentication Samba falls back to using something (the LM hash?) as Unix password; we are seeing syslog messages about failed authentication attempts from the PAM passwd module. Incidentally, I do have a workaround of sorts: 1) Set up TNG as domain controller for the "FOO" domain 2) Set up 2.0.x to serve domain logons for the "FOO9X" domain 3) Configure the 2.0.x box with "security = server" and "password server = " 4) Have WinNT/Win2k clients use the FOO domain 5) Have Win9x clients live in the FOO workgroup but authenticate against the FOO9X domain This actually appears to work, although it requires you to set the domain differently for Win9x and WinNT clients, which is more than slightly annoying. (Especially if you already have lots of 98 and NT clients using the same domain, like we do.) But maybe if you were setting up a network from scratch it would not be so bad. 
- Pat From sidious at dark-jedi.net Sun Feb 20 02:45:09 2000 From: sidious at dark-jedi.net (Sidious) Date: Tue Dec 2 02:28:40 2003 Subject: Win2k pro / PDC problems Message-ID: Welp I had everything working with Windows 2000 RC2 and having it join the domain/all the fun stuff.. I've got the final release of Windows 2000 Professional and if I try to join the domain I get "the specified domain either does not exist or could not be contacted." Another strange thing is that if I pull up Server Manager from the Win2k box my samba PDC appears to be a BDC in the list. Does Samba not support domain joins from Win2k releases or am I just doing something wrong? I checked out the latest samba from CVS today, but I didn't use any flags when I compiled it. Any help would be appreciated. Paul From karl at Denninger.Net Sun Feb 20 03:32:10 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:40 2003 Subject: Win2k pro / PDC problems In-Reply-To: ; from Sidious on Sun, Feb 20, 2000 at 01:41:15PM +1100 References: Message-ID: <20000219213210.A24099@Denninger.Net> It doesn't work. I've got it too; same problem, 2.0.6. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Sun, Feb 20, 2000 at 01:41:15PM +1100, Sidious wrote: > > > Welp I had everything working with Windows 2000 RC2 and having it join the > domain/all the fun stuff.. > > I've got the final release of Windows 2000 Professional and if I try to > join the domain I get "the specified domain either does not exist or could > not be contacted." > > Another strange thing is that if I pull up Server Manager from the Win2k > box my samba PDC appears to be a BDC in the list. > > Does Samba not support domain joins from Win2k releases or am I just doing > something wrong? > > I checked out the latest samba from CVS today, but I didn't use any flags > when I compiled it. Any help would be appreciated. > > > Paul > From sharpe at ns.aus.com Sun Feb 20 04:50:05 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220132513.008593e0@203.16.214.248> References: <3.0.6.32.20000220123754.0085a100@203.16.214.248> Message-ID: <3.0.6.32.20000220145005.0086b670@203.16.214.248> At 01:25 PM 2/20/00 +1000, Richard Sharpe wrote: >At 12:36 PM 2/20/00 +1100, you wrote: >>Hi, >> >Hmmm, OK, further checking seems to show that the E_P24 routines and some >associated routines are working correctly. That is, Luke has not perturbed >the E_P24 routine in changing things around. I now have to check some >other avenues ... OK, it looks like the LM Challenge Response that was returned is not making it all the way to smb_password_ok routine, as it is different in the code to what ethereal shows it to be. Have to take the children swimming now, so have to stop :-) Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From lkcl at samba.org Sun Feb 20 04:25:44 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220013020.0091c100@203.16.214.248> Message-ID: > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a > >netmon trace of a successful domain login and a successful GETDC request > >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he > >has that, he will fix the implementation. > However, we now have the tools to handle this correctly, I think. > > The question is: Will it be handled in nmbd as it was/is in 2.0.x, or will > it be handled elsewhere, and where? Since the logons and GetDC requests in nmbd. it's just that we need a _proper_ means to distinguish win95 UDP requests from nt. From lkcl at samba.org Sun Feb 20 04:26:49 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: Diagnosis failed but SAMBA works In-Reply-To: <008901bf7b30$169c4550$0a00a8c0@emmen.dbservice.com> Message-ID: these are warnings, only, robert. i added a redirector agent to tng. so the code first tries to connect to the agent, and then proceeds to make its own connection instead of using the ones made by the agent. On Sun, 20 Feb 2000, Robert Carnecky wrote: > I tried to go through the diagnosis steps and found the steps 4-6 failed with the error message: > > socket connect to /tmp/.nmb/agent failed: Connection refused > > Similar error message I got when I created users using rpcclient: > > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused > > What's confusing - my clients (NT,W2K) were successfully created, can logon the PDC, see the resources in the browser, everything seems to work OK. What's wrong ? > > Robert > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 20 04:31:05 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220110726.00862870@203.16.214.248> Message-ID: > >CAVEAT: I've asked for someone to do that trace several times in the last > >4-6 months, and no-one has stepped forward and done it. > > OK, I have started to look at this, even though I have tons of other work > to do. thx richard. > Samba-TNG has no problems with the logon request being sent by Win95, and > even returns a response that Win95 can understand. it does??? gosh :) > However, when Win95 tries to connect to IPC$ using a SessionSetup&X, > Samba-TNG returns a bad password response. This seems to be a problem with > the LM# that Win95 is sending, and perhaps Samba-TNG is expecting an NT#. ok, that's what i suspected. i need that level 100 trace of log.win95 and log.netlogon (passwords will be in it) with -DDEBUG_PASSWORD enabled. From lkcl at samba.org Sun Feb 20 04:32:22 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220120609.0085d7d0@203.16.214.248> Message-ID: AH! i know what it is - i removed a memset in smbencrypt.c because it was causing a bug in gcc. On Sun, 20 Feb 2000, Richard Sharpe wrote: > Hi, > > At 03:15 AM 2/20/00 +1100, Lonnie J. Borntreger wrote: > >Finally. I'm no longer the only one talking about this problem. > > > >STATUS: Samba TNG does not support Win9x authentication. It ONLY works for > >users on NT or 2000. > > > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a > >netmon trace of a successful domain login and a successful GETDC request > >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he > >has that, he will fix the implementation. > > > >CAVEAT: I've asked for someone to do that trace several times in the last > >4-6 months, and no-one has stepped forward and done it. > > OK, > > It is the LM MD4 hash part that is failing ... I can't see yet what is > wrong, as the code has changed a lot, but the functions look the same. > > I wonder, is there any way to force Samba to use the same challenge all the > time? I need to be able to compare the results of Samba-TNG and > Samba-2.0.6 to see if they produce the same result. > > >TTFN, > >Lonnie Borntreger > > > >> -----Original Message----- 
> >> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > >> Patrick J. LoPresti > >> Sent: Friday, February 18, 2000 7:09 PM > >> To: Multiple recipients of list SAMBA-NTDOM > >> Subject: TNG works with Win2k, fails with Win98 > >> > >> > >> We have been authenticating Win98 users against Samba 2.0.5a for a > >> long time, but I need a real PDC by next week (ahem) or the Powers > >> That Be just might start imposing a real NT infrastructure. > >> > >> So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built > >> it on a test machine, hacked up a smb.conf file to make it Domain > >> Controller for a domain named "TEST", and copied smbpasswd from our > >> existing installation. > >> > >> The result is that a Windows 2000 box can join the domain and > >> authenticate users. Nice work! The native Win2k user admin tools > >> tend to crash, but some command-line thingamys in the Resource Kit > >> provide enough functionality (specifically, adding a domain account to > >> the local Administrators group) that we can live with it. > >> > >> The only problem is that I can no longer authenticate Windows 98. It > >> says "your password is invalid or your logon share is inaccessible" or > >> somesuch. Note that this is the same TEST domain and user login which > >> worked on Windows 2000, so I do not think my configuration is the > >> problem. But who knows. > >> > >> I have a 55K level 10 debug log of the entire failed effort; I would > >> be glad to send that and my smb.conf to any interested parties. I am > >> also a reasonably competent C hacker with lots of spare time available > >> this weekend... 
> >> > >> - Pat > >> > > > > > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course > Author: First Australian 2-day, intensive, hands-on Samba course > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 20 04:34:47 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220120609.0085d7d0@203.16.214.248> Message-ID: On Sun, 20 Feb 2000, Richard Sharpe wrote: > Hi, > > At 03:15 AM 2/20/00 +1100, Lonnie J. Borntreger wrote: > >Finally. I'm no longer the only one talking about this problem. > > > >STATUS: Samba TNG does not support Win9x authentication. I ONLY works for > >users on NT or 2000. > > > >SOLUTION: Somebody with access to an NT PDC based domain needs to do a > >netmon trace of a successful domain login and a successful GETDC request > >from a Win9x machine and send it to Luke Leighton (lkcl@samba.org). Once he > >has that, he will fix the implementation. > > > >CAVEAT: I've asked for someone to do that trace several times in the last > >4-6 months, and no-one has stepped forward and done it. > > OK, > > It is the LM MD4 hash part that is failing ... I can't see yet what is > wrong, as the code has changed a lot, but the functions look the same. > > I wonder, is there any way to force Samba to use the same challenge all the > time? I need to be able to compare the results of Samba-TNG and > Samba-2.0.6 to see if they produce the same result. urr..... get_challenge() in 2.0.x, isn't it? i forget :) it's in negprot.c. yeah, generate_next_challenge(). > >TTFN, > >Lonnie Borntreger > > > >> -----Original Message----- 
> >> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > >> Patrick J. LoPresti > >> Sent: Friday, February 18, 2000 7:09 PM > >> To: Multiple recipients of list SAMBA-NTDOM > >> Subject: TNG works with Win2k, fails with Win98 > >> > >> > >> We have been authenticating Win98 users against Samba 2.0.5a for a > >> long time, but I need a real PDC by next week (ahem) or the Powers > >> That Be just might start imposing a real NT infrastructure. > >> > >> So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built > >> it on a test machine, hacked up a smb.conf file to make it Domain > >> Controller for a domain named "TEST", and copied smbpasswd from our > >> existing installation. > >> > >> The result is that a Windows 2000 box can join the domain and > >> authenticate users. Nice work! The native Win2k user admin tools > >> tend to crash, but some command-line thingamys in the Resource Kit > >> provide enough functionality (specifically, adding a domain account to > >> the local Administrators group) that we can live with it. > >> > >> The only problem is that I can no longer authenticate Windows 98. It > >> says "your password is invalid or your logon share is inaccessible" or > >> somesuch. Note that this is the same TEST domain and user login which > >> worked on Windows 2000, so I do not think my configuration is the > >> problem. But who knows. > >> > >> I have a 55K level 10 debug log of the entire failed effort; I would > >> be glad to send that and my smb.conf to any interested parties. I am > >> also a reasonably competent C hacker with lots of spare time available > >> this weekend... 
> >> > >> - Pat > >> > > > > > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course > Author: First Australian 2-day, intensive, hands-on Samba course > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 20 04:37:00 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:40 2003 Subject: Win2k pro / PDC problems In-Reply-To: Message-ID: sidious, how many letters in the name of your domain, server and nt5rtm box? please change each of these by one letter in length (one at a time) and let me know if it works. thx. On Sun, 20 Feb 2000, Sidious wrote: > > > Welp I had everything working with Windows 2000 RC2 and having it join the > domain/all the fun stuff.. > > I've got the final release of Windows 2000 Professional and if I try to > join the domain I get "the specified domain either does not exist or could > not be contacted." > > Another strange thing is that if I pull up Server Manager from the Win2k > box my samba PDC appears to be a BDC in the list. > > Does Samba not support domain joins from Win2k releases or am I just doing > something wrong? > > I checked out the latest samba from CVS today, but I didn't use any flags > when I compiled it. Any help would be appreciated. > > > Paul > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Sun Feb 20 04:38:16 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220145005.0086b670@203.16.214.248> Message-ID: On Sun, 20 Feb 2000, Richard Sharpe wrote: > At 01:25 PM 2/20/00 +1000, Richard Sharpe wrote: > >At 12:36 PM 2/20/00 +1100, you wrote: > >>Hi, > >> > >Hmmm, OK, further checking seems to show that the E_P24 routines and some > >associated routines are working correctly. That is, Luke has not perturbed > >the E_P24 routine in changing things around. I now have to check some > >other avenues ... > > OK, it looks like the LM Challenge Response that was returned is not making > it all the way to smb_password_ok routine, as it is different in the code > to what ethereal shows it to be. yes, a different codepath is used. i now *always* use domain_client_validate(), and as a pdc this takes you through to netlogond on loopback. in _there_ it calls smb_password_ok(). From lkcl at samba.org Sun Feb 20 06:23:18 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: samba-tng-alpha-0.5.tar.gz Message-ID: ftp://samba.org/pub/samba/alpha. please use mirror site for preference. From sharpe at ns.aus.com Sun Feb 20 08:31:05 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220145005.0086b670@203.16.214.248> References: <3.0.6.32.20000220132513.008593e0@203.16.214.248> <3.0.6.32.20000220123754.0085a100@203.16.214.248> Message-ID: <3.0.6.32.20000220183105.00906290@203.16.214.248> At 02:50 PM 2/20/00 +1100, Richard Sharpe wrote: >At 01:25 PM 2/20/00 +1000, Richard Sharpe wrote: >>At 12:36 PM 2/20/00 +1100, you wrote: >>>Hi, >>> >>Hmmm, OK, further checking seems to show that the E_P24 routines and some >>associated routines are working correctly. That is, Luke has not perturbed >>the E_P24 routine in changing things around. I now have to check some >>other avenues ... > >OK, it looks like the LM Challenge Response that was returned is not making >it all the way to smb_password_ok routine, as it is different in the code >to what ethereal shows it to be. OK, I think I have nailed it. make_id_info2 which was building a structure that is passed to netlogond via that damned complicated internal MSRPC crap, was overwriting the lm_chal_resp with a constant! Fixing now. Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Sun Feb 20 08:57:12 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: <3.0.6.32.20000220185712.00869be0@203.16.214.248> OK, Now, from Win98 I get: You were successfully logged on to SAMBA1 as win95user by \\LINSRV1 with USER privilege. Make it Sam Bass please. We drink real beer here in Oz :-) Actually, I would not advise sending a case of beer to OZ. Keep it until I get to a conference in the US! Then we can share it among the members of the team who are there. I will upload the fixes to the CVS tree soon. If you do not have access to the CVS tree, please ask Luke nicely. At 12:09 PM 2/19/00 +1100, Patrick J. LoPresti wrote: >We have been authenticating Win98 users against Samba 2.0.5a for a >long time, but I need a real PDC by next week (ahem) or the Powers >That Be just might start imposing a real NT infrastructure. > >So I checked out TNG this afternoon at 1:50 P.M. EST (6:50 UTC), built >it on a test machine, hacked up a smb.conf file to make it Domain >Controller for a domain named "TEST", and copied smbpasswd from our >existing installation. > >The result is that a Windows 2000 box can join the domain and >authenticate users. Nice work! The native Win2k user admin tools >tend to crash, but some command-line thingamys in the Resource Kit >provide enough functionality (specifically, adding a domain account to >the local Administrators group) that we can live with it. > >The only problem is that I can no longer authenticate Windows 98. It >says "your password is invalid or your logon share is inaccessible" or >somesuch. Note that this is the same TEST domain and user login which >worked on Windows 2000, so I do not think my configuration is the >problem. But who knows. > >I have a 55K level 10 debug log of the entire failed effort; I would >be glad to send that and my smb.conf to any interested parties. 
I am >also a reasonably competent C hacker with lots of spare time available >this weekend... > > - Pat > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Sun Feb 20 09:08:21 2000 From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 Message-ID: <3.0.6.32.20000220190821.00856e90@203.16.214.248> Luke, You IDIOT! When you cut and paste, you have to make sure you fix up the variable names. All it was that was preventing Win9X clients from logging in and accessing Samba TNG was that you were calculating MIN(nt_chal_len, sizeof(lm_owf)) when that should have been lm_chal_len!! Of course it was zero and as a result you were passing through an initialized buffer instead of the lm_chal_resp! Whew. Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Sun Feb 20 09:23:57 2000 
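The copy-paste defect described in the message above, reduced to a standalone C sketch. This is an added example, not Samba-TNG source: `struct id_info_sketch`, `pack_buggy`, `pack_fixed`, `response_ok`, `lm_resp_dropped`, the validator's NT-first preference and the sample bytes are all hypothetical; only `nt_chal_len`, `lm_chal_len` and `lm_chal_resp` are names from the thread.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define RESP_LEN 24 /* size of a classic LM or NT challenge response */

/* Hypothetical stand-in for the logon structure handed to netlogond. */
struct id_info_sketch {
    unsigned char lm_chal_resp[RESP_LEN];
    unsigned char nt_chal_resp[RESP_LEN];
    size_t lm_len; /* bytes of LM response actually stored */
    size_t nt_len; /* bytes of NT response actually stored */
};

/* Start from a zeroed structure, then copy the clamped lengths in. */
static void pack(struct id_info_sketch *id,
                 const unsigned char *lm, size_t lm_n,
                 const unsigned char *nt, size_t nt_n)
{
    memset(id, 0, sizeof(*id));
    if (lm_n > 0) memcpy(id->lm_chal_resp, lm, lm_n);
    if (nt_n > 0) memcpy(id->nt_chal_resp, nt, nt_n);
    id->lm_len = lm_n;
    id->nt_len = nt_n;
}

/* As described in the thread: the LM clamp was pasted from the NT one.
 * In this sketch it would also over-read lm[] whenever the NT response
 * is longer than the LM response. */
static void pack_buggy(struct id_info_sketch *id,
                       const unsigned char *lm, size_t lm_chal_len,
                       const unsigned char *nt, size_t nt_chal_len)
{
    (void)lm_chal_len; /* never consulted: that is the defect */
    pack(id, lm, MIN(nt_chal_len, sizeof(id->lm_chal_resp)),
         nt, MIN(nt_chal_len, sizeof(id->nt_chal_resp)));
}

/* Corrected: each response is clamped by its own length. */
static void pack_fixed(struct id_info_sketch *id,
                       const unsigned char *lm, size_t lm_chal_len,
                       const unsigned char *nt, size_t nt_chal_len)
{
    pack(id, lm, MIN(lm_chal_len, sizeof(id->lm_chal_resp)),
         nt, MIN(nt_chal_len, sizeof(id->nt_chal_resp)));
}

/* Boundary check: did the client supply LM bytes that never got stored? */
static int lm_resp_dropped(const struct id_info_sketch *id, size_t lm_chal_len)
{
    return id->lm_len < MIN(lm_chal_len, sizeof(id->lm_chal_resp));
}

/* Sketch validator (assumption): use the NT response when one is
 * present, otherwise fall back to comparing the LM response. */
static int response_ok(const struct id_info_sketch *id,
                       const unsigned char *expect_lm,
                       const unsigned char *expect_nt)
{
    if (id->nt_len == RESP_LEN)
        return memcmp(id->nt_chal_resp, expect_nt, RESP_LEN) == 0;
    return memcmp(id->lm_chal_resp, expect_lm, RESP_LEN) == 0;
}

/* win9x != 0 models a client that sends only an LM response
 * (nt_chal_len == 0); otherwise both responses are sent.
 * Returns 1 if the logon would be accepted. */
static int run_case(int fixed, int win9x, int *dropped)
{
    unsigned char lm[RESP_LEN], nt[RESP_LEN]; /* constructed sample data */
    struct id_info_sketch id;
    size_t i, lm_len = RESP_LEN, nt_len = win9x ? 0 : RESP_LEN;

    for (i = 0; i < RESP_LEN; i++) {
        lm[i] = (unsigned char)(0x10 + i);
        nt[i] = (unsigned char)(0xA0 + i);
    }
    if (fixed)
        pack_fixed(&id, lm, lm_len, nt, nt_len);
    else
        pack_buggy(&id, lm, lm_len, nt, nt_len);
    if (dropped)
        *dropped = lm_resp_dropped(&id, lm_len);
    return response_ok(&id, lm, nt);
}

int main(void)
{
    int fixed, win9x, dropped;

    for (fixed = 0; fixed <= 1; fixed++)
        for (win9x = 0; win9x <= 1; win9x++) {
            int ok = run_case(fixed, win9x, &dropped);
            printf("%s packer, %s client: accepted=%d lm_dropped=%d\n",
                   fixed ? "fixed" : "buggy",
                   win9x ? "LM-only" : "LM+NT", ok, dropped);
        }
    return 0;
}
```

A check like `lm_resp_dropped` at the point where the structure is filled turns a silent authentication failure into an immediate, local error.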
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: References: Message-ID: <3.0.6.32.20000220192357.00910b00@203.16.214.248> At 04:51 AM 2/20/00 +1100, Luke Kenneth Casson Leighton wrote: >> The only problem is that I can no longer authenticate Windows 98. It >> says "your password is invalid or your logon share is inaccessible" or >> somesuch. Note that this is the same TEST domain and user login which >> worked on Windows 2000, so I do not think my configuration is the >> problem. But who knows. >> > >> I have a 55K level 10 debug log of the entire failed effort; I would > >pat, recompile with ./configure.developer, increase to 100, look for smb >sessetupx requests. in between the request and the response will be a >NETLOGON connection to netlogond. examine this, find error messages. > >examine log.netlogon (may be log.NETLOGON), find what problem is. > >examine srv_netlogon_nt.c, fix problem :) Nope! Examine coder's head! Fix the problem :-) Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Sun Feb 20 10:12:13 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: Printing from Win9X is broken under Samba-TNG Message-ID: <3.0.6.32.20000220201213.008ebd00@203.16.214.248> Damn, Printing is broken ... Luke, what have you done? I shall have to fix that now too! Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From lonnie at borntreger.com Sun Feb 20 09:55:05 2000 From: lonnie at borntreger.com (Lonnie J. Borntreger) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220183105.00906290@203.16.214.248> Message-ID: <006601bf7b88$912d5860$0500000a@borntreger.com> Beautiful!!! It works. I can login, browse/access shares, and view user lists when setting sharing from the Win9x machine.. Only Win9x issue still remaining... The user manager and server manager report that the PDC can't be found. Server manager shows the samba server as BDC. Seems like an issue with Win9x/GETDC. Nice! Thanks, Lonnie Borntreger > -----Original Message----- 
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of > Richard Sharpe > Sent: Sunday, February 20, 2000 1:44 AM > To: Multiple recipients of list SAMBA-NTDOM > Subject: RE: TNG works with Win2k, fails with Win98 > > > At 02:50 PM 2/20/00 +1100, Richard Sharpe wrote: > >At 01:25 PM 2/20/00 +1000, Richard Sharpe wrote: > >>At 12:36 PM 2/20/00 +1100, you wrote: > >>>Hi, > >>> > >>Hmmm, OK, further checking seems to show that the E_P24 > routines and some > >>associated routines are working correctly. That is, Luke > has not perturbed > >>the E_P24 routine in changing things around. I now have to > check some > >>other avenues ... > > > >OK, it looks like the LM Challenge Response that was > returned is not making > >it all the way to smb_password_ok routine, as it is > different in the code > >to what ethereal shows it to be. > > OK, I think I have nailed it. make_id_info2 which was > building a structure > that is passed to netlogond via that damned complicated internal MSRPC > crap, was overwriting the lm_chal_resp with a constant! > > Fixing now. > > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, > www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux > SysAdmin course > Author: First Australian 2-day, intensive, hands-on Samba course > From sharpe at ns.aus.com Sun Feb 20 11:34:58 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <006601bf7b88$912d5860$0500000a@borntreger.com> References: <3.0.6.32.20000220183105.00906290@203.16.214.248> Message-ID: <3.0.6.32.20000220213458.008e9e30@203.16.214.248> At 08:57 PM 2/20/00 +1100, Lonnie J. Borntreger wrote: >Beautiful!!! It works. I can login, browse/access shares, and view user >lists when setting sharing from the Win9x machine.. > >Only Win9x issue still remaining... The user manager and server manager >report that the PDC can't be found. Server manager shows the samba server >as BDC. Seems like an issue with Win9x/GETDC. OK, where did you get Server manager and User Manager from? I have not looked at the GetDC issue yet ... If I can find the right programs I can look at it. Does printing work? >Nice! > >Thanks, >Lonnie Borntreger > >> -----Original Message----- 
>> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of >> Richard Sharpe >> Sent: Sunday, February 20, 2000 1:44 AM >> To: Multiple recipients of list SAMBA-NTDOM >> Subject: RE: TNG works with Win2k, fails with Win98 >> >> >> At 02:50 PM 2/20/00 +1100, Richard Sharpe wrote: >> >At 01:25 PM 2/20/00 +1000, Richard Sharpe wrote: >> >>At 12:36 PM 2/20/00 +1100, you wrote: >> >>>Hi, >> >>> >> >>Hmmm, OK, further checking seems to show that the E_P24 >> routines and some >> >>associated routines are working correctly. That is, Luke >> has not perturbed >> >>the E_P24 routine in changing things around. I now have to >> check some >> >>other avenues ... >> > >> >OK, it looks like the LM Challenge Response that was >> returned is not making >> >it all the way to smb_password_ok routine, as it is >> different in the code >> >to what ethereal shows it to be. >> >> OK, I think I have nailed it. make_id_info2 which was >> building a structure >> that is passed to netlogond via that damned complicated internal MSRPC >> crap, was overwriting the lm_chal_resp with a constant! >> >> Fixing now. >> >> >> Regards >> ------- >> Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), >> Samba (Team member, www.samba.org), Ethereal (Team member, >> www.zing.org) >> Co-author, SAMS Teach Yourself Samba in 24 Hours >> Author: First Australian 5-day, intensive, hands-on Linux >> SysAdmin course >> Author: First Australian 2-day, intensive, hands-on Samba course >> > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From lars at kneschke.de Sun Feb 20 10:51:46 2000 
From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 References: <3.0.6.32.20000220183105.00906290@203.16.214.248> <3.0.6.32.20000220213458.008e9e30@203.16.214.248> Message-ID: <38AFC742.2FA22F9A@kneschke.de> Richard Sharpe wrote: > > At 08:57 PM 2/20/00 +1100, Lonnie J. Borntreger wrote: > >Beautiful!!! It works. I can login, browse/access shares, and view user > >lists when setting sharing from the Win9x machine.. > > > >Only Win9x issue still remaining... The user manager and server manager > >report that the PDC can't be found. Server manager shows the samba server > >as BDC. Seems like an issue with Win9x/GETDC. > > OK, where did you get Server manager and User Manager from? > http://de.samba.org/samba/docs/ntdom_faq/page5.html The fine Samba NTDOM FAQ! :-) Cu -- Watch our projects at http://www.kneschke.de/projekte! ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer From sharpe at ns.aus.com Sun Feb 20 14:08:38 2000 
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:41 2003
Subject: TNG works with Win2k, fails with Win98
In-Reply-To: <38AFC742.2FA22F9A@kneschke.de>
References: <3.0.6.32.20000220183105.00906290@203.16.214.248> <3.0.6.32.20000220213458.008e9e30@203.16.214.248>
Message-ID: <3.0.6.32.20000221000838.008f3570@203.16.214.248>

At 10:51 AM 2/20/00 +0000, Lars Kneschke wrote:
>Richard Sharpe wrote:
>>
>> At 08:57 PM 2/20/00 +1100, Lonnie J. Borntreger wrote:
>> >Beautiful!!! It works. I can login, browse/access shares, and view user
>> >lists when setting sharing from the Win9x machine..
>> >
>> >Only Win9x issue still remaining... The user manager and server manager
>> >report that the PDC can't be found. Server manager shows the samba server
>> >as BDC. Seems like an issue with Win9x/GETDC.
>>
>> OK, where did you get Server manager and User Manager from?

OK, I can see the difference in what we are returning ...

nmbd_processlogon.c is returning too much info for the moment.

An NT4.0 system returns much less in a GETDC response ... I will hack it
back but I fear that Win2000 will not be happy ... Will test that next week.

>Cu
>--
>Watch our projects at http://www.kneschke.de/projekte!
>ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course

From sharpe at ns.aus.com Sun Feb 20 14:17:06 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:41 2003
Subject: TNG works with Win2k, fails with Win98
Message-ID: <3.0.6.32.20000221001706.008ef790@203.16.214.248>

>> At 08:57 PM 2/20/00 +1100, Lonnie J. Borntreger wrote:
>> >Beautiful!!! It works. I can login, browse/access shares, and view user
>> >lists when setting sharing from the Win9x machine..
>> >
>> >Only Win9x issue still remaining... The user manager and server manager
>> >report that the PDC can't be found. Server manager shows the samba server
>> >as BDC. Seems like an issue with Win9x/GETDC.
>>
>> OK, where did you get Server manager and User Manager from?

Well, I now have Server Manager finding the PDC, but it displays my PDC as
a Workstation, and there are a whole bunch of MSRPCs being thrown around
that I cannot yet figure out :-(

In the response to a GETDC, you have to return just the PDC name and none
of the extra stuff. I think that this happens if you get a short GETDC
request, but I have not coded it up properly yet. I have other things to do.

>Cu
>--
>Watch our projects at http://www.kneschke.de/projekte!
>ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer
>

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course

From patl at cag.lcs.mit.edu Sun Feb 20 14:08:56 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:41 2003
Subject: TNG works with Win2k, fails with Win98
In-Reply-To: Richard Sharpe's message of "Sun, 20 Feb 2000 19:08:02 +1100"
References: <3.0.6.32.20000220185712.00869be0@203.16.214.248>
Message-ID:

Richard Sharpe writes:

> OK,
>
> Now, from Win98 I get:
>
> You were successfully logged on to SAMBA1 as win95user by \\LINSRV1 with
> USER privilege.

Fantastic!! Many thanks.

> Make it Sam Bass please. We drink real beer here in Oz :-)
>
> Actually, I would not advise sending a case of beer to OZ. Keep it until I
> get to a conference in the US! Then we can share it among the members of
> the team who are there.

I look forward to it.

I just have one more question... Are we in feature freeze yet? :-)

 - Pat

From S.J.Hodgson-99 at student.lboro.ac.uk Sun Feb 20 15:03:56 2000
From: S.J.Hodgson-99 at student.lboro.ac.uk (Simon Hodgson)
Date: Tue Dec 2 02:28:41 2003
Subject: RPC Client Problems
Message-ID:

When I run rpc client I get the following errors

./rcpdcclient -s . -U root

socket connect to tmp/.smb.0/agent failed: Connection Refused
error connecting to 255.255.255.255:445 (Network is unreachable)
error connecting to 225.255.255.255:139 (Network is unreahcable)
cli_established_connection: failed to connect to MYSERVER<00>
(255.255.255.255)
cli_net_use_add: connection failed

I need to be able to connect to make my Samba server a PDC, is there
something I might be doing wrong?

Many Thanks

Simon Hodgson
S.J.Hodgson-99@student.lboro.ac.uk

From sidious at dark-jedi.net Sun Feb 20 15:34:10 2000
From: sidious at dark-jedi.net (Sidious)
Date: Tue Dec 2 02:28:41 2003
Subject: Win2k pro / PDC problems
In-Reply-To:
Message-ID:

On Sun, 20 Feb 2000, Luke Kenneth Casson Leighton wrote:

> sidious,
>
> how many letters in the name of your domain, server and nt5rtm box?
> please change each of these by one letter in length (one at a time) and
> let me know if it works.
>
> thx.

Samba server is elvis
Win2k workstation is harvey
domain name is kravshera

I tried increasing the characters on everything by 1 (just set names to
elvis1, harvey1, kravshera1) but still no luck.

Paul

From patl at cag.lcs.mit.edu Sun Feb 20 20:14:16 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:41 2003
Subject: TNG works with Win2k, fails with Win98
In-Reply-To: Richard Sharpe's message of "Sun, 20 Feb 2000 19:08:02 +1100"
References: <3.0.6.32.20000220185712.00869be0@203.16.214.248>
Message-ID:

OK, current CVS works a lot better, but I still have two problems.

First, my Win98 machine still fails to log on the first time I try,
but works the second and subsequent times. I am not even re-typing
the password; I just click "OK" the second time and it works. If,
after it is working, I wait a few minutes *or* try to log on as
someone else, it again fails once and then succeeds.

Second, my netlogon script is not running for Win98 nor for Win2k (is
it even supposed to for the latter?). I am guessing this has
something to do with the netlogon share or the "home" share or
something.

Is it possible that using smbd and nmbd from the HEAD branch would be
better? Is that even still supported with TNG?

Thanks...

 - Pat

From mgeddes at xavier.sa.edu.au Sun Feb 20 22:07:57 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:41 2003
Subject: RPC Client Problems
References:
Message-ID: <38B065BD.445A4777@xavier.sa.edu.au>

Simon Hodgson wrote:
>
> When I run rpc client I get the following errors
>
> /rcpdcclient -s . -U root
>
> socket connect to tmp/.smb.0/agent failed: Connection Refused
> error connecting to 255.255.255.255:445 (Network is unreachable)
> error connecting to 225.255.255.255:139 (Network is unreahcable)
> cli_established_connection: failed to connect to MYSERVER<00>
> (255.255.255.255)
> cli_net_use_add: connection failed
>
> I need to be able to connect to make my Samba server a PDC, is there
> something I might be doing wrong?
>
> Many Thanks
>
> Simon Hodgson
> S.J.Hodgson-99@student.lboro.ac.uk

Errr. Can you ping any other machine from the PDC? I only had that
problem when I had no running network interfaces....

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
 - Lucovsky, Microsoft

From sharpe at ns.aus.com Sun Feb 20 23:16:04 2000
From: sharpe at ns.aus.com (Richard Sharpe)
Date: Tue Dec 2 02:28:41 2003
Subject: Problems with Samba-TNG and Win9X etc
Message-ID: <3.0.6.32.20000221091604.008ff100@203.16.214.248>

Hi

I have been looking at the GETDC and other response, and it looks like
Windows gets confused by a number of things.

I think that Samba-TNG should respond to a cut-down GETDC request with a
cut-down GETDC response. This is easy to do in nmbd/nmbd_processlogon.c by
noting the length of the incoming request, and if it is short (ie, ends in
the name of the domain the PDC is being sought for, instead of including
the last few parameters) then we should only send back the name of the PDC.

I will probably code this up later today and upload it to the CVS tree.

Regards
-------
Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-),
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Co-author, SAMS Teach Yourself Samba in 24 Hours
Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course
Author: First Australian 2-day, intensive, hands-on Samba course

From patl at cag.lcs.mit.edu Sun Feb 20 23:49:23 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: patl@cag.lcs.mit.edu's message of "Mon, 21 Feb 2000 07:18:34 +1100" References: <3.0.6.32.20000220185712.00869be0@203.16.214.248> Message-ID: patl@cag.lcs.mit.edu (Patrick J. LoPresti) writes: > First, my Win98 machine still fails to log on the first time I try, > but works the second and subsequent times. I applied a patch (appended) to msrpc_netlogon.c to output the MD4 sum of the trust account password. Should I expect this value to change? It does for me... A similar patch to srv_netlogon_nt.c shows that the trust password as seen from there does NOT change. And when the code below prints out the same value, I can log in; when it differs, I can't. I am going to continue trying to track this down, but I thought I would see if anyone on this list had any ideas for things to try. - Pat RCS file: /cvsroot/samba/source/rpc_client/Attic/msrpc_netlogon.c,v retrieving revision 1.1.2.20 diff -u10 -r1.1.2.20 msrpc_netlogon.c --- msrpc_netlogon.c 2000/02/20 05:47:01 1.1.2.20 +++ msrpc_netlogon.c 2000/02/20 23:36:45 @@ -106,20 +107,22 @@ ("domain_client_validate: could not find domain %s\n", domain)); return False; } if (!msrpc_lsa_query_trust_passwd("\\\\.", "$MACHINE.ACC", trust_passwd, NULL)) { return False; } + + dump_data_pw ("trustpw:", trust_passwd, 16); /* * At this point, smb_apasswd points to the lanman response to * the challenge in local_challenge, and smb_ntpasswd points to * the NT response to the challenge in local_challenge. Ship * these over the secure channel to a domain controller and * see if they were valid. */ /* From patl at cag.lcs.mit.edu Mon Feb 21 01:00:54 2000 
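Review bot: the added call dump_data_pw ("trustpw:", trust_passwd, 16); placed right after msrpc_lsa_query_trust_passwd() writes the 16-byte trust account hash into the debug log, and that hash is the secret the following "secure channel" step depends on. Keep this as a local debugging patch rather than committing it, or make sure the output can only appear in builds compiled with the DEBUG_PASSWORD define mentioned earlier in the thread, and scrub the value from any log that gets posted. The bare 16 would also read better as a named length. The hunk header moves from line 106 to 107, so an earlier one-line change to this file is missing from the posted patch; please include it.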
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: patl@cag.lcs.mit.edu's message of "Mon, 21 Feb 2000 10:54:12 +1100" References: <3.0.6.32.20000220185712.00869be0@203.16.214.248> Message-ID: The story so far... My current problem appears to be that this call: msrpc_lsa_query_trust_passwd("\\\\.", "$MACHINE.ACC", trust_passwd, NULL)) ...does not always place the same value in trust_passwd. This is causing my logons to fail from time to time. Could this have something to do with the fact that I never created a machine account for my Samba PDC? Just in case, I tried to create one like so (EGGHEAD is both the PDC and local host): samedit -S . -U root -l log createuser EGGHEAD$ -j And the result was: SAM Create Domain User Domain: TEST Name: EGGHEAD$ ACB: [W ] Create Domain User: OK Join EGGHEAD to Domain TEST Set $MACHINE.ACC: OK However, when I examine smbpasswd, no entry has been created for EGGHEAD$. The same sequence works fine for creating other accounts, just not this one. Yes, I have a user "root" in smbpasswd. Yes, I have an EGGHEAD$ account in /etc/passwd. What am I doing wrong? How can I create an entry for my PDC in smbpasswd? Should I care that I can't? - Pat From lkcl at samba.org Mon Feb 21 01:15:25 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220183105.00906290@203.16.214.248> Message-ID: > OK, I think I have nailed it. make_id_info2 which was building a structure > that is passed to netlogond via that damned complicated internal MSRPC > crap, :) > was overwriting the lm_chal_resp with a constant! > Fixing now. thx richard. From lkcl at samba.org Mon Feb 21 01:17:10 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000220190821.00856e90@203.16.214.248> Message-ID: On Sun, 20 Feb 2000, Richard Sharpe wrote: > Luke, You IDIOT! > > When you cut and paste, you have to make sure you fix up the variable names. > > All it was that was preventing Win9X clients from logging in and accessing > Samba TNG was that you were calculating MIN(nt_chal_len, sizeof(lm_owf)) > when that should have been lm_chal_len!! Of course it was zero and as a > result you were passing through an initialized buffer instead of the > lm_chal_resp! *muur*. yeah, i moved the code that did 24-byte challenge/responses and had to make it all variable-length structures, instead, to do NTLMv2. From lkcl at samba.org Mon Feb 21 01:18:11 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: Printing from Win9X is broken under Samba-TNG In-Reply-To: <3.0.6.32.20000220201213.008ebd00@203.16.214.248> Message-ID: leave that to jean-francois... uh... win95? absolutely no idea. On Sun, 20 Feb 2000, Richard Sharpe wrote: > Damn, > > Printing is broken ... Luke, what have you done? > > I shall have to fix that now too! > > > > Regards > ------- > Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), > Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) > Co-author, SAMS Teach Yourself Samba in 24 Hours > Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course > Author: First Australian 2-day, intensive, hands-on Samba course > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From zen at uninet.net.id Mon Feb 21 01:07:56 2000 
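The copy-and-paste slip Richard describes above (the LM copy sized from nt_chal_len instead of lm_chal_len), as an added stand-alone C example; it is not the Samba-TNG source, and struct id_info, the function names and the sample responses are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define RESP_LEN 24 /* classic LM / NT challenge responses are 24 bytes */

/* Hypothetical stand-in for the structure handed to netlogond. */
struct id_info {
    uint8_t lm_owf[RESP_LEN];
    size_t  lm_len;
    uint8_t nt_owf[RESP_LEN];
    size_t  nt_len;
};

/* Copy at most cap bytes; an absent response (NULL or length 0) copies nothing. */
static size_t copy_resp(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    size_t n = MIN(len, cap);
    if (src == NULL || n == 0)
        return 0;
    memcpy(dst, src, n);
    return n;
}

/* BEFORE: the LM length is taken from nt_chal_len. With an NT length of
 * zero the LM field stays at its initialised value. It would also over-read
 * lm_chal_resp if nt_chal_len were larger than lm_chal_len; the demo below
 * never calls it that way. */
void make_id_info_buggy(struct id_info *id,
                        const uint8_t *lm_chal_resp, size_t lm_chal_len,
                        const uint8_t *nt_chal_resp, size_t nt_chal_len)
{
    (void)lm_chal_len; /* never consulted: that is the bug */
    memset(id, 0, sizeof(*id));
    id->lm_len = copy_resp(id->lm_owf, sizeof(id->lm_owf), lm_chal_resp, nt_chal_len);
    id->nt_len = copy_resp(id->nt_owf, sizeof(id->nt_owf), nt_chal_resp, nt_chal_len);
}

/* AFTER: each response is bounded by its own length. */
void make_id_info_fixed(struct id_info *id,
                        const uint8_t *lm_chal_resp, size_t lm_chal_len,
                        const uint8_t *nt_chal_resp, size_t nt_chal_len)
{
    memset(id, 0, sizeof(*id));
    id->lm_len = copy_resp(id->lm_owf, sizeof(id->lm_owf), lm_chal_resp, lm_chal_len);
    id->nt_len = copy_resp(id->nt_owf, sizeof(id->nt_owf), nt_chal_resp, nt_chal_len);
}

/* Server side: accept only a full-length LM response that matches. */
int lm_response_ok(const struct id_info *id, const uint8_t *expected)
{
    return id->lm_len == RESP_LEN && memcmp(id->lm_owf, expected, RESP_LEN) == 0;
}

/* Constructed logon. send_nt = 0 models a client that supplies only the LM
 * response (the Win9x case in the thread); send_nt = 1 supplies both. */
int logon_accepted(int use_fixed, int send_nt)
{
    uint8_t lm[RESP_LEN], nt[RESP_LEN];
    struct id_info id;
    size_t i;

    for (i = 0; i < RESP_LEN; i++) {
        lm[i] = (uint8_t)(0xA0 + i); /* constructed sample bytes */
        nt[i] = (uint8_t)(0x40 + i);
    }
    if (use_fixed)
        make_id_info_fixed(&id, lm, sizeof(lm), send_nt ? nt : NULL, send_nt ? sizeof(nt) : 0);
    else
        make_id_info_buggy(&id, lm, sizeof(lm), send_nt ? nt : NULL, send_nt ? sizeof(nt) : 0);
    return lm_response_ok(&id, lm);
}

int main(void)
{
    printf("buggy, LM only : %d\n", logon_accepted(0, 0));
    printf("buggy, LM + NT : %d\n", logon_accepted(0, 1));
    printf("fixed, LM only : %d\n", logon_accepted(1, 0));
    printf("fixed, LM + NT : %d\n", logon_accepted(1, 1));
    return 0;
}
```

The buggy builder still passes when both responses have the same length, which is why the fault only showed up for clients that send no NT response.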
From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:41 2003 Subject: Samba-TNG 0.5 Message-ID: <00022108211300.00650@zen.sphenisci.or.id> I've just compiled and run the TNG-0.5. It works fine... I notice there is a regedit. Is it meant to be able to run against all hives in Windows NT 4 and 5 registry? I didn't find the manual of it. Is there an explanation of this tool in Lars Kneschke site? I have to tell that I really enjoy and am amazed by how people in this Samba team work. I just want to say that you are doing very great. Or to quote from a Whitney Houston's song: You all SIMPLY THE BEST :-D -- ZEN VP of Jakarta Linux User Group zen@jakarta.linux.or.id ================================= SPHEnisci Team http://www.sphenisci.or.id ================================= Make sure it's LINUX, and Do the SAMBA (62-21) 845 5355 zen@uninet.net.id zen@sphenisci.or.id From lkcl at samba.org Mon Feb 21 01:29:14 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000221000838.008f3570@203.16.214.248> Message-ID: > OK, I can see the difference in what we are returning ... > nmbd_processlogon.c is returning too much info for the moment. An NT4.0 > system returns much less in a GETDC response ... I will hack it back but I no! please don't do that, no-one _else_ will be able to use tng at _all_ if you do that. [to say that i care more about nt than win9x implies that i have some sort of feeling towards win9x, when i would actually be happier if it dropped off the face of the earth.] so, i care more about nt users than win9x, so please don't make any changes that will lock out nt. thx, luke From lkcl at samba.org Mon Feb 21 01:30:48 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000221001706.008ef790@203.16.214.248> Message-ID: > In the response to a GETDC, you have to return just the PDC name and none > of the extra stuff. I think that this happens if you get a short GETDC > request, but I have not coded it up properly yet. I have other things to do. well, if you send the short-getdc request to the list, i [or others] can take a look at it. thx, luke From Jean-Francois.Micouleau at dalalu.fr Mon Feb 21 01:36:05 2000 From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau) Date: Tue Dec 2 02:28:41 2003 Subject: Printing from Win9X is broken under Samba-TNG In-Reply-To: Message-ID: On Mon, 21 Feb 2000, Luke Kenneth Casson Leighton wrote: > leave that to jean-francois... uh... win95? absolutely no idea. on W95 ? don't know. From lkcl at samba.org Mon Feb 21 01:37:28 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: > Are we in feature freeze yet? :-) well, we don't have complete features yet, so no, not really. for example, connections are made (SMB) over which DCE/RPC function calls are sent, but either the client or the server can drop the connection. now, do you _want_ me to add a "feature" which allows connections to be automatically reestablished, or do you want me to freeze functionality now, with the consequences that your system may be unreliable? ok, i'm being silly. i'm a little over-sensitive about the comments i saw on linuxcare's website saying i don't know how to work in a production environment (hi guys! saw your running commentary on the lists, i absolutely loved it, it's a scream. i _am_ a little miffed about the code-freeze comments though). lukes From lkcl at samba.org Mon Feb 21 01:37:57 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: RPC Client Problems In-Reply-To: Message-ID: -S not -s > When I run rpc client I get the following errors > > /rcpdcclient -s . -U root From lkcl at samba.org Mon Feb 21 01:38:49 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: Win2k pro / PDC problems In-Reply-To: Message-ID: ok, create logs level 100, see what's going on. also recompile with -DDEBUG_PASSWORD. On Sun, 20 Feb 2000, Sidious wrote: > > On Sun, 20 Feb 2000, Luke Kenneth Casson Leighton wrote: > > > sidious, > > > > how many letters in the name of your domain, server and nt5rtm box? > > please change each of these by one letter in length (one at a time) and > > let me know if it works. > > > > thx. > > Samba server is elvis > Win2k workstation is harvey > domain name is kravshera > > I tried increasing the characters on everything by 1 (just set names to > elvis1, harvey1, kravshera1) but still no luck. > > Paul > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 02:04:43 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: > Second, my netlogon script is not running for Win98 nor for Win2k (is > it even supposed to for the latter?). *ah*. that. see, we have a real problem, there. netlogin scripts were added as a hack to the nt domain code. hmmm... let me take a look-see From lkcl at samba.org Mon Feb 21 02:13:16 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: Problems with Samba-TNG and Win9X etc In-Reply-To: <3.0.6.32.20000221091604.008ff100@203.16.214.248> Message-ID: On Mon, 21 Feb 2000, Richard Sharpe wrote: > Hi > > I have been looking at the GETDC and other response, and it looks like > Windows gets confused by a number of things. > > I think that Samba-TNG should respond to a cut-down GETDC request with a > cut-down GETDC response. This is easy to do in nmbd/nmbd_processlogon.c by > noting the length of the incoming request, and if it is short (ie, ends in > the name of the domain the PDC is being sought for, instead of including > the last few parameters) then we should only send back the name of the PDC. yep. that's the way to do it. the last string is non-unicode. > I will probably code this up later today and upload it to the CVS tree. thanks richard!! From lkcl at samba.org Mon Feb 21 02:25:01 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: i removed the code that requires samba servers to be joined to their own domain (see cvs message last week). On Mon, 21 Feb 2000, Patrick J. LoPresti wrote: > The story so far... > > My current problem appears to be that this call: > > msrpc_lsa_query_trust_passwd("\\\\.", "$MACHINE.ACC", trust_passwd, NULL)) > > ..does not always place the same value in trust_passwd. This is > causing my logons to fail from time to time. > > Could this have something to do with the fact that I never created a > machine account for my Samba PDC? Just in case, I tried to create one > like so (EGGHEAD is both the PDC and local host): > > samedit -S . -U root -l log > createuser EGGHEAD$ -j > > And the result was: > > SAM Create Domain User > Domain: TEST Name: EGGHEAD$ ACB: [W ] > Create Domain User: OK > Join EGGHEAD to Domain TEST > Set $MACHINE.ACC: OK > > However, when I examine smbpasswd, no entry has been created for > EGGHEAD$. The same sequence works fine for creating other accounts, > just not this one. Yes, I have a user "root" in smbpasswd. Yes, I > have an EGGHEAD$ account in /etc/passwd. > > What am I doing wrong? How can I create an entry for my PDC in > smbpasswd? Should I care that I can't? > > - Pat > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 02:25:34 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: > have an EGGHEAD$ account in /etc/passwd. remove it, it's not needed, From lkcl at samba.org Mon Feb 21 02:26:47 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: Samba-TNG 0.5 In-Reply-To: <00022108211300.00650@zen.sphenisci.or.id> Message-ID: On Mon, 21 Feb 2000, ZEN el GUAY wrote: > I've just compiled and run the TNG-0.5. It works fine... I notice there is a > regedit. Is it meant to be able to run against all hives in Windows NT 4 and 5 > registry? yep. issue a help command and then help commandname From patl at cag.lcs.mit.edu Mon Feb 21 03:25:52 2000 From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Luke Kenneth Casson Leighton's message of "Mon, 21 Feb 2000 13:28:03 +1100" References: Message-ID: Luke Kenneth Casson Leighton writes: > i removed the code that requires samba servers to be joined to their own > domain (see cvs message last week). OK. Let me repeat my problem then, at least as I have tracked it so far. > > My current problem appears to be that this call: > > > > msrpc_lsa_query_trust_passwd("\\\\.", "$MACHINE.ACC", trust_passwd, NULL)) > > > > ..does not always place the same value in trust_passwd. This is > > causing my logons to fail from time to time. This code is in msrpc_netlogon.c:domain_client_validate(), line 111 or so. This is where the client code is getting hold of the workstation trust password to compute the session key. My authentication is failing once because the same call in netlogond is getting a different value for the trust password, thus disagreeing about the correct value for the session key. The second login attempt succeeds because the trust account password (and session key) match both in this code and in netlogond. (I have logs demonstrating this if you are interested.) I apologize if this is a stupid question, but isn't the $MACHINE.ACC trust password supposed to be constant? - Pat From lkcl at samba.org Mon Feb 21 03:40:02 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: On 20 Feb 2000, Patrick J. LoPresti wrote: > Luke Kenneth Casson Leighton writes: > > > i removed the code that requires samba servers to be joined to their own > > domain (see cvs message last week). > > OK. > > Let me repeat my problem then, at least as I have tracked it so far. > > > > My current problem appears to be that this call: > > > > > > msrpc_lsa_query_trust_passwd("\\\\.", "$MACHINE.ACC", trust_passwd, NULL)) > > > > > > ..does not always place the same value in trust_passwd. This is > > > causing my logons to fail from time to time. > > This code is in msrpc_netlogon.c:domain_client_validate(), line 111 or > so. This is where the client code is getting hold of the workstation > trust password to compute the session key. My authentication is > failing once because the same call in netlogond is getting a different > value for the trust password, thus disagreeing about the correct value > for the session key. The second login attempt succeeds because the > trust account password (and session key) match both in this code and > in netlogond. (I have logs demonstrating this if you are interested.) > > I apologize if this is a stupid question, but isn't the $MACHINE.ACC > trust password supposed to be constant? check param/loadparm.c it should have machine_trust_password_timeout = 60*60*24*7, if there's a line saying =60, you got a cvs update _just_ when i was doing some tests :) From patl at cag.lcs.mit.edu Mon Feb 21 03:44:05 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Luke Kenneth Casson Leighton's message of "Mon, 21 Feb 2000 12:52:03 +1100" References: Message-ID: Luke Kenneth Casson Leighton writes: > now, do you _want_ me to add a "feature" which allows connections to > be automatically reestablished, or do you want me to freeze > functionality now, with the consequences that your system may be > unreliable? I would call that a bug fix, but I agree the line is blurry. > ok, i'm being silly. i'm a little over-sensitive about the comments > i saw on linuxcare's website saying i don't know how to work in a > production environment (hi guys! saw your running commentary on the > lists, i absolutely loved it, it's a scream. i _am_ a little miffed > about the code-freeze comments though). Luke, everybody thinks you are amazing. When anybody says "You should...", they actually mean, "Might you please consider..." *Nobody* making suggestions feels anything towards you other than gratitude and a bit of awe. It's just that some of us really want to use your stuff in a production environment soon. (In my case, very, very soon...) Anyway, I apologize if I touched a nerve. Go rewrite the RPC layer from scratch again if it will make you happy :-). - Pat From patl at cag.lcs.mit.edu Mon Feb 21 03:48:40 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Luke Kenneth Casson Leighton's message of "Mon, 21 Feb 2000 14:40:02 +1100" References: Message-ID: Luke Kenneth Casson Leighton writes: > check param/loadparm.c it should have machine_trust_password_timeout = > 60*60*24*7, if there's a line saying =60, you got a cvs update _just_ when > i was doing some tests :) Sure enough, here are two consecutive lines from that file: Globals.machine_password_timeout = 60*60*24*7; /* 7 days default. */ Globals.machine_password_timeout = 60; /* 7 days default. */ OK, that's pretty funny. Luke, the designers of CVS never anticipated *anybody* like you. - Pat From mgeddes at xavier.sa.edu.au Mon Feb 21 04:59:39 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:41 2003 Subject: Samba-TNG 0.5 References: <00022108211300.00650@zen.sphenisci.or.id> Message-ID: <38B0C63B.245ED9CF@xavier.sa.edu.au> ZEN el GUAY wrote: > > I've just compiled and run the TNG-0.5. It works fine... Yeah, ummm. Is there any difference between joining a domain controlled by 0.3 and 0.5 from NT WKS? I have the same configuration as I did with a successful 0.3 and I can't make NT workstation join the domain. I have tried using the root account as well as various other Domain Administrator accounts. I also tried to create the account on the server and then join the domain. Any suggestions? Thanks, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Mon Feb 21 05:32:13 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: > > functionality now, with the consequences that your system may be > > unreliable? > > I would call that a bug fix, but I agree the line is blurry. not helped by me basically going, hm, what shall i do with samba today, for over two years. also not helped by this nt domains thing being so... comprehensive, you really _can't_ take it in stages (well, you can, and we have: nt domain member, the 2.0.x series; the next stage is full nt domain support). > Luke, everybody thinks you are amazing. When anybody says "You > should...", they actually mean, "Might you please consider..." now you've gone and embarrassed me, there's a thousand people on this list! :) > *Nobody* making suggestions feels anything towards you other than > gratitude and a bit of awe. It's just that some of us really want to > use your stuff in a production environment soon. (In my case, very, > very soon...) yeah, that's what happened two years ago, too. well, if that's really what you want, then every time you come across a problem, give me a decent report and track down the bug to actual lines of code or a specific DEBUG message. > Anyway, I apologize if I touched a nerve. Go rewrite the RPC layer > from scratch again if it will make you happy :-). well i _would_ be more comfortable with auto-generated code. once you have the basic types right, and you're happy with all of them, it's much easier to be confident that some new auto-generated code is also going to be ok. we're still coming across 4-byte alignment issues, and it's been over two years, now. _but_... that's going to take a while, so we'll roll with the hand-coded stuff for now. we need to write an IDL compiler. lukes From lkcl at samba.org Mon Feb 21 05:53:37 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: :)actually, nobody else anticipated anybody like me, including myself. if you do a cvs update this line will disappear. *however*... it seems like you've brought up a _really_ important point: there is a race condition that can result in intermittent login failures. hmmm.... hmmm..... how am i going to fix this? i store the old value, but that's kind-of tacky, reading new value of $MACHINE.ACC and old value of $MACHINE.ACC and checking _two_ logins! it wouldn't surprise me if that's what the NT team chose to do, however, otherwise they wouldn't have put old value in the LSA-secrets store. *sigh*. ok. so you made a connection, and it failed. second time, it worked. thanks for finding this, it would have been one of those bitch-to-find bugs as it would only come up once a week. On 20 Feb 2000, Patrick J. LoPresti wrote: > Luke Kenneth Casson Leighton writes: > > > check param/loadparm.c it should have machine_trust_password_timeout = > > 60*60*24*7, if there's a line saying =60, you got a cvs update _just_ when > > i was doing some tests :) > > Sure enough, here are two consecutive lines from that file: > > Globals.machine_password_timeout = 60*60*24*7; /* 7 days default. */ > Globals.machine_password_timeout = 60; /* 7 days default. */ > > > OK, that's pretty funny. > > Luke, the designers of CVS never anticipated *anybody* like you. > > - Pat > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From mgeddes at xavier.sa.edu.au Mon Feb 21 06:11:18 2000 
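The race Luke describes above (one side reads $MACHINE.ACC before the timeout rotates it, the other side after) and the "check the old value too" remedy he mentions, as an added stand-alone C example; it is not Samba-TNG code, and struct trust_store, the function names, the sample secrets and the stand-in key derivation are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRUST_LEN 16 /* the thread dumps 16 bytes of trust_passwd */

enum verdict { REJECTED = 0, MATCHED_CURRENT = 1, MATCHED_PREVIOUS = 2 };

/* Hypothetical secret store keeping the current and one previous value. */
struct trust_store {
    uint8_t current[TRUST_LEN];
    uint8_t previous[TRUST_LEN];
    int     has_previous;
};

/* Stand-in key derivation: 64-bit FNV-1a over secret || challenge.
 * NOT cryptographic and NOT the real NETLOGON computation; it only makes
 * the resulting key depend on the secret that was read. */
static uint64_t toy_session_key(const uint8_t *secret,
                                const uint8_t *chal, size_t chal_len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t i;

    for (i = 0; i < TRUST_LEN; i++)
        h = (h ^ secret[i]) * 0x100000001b3ULL;
    for (i = 0; i < chal_len; i++)
        h = (h ^ chal[i]) * 0x100000001b3ULL;
    return h;
}

/* Rotation keeps exactly one old value, then installs the fresh one. */
void trust_rotate(struct trust_store *s, const uint8_t *fresh)
{
    memcpy(s->previous, s->current, TRUST_LEN);
    s->has_previous = 1;
    memcpy(s->current, fresh, TRUST_LEN);
}

/* Verify a key against the current secret and, optionally, the previous
 * one. The caller can log MATCHED_PREVIOUS to see how often the race hits. */
enum verdict trust_verify(const struct trust_store *s, int accept_previous,
                          const uint8_t *chal, size_t chal_len,
                          uint64_t client_key)
{
    if (toy_session_key(s->current, chal, chal_len) == client_key)
        return MATCHED_CURRENT;
    if (accept_previous && s->has_previous &&
        toy_session_key(s->previous, chal, chal_len) == client_key)
        return MATCHED_PREVIOUS;
    return REJECTED;
}

/* One logon: the validating side reads the secret, the timeout may fire,
 * then the other side reads the store and checks the key. */
enum verdict simulate_logon(int rotate_between_reads, int accept_previous)
{
    static const uint8_t chal[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    struct trust_store store;
    uint8_t fresh[TRUST_LEN], first_read[TRUST_LEN];
    size_t i;

    memset(&store, 0, sizeof(store));
    for (i = 0; i < TRUST_LEN; i++)
        store.current[i] = (uint8_t)i;          /* constructed secret A */
    memcpy(fresh, store.current, TRUST_LEN);
    fresh[TRUST_LEN - 1] = 0xFF;                /* constructed secret B */

    memcpy(first_read, store.current, TRUST_LEN);   /* first reader  */
    if (rotate_between_reads)
        trust_rotate(&store, fresh);                /* timeout fires */
    return trust_verify(&store, accept_previous, chal, sizeof(chal),
                        toy_session_key(first_read, chal, sizeof(chal)));
}

int main(void)
{
    printf("no rotation             : %d\n", simulate_logon(0, 0));
    printf("rotation, current only  : %d\n", simulate_logon(1, 0));
    printf("rotation, previous kept : %d\n", simulate_logon(1, 1));
    return 0;
}
```

Accepting the previous value also keeps an old secret valid for one more rotation period, so the store holds a single previous value and nothing older.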
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:41 2003 Subject: PAM_SMBPASS Message-ID: <38B0D706.F9D97AA5@xavier.sa.edu.au> Hi Guys, Has PAM_SMBPASS or mr vorlon surfaced yet? Thanks, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Mon Feb 21 06:21:47 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:41 2003 Subject: PAM_SMBPASS In-Reply-To: <38B0D706.F9D97AA5@xavier.sa.edu.au> Message-ID: On Mon, 21 Feb 2000, Matthew Geddes wrote: > > Hi Guys, > > Has PAM_SMBPASS or mr vorlon surfaced yet? his name's steve, vorlon@express.net, i think :) From skvidal at phy.duke.edu Mon Feb 21 07:08:20 2000 From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:41 2003 Subject: PAM_SMBPASS In-Reply-To: Message-ID: > his name's steve, vorlon@express.net, i think :) wrong address( bouncy bouncy bouncy :) -sv From inge at cc.uit.no Mon Feb 21 09:33:06 2000 From: inge at cc.uit.no (=?iso-8859-1?Q?Inge=2DH=E5vard?= Hunstad) Date: Tue Dec 2 02:28:41 2003 Subject: PAM_SMBPASS References: Message-ID: <38B10652.E21C5C23@cc.uit.no> Seth Vidal wrote: > > > his name's steve, vorlon@express.net, i think :) > The last time mr. Langasek mailed this list he used this address: vorlon@netexpress.net Hope this helps. inge From sharpe at ns.aus.com Mon Feb 21 00:45:29 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:41 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: References: Message-ID: <3.0.6.32.20000221104529.00932e70@203.16.214.248> At 02:47 PM 2/21/00 +1100, Patrick J. LoPresti wrote: >Luke Kenneth Casson Leighton writes: > >> ok, i'm being silly. i'm a little over-sensitive about the comments >> i saw on linuxcare's website saying i don't know how to work in a >> production environment (hi guys! saw your running commentary on the >> lists, i absolutely loved it, it's a scream. i _am_ a little miffed >> about the code-freeze comments though). > >Luke, everybody thinks you are amazing. When anybody says "You >should...", they actually mean, "Might you please consider..." Well, hang on there ... He's not the messiah you know, he's just a naughty boy :-) Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From ed at schernau.com Mon Feb 21 12:15:14 2000 From: ed at schernau.com (Edward Schernau) Date: Tue Dec 2 02:28:42 2003 Subject: cvsweb Message-ID: <38B12C52.8C92908D@schernau.com> Can't seem to get to files via cvsweb on samba.org. How do you download from there? -- Edward Schernau http://www.schernau.com Network Architect mailto:ed@schernau.com Rational Computing Providence, RI, USA From paulken at metaphor.no Mon Feb 21 13:45:23 2000 
From: paulken at metaphor.no (Paul Kenneth Egell-Johnsen) Date: Tue Dec 2 02:28:42 2003 Subject: Authenticaion of NT users to their Unix user space via Samba. Message-ID: <38B14173.DBE06E7A@metaphor.no> I'm sorry to burst in this door, I've read the faq, I've searched the samba.org site, and I don't know what to do, even now. The problem is this, I have a network with SGI computers whose shared drives some NT workstations are accessing. This has worked fine until now. After acquiring two new NT workstations, it seems that I can't get them to access the shared drives. As far as I can ascertain it is because of the password/username supplied by the new (ie. Service Pack 4) versions of the OS is encrypted, while the old way was unencrypted. Where do I change this to encrypted (or rather unencrypted) on the NT box? I can't find any answers pertaining to that. But a couple of unanswered questions to that same effect, seem to lurk in the archives. Confounding my problem is that this fscked OS is translated to Norwegian, so the error message which I get could be one which is mentioned in the faq, but then again, it might not. User friendly? Probably. Admin friendly? No way. And one more thing, I'm on Samba way old. I think 1. something. I'd rather not touch this for a while, as I have more pressing matters than upgrading samba. (After all, the guys and gals in marketing have reached those drives until now, except for the new ones, so why would I?) Please have mercy on me, poor sinner, who has trodden wrong and needs a guiding hand to find the path again. -- Paul Kenneth Egell-Johnsen Sales Support and System Development Metaphor as http://www.metaphor.no/ From LEYMARIE_Gerard at accor-hotels.com Mon Feb 21 13:56:27 2000 
From: LEYMARIE_Gerard at accor-hotels.com (LEYMARIE Gerard) Date: Tue Dec 2 02:28:42 2003 Subject: Samba 2.0.6 & W2000Pro Message-ID: <020801bf7c73$72fc3dc0$2300c839@accorhotels.com> All, I'm using Samba 2.0.6 as a PDC for a NT4 SP5 domain without any problems. I've tried to join the domain with an NT2000Pro without success. What do I have to do? Thanks. From LEYMARIE_Gerard at accor-hotels.com Mon Feb 21 14:16:49 2000 From: LEYMARIE_Gerard at accor-hotels.com (LEYMARIE Gerard) Date: Tue Dec 2 02:28:42 2003 Subject: Still problems of password sync Message-ID: <021801bf7c76$4b2033d0$2300c839@accorhotels.com> All, I'm using Samba 2.0.6 as a PDC on a YP server. NT passwords are crypted and not in plaintext. I want to synchronise the samba and YP passwords. I use the %u parameter for the username and receive it when users change password. I also use %n to get the new password, but this field is kept blank when the information is transmitted to the passwd chat. In my script I use echo %u:%n > toto.txt and chpasswd %u:%n What can I do? Thanks From karl at Denninger.Net Mon Feb 21 14:29:25 2000 From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:42 2003 Subject: Samba 2.0.6 & W2000Pro In-Reply-To: <020801bf7c73$72fc3dc0$2300c839@accorhotels.com>; from LEYMARIE Gerard on Tue, Feb 22, 2000 at 01:04:15AM +1100 References: <020801bf7c73$72fc3dc0$2300c839@accorhotels.com> Message-ID: <20000221082925.D54510@Denninger.Net> It doesn't work. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 01:04:15AM +1100, LEYMARIE Gerard wrote: > All, > > I'm using Samba 2.0.6 as a PDC for a NT4 SP5 domain without any problems. > > I've tried to join the domain with an NT2000Pro without success > What do I have to do? > > Thanks. > > From lk at netuse.de Mon Feb 21 14:41:10 2000 
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:42 2003 Subject: Authenticaion of NT users to their Unix user space via Samba. References: <38B14173.DBE06E7A@metaphor.no> Message-ID: <38B14E86.12D04A71@netuse.de> Paul Kenneth Egell-Johnsen wrote: > > I'm sorry to burst in this door, I've read the faq, I've searched the > samba.org site, and I don't know what to do, even now. > > The problem is this, I have a network with SGI computers whose shared > drives some NT workstations are accessing. This has worked fine until > now. After acquiring two new NT workstations, it seems that I can't get > them to access the shared drives. > > As far as I can ascertain it is because of the password/username > supplied by the new (ie. Service Pack 4) versions of the OS is > encrypted, while the old way was unencrypted. Where do I change this to > encrypted (or rather unencrypted) on the NT box? I can't find any > answers pertaining to that. But a couple of unanswered questions to that > same effect, seem to lurk in the archives. This is the registry patch to enable plainpasswords. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 -------------- next part -------------- REGEDIT4 ;Contributor: Tim Small (tim.small@virgin.net) ;Updated: 20 August 1997 ;Status: Current ; ;Subject: Registry file to enable plain text passwords in NT4-SP3 and later [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters] "EnablePlainTextPassword"=dword:00000001 From paulken at metaphor.no Mon Feb 21 15:00:23 2000 
From: paulken at metaphor.no (Paul Kenneth Egell-Johnsen) Date: Tue Dec 2 02:28:42 2003 Subject: Authenticaion of NT users to their Unix user space via Samba. References: <38B14173.DBE06E7A@metaphor.no> <38B14E86.12D04A71@netuse.de> Message-ID: <38B15307.4D987D60@metaphor.no> Thanks to Lars Kneschke, Seth Vidal and Richard Sharpe for your prompt and timely help. I'll use the info later today and see if I can make this system sing. -- Paul Kenneth Egell-Johnsen Sales Support and System Development Metaphor as http://www.metaphor.no/ From p.mayers at ic.ac.uk Mon Feb 21 16:07:57 2000 From: p.mayers at ic.ac.uk (Mayers, P J) Date: Tue Dec 2 02:28:42 2003 Subject: Samba 2.0.6 & W2000Pro Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F81329@icex1.cc.ic.ac.uk> Nor will it ever work. Samba sharing and browsing will work, but the PDC functionality is barely functional for NT - IIRC, there are no plans to update it to W2K compatibility. Use TNG. Read the archives (Lars' FAQ is what you need. The URL is somewhere). An alpha 5 release was posted a couple of days ago. Cheers, Phil ===================== The world is divided into two kinds of people, those who divide the world into two kinds of people, and those who don't... -----Original Message----- From: Karl Denninger [mailto:karl@Denninger.Net] Sent: Monday, February 21, 2000 2:31 PM To: Multiple recipients of list SAMBA-NTDOM Subject: Re: Samba 2.0.6 & W2000Pro It doesn't work. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 01:04:15AM +1100, LEYMARIE Gerard wrote: > All, > > I'm using Samba 2.0.6 as a PDC for a NT4 SP5 domain without any problems. > > I've tried to join the domain with an NT2000Pro without success > What do I have to do? > > Thanks. > > From karl at Denninger.Net Mon Feb 21 16:21:46 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:42 2003 Subject: Samba 2.0.6 & W2000Pro In-Reply-To: <0846B011B9A4D111A1EE006097DA4FCE02F81329@icex1.cc.ic.ac.uk>; from Mayers, P J on Tue, Feb 22, 2000 at 03:11:14AM +1100 References: <0846B011B9A4D111A1EE006097DA4FCE02F81329@icex1.cc.ic.ac.uk> Message-ID: <20000221102146.A56561@Denninger.Net> TNG does not yet work properly for Win95/98 users. There are still lingering authentication problems AND printing doesn't work. When there is a version that works for ALL of the common Windows platforms I can and will upgrade to it. Breaking Win98 compatibility to get Win2K to work is NOT an acceptable solution. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 03:11:14AM +1100, Mayers, P J wrote: > Nor will it ever work. Samba sharing and browsing will work, but the PDC > functionality it barely functional for NT - IIRC, there are no plans to > update it to W2K compatability. Use TNG. Read the archives (Lars' FAQ is > what you need. The URL is somewhere). An alpha 5 release was posted a couple > of days ago. > > Cheers, > Phil > > ===================== > > The world is divided into two kinds of people, those who divide the world > into two kinds of people, and those who don't... > > -----Original Message----- 
> From: Karl Denninger [mailto:karl@Denninger.Net] > Sent: Monday, February 21, 2000 2:31 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Samba 2.0.6 & W2000Pro > > > It doesn't work. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 01:04:15AM +1100, LEYMARIE Gerard wrote: > > All, > > > > I'm using Samba 2.0.6 as a PDC for a NT4 SP5 domain without any problems. > > > > I've tried to join the domain with an NT2000Pro without success > > What do I have to do? > > > > Thanks. > > > > From jens.skripczynski at igd.fhg.de Mon Feb 21 16:25:26 2000 
From: jens.skripczynski at igd.fhg.de (Jens Skripczynski)
Date: Tue Dec 2 02:28:42 2003
Subject: Trying to avoid a silly question on samba-ntdom...
In-Reply-To: <002301bf7c63$3ffee860$0200000a@lazarus>; from jdub@student.usyd.edu.au on Mon, Feb 21, 2000 at 11:00:29PM +1100
References: <002301bf7c63$3ffee860$0200000a@lazarus>
Message-ID: <20000221172526.A3224@pclinux.igd.fhg.de>

Jeff Waugh:
> Hi there,
>
> You seem fairly active on the samba-ntdom list (which I've been
> reading the archives for), and quite helpful to newbies...
>
> I'm not entirely sure the first part of this question is relevant
> to ntdom, so I thought I'd ask. Hopefully, you'll have time to
> respond.
>
> I want to switch to Samba to control the domain and
> authenticate users on a small network of Win98 machines (8
> computers). The Linux box will also be used for ip_masq, Squid,
> etc.
>
> Once that is done, the machine will move to a more important role
> as the domain server for the entire office (about 24 machines),
> including the NT server machine which we need to keep as our
> software vendor doesn't support Samba file-serving for our core
> business app.
>
> Does the normal version of Samba offer PDC-like capabilities for
> Win98 clients? There seem to be references to all three versions in
> response to this question, so I'm very unsure.

Win98 has _no_ PDC functionality in terms of Windows NT. It only offers
the possibility of an (insecure) logon at some server. Insecure because
it never saves who its PDC is, so it is very vulnerable to a
man-in-the-middle attack.

The next problem is what you refer to as the "normal" version of Samba,
as there are currently three branches. Lars Kneschke's FAQ should
probably answer some of your questions about this subject: which branch
has which abilities.

> I've used Samba in a workgroup, and it's tops, but now I'm looking
> for a little more security. :)

With security and M$ it should be NT.

Ciao

Jens Skripczynski
--
E-Mail: skripi@igd.fhg.de
Computers are like airconditioners: They stop working properly if you open windows.

From inge at cc.uit.no Mon Feb 21 16:36:57 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:42 2003
Subject: Problems with TNG and LDAP
Message-ID: <38B169A9.E907433E@cc.uit.no>

Ok, now I have used over a week trying to compile and run samba_tng with
support for ldap. So now I'm giving up and cry for help. My problem is
that after joining the domain and the complementary reboot I can't log
on to the domain from a NT4WS sp3. The error message is this:

The system cannot log you on to this domain because the systems computer
account in its primary domain is missing or the password on that account
is incorrect.

or this:

The system cannot log you on because the domain LDAP is not available.

the NETLOGON logfile has these errors:

ERROR: become root depth is non zero
ERROR: unbecome root depth is 0
ERROR: setgroups call failed!

I also spotted this one:

credentials check wrong

I can send the complete logs on request.

By the way I have no problem using the smbclient to contact shares on
the PDC. I also can't get rpcclient's deluser to work, but this is not
very important.

Thanks in advance for helping me track down this problem.

inge

smb.conf global section:

#======================= Global Settings =====================================
[global]
ldap suffix = "ou=People,dc=student,dc=uit,dc=no"
ldap bind as = "uid=manager,dc=student,dc=uit,dc=no"
ldap passwd file = /opt/samba-tng/private/ldappasswd
ldap server = localhost
ldap port = 389
workgroup = LDAP
netbios name =
server string = Samba %v
hosts allow = XXX.XXX.X. XXX.XXX.XX. 127.
printcap name = /etc/printcap
load printers = yes
printing = BSD
log level = 0
log file = /opt/samba-tng/var/log.%m
max log size = 5000
security = user
null passwords = No
encrypt passwords = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
name resolve order = wins lmhosts bcast
logon path = \\\Profiles\users.man
logon home = \\\%U
logon drive = H:
Wins server = XXX.XXX.XX.XX
Dns Proxy = No
interfaces = XXX.XXX.XXX.XXX/24

From inge at cc.uit.no Mon Feb 21 16:37:16 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:42 2003
Subject: Printing in TNG
Message-ID: <38B169BC.D5A1AC17@cc.uit.no>

When I try to change printing system from the default "sysv" to "bsd" in
smb.conf the printing commands don't seem to change. When I run
testparm after changing the "printing" parameter it looks like this:

        print ok = No
        postscript = No
        printing = bsd
        print command = lp -c -d%p %s; rm %s
        lpq command = lpstat -o%p
        lprm command = cancel %p-%j
        lppause command = lp -i %p-%j -H hold
        lpresume command = lp -i %p-%j -H resume
        queuepause command = lpc stop %p
        queueresume command = lpc start %p
        printer name =
        printer driver = NULL
        printer driver location =

At least I didn't know that BSD printing used lp and lpstat so I think
there is an error somewhere.

Thanks for all help.

inge

smb.conf global section:

#======================= Global Settings =====================================
[global]
ldap suffix = "ou=People,dc=student,dc=uit,dc=no"
ldap bind as = "uid=manager,dc=student,dc=uit,dc=no"
ldap passwd file = /opt/samba-tng/private/ldappasswd
ldap server = localhost
ldap port = 389
workgroup = LDAP
netbios name =
server string = Samba %v
hosts allow = XXX.XXX.X. XXX.XXX.XX. 127.
printcap name = /etc/printcap
load printers = yes
printing = BSD
log level = 0
log file = /opt/samba-tng/var/log.%m
max log size = 5000
security = user
null passwords = No
encrypt passwords = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
name resolve order = wins lmhosts bcast
logon path = \\\Profiles\users.man
logon home = \\\%U
logon drive = H:
Wins server = XXX.XXX.XX.XX
Dns Proxy = No
interfaces = XXX.XXX.XXX.XXX/24

--
Inge-Håvard Hunstad
email: inge@cc.uit.no
Tlf: 77646527
(intern nr. UiT: 6527)

From inge at cc.uit.no Mon Feb 21 16:38:17 2000
From: inge at cc.uit.no (Inge-Håvard Hunstad)
Date: Tue Dec 2 02:28:42 2003
Subject: Can't get nmblookup to work in TNG
Message-ID: <38B169F9.CB6A94B7@cc.uit.no>

As I said in a previous mail I can't get nmblookup to work in samba_TNG.
Is this something I have to live with or maybe it is my configuration
that fails? I also noticed that nmblookup for samba ver 2.0.4b works
like a charm on my system. When I try Diagnosis step 4-6 I get this with
tng's nmblookup:

$nmblookup -B __SAMBA__
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name __SAMBA__

$nmblookup -B ji '*'
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name *

$nmblookup -d 2 '*'
socket connect to /tmp/.nmb/agent failed: Connection refused
name_query failed to find name *

I have cvs co of samba_TNG from today compiled with support for ldap
under RH linux 6.1.

Thanks in advance for all your help.

inge

smb.conf global section:

#======================= Global Settings =====================================
[global]
ldap suffix = "ou=People,dc=student,dc=uit,dc=no"
ldap bind as = "uid=manager,dc=student,dc=uit,dc=no"
ldap passwd file = /opt/samba-tng/private/ldappasswd
ldap server = localhost
ldap port = 389
workgroup = LDAP
netbios name =
server string = Samba %v
hosts allow = XXX.XXX.X. XXX.XXX.XX. 127.
printcap name = /etc/printcap
load printers = yes
printing = BSD
log level = 0
log file = /opt/samba-tng/var/log.%m
max log size = 5000
security = user
null passwords = No
encrypt passwords = yes
local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
name resolve order = wins lmhosts bcast
logon path = \\\Profiles\users.man
logon home = \\\%U
logon drive = H:
Wins server = XXX.XXX.XX.XX
Dns Proxy = No
interfaces = XXX.XXX.XXX.XXX/24

From hanak at IRIS.osu.cz Mon Feb 21 17:18:25 2000
From: hanak at IRIS.osu.cz (Ondrej Hanak) Date: Tue Dec 2 02:28:42 2003 Subject: Still problems of password sync In-Reply-To: <021801bf7c76$4b2033d0$2300c839@accorhotels.com> Message-ID: On Tue, 22 Feb 2000, LEYMARIE Gerard wrote: > All, > > I'm using Samba 2.0.6 as a PDC on a YP server. > Nt password are crypted and not in plaintext > > I want to synchronise samba and YP password > > I use %u parameter for username and receive it when users change password. > I use also use %n to get new password, but this field is keep blank when > informations are transmitted to the passwd chat. > > In my script I use echo %u:%n > toto.txt and chpasswd %u:%n > > What can I do? > > Thanks > I had same problem with sync on RedHat6.1 and samba-2.1.prealpha. I found that second response in chat sometimes didn't arrive to passwd. Two times everything goes fine and 10 times not. I solved this problem by hacking smbd/chpasswd.c. I changed IPC between smbd and passwd from terminal pair to two pipes. After this everything was o.k. Maybe problem is in something else (bad parameters of used terminal dev). But i didn't understand why such IPC was used. Any comment will be fine. Cus. O.H. From zen at uninet.net.id Mon Feb 21 17:14:57 2000 
From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:42 2003 Subject: Samba-TNG 0.5 In-Reply-To: References: Message-ID: <00022200160308.00608@zen.sphenisci.or.id> > On Mon, 21 Feb 2000, ZEN el GUAY wrote: > > > I've just compiled and run the TNG-0.5. It works fine... I notice there is a > > regedit. Is it meant to able to run against all hives in Windows NT 4 and 5 > > registry? > > yep. > Cool...:-D I learn new things every day, Thanx.... -- ZEN VP of Jakarta Linux User Group zen@jakarta.linux.or.id ================================= SPHEnisci Team http://www.sphenisci.or.id ================================= Make sure it's LINUX, and Do the SAMBA (62-21) 845 5355 zen@uninet.net.id zen@sphenisci.or.id From zen at uninet.net.id Mon Feb 21 17:21:07 2000 From: zen at uninet.net.id (ZEN el GUAY) Date: Tue Dec 2 02:28:42 2003 Subject: Samba-TNG 0.5 In-Reply-To: <38B0C63B.245ED9CF@xavier.sa.edu.au> References: <00022108211300.00650@zen.sphenisci.or.id> <38B0C63B.245ED9CF@xavier.sa.edu.au> Message-ID: <0002220039240A.00608@zen.sphenisci.or.id> > > Yeah, ummm. Is there any difference between joining a domain controlled > by 0.3 and 0.5 from NT WKS? I have the same configuration as I did with > a successful 0.3 and I can't make NT workstation join the domain. I have > tried using the root account as well as various other Domain > Administrator accounts. I also tried to create the account on the server > and then join the domain. > I did not use the 0.3, I used 0.2 before, it was broken :-D Then 0.4 was unsuccessfully downloaded. So I couldn't tell the difference. I haven't tried the file serving (wkssvcd and srvsvcd, is it?). -- ZEN VP of Jakarta Linux User Group zen@jakarta.linux.or.id From skvidal at phy.duke.edu Mon Feb 21 17:38:55 2000 
From: skvidal at phy.duke.edu (Seth Vidal) Date: Tue Dec 2 02:28:42 2003 Subject: pam_smbpass (fwd) Message-ID: here are mr vorlon's words on the pam_smpass info. -sv ---------- Forwarded message ---------- Date: Mon, 21 Feb 2000 10:44:03 -0600 (CST) From: Steve Langasek To: Seth Vidal Subject: Re: pam_smbpass On Mon, 21 Feb 2000, Seth Vidal wrote: > Luke Leighton dropped your name regarding pam_smbpass and getting it > ported/changed to be useable as a pam_ntpass (so we can sync unix pw > changes against a samba_tng pdc) > so a few of us we're wondering where we can get pam_smbpass from so we can > hack on it - unless you'd like to.:) Hi Seth, The most current version of pam_smbpass is always available as ftp://ftp.netexpress.net/pub/pam/pam_smbpass.newest.tgz. I might recommend holding off for about a week before trying to make use of the code base; I've been in the process of cleaning up some long-outstanding issues in the PAM code, and will hopefully be releasing soon. I was hoping to see the next version released as a stand-alone, but until the SAMBA_TNG CVS installs header files onto the system, that's not going to happen. Cheers, Steve Langasek postmodern programmer From inge at cc.uit.no Mon Feb 21 17:46:10 2000 
From: inge at cc.uit.no (=?iso-8859-1?Q?Inge=2DH=E5vard?= Hunstad) Date: Tue Dec 2 02:28:42 2003 Subject: [RFC] LDAP user management tools References: <3804F5AB.E6394A8E@eng.auburn.edu> Message-ID: <38B179E2.B6E3F120@cc.uit.no> Gerald Carter wrote: > > I'm in the process of building some tools > for manipulating users in a Samba LDAP account > backend. This will mostly likely be ing Perl > using the Mozilla::LDAP module. > > Here's the RFC... > > Right now, I have an quick and dirty script to upload > a smbpasswd file to the LDAP server. My plan are to > also include tools for... > > * add / deleting accounts > * enabling / disabling accounts > * setting passwords > * updating account information > > etc... > > I know that I could just extend .../bin/smbpasswd, but > writing the scripts in Perl would also allow for a Perl/TK > GUI that could run on any platform for the most part (Windows, > Solaris, Linux, etc...) This would basically be a Usrmgr > type interface with the headache of RPC and named pipes. > > What say everyone? is there enough interest for this? > >From my part of view the automation scripts come first > and the GUI later. > Is it rude of me asking how did it go? Was the interest so low that it wasn't worth finishing or did you try to implement it and have a tool ready for alpha or beta testing? If the latter is true then I'm willing to try it:) inge From giulioo at pobox.com Mon Feb 21 17:49:39 2000 
From: giulioo at pobox.com (Giulio Orsero) Date: Tue Dec 2 02:28:42 2003 Subject: Still problems of password sync In-Reply-To: References: <021801bf7c76$4b2033d0$2300c839@accorhotels.com> Message-ID: <20000221174943.B91912AE74@i3.golden.dom> On Tue, 22 Feb 2000 04:16:31 +1100, hai scritto: >I had same problem with sync on RedHat6.1 and samba-2.1.prealpha. >I found that second response in chat sometimes didn't arrive to passwd. >Two times everything goes fine and 10 times not. >I solved this problem by hacking smbd/chpasswd.c. I changed IPC between Note that in samba < 2.0.6 there was a timing problem in the chat handling that has been solved in 2.0.6. I think pre-2.1 doesn't have this fix. The probem manifested this way: you could change the password 1 out of 7/10 times. The other times you got something like "child exited while we were waiting" or similar. -- giulioo@pobox.com From GLeblanc at cu-portland.edu Mon Feb 21 18:06:03 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:42 2003 Subject: Win9x and TNG status? Message-ID: I read all the messages, but I'm still not clear. What is and isn't working with regards to Win9x machines logging into a TNG PDC? If it's not working, do you guys still need a netmon trace? I'm at work today with my PDC and 250 workstations, so I can get any kind of login traces you might want, but that's not to say that I can make heads or tails of them. Greg From slitt at troubleshooters.com Mon Feb 21 18:19:55 2000 
From: slitt at troubleshooters.com (Steve Litt) Date: Tue Dec 2 02:28:42 2003 Subject: Printing in TNG In-Reply-To: <38B169BC.D5A1AC17@cc.uit.no> Message-ID: <3.0.6.32.20000221131955.009207f0@pop.pacificnet.net> Inge, What you describe is the as-designed performance of Samba as configured by the Red Hat distro. With Red Hat, you need to hard code printing, print command, and any other commands you regularly use (lprm command, for instance). You'll also need to change the printcap name= to /etc/printcap. If you get a SWAT problem mentioning lpstat, the printcap name= change will fix it. As an alternative, I download the Samba 2.0.x .tgz and compile and make. I've found that to yield a better setup, and it doesn't default to sysv printing. Steve Litt At 03:50 AM 02/22/2000 +1100, Inge-H?vard Hunstad wrote: >When I try to change printing system from the default "sysv" to "bsd" in >smb.conf the printing commands doesn't seem to change. When I run >testparm after changing the "printing" parameter it looks like this: > > print ok = No > postscript = No > printing = bsd > print command = lp -c -d%p %s; rm %s > lpq command = lpstat -o%p > lprm command = cancel %p-%j > lppause command = lp -i %p-%j -H hold > lpresume command = lp -i %p-%j -H resume > queuepause command = lpc stop %p > queueresume command = lpc start %p > printer name = > printer driver = NULL > printer driver location = > >At least I didn't know that BSD printing used lp and lpstat so I think >there is an error somewhere. > >Thanks for all help. > >inge > > >smb.conf global section: > >#======================= Global Settings >===================================== >[global] >ldap suffix = "ou=People,dc=student,dc=uit,dc=no" >ldap bind as = "uid=manager,dc=student,dc=uit,dc=no" >ldap passwd file = /opt/samba-tng/private/ldappasswd >ldap server = localhost >ldap port = 389 >workgroup = LDAP >netbios name = >server string = Samba %v >hosts allow = XXX.XXX.X. XXX.XXX.XX. 127. 
>printcap name = /etc/printcap >load printers = yes >printing = BSD >log level = 0 >log file = /opt/samba-tng/var/log.%m >max log size = 5000 >security = user >null passwords = No >encrypt passwords = yes >local master = Yes >os level = 65 >domain master = yes >preferred master = yes >domain logons = yes >name resolve order = wins lmhosts bcast >logon path = \\\Profiles\users.man >logon home = \\\%U >logon drive = H: >Wins server = XXX.XXX.XX.XX >Dns Proxy = No >interfaces = XXX.XXX.XXX.XXX/24 > > > >-- >Inge-H?vard Hunstad >email: inge@cc.uit.no >Tlf: 77646527 >(intern nr. UiT: 6527) > From nazard at dragoninc.on.ca Mon Feb 21 18:51:11 2000 
From: nazard at dragoninc.on.ca (nazard@dragoninc.on.ca) Date: Tue Dec 2 02:28:42 2003 Subject: Problems with TNG and LDAP In-Reply-To: <38B169A9.E907433E@cc.uit.no> Message-ID: <20000221185124Z13352725-24228+56620@samba.anu.edu.au> On 22 Feb, Inge-H?vard Hunstad wrote: > Ok, now I have used over a week trying to compile and run samba_tng with > support for ldap. So now I'm giving up and cry for help. My problem is > that after joining the domain and the complementary reboot I can't log > on to the domain from a NT4WS sp3. The error messages is this: > > The system cannot log you on to this domain because the systems computer > account in its primary domain is missing or the password on that account > is incorrect. > > or this: > > The system cannot log you on because the domain LDAP is not available. I've been successfully using the ldap backend for several months. Note that this is the original style ldap, not the new NT5LDAP. > the NETLOGON logfile have these errors: > > ERROR: become root depth is non zero > ERROR: unbecome root depth is 0 > ERROR: setgroups call failed! Here's the patch I've been using to work around that error. Index: util_sec.c =================================================================== RCS file: /cvsroot/samba/source/lib/util_sec.c,v retrieving revision 1.2.4.1 diff -u -w -r1.2.4.1 util_sec.c --- util_sec.c 2000/01/14 22:01:19 1.2.4.1 +++ util_sec.c 2000/02/21 18:40:47 
@@ -42,6 +42,17 @@ #define smb_panic(x) exit(1) #endif +#if HAVE_SETRESUID + #define USE_SETRESUID 1 +#elif HAVE_SETEUID + #define USE_SETEUID 1 +#elif HAVE_SETREUID + #define USE_SETREUID 1 +#elif HAVE_SETUIDX + #define USE_SETUIDX 1 +#endif + + /**************************************************************************** abort if we haven't set the uid correctly ****************************************************************************/ > ldap suffix = "ou=People,dc=student,dc=uit,dc=no" If you're trying to share entries with the system accounts per RFC2307, I've also found the following patch useful Index: ldap.c =================================================================== RCS file: /cvsroot/samba/source/passdb/ldap.c,v retrieving revision 1.36 diff -u -w -r1.36 ldap.c --- ldap.c 1999/03/25 13:54:30 1.36 +++ ldap.c 2000/02/21 18:49:35 @@ -272,11 +272,11 @@ *mods = NULL; if(operation == LDAP_MOD_ADD) { /* immutable attributes */ ldap_make_mod(mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); - +/* ldap_make_mod(mods, LDAP_MOD_ADD, "uid", newpwd->unix_name); slprintf(temp, sizeof(temp)-1, "%d", newpwd->unix_uid); ldap_make_mod(mods, LDAP_MOD_ADD, "uidNumber", temp); - +*/ ldap_make_mod(mods, LDAP_MOD_ADD, "ntuid", newpwd->nt_name); slprintf(temp, sizeof(temp)-1, "%x", newpwd->user_rid); ldap_make_mod(mods, LDAP_MOD_ADD, "rid", temp); From lkcl at samba.org Mon Feb 21 19:37:23 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: <3.0.6.32.20000221104529.00932e70@203.16.214.248> Message-ID: > Well, hang on there ... He's not the messiah you know, he's just a naughty > boy :-) all right! i *am* the messiah. now xxxx.... xxx! From lkcl at samba.org Mon Feb 21 19:50:44 2000 
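Review bot: the #if/#elif chain added in the util_sec.c hunk (@@ -42,6 +42,17 @@) of the patch above has no final #else, so on a platform where none of HAVE_SETRESUID, HAVE_SETEUID, HAVE_SETREUID or HAVE_SETUIDX is set, no USE_* macro is defined and the build carries on with no uid-switching method selected. For code whose job is changing privilege that should stop the build: add "#else" and "#error no uid-switching call available" before the "#endif". The tests would also be safer written as "#if defined(HAVE_SETRESUID)", and the hunk adds two blank lines after the #endif where one would do.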
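Review bot: in the ldap.c hunk (@@ -272,11 +272,11 @@) of the patch above, the uid and uidNumber adds are disabled for every LDAP_MOD_ADD by wrapping them in /* */, which fits the RFC2307 sharing case the message describes but means a newly created sambaAccount entry gets neither attribute in any other setup. Make the skip conditional (a build or smb.conf option, or only when the entry already carries uid and uidNumber) instead of commenting the lines out, and if the code does stay disabled, say why in a comment next to it rather than leaving a bare comment block.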
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:42 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: <20000221102146.A56561@Denninger.Net>
Message-ID:

On Tue, 22 Feb 2000, Karl Denninger wrote:

> TNG does not yet work properly for Win95/98 users. There are still
> lingering authentication problems AND printing doesn't work.

richard tracked down the auth issues. can you give more [specific]
details about printing?

thx,

luke

From SGerstacker at gradall.com Mon Feb 21 19:50:17 2000
From: SGerstacker at gradall.com (Gerstacker, Steve)
Date: Tue Dec 2 02:28:42 2003
Subject: NT Print sharing
Message-ID: <451F628D6C94D2119B650004AC4C4B42281623@EXCHANGE>

My sys admin asked me to set up a linux print server on our NT Domain.
Later I found out that you can't print share with NT because you have to
be a super user to add the printers. Will there ever be a way to just
double click to add the printers to an NT Machine???

From patl at cag.lcs.mit.edu Mon Feb 21 19:51:18 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:42 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Luke Kenneth Casson Leighton's message of "Mon, 21 Feb 2000 13:04:43 +1100" References: Message-ID: Luke Kenneth Casson Leighton writes: > > Second, my netlogon script is not running for Win98 nor for Win2k (is > > it even supposed to for the latter?). > > *ah*. that. see, we have a real problem, there. netlogin scripts > were added as a hack to the nt domain code. > > hmmm... let me take a look-see I think I found the bug. In sampass.c:getsamfile21pwent(), you are checking a bunch of char *'s in the "user" structure against NULL to see if you need to fill them in. The problem is that they aren't NULL, they are just empty; so things like the logon_script field end up empty instead of acquiring their proper values from the smb.conf file. When I fixed this, my logon scripts started working again. My patch is appended; rewrite it as you see fit... - Pat -------------- next part -------------- Index: passdb/sampass.c =================================================================== RCS file: /cvsroot/samba/source/passdb/Attic/sampass.c,v retrieving revision 1.5.2.5 diff -u -r1.5.2.5 sampass.c --- sampass.c 2000/02/08 04:25:55 1.5.2.5 +++ sampass.c 2000/02/21 19:48:11 @@ -63,6 +63,11 @@ return setsmbpwpos(vp, tok); } +static BOOL string_empty (const char *str) +{ + return str == NULL || *str == '\0'; +} + /************************************************************************* Routine to return the next entry in the smbpasswd list. this function is a nice, messy combination of reading: 
@@ -109,19 +114,19 @@ didn't filled the values */ - if (user->full_name == NULL) + if (string_empty (user->full_name)) user->full_name = full_name; - if (user->home_dir == NULL) + if (string_empty (user->home_dir)) user->home_dir = home_dir; - if (user->dir_drive == NULL) + if (string_empty (user->dir_drive)) user->dir_drive = home_drive; - if (user->logon_script == NULL) + if (string_empty (user->logon_script)) user->logon_script = logon_script; - if (user->profile_path == NULL) + if (string_empty (user->profile_path)) user->profile_path = profile_path; - if (user->acct_desc == NULL) + if (string_empty (user->acct_desc)) user->acct_desc = acct_desc; - if (user->workstations == NULL) + if (string_empty (user->workstations)) user->workstations = workstations; user->unknown_str = NULL; /* don't know, yet! */ From jblyberg at marco.com Mon Feb 21 19:55:50 2000 From: jblyberg at marco.com (John F. Blyberg) Date: Tue Dec 2 02:28:42 2003 Subject: using samedit Message-ID: <000001bf7ca5$a7cab130$eb0b170a@johnb.marco.com> Hi, I've recently tried to install samba-tng-0.5. The readme states that you must first run: bin/smbpasswd -a -m your_samba_server_name ok, so I do that, but -m is disabled, so I then run: samedit createuser my_server$ which returns: socket connect to /tmp/.smb.0/agent failed: Connection refused cli_net_use_add: connection failed I have loaded the daemons mentioned in the README. The other problem I have encountered is that where the attached, shared printer was working before, it is not now. --John --------- John Blyberg Michigan Automotive Research Corp. 734/995-2544 ext. 227 jblyberg@marco.com From lkcl at samba.org Mon Feb 21 19:56:50 2000 
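Review bot: string_empty() in the sampass.c hunk @@ -63,6 +63,11 @@ goes in without a banner comment like the one on the function that follows it, and is written "string_empty (const char *str)" with a space before the parenthesis where the context line "return setsmbpwpos(vp, tok);" has none. Add a one-line comment stating that NULL and "" are both treated as unset, and match the surrounding call style.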
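Review bot: switching all seven tests in the sampass.c hunk @@ -109,19 +114,19 @@ from "== NULL" to string_empty() makes an empty stored value indistinguishable from a missing one, so an account whose logon_script, profile_path or workstations field is deliberately empty now silently picks up the default. If empty is never a meaningful stored value, say so in the comment above the block; otherwise fix whatever fills the user structure so that unset fields arrive as NULL and keep the NULL tests here.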
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:42 2003
Subject: Problems with TNG and LDAP
In-Reply-To: <38B169A9.E907433E@cc.uit.no>
Message-ID:

On Tue, 22 Feb 2000, Inge-Håvard Hunstad wrote:

> Ok, now I have used over a week trying to compile and run samba_tng with
> support for ldap. So now I'm giving up and cry for help. My problem is
> that after joining the domain and the complementary reboot I can't log
> on to the domain from a NT4WS sp3. The error messages is this:
>
> The system cannot log you on to this domain because the systems computer
> account in its primary domain is missing or the password on that account
> is incorrect.
>
> or this:
>
> The system cannot log you on because the domain LDAP is not available.
>
> the NETLOGON logfile have these errors:
>
> ERROR: become root depth is non zero
> ERROR: unbecome root depth is 0
> ERROR: setgroups call failed!

the first unbecome_root() will stop root access needed in between the
first and second unbecome_root(). this may cause problems such as those
you describe.

anyone want to try to track this down?

and deluser isn't implemented server-side yet.

From lkcl at samba.org Mon Feb 21 19:59:39 2000
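The nesting problem behind the "become root depth" errors discussed in the reply above, as an added example (not part of the original messages and not Samba-TNG source): a flat become_root()/unbecome_root() pair loses root as soon as an inner helper returns, while a depth-counted pair keeps it until the outermost call. The effective uid is modelled by a variable so the example runs unprivileged; every name other than become_root and unbecome_root is hypothetical.

```c
/* Added illustration, not Samba-TNG source. The effective uid is a
 * variable here; a daemon would call seteuid()/setresuid() in
 * switch_euid() and abort if the switch fails. */
#include <stdio.h>

#define ROOT_UID 0u

static unsigned session_uid = 1000;  /* constructed: uid of the connected user */
static unsigned cur_euid    = 1000;  /* simulated effective uid */

/* Stand-in for the real privilege switch. Returns 0 on success. */
static int switch_euid(unsigned uid) { cur_euid = uid; return 0; }

/* --- flat version: every call switches, nesting is not tracked --------- */
static void flat_become_root(void)   { switch_euid(ROOT_UID); }
static void flat_unbecome_root(void) { switch_euid(session_uid); }

/* --- depth-counted version --------------------------------------------- */
static int      root_depth = 0;  /* become_root() calls still outstanding */
static unsigned saved_euid;      /* uid to restore when depth reaches 0 */

/* Returns 0 on success, -1 if root could not be acquired. */
int become_root(void)
{
    if (root_depth == 0) {
        saved_euid = cur_euid;
        if (switch_euid(ROOT_UID) != 0)
            return -1;           /* do not count a switch that failed */
    }
    root_depth++;
    return 0;
}

/* Returns 0 on success, -1 on an unbalanced call or a failed restore. */
int unbecome_root(void)
{
    if (root_depth == 0) {
        fprintf(stderr, "ERROR: unbecome_root called with depth 0\n");
        return -1;               /* caller bug: nothing to undo */
    }
    if (--root_depth > 0)
        return 0;                /* an outer caller still needs root */
    if (switch_euid(saved_euid) != 0 || cur_euid != saved_euid) {
        root_depth = 1;          /* still privileged: caller must abort */
        return -1;
    }
    return 0;
}

/* A helper that needs root briefly, e.g. a password database lookup. */
static void inner_helper(int nesting_safe)
{
    if (nesting_safe) { become_root();      unbecome_root(); }
    else              { flat_become_root(); flat_unbecome_root(); }
}

/* Outer caller: takes root, calls the helper, then has more root-only
 * work to do. Returns the euid in effect during that later work. */
unsigned euid_after_inner_helper(int nesting_safe)
{
    unsigned seen;

    cur_euid = session_uid;
    root_depth = 0;
    if (nesting_safe) become_root(); else flat_become_root();
    inner_helper(nesting_safe);
    seen = cur_euid;             /* root-only work would happen here */
    if (nesting_safe) unbecome_root(); else flat_unbecome_root();
    return seen;
}

int current_root_depth(void) { return root_depth; }
unsigned current_euid(void)  { return cur_euid; }

int main(void)
{
    printf("flat:  euid after inner helper = %u\n", euid_after_inner_helper(0));
    printf("depth: euid after inner helper = %u\n", euid_after_inner_helper(1));
    printf("extra unbecome_root() returns %d\n", unbecome_root());
    return 0;
}
```

With the flat pair the outer caller finds itself back at the session uid after the helper returns, which is the loss of root access between the first and second unbecome_root() that the reply describes.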
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: Samba-TNG 0.5 In-Reply-To: <00022200160308.00608@zen.sphenisci.or.id> Message-ID: On Tue, 22 Feb 2000, ZEN el GUAY wrote: > > > On Mon, 21 Feb 2000, ZEN el GUAY wrote: > > > > > I've just compiled and run the TNG-0.5. It works fine... I notice there is a > > > regedit. Is it meant to able to run against all hives in Windows NT 4 and 5 > > > registry? > > > > yep. > > > Cool...:-D > I learn new things every day, Thanx.... > > -- > ZEN > VP of Jakarta Linux User Group > zen@jakarta.linux.or.id > > ================================= > SPHEnisci Team > http://www.sphenisci.or.id > ================================= > Make sure it's LINUX, and Do the SAMBA > (62-21) 845 5355 > zen@uninet.net.id > zen@sphenisci.or.id > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 20:01:38 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: Samba-TNG 0.5 In-Reply-To: <0002220039240A.00608@zen.sphenisci.or.id> Message-ID: if you are not running the daemons that are described as required in lars' FAQ, you will find that certain things will fail. as a reminder, if you want a PDC, you will need: - smbd - nmbd - samrd - netlogond - lsarpcd - winregd - wkssvcd - srvsvcd anything else is optional: these are not. On Tue, 22 Feb 2000, ZEN el GUAY wrote: > > > > > Yeah, ummm. Is there any difference between joining a domain controlled > > by 0.3 and 0.5 from NT WKS? I have the same configuration as I did with > > a successful 0.3 and I can't make NT workstation join the domain. I have > > tried using the root account as well as various other Domain > > Administrator accounts. I also tried to create the account on the server > > and then join the domain. > > > I did not use the 0.3, I used 0.2 before, it was broken :-D > Then 0.4 was unsuccessfully downloaded. So I couldn't tell the difference. > I haven't tried the file serving (wkssvcd and srvsvcd, is it?). > > -- > ZEN > VP of Jakarta Linux User Group > zen@jakarta.linux.or.id > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 20:06:46 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:42 2003
Subject: [RFC] LDAP user management tools
In-Reply-To: <38B179E2.B6E3F120@cc.uit.no>
Message-ID:

> > I know that I could just extend .../bin/smbpasswd, but
> > writing the scripts in Perl would also allow for a Perl/TK
> > GUI that could run on any platform for the most part (Windows,
> > Solaris, Linux, etc...) This would basically be a Usrmgr
> > type interface with the headache of RPC and named pipes.
> >
> > What say everyone? is there enough interest for this?
> > From my part of view the automation scripts come first
> > and the GUI later.
> >

a much more, if you're asking my opinion, noteworthy and fairly easy
task, would be to take the display_*.c code and add a switch to print
html as well as text. that was actually the original intention, except i
never got round to doing the html.

then, making these programs run as a swat-like daemon is absolutely
trivial.

hmm. an interesting, intriguing project :)

> Is it rude of me asking how did it go? Was the interest so low that it
> wasn't worth finishing or did you try to implement it and have a tool
> ready for alpha or beta testing? If the latter is true then I'm willing
> to try it:)
>
> inge
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503
DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Mon Feb 21 20:11:19 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: Win9x and TNG status? In-Reply-To: Message-ID: On Tue, 22 Feb 2000, Gregory Leblanc wrote: > I read all the messages, but I'm still not clear. What is and isn't working > with regards to Win9x machines logging into a TNG PDC? If it's not working, > do you guys still need a netmon trace? I'm at work today with my PDC and > 250 workstations, so I can get any kind of login traces you might want, but > that's not to say that I can make heads or tails of them. :) thx. richard fixed auth over the weekend. someone else reported printing not working (needs more details). usrmgr.exe and srvmgr.exe (win95 versions) don't work, probably related to GETDC request not being right. From roy.karlsbakk at a-team.no Mon Feb 21 20:19:08 2000 From: roy.karlsbakk at a-team.no (Roy Sigurd Karlsbakk) Date: Tue Dec 2 02:28:42 2003 Subject: Newbe questions Message-ID: <51313828EB3CD211A49A006097AD457E0EA481@infosys.a-team.no> Hi all I have a couple of questions... - I've noticed the lack of support for Windoze 9x. Does anyone know if this will be fixed? - Can Samba-TNG integrate with more than one domain? - Where can I download the Samba-TNG? Thanks in advance Roy Sigurd Karlsbakk From lkcl at samba.org Mon Feb 21 20:20:02 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: Problems with TNG and LDAP In-Reply-To: <20000221185124Z13352725-24228+56620@samba.anu.edu.au> Message-ID: oh , this means that ... ok, i've got this. please cvs update, there are some autoconf issues. > > Here's the patch I've been using to work around that error. > > Index: util_sec.c > =================================================================== > RCS file: /cvsroot/samba/source/lib/util_sec.c,v > retrieving revision 1.2.4.1 > diff -u -w -r1.2.4.1 util_sec.c > --- util_sec.c 2000/01/14 22:01:19 1.2.4.1 > +++ util_sec.c 2000/02/21 18:40:47 > @@ -42,6 +42,17 @@ > #define smb_panic(x) exit(1) > #endif > > +#if HAVE_SETRESUID > + #define USE_SETRESUID 1 > +#elif HAVE_SETEUID > + #define USE_SETEUID 1 > +#elif HAVE_SETREUID > + #define USE_SETREUID 1 > +#elif HAVE_SETUIDX > + #define USE_SETUIDX 1 > +#endif > + > + > /**************************************************************************** > abort if we haven't set the uid correctly > ****************************************************************************/ > > > > > ldap suffix = "ou=People,dc=student,dc=uit,dc=no" > > If you're trying to share entries with the system accounts per RFC2307, I've also found the following patch useful > > Index: ldap.c > =================================================================== > RCS file: /cvsroot/samba/source/passdb/ldap.c,v > retrieving revision 1.36 > diff -u -w -r1.36 ldap.c > --- ldap.c 1999/03/25 13:54:30 1.36 > +++ ldap.c 2000/02/21 18:49:35 
> @@ -272,11 +272,11 @@ > *mods = NULL; > if(operation == LDAP_MOD_ADD) { /* immutable attributes */ > ldap_make_mod(mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); > - > +/* > ldap_make_mod(mods, LDAP_MOD_ADD, "uid", newpwd->unix_name); > slprintf(temp, sizeof(temp)-1, "%d", newpwd->unix_uid); > ldap_make_mod(mods, LDAP_MOD_ADD, "uidNumber", temp); > - > +*/ > ldap_make_mod(mods, LDAP_MOD_ADD, "ntuid", newpwd->nt_name); > slprintf(temp, sizeof(temp)-1, "%x", newpwd->user_rid); > ldap_make_mod(mods, LDAP_MOD_ADD, "rid", temp); > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 20:24:32 2000 
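Review bot: in the util_sec.c hunk quoted above, the chain from "#if HAVE_SETRESUID" to "#elif HAVE_SETUIDX" has no "#else" branch, so on a platform where none of the four HAVE_ macros is set, no USE_ macro gets defined and the build carries on without saying so. The context line right below the hunk reads "abort if we haven't set the uid correctly", so this selection matters; I would close the chain with "#else" and an "#error" so that a missing uid-switching primitive fails at compile time. The "#define" lines are also indented, which some pre-ANSI preprocessors do not accept (they only recognise "#" in column one), and the hunk adds two blank lines where one would do.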
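Review bot: in the ldap.c hunk quoted above, the "uid" and "uidNumber" ldap_make_mod() calls are switched off for every installation by wrapping them in /* ... */, which changes what a newly added sambaAccount entry contains even at sites that do not share entries with the RFC2307 system accounts. Make this conditional (a configure-time #ifdef or an smb.conf switch) and add a one-line comment saying why the two attributes are skipped; a bare comment block around live code reads as dead code and tends to be deleted or re-enabled later without anyone knowing the reason.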
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: ok. ok. i buy that. yeah. On 21 Feb 2000, Patrick J. LoPresti wrote: > Luke Kenneth Casson Leighton writes: > > > > Second, my netlogon script is not running for Win98 nor for Win2k (is > > > it even supposed to for the latter?). > > > > *ah*. that. see, we have a real problem, there. netlogin scripts > > were added as a hack to the nt domain code. > > > > hmmm... let me take a look-see > > I think I found the bug. In sampass.c:getsamfile21pwent(), you are > checking a bunch of char *'s in the "user" structure against NULL to > see if you need to fill them in. The problem is that they aren't > NULL, they are just empty; so things like the logon_script field end > up empty instead of acquiring their proper values from the smb.conf > file. > > When I fixed this, my logon scripts started working again. > > My patch is appended; rewrite it as you see fit... > > - Pat > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals -------------- next part -------------- Index: passdb/sampass.c =================================================================== RCS file: /cvsroot/samba/source/passdb/Attic/sampass.c,v retrieving revision 1.5.2.5 diff -u -r1.5.2.5 sampass.c --- sampass.c 2000/02/08 04:25:55 1.5.2.5 +++ sampass.c 2000/02/21 19:48:11 @@ -63,6 +63,11 @@ return setsmbpwpos(vp, tok); } +static BOOL string_empty (const char *str) +{ + return str == NULL || *str == '\0'; +} + /************************************************************************* Routine to return the next entry in the smbpasswd list. this function is a nice, messy combination of reading: 
@@ -109,19 +114,19 @@ didn't filled the values */ - if (user->full_name == NULL) + if (string_empty (user->full_name)) user->full_name = full_name; - if (user->home_dir == NULL) + if (string_empty (user->home_dir)) user->home_dir = home_dir; - if (user->dir_drive == NULL) + if (string_empty (user->dir_drive)) user->dir_drive = home_drive; - if (user->logon_script == NULL) + if (string_empty (user->logon_script)) user->logon_script = logon_script; - if (user->profile_path == NULL) + if (string_empty (user->profile_path)) user->profile_path = profile_path; - if (user->acct_desc == NULL) + if (string_empty (user->acct_desc)) user->acct_desc = acct_desc; - if (user->workstations == NULL) + if (string_empty (user->workstations)) user->workstations = workstations; user->unknown_str = NULL; /* don't know, yet! */ From lkcl at samba.org Mon Feb 21 20:38:36 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:42 2003 Subject: using samedit In-Reply-To: <000001bf7ca5$a7cab130$eb0b170a@johnb.marco.com> Message-ID: On Tue, 22 Feb 2000, John F. Blyberg wrote: > Hi, > > I've recently tried to install samba-tng-0.5. The readme states that you > must first run: > bin/smbpasswd -a -m your_samba_server_name > ok, so I do that, but -m is disabled, so I then run: > samedit createuser my_server$ not needed any more. From mg at plum.de Mon Feb 21 20:47:17 2000 
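Review bot: in the first hunk of the sampass.c patch above (@@ -63,6 +63,11 @@), string_empty() is added without the banner comment that the routine right after it carries ("Routine to return the next entry in the smbpasswd list"), and it is declared as "string_empty (const char *str)" with a space before the parenthesis while the context line above it calls "setsmbpwpos(vp, tok)" without one. Add a short comment stating that NULL and "" are both treated as unset, and match the file's spacing.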
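Review bot: in the second hunk of the sampass.c patch above (@@ -109,19 +114,19 @@), replacing "== NULL" with string_empty() on all seven fields, user->full_name through user->workstations, means a field that was deliberately stored as an empty string can no longer be told apart from one that was never filled in, so it always picks up the default. Please confirm that is intended for each field (an account meant to have no logon script, for instance, loses that setting), or keep NULL as the only "unset" marker and fix whatever hands back "" in place of NULL.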
From: mg at plum.de (Michael Glauche) Date: Tue Dec 2 02:28:43 2003 Subject: Newbe questions References: <51313828EB3CD211A49A006097AD457E0EA481@infosys.a-team.no> Message-ID: <38B1A455.28D69FC@plum.de> > Roy Sigurd Karlsbakk wrote: > > Hi all > > I have a couple of questions... > - I've noticed the lack of support for Windoze 9x. Does anyone know > if this will be fixed? Richard Sharpe is working on it. > - Can Samba-TNG integrate with more than one domain? yes. > - Where can I download the Samba-TNG? ftp://samba.org/pub/samba/alpha. please use mirror site for preference. regards, Michael From lkcl at samba.org Mon Feb 21 20:41:19 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Newbe questions In-Reply-To: <51313828EB3CD211A49A006097AD457E0EA481@infosys.a-team.no> Message-ID: On Tue, 22 Feb 2000, Roy Sigurd Karlsbakk wrote: > Hi all > > I have a couple of questions... > - I've noticed the lack of support for Windoze 9x. Does anyone know if this > will be fixed? if people are interested in fixing it, yes. it's just a matter of when and who. > - Can Samba-TNG integrate with more than one domain? no, because we don't have a surs implementation (SID to UID Resolution system) that will cope with more than one domain, at the moment. hmmm, i _must_ address this. > - Where can I download the Samba-TNG? you just joined this list? alpha 0.5 samba ftp mirror. > Thanks in advance > > Roy Sigurd Karlsbakk > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From sharpe at ns.aus.com Mon Feb 21 05:12:11 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:43 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: References: Message-ID: <3.0.6.32.20000221151211.00996320@203.16.214.248> At 07:00 AM 2/22/00 +1100, Patrick J. LoPresti wrote: >Luke Kenneth Casson Leighton writes: > >> > Second, my netlogon script is not running for Win98 nor for Win2k (is >> > it even supposed to for the latter?). >> >> *ah*. that. see, we have a real problem, there. netlogin scripts >> were added as a hack to the nt domain code. >> >> hmmm... let me take a look-see > >I think I found the bug. In sampass.c:getsamfile21pwent(), you are >checking a bunch of char *'s in the "user" structure against NULL to >see if you need to fill them in. The problem is that they aren't >NULL, they are just empty; so things like the logon_script field end >up empty instead of acquiring their proper values from the smb.conf >file. > >When I fixed this, my logon scripts started working again. > >My patch is appended; rewrite it as you see fit... Hmmm, that is interesting, because logon scripts worked for me in an all Samba-TNG after I fixed the auth problem ... > - Pat > > >Attachment Converted: "c:\eudora\attach\sampass.c.diff" > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Mon Feb 21 05:10:47 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:43 2003 Subject: Samba 2.0.6 & W2000Pro In-Reply-To: References: <20000221102146.A56561@Denninger.Net> Message-ID: <3.0.6.32.20000221151047.0098ce90@203.16.214.248> At 06:55 AM 2/22/00 +1100, Luke Kenneth Casson Leighton wrote: >On Tue, 22 Feb 2000, Karl Denninger wrote: > >> TNG does not yet work properly for Win95/98 users. There are still >> lingering authentication problems AND printing doesn't work. > >richard tracked down the auth issues. can you give more [specific] >details about printing? There are two that I am aware of: 1. Seems to get confused about the GID of the user and fails, at least on Linux 2. Still has bugs we fixed 2.0.x a month or so ago (screws up on setting the various printing parameters). >thx, > >luke > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From sharpe at ns.aus.com Mon Feb 21 05:15:03 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: References: Message-ID: <3.0.6.32.20000221151503.0085a5c0@203.16.214.248> At 07:32 AM 2/22/00 +1100, Luke Kenneth Casson Leighton wrote: >On Tue, 22 Feb 2000, Gregory Leblanc wrote: > >> I read all the messages, but I'm still not clear. What is and isn't working >> with regards to Win9x machines logging into a TNG PDC? If it's not working, >> do you guys still need a netmon trace? I'm at work today with my PDC and >> 250 workstations, so I can get any kind of login traces you might want, but >> that's not to say that I can make heads or tails of them. > >:) thx. richard fixed auth over the weekend. someone else reported >printing not working (needs more details). usrmgr.exe and srvmgr.exe >(win95 versions) don't work, probably related to GETDC request not being >right. I have a patch for that, but then svrmgr regards Samba TNG as a workstation. I will upload the patch soon. Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From s.striker at striker.nl Mon Feb 21 21:06:14 2000 From: s.striker at striker.nl (Sander Striker) Date: Tue Dec 2 02:28:43 2003 Subject: [RFC] LDAP user management tools In-Reply-To: Message-ID: >then, making these programs run as a swat-like daemon is absolutely >trivial. > >hmm. an interesting, intriguing project :) No Luke No. Not a new idea, please... :-) Sander From patl at cag.lcs.mit.edu Mon Feb 21 21:07:52 2000 
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti) Date: Tue Dec 2 02:28:43 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Richard Sharpe's message of "Mon, 21 Feb 2000 15:12:11 +1000" References: <3.0.6.32.20000221151211.00996320@203.16.214.248> Message-ID: Richard Sharpe writes: > >When I fixed this, my logon scripts started working again. > > > >My patch is appended; rewrite it as you see fit... > > Hmmm, that is interesting, because logon scripts worked for me in an all > Samba-TNG after I fixed the auth problem ... Slightly different copies of the CVS tree, perhaps? Or different authentication mechanisms? (I am using smbpasswd.) My changes are pretty simple, and I swear they *do* fix my problem. Before my patch, I was seeing empty strings for the logon script, the home share, and so forth. Digging a little deeper, the function pwdb_smb_to_sam() in sampassdb.c uses a bunch of uninitialized local static variables (home_dir, home_drive, logon_script, etc.) These locals are arrays of char, which is where my empty strings were coming from; see the call to pwdb_smb_to_sam() in getsamfile21pwent(). (I just double-checked all this with a freshly-checked-out copy of TNG.) What's up with those uninitialized static char arrays? They are guaranteed to be zero, but there are better ways to get the various pw_buf fields set to empty strings if that is the goal... - Pat From jblyberg at marco.com Mon Feb 21 21:11:23 2000 From: jblyberg at marco.com (John F. Blyberg) Date: Tue Dec 2 02:28:43 2003 Subject: using samedit In-Reply-To: Message-ID: <000501bf7cb0$35e87ba0$eb0b170a@johnb.marco.com> Thanks for your response, but if that is the case, how do you add a machine to the domain? Also, where can I find more in-depth documentation on tng than what comes with it? -----Original Message----- 
From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Luke Kenneth Casson Leighton Sent: Monday, February 21, 2000 3:55 PM To: Multiple recipients of list SAMBA-NTDOM Subject: Re: using samedit On Tue, 22 Feb 2000, John F. Blyberg wrote: > Hi, > > I've recently tried to install samba-tng-0.5. The readme states that you > must first run: > bin/smbpasswd -a -m your_samba_server_name > ok, so I do that, but -m is disabled, so I then run: > samedit createuser my_server$ not needed any more. From lkcl at samba.org Mon Feb 21 21:13:05 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: <3.0.6.32.20000221151503.0085a5c0@203.16.214.248> Message-ID: > I have a patch for that, but then svrmgr regards Samba TNG as a workstation. that's ok, i know what that is, i'll fix it. From lkcl at samba.org Mon Feb 21 21:18:38 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: <3.0.6.32.20000221151503.0085a5c0@203.16.214.248> Message-ID: > I have a patch for that, but then svrmgr regards Samba TNG as a workstation. richard, i added code that will say "server" or "workstation", can you cvs update, try again? thx. From sharpe at ns.aus.com Mon Feb 21 06:03:26 2000 
From: sharpe at ns.aus.com (Richard Sharpe) Date: Tue Dec 2 02:28:43 2003 Subject: Printing in TNG In-Reply-To: <3.0.6.32.20000221131955.009207f0@pop.pacificnet.net> References: <38B169BC.D5A1AC17@cc.uit.no> Message-ID: <3.0.6.32.20000221160326.0099c910@203.16.214.248> At 05:37 AM 2/22/00 +1100, Steve Litt wrote: >Inge, > >What you describe is the as-designed performance of Samba as configured by >the Red Hat distro. With Red Hat, you need to hard code printing, print >command, and any other commands you regularly use (lprm command, for >instance). You'll also need to change the printcap name= to /etc/printcap. >If you get a SWAT problem mentioning lpstat, the printcap name= change will >fix it. Hmmm, a small correction. With the old versions of Samba, this is true. The RH 2.0.3 RPM did have a bug like Inge describes below, but an upgrade to 2.0.5a fixes that problem. However, there was also an underlying bug in Samba (fixed in 2.0.7, I think) where we were handling various printing-related parameters correctly. >As an alternative, I download the Samba 2.0.x .tgz and compile and make. >I've found that to yield a better setup, and it doesn't default to sysv >printing. > >Steve Litt > >At 03:50 AM 02/22/2000 +1100, Inge-Håvard Hunstad wrote: >>When I try to change printing system from the default "sysv" to "bsd" in >>smb.conf the printing commands doesn't seem to change. When I run >>testparm after changing the "printing" parameter it looks like this: >> >> print ok = No >> postscript = No >> printing = bsd >> print command = lp -c -d%p %s; rm %s >> lpq command = lpstat -o%p >> lprm command = cancel %p-%j >> lppause command = lp -i %p-%j -H hold >> lpresume command = lp -i %p-%j -H resume >> queuepause command = lpc stop %p >> queueresume command = lpc start %p >> printer name = >> printer driver = NULL >> printer driver location = >> >>At least I didn't know that BSD printing used lp and lpstat so I think >>there is an error somewhere. >> >>Thanks for all help. 
>> >>inge >> >> >>smb.conf global section: >> >>#======================= Global Settings >>===================================== >>[global] >>ldap suffix = "ou=People,dc=student,dc=uit,dc=no" >>ldap bind as = "uid=manager,dc=student,dc=uit,dc=no" >>ldap passwd file = /opt/samba-tng/private/ldappasswd >>ldap server = localhost >>ldap port = 389 >>workgroup = LDAP >>netbios name = >>server string = Samba %v >>hosts allow = XXX.XXX.X. XXX.XXX.XX. 127. >>printcap name = /etc/printcap >>load printers = yes >>printing = BSD >>log level = 0 >>log file = /opt/samba-tng/var/log.%m >>max log size = 5000 >>security = user >>null passwords = No >>encrypt passwords = yes >>local master = Yes >>os level = 65 >>domain master = yes >>preferred master = yes >>domain logons = yes >>name resolve order = wins lmhosts bcast >>logon path = \\\Profiles\users.man >>logon home = \\\%U >>logon drive = H: >>Wins server = XXX.XXX.XX.XX >>Dns Proxy = No >>interfaces = XXX.XXX.XXX.XXX/24 >> >> >> >>-- >>Inge-Håvard Hunstad >>email: inge@cc.uit.no >>Tlf: 77646527 >>(intern nr. UiT: 6527) >> > > Regards ------- Richard Sharpe, sharpe@ns.aus.com, Master Linux Administrator :-), Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org) Co-author, SAMS Teach Yourself Samba in 24 Hours Author: First Australian 5-day, intensive, hands-on Linux SysAdmin course Author: First Australian 2-day, intensive, hands-on Samba course From karl at Denninger.Net Mon Feb 21 21:35:45 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 07:32:53AM +1100 References: Message-ID: <20000221153545.A63842@Denninger.Net> On Tue, Feb 22, 2000 at 07:32:53AM +1100, Luke Kenneth Casson Leighton wrote: > On Tue, 22 Feb 2000, Gregory Leblanc wrote: > > > I read all the messages, but I'm still not clear. What is and isn't working > > with regards to Win9x machines logging into a TNG PDC? If it's not working, > > do you guys still need a netmon trace? I'm at work today with my PDC and > > 250 workstations, so I can get any kind of login traces you might want, but > > that's not to say that I can make heads or tails of them. > > :) thx. richard fixed auth over the weekend. someone else reported > printing not working (needs more details). usrmgr.exe and srvmgr.exe > (win95 versions) don't work, probably related to GETDC request not being > right. > I can't build the current version... it blows up with: Compiling rpcclient/rpcclient.c rpcclient/rpcclient.c: In function `main': rpcclient/rpcclient.c:768: Internal compiler error in `build_insn_chain', at global.c:1756 Please submit a full bug report. See for instructions. *** Error code 1 Stop in /disk/develop.new/samba/samba/source. FreeBSD Genesis.Denninger.Net 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Tue Jan 18 16:12:18 CST 2000 karl@Genesis.Denninger.Net:/usr/src/sys/compile/KARL i386 A pretty current FreeBSD machine... -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! From mgeddes at xavier.sa.edu.au Mon Feb 21 21:55:08 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:43 2003 Subject: using samedit References: <000501bf7cb0$35e87ba0$eb0b170a@johnb.marco.com> Message-ID: <38B1B43C.E8D7DF3E@xavier.sa.edu.au> "John F. Blyberg" wrote: > > Thanks for your response, but if that is the case, how do you add a machine > to the domain? > > Also, where can I find more in-depth documentation on tng than what comes > with it? Errr. Want to help write it? Check out Lars Kneschke's (Wonderful) Samba TNG FAQ at http://www.kneschke.de/projekte/samba_tng/ It's good. Matt "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Mon Feb 21 21:57:08 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: [RFC] LDAP user management tools In-Reply-To: Message-ID: On Mon, 21 Feb 2000, Sander Striker wrote: > >then, making these programs run as a swat-like daemon is absolutely > >trivial. > > > >hmm. an interesting, intriguing project :) > > No Luke No. Not a new idea, please... :-) it's not, it's an old one (over 2 years), re-voiced. From jblyberg at marco.com Mon Feb 21 21:57:59 2000 
From: jblyberg at marco.com (John F. Blyberg) Date: Tue Dec 2 02:28:43 2003 Subject: rpcclient badpipe to lsarpc Message-ID: <000001bf7cb6$b830ef10$eb0b170a@johnb.marco.com> Hi, I'm still getting this error from the rpcclient log. I don't know what I am doing wrong, or where I should go to correct it. *PENGUIN is the linux server netbios name. socket connect to /tmp/.smb.0/agent failed: Connection refused cli_nt_session_open: cli_open failed on pipe \PIPE\samr to machine *PENGUIN. Error was ERRDOS - ERRbadpipe ncacn_np_use_add: connection failed cli_nt_session_open: cli_open failed on pipe \PIPE\lsarpc to machine *PENGUIN. Error was ERRDOS - ERRbad pipe ncacn_np_use_add: connection failed --------- John Blyberg Michigan Automotive Research Corp. 734/995-2544 ext. 227 jblyberg@marco.com From lkcl at samba.org Mon Feb 21 21:58:06 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Samba 2.0.6 & W2000Pro In-Reply-To: <3.0.6.32.20000221151047.0098ce90@203.16.214.248> Message-ID: On Tue, 22 Feb 2000, Richard Sharpe wrote: > At 06:55 AM 2/22/00 +1100, Luke Kenneth Casson Leighton wrote: > >On Tue, 22 Feb 2000, Karl Denninger wrote: > > > >> TNG does not yet work properly for Win95/98 users. There are still > >> lingering authentication problems AND printing doesn't work. > > > >richard tracked down the auth issues. can you give more [specific] > >details about printing? > > There are two that I am aware of: > > 1. Seems to get confused about the GID of the user and fails, at least on > Linux that is either a config problem OR it's to do with the use of standard_sub_vuser(). it may not be working as expected. From lkcl at samba.org Mon Feb 21 21:58:53 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: <3.0.6.32.20000221151503.0085a5c0@203.16.214.248> Message-ID: > I have a patch for that, but then svrmgr regards Samba TNG as a workstation. i fixed this. From lkcl at samba.org Mon Feb 21 22:00:19 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: using samedit In-Reply-To: <000501bf7cb0$35e87ba0$eb0b170a@johnb.marco.com> Message-ID: On Mon, 21 Feb 2000, John F. Blyberg wrote: > Thanks for your response, but if that is the case, how do you add a machine > to the domain? createuser memberserver$. it's just you don't need it for the samba server itself, any more. From lkcl at samba.org Mon Feb 21 22:03:38 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: (M)IDL compiler Message-ID: there were a couple of people i know who were interested in such a project. please speak now (again), on samba-technical, if you were or are. thx, luke From karl at Denninger.Net Mon Feb 21 22:04:28 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 07:32:53AM +1100 References: Message-ID: <20000221160428.A66713@Denninger.Net> Ok, what am I doing wrong. I just CVS'd a new copy of TNG. The version claims to be "pre-3.0.0", so I assume it's correct. The configure/makefile pleasantly put the files in a different base under /usr/local/samba (thank you!), making it possible for me to leave alone my 2.0.6 config. So I do that, change inetd.conf, kill the existing daemons and hit inetd, and then hit the disk. It fails, as expected (no password entry). So I move the password entry for my current logged-in user on the workgroup from Win2K, and reclick the drive. It comes up. So at this point I know that file service is actually working off TNG (because it had to read the new config and control files). Now I go try to connect to the domain and get a bunch of: [2000/02/21 16:00:43, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) process_logon_packet: Logon from 192.168.3.1: code = 12 [2000/02/21 16:00:43, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) process_logon_packet: Logon from 192.168.3.1: code = 12 [2000/02/21 16:00:48, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) process_logon_packet: Logon from 192.168.3.1: code = 12 Exactly what I was getting under 2.0.6! What did I do wrong? -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! From lkcl at samba.org Mon Feb 21 22:05:14 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: TNG works with Win2k, fails with Win98 In-Reply-To: Message-ID: ah. yes. see andrew's post to samba-technical regarding the development and use of talloc, for details. On Tue, 22 Feb 2000, Patrick J. LoPresti wrote: > Richard Sharpe writes: > > > >When I fixed this, my logon scripts started working again. > > > > > >My patch is appended; rewrite it as you see fit... > > > > Hmmm, that is interesting, because logon scripts worked for me in an all > > Samba-TNG after I fixed the auth problem ... > > Slightly different copies of the CVS tree, perhaps? Or different > authentication mechanisms? (I am using smbpasswd.) > > My changes are pretty simple, and I swear they *do* fix my problem. > Before my patch, I was seeing empty strings for the logon script, the > home share, and so forth. > > Digging a little deeper, the function pwdb_smb_to_sam() in sampassdb.c > uses a bunch of uninitialized local static variables (home_dir, > home_drive, logon_script, etc.) These locals are arrays of char, > which is where my empty strings were coming from; see the call to > pwdb_smb_to_sam() in getsamfile21pwent(). > > (I just double-checked all this with a freshly-checked-out copy of > TNG.) > > What's up with those uninitialized static char arrays? They are > guaranteed to be zero, but there are better ways to get the various > pw_buf fields set to empty strings if that is the goal... > > - Pat > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 22:05:51 2000 
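The NULL-versus-empty behaviour Pat describes in the message quoted above, as an added C example (not Samba-TNG code and not part of any post): struct acct, load_record() and the default values are hypothetical stand-ins, and only the string_empty() test mirrors the helper in his patch.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical account record; a stand-in for the "user" structure
   discussed in the thread, not Samba-TNG's definition. */
struct acct {
    const char *logon_script;
    const char *home_dir;
};

/* Constructed defaults standing in for values read from smb.conf. */
static const char DEF_SCRIPT[] = "logon.bat";
static const char DEF_HOME[]   = "\\\\server\\home";

/* The same test the posted patch introduces. */
static int string_empty(const char *s)
{
    return s == NULL || *s == '\0';
}

/* Hypothetical converter that hands out pointers into static buffers.
   Objects with static storage are zero-initialised, so an unfilled
   buffer is the empty string "" and its address is never NULL. */
static void load_record(struct acct *a, const char *stored_script)
{
    static char logon_script[64];
    static char home_dir[64];

    logon_script[0] = '\0';
    home_dir[0] = '\0';
    if (stored_script != NULL)
        snprintf(logon_script, sizeof(logon_script), "%s", stored_script);

    a->logon_script = logon_script;
    a->home_dir = home_dir;
}

/* Pre-patch logic: only a NULL pointer counts as "not filled in". */
static void fill_defaults_null_check(struct acct *a)
{
    if (a->logon_script == NULL)
        a->logon_script = DEF_SCRIPT;
    if (a->home_dir == NULL)
        a->home_dir = DEF_HOME;
}

/* Patched logic: NULL and "" both count as "not filled in". */
static void fill_defaults_empty_check(struct acct *a)
{
    if (string_empty(a->logon_script))
        a->logon_script = DEF_SCRIPT;
    if (string_empty(a->home_dir))
        a->home_dir = DEF_HOME;
}

/* Return the logon script a client would be given for a stored value
   (NULL means the backend stored nothing for this account). */
const char *script_after_null_check(const char *stored)
{
    struct acct a;
    load_record(&a, stored);
    fill_defaults_null_check(&a);
    return a.logon_script;
}

const char *script_after_empty_check(const char *stored)
{
    struct acct a;
    load_record(&a, stored);
    fill_defaults_empty_check(&a);
    return a.logon_script;
}

int main(void)
{
    /* Nothing stored: the NULL test never fires, the default is lost. */
    printf("NULL test,  nothing stored: \"%s\"\n", script_after_null_check(NULL));
    /* Same record, empty-string test: the default is applied. */
    printf("empty test, nothing stored: \"%s\"\n", script_after_empty_check(NULL));
    /* A stored value survives both variants. */
    printf("empty test, custom.bat    : \"%s\"\n", script_after_empty_check("custom.bat"));
    /* Side effect: a deliberately empty value is also overridden. */
    printf("empty test, stored \"\"     : \"%s\"\n", script_after_empty_check(""));
    return 0;
}
```

The last case is the trade-off of the empty-string test: once "" means "unset", an account cannot opt out of a configured default by storing an empty value.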
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: using samedit In-Reply-To: <000501bf7cb0$35e87ba0$eb0b170a@johnb.marco.com> Message-ID: > Also, where can I find more in-depth documentation on tng than what comes > with it? eh he. anyone want to write this? lars' faq, see source/README for url. From lkcl at samba.org Mon Feb 21 22:12:24 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221153545.A63842@Denninger.Net> Message-ID: karl, there _isn't_ a line 768 in rpcclient.c., it only has 40 lines in it. do a cvs co (a new one), delete whatever you had before. On Mon, 21 Feb 2000, Karl Denninger wrote: > On Tue, Feb 22, 2000 at 07:32:53AM +1100, Luke Kenneth Casson Leighton wrote: > > On Tue, 22 Feb 2000, Gregory Leblanc wrote: > > > > > I read all the messages, but I'm still not clear. What is and isn't working > > > with regards to Win9x machines logging into a TNG PDC? If it's not working, > > > do you guys still need a netmon trace? I'm at work today with my PDC and > > > 250 workstations, so I can get any kind of login traces you might want, but > > > that's not to say that I can make heads or tails of them. > > > > :) thx. richard fixed auth over the weekend. someone else reported > > printing not working (needs more details). usrmgr.exe and srvmgr.exe > > (win95 versions) don't work, probably related to GETDC request not being > > right. > > > > I can't build the current version... it blows up with: > > Compiling rpcclient/rpcclient.c > rpcclient/rpcclient.c: In function `main': > rpcclient/rpcclient.c:768: Internal compiler error in `build_insn_chain', at > global.c:1756 > Please submit a full bug report. > See for > instructions. > *** Error code 1 > > Stop in /disk/develop.new/samba/samba/source. > > FreeBSD Genesis.Denninger.Net 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Tue Jan 18 16:12:18 CST 2000 karl@Genesis.Denninger.Net:/usr/src/sys/compile/KARL i386 > > > A pretty current FreeBSD machine... > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. 
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Mon Feb 21 22:16:53 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221160428.A66713@Denninger.Net> Message-ID: yes, but if you look at the responses coming back, you'll find that they are different. run with 2.0.6 nmbd for now, the rest samba tng, you should be ok with that, except if you have a mixed nt and 9x environment. one or the other, not both, for now. sorry. On Mon, 21 Feb 2000, Karl Denninger wrote: > Ok, what am I doing wrong. > > I just CVS'd a new copy of TNG. The version claims to be "pre-3.0.0", so I > assume it's correct. > > The configure/makefile pleasantly put the files in a different base under > /usr/local/samba (thank you!), making it possible for me to leave alone my > 2.0.6 config. > > So I do that, change inetd.conf, kill the existing daemons and hit inetd, > and then hit the disk. It fails, as expected (no password entry). > > So I move the password entry for my current logged-in user on the workgroup > from Win2K, and reclick the drive. It comes up. > > So at this point I know that file service is actually working off TNG > (because it had to read the new config and control files). > > Now I go try to connect to the domain and get a bunch of: > > [2000/02/21 16:00:43, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) > process_logon_packet: Logon from 192.168.3.1: code = 12 > [2000/02/21 16:00:43, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) > process_logon_packet: Logon from 192.168.3.1: code = 12 > [2000/02/21 16:00:48, 1] nmbd/nmbd_processlogon.c:process_logon_packet(69) > process_logon_packet: Logon from 192.168.3.1: code = 12 > > Exactly what I was getting under 2.0.6! > > What did I do wrong? > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! 
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Mon Feb 21 22:18:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:43 2003
Subject: rpcclient badpipe to lsarpc
In-Reply-To: <000001bf7cb6$b830ef10$eb0b170a@johnb.marco.com>
Message-ID:

if you get the cli_nt_session_open error, it means you're not running samr
or lsarpc services. are you running samrd and lsarpcd? read lars' FAQ,
thx.

On Tue, 22 Feb 2000, John F. Blyberg wrote:

> Hi, I'm still getting this error from the rpcclient log. I don't know what
> I am doing wrong, or where I should go to correct it.
> *PENGUIN is the linux server netbios name.
>
> socket connect to /tmp/.smb.0/agent failed: Connection refused
> cli_nt_session_open: cli_open failed on pipe \PIPE\samr to machine *PENGUIN.
> Error was ERRDOS - ERRbadpipe
> ncacn_np_use_add: connection failed
> cli_nt_session_open: cli_open failed on pipe \PIPE\lsarpc to machine
> *PENGUIN. Error was ERRDOS - ERRbad pipe
> ncacn_np_use_add: connection failed
>
> ---------
> John Blyberg
> Michigan Automotive Research Corp.
> 734/995-2544 ext. 227
> jblyberg@marco.com
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From karl at Denninger.Net Mon Feb 21 22:21:18 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:43 2003
Subject: Win9x and TNG status?
In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 09:12:24AM +1100
References: <20000221153545.A63842@Denninger.Net>
Message-ID: <20000221162118.A67081@Denninger.Net>

I figured that part out.

I had the current branch, not TNG.

I'm re-CVSing and will report back in a while when I've had the chance to
beat the snot out of it for a while.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Tue, Feb 22, 2000 at 09:12:24AM +1100, Luke Kenneth Casson Leighton wrote:
> karl, there _isn't_ a line 768 in rpcclient.c., it only has 40 lines in
> it.
>
> do a cvs co (a new one), delete whatever you had before.
>
> On Mon, 21 Feb 2000, Karl Denninger wrote:
>
> > On Tue, Feb 22, 2000 at 07:32:53AM +1100, Luke Kenneth Casson Leighton wrote:
> > > On Tue, 22 Feb 2000, Gregory Leblanc wrote:
> > >
> > > > I read all the messages, but I'm still not clear. What is and isn't working
> > > > with regards to Win9x machines logging into a TNG PDC? If it's not working,
> > > > do you guys still need a netmon trace? I'm at work today with my PDC and
> > > > 250 workstations, so I can get any kind of login traces you might want, but
> > > > that's not to say that I can make heads or tails of them.
> > >
> > > :) thx. richard fixed auth over the weekend. someone else reported
> > > printing not working (needs more details). usrmgr.exe and srvmgr.exe
> > > (win95 versions) don't work, probably related to GETDC request not being
> > > right.
> > >
> >
> > I can't build the current version... it blows up with:
> >
> > Compiling rpcclient/rpcclient.c
> > rpcclient/rpcclient.c: In function `main':
> > rpcclient/rpcclient.c:768: Internal compiler error in `build_insn_chain', at
> > global.c:1756
> > Please submit a full bug report.
> > See for
> > instructions.
> > *** Error code 1
> >
> > Stop in /disk/develop.new/samba/samba/source.
> >
> > FreeBSD Genesis.Denninger.Net 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Tue Jan 18 16:12:18 CST 2000 karl@Genesis.Denninger.Net:/usr/src/sys/compile/KARL i386
> >
> >
> > A pretty current FreeBSD machine...
> >
> > --
> > --
> > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
> > Isn't it time we started putting KIDS first? See the above URL for
> > a plan to do exactly that!
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

From lkcl at samba.org Mon Feb 21 22:34:59 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:43 2003
Subject: Win9x and TNG status?
In-Reply-To: <20000221162118.A67081@Denninger.Net>
Message-ID:

On Mon, 21 Feb 2000, Karl Denninger wrote:

> I figured that part out.
>
> I had the current branch, not TNG.
>
> I'm re-CVSing and will report back in a while when I've had the chance to
> beat the snot out of it for a while.

very cool. if you REALLY want to give tng (or any other system) a
difficult time, do make bin/rpctorture.

if anyone else wants to try this, i'd really appreciate some feedback.

rpctorture is part of the same suite / family as rpcclient, samedit,
regedit etc. so it takes the same command-line arguments.

two special _extra_ arguments to rpctorture are -N numberofforkedprocesses
-o numberofoperations.

you can specify these at the start of any rpctorture command, and they
will be set as the defaults and used for the current and subsequent
commands.

e.g:

rpcclient -S ntsrv -U% -l log
[ntsrv$ ] logintest -N 100 -o 100 DOMAINNAME\user password

this will do 10,000 interactive NT logins - 100 of them in parallel, 100
times.

i like doing this to NT, it tends to creak, croak and only accept 28
incoming connections. of those 28 incoming connections, it rejects most
of them because of internal bottlenecks on SMB, \PIPE\NETLOGON and
internal resources.

last time i checked, NT only actually completed about... something like...
600 of the requested 10,000 logins. actually, i think it was 100,000 that
i requested, only 500-600 succeeded.

TNG fares a little better, except that i came across a bug in tdb that
causes it to fail, and _stay_ failed. if anyone can repro this, please
SAVE your netlogoncreds.tdb file because we REALLY need to track this
down.

thx,

luke

From Jean-Francois.Micouleau at dalalu.fr Mon Feb 21 22:38:21 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:43 2003
Subject: NT Print sharing
In-Reply-To: <451F628D6C94D2119B650004AC4C4B42281623@EXCHANGE>
Message-ID:

On Tue, 22 Feb 2000, Gerstacker, Steve wrote:

> My sys admin asked me to set up a linux print server on our NT Domain.
> Later I found out that you can't print share with NT because you have to be a
> super user to add the printers. Will there ever be a way to just double
> click to add the printers to an NT Machine???

yes. And you won't need to add the printers to the NT machines at all. The
drivers will be downloaded at print time.

J.F.

From cartegw at Eng.Auburn.EDU Mon Feb 21 22:39:21 2000
From: cartegw at Eng.Auburn.EDU (Gerald W. Carter)
Date: Tue Dec 2 02:28:43 2003
Subject: [RFC] LDAP user management tools
In-Reply-To: <38B179E2.B6E3F120@cc.uit.no>
Message-ID:

On Mon, 21 Feb 2000, [iso-8859-1] Inge-Håvard Hunstad wrote:

> Gerald Carter wrote:
> >
> > I'm in the process of building some tools
> > for manipulating users in a Samba LDAP account
> > backend. This will most likely be in Perl
> > using the Mozilla::LDAP module.
> >
>
> Is it rude of me asking how did it go? Was the interest so low that it
> wasn't worth finishing or did you try to implement it and have a tool
> ready for alpha or beta testing? If the latter is true then I'm willing
> to try it:)

Well...I wrote an initial script and got distracted by other things.
Right now we are in the process of pushing into LDAP very hard. So I've
picked it back up. It's not ready for any release yet. Only command line
driven at the moment (no GUI stuff).

Let me work out some other things and send you a copy of what I have
sometime in the next few days ok?

Cheers, jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services Auburn University
jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From s.striker at striker.nl Mon Feb 21 23:07:26 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:43 2003
Subject: [RFC] LDAP user management tools
In-Reply-To:
Message-ID:

>On Mon, 21 Feb 2000, Sander Striker wrote:
>
>> >then, making these programs run as a swat-like daemon is absolutely
>> >trivial.
>> >
>> >hmm. an interesting, intriguing project :)
>>
>> No Luke No. Not a new idea, please... :-)
>
>it's not, it's an old one (over 2 years), re-voiced.

:-) :-)

Ok. Ok. You win, just put it in the freezer for now, until after the
big code freeze. Any ideas on when this is expected?

Sander

From lkcl at samba.org Mon Feb 21 23:07:28 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:43 2003
Subject: [samba-tng] status
In-Reply-To:
Message-ID:

> >it's not, it's an old one (over 2 years), re-voiced.
>
> :-) :-)
>
> Ok. Ok. You win, just put it in the freezer for now, until after the
> big code freeze. Any ideas on when this is expected?

well, i've basically been idling along now for over a week, just tinkering
and fixing things that people report. so it's kind-of already in effect.

if i get bored, there's always samrtdb (which doesn't affect anyone else
but me, it's not enabled by default).

i'm still taking in code clean-ups and mini-useful stuff from elrond,
sander and others.

i still have the "reestablish dce/rpc connection" code to do, i haven't
even started investigating this, i'm still thinking about it [including
whether to do it].

what else.. there's still a surs implementation to do, and that's a
simple, simple bit of code -- behind an API, in a separate library
_anyway-.

tim [potter], do you want to try and write an algorithmic combined
"mydomain plus BUILTIN" domain thing? maybe reserving a range of gids for
the BUILTIN domain's use?

From s.striker at striker.nl Mon Feb 21 23:30:27 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:43 2003
Subject: [samba-tng] status
In-Reply-To:
Message-ID:

>well, i've basically been idling along now for over a week, just tinkering
>and fixing things that people report. so it's kind-of already in effect.

A whole week, if now you could hear yourself talking... :-)

>if i get bored, there's always samrtdb (which doesn't affect anyone else
>but me, it's not enabled by default).

You will get bored, and you know it. *big smile*

>i'm still taking in code clean-ups and mini-useful stuff from elrond,
>sander and others.

Hmm. Yes, I still need to do something in that area too. :-(

>i still have the "reestablish dce/rpc connection" code to do, i haven't
>even started investigating this, i'm still thinking about it [including
>whether to do it].

This is useful to code up, I guess.

>what else.. there's still a surs implementation to do, and that's a
>simple, simple bit of code -- behind an API, in a separate library
>_anyway-.

Heh heh, so you can freeze and still play around :-)

Sander

From Jean-Francois.Micouleau at dalalu.fr Mon Feb 21 23:23:52 2000
From: Jean-Francois.Micouleau at dalalu.fr (Jean Francois Micouleau)
Date: Tue Dec 2 02:28:43 2003
Subject: Win9x and TNG status?
In-Reply-To:
Message-ID:

On Tue, 22 Feb 2000, Luke Kenneth Casson Leighton wrote:

> karl, there _isn't_ a line 768 in rpcclient.c., it only has 40 lines in
> it.

there is. after the preprocessor has run.

look again at his report, that's a compiler bug. What gcc version is that ?
egcs 2.95-something ?

> > Compiling rpcclient/rpcclient.c
> > rpcclient/rpcclient.c: In function `main':
> > rpcclient/rpcclient.c:768: Internal compiler error in `build_insn_chain', at
> > global.c:1756
> > Please submit a full bug report.
> > See for
> > instructions.
> > *** Error code 1

From karl at Denninger.Net Mon Feb 21 23:25:26 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:43 2003
Subject: Win9x and TNG status?
In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 10:21:11AM +1100
References: <20000221162118.A67081@Denninger.Net>
Message-ID: <20000221172526.A22369@Denninger.Net>

Well, now with TNG, I get this on attempting to start nmbd:

NetBIOS name list:-
my_netbios_names[0]="GENESIS"
lp_file_list_changed()
file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf last mod_time: Mon Feb 21 17:18:12 2000
set_samba_nb_type: 0
standard input is not a socket, assuming -D option
Becoming a daemon.
fcntl_lock 4 8 0 1 3
Lock call successful
Opening sockets 137
bind succeeded on port 137
bind succeeded on port 138
open_sockets: Broadcast sockets opened.
Added interface ip=192.168.0.0 bcast=192.168.255.255 nmask=255.255.0.0
bind failed on port 137 socket_addr=192.168.0.0 (Can't assign requested address)
nmbd_subnetdb:make_subnet()
Failed to open nmb socket on interface 192.168.0.0 for port 137. Error was Can't assign requested address
ERROR: Failed when creating subnet lists. Exiting.

Barf.

That IS a valid address on that interface, the mask was right, and it
worked with 2.0.6!

SMBD appears to work (after it was restarted I could see the shares again)

Ideas?

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Tue, Feb 22, 2000 at 10:21:11AM +1100, Luke Kenneth Casson Leighton wrote:
> On Mon, 21 Feb 2000, Karl Denninger wrote:
>
> > I figured that part out.
> >
> > I had the current branch, not TNG.
> >
> > I'm re-CVSing and will report back in a while when I've had the chance to
> > beat the snot out of it for a while.
>
> very cool. if you REALLY want to give tng (or any other system) a
> difficult time, do make bin/rpctorture.
>
> if anyone else wants to try this, i'd really appreciate some feedback.
> > rpctorture is part of the same suite / family as rpcclient, samedit, > regedit etc. so it takes the same command-line arguments. > > two special _extra_ arguments to rpctorture are -N numberofforkedprocesses > -o numberofoperations. > > you can specify these at the start of any rpctorture command, and they > will be set as the defaults and used for the corrent and subsequent > commands. > > e.g: > > rpcclient -S ntsrv -U% -l log > [ntsrv$ ] logintest -N 100 -o 100 DOMAINNAME\user password > > this will do 10,000 interactive NT logins - 100 of them in parallel, 100 > times. > > i like doing this to NT, it tends to creak, croak and only accept 28 > incoming connections. of those 28 incoming connections, it rejects most > of them because of internal bottlenecks on SMB, \PIPE\NETLOGON and > internal resources. > > last time i checked, NT only actually completed about... something like... > 600 of the requested 10,000 logins. actually, i think it was 100,000 that > i requested, only 500-600 succeeded. > > TNG fares a little better, except that i came across a bug in tdb that > causes it to fail, and _stay_ failed. if anyone can repro this, please > SAVE your netlogoncreds.tdb file because we REALLY need to track this > down. > > thx, > > luke > From GLeblanc at cu-portland.edu Mon Feb 21 23:31:33 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? Message-ID: > -----Original Message----- 
> From: Luke Kenneth Casson Leighton [mailto:lkcl@samba.org] > Sent: Monday, February 21, 2000 3:21 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Win9x and TNG status? > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > I figured that part out. > > > > I had the current branch, not TNG. > > > > I'm re-CVSing and will report back in a while when I've had > the chance the > > beat the snot out of it for a while. > > very cool. if you REALLY want to give tng (or any other system) a > difficult time, do make bin/rpctorture. > > if anyone else wants to try this, i'd really appreciate some feedback. Well, if I get TNG going tonight, I'll run it at a TNG PDC. > > rpctorture is part of the same suite / family as rpcclient, samedit, > regedit etc. so it takes the same command-line arguments. > > two special _extra_ arguments to rpctorture are -N > numberofforkedprocesses > -o numberofoperations. > > you can specify these at the start of any rpctorture command, and they > will be set as the defaults and used for the corrent and subsequent > commands. > > e.g: > > rpcclient -S ntsrv -U% -l log > [ntsrv$ ] logintest -N 100 -o 100 DOMAINNAME\user password > > this will do 10,000 interactive NT logins - 100 of them in > parallel, 100 > times. > > i like doing this to NT, it tends to creak, croak and only accept 28 > incoming connections. of those 28 incoming connections, it > rejects most > of them because of internal bottlenecks on SMB, \PIPE\NETLOGON and > internal resources. > > last time i checked, NT only actually completed about... > something like... > 600 of the requested 10,000 logins. actually, i think it was > 100,000 that > i requested, only 500-600 succeeded. Uhm, what kind of hardware? Hopefully I can borrow an P166 type machine from work for an NT PDC, but the TNG server will be a dual-proc SPARC with 128MB of ram, running almost nothing else. 
>
> TNG fares a little better, except that i came across a bug in tdb that
> causes it to fail, and _stay_ failed. if anyone can repro
> this, please
> SAVE your netlogoncreds.tdb file because we REALLY need to track this
> down.

Again, if I can get this running (my incompetence is the barrier here :),
I'll leave it running tonight and all day tomorrow, and we'll see how fast
it brings that machine to its knees.

Greg

From lkcl at samba.org Mon Feb 21 23:36:27 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:43 2003
Subject: [samba-tng] status
In-Reply-To:
Message-ID:

> Heh heh, so you can freeze and still play around :-)

damn, someone noticed.

From lkcl at samba.org Mon Feb 21 23:38:37 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:43 2003
Subject: Win9x and TNG status?
In-Reply-To: <20000221172526.A22369@Denninger.Net>
Message-ID:

does anyone remember if this was an issue / fixed in 2.0.x?

> set_samba_nb_type: 0
> standard input is not a socket, assuming -D option
> Becoming a daemon.
> fcntl_lock 4 8 0 1 3
> Lock call successful
> Opening sockets 137
> bind succeeded on port 137
> bind succeeded on port 138
> open_sockets: Broadcast sockets opened.
> Added interface ip=192.168.0.0 bcast=192.168.255.255 nmask=255.255.0.0
> bind failed on port 137 socket_addr=192.168.0.0 (Can't assign requested address)
> nmbd_subnetdb:make_subnet()
> Failed to open nmb socket on interface 192.168.0.0 for port 137. Error was Can't assign requested address
> ERROR: Failed when creating subnet lists. Exiting.
>
> Barf.
>
> That IS a valid address on that interface, the mask was right, and it
> worked with 2.0.6!
>
> SMBD appears to work (after it was restarted I could see the shares again)
>
> Ideas?
>
> --
> --
> Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
> Isn't it time we started putting KIDS first? See the above URL for
> a plan to do exactly that!
>
>
> On Tue, Feb 22, 2000 at 10:21:11AM +1100, Luke Kenneth Casson Leighton wrote:
> > On Mon, 21 Feb 2000, Karl Denninger wrote:
> >
> > > I figured that part out.
> > >
> > > I had the current branch, not TNG.
> > >
> > > I'm re-CVSing and will report back in a while when I've had the chance to
> > > beat the snot out of it for a while.
> >
> > very cool. if you REALLY want to give tng (or any other system) a
> > difficult time, do make bin/rpctorture.
> >
> > if anyone else wants to try this, i'd really appreciate some feedback.
> >
> > rpctorture is part of the same suite / family as rpcclient, samedit,
> > regedit etc. so it takes the same command-line arguments.
> > > > two special _extra_ arguments to rpctorture are -N numberofforkedprocesses > > -o numberofoperations. > > > > you can specify these at the start of any rpctorture command, and they > > will be set as the defaults and used for the corrent and subsequent > > commands. > > > > e.g: > > > > rpcclient -S ntsrv -U% -l log > > [ntsrv$ ] logintest -N 100 -o 100 DOMAINNAME\user password > > > > this will do 10,000 interactive NT logins - 100 of them in parallel, 100 > > times. > > > > i like doing this to NT, it tends to creak, croak and only accept 28 > > incoming connections. of those 28 incoming connections, it rejects most > > of them because of internal bottlenecks on SMB, \PIPE\NETLOGON and > > internal resources. > > > > last time i checked, NT only actually completed about... something like... > > 600 of the requested 10,000 logins. actually, i think it was 100,000 that > > i requested, only 500-600 succeeded. > > > > TNG fares a little better, except that i came across a bug in tdb that > > causes it to fail, and _stay_ failed. if anyone can repro this, please > > SAVE your netlogoncreds.tdb file because we REALLY need to track this > > down. > > > > thx, > > > > luke > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From ed at schernau.com Mon Feb 21 23:59:11 2000 From: ed at schernau.com (Edward Schernau) Date: Tue Dec 2 02:28:43 2003 Subject: pam_ntdom via cvs Message-ID: <38B1D14F.7FB44DBE@schernau.com> there a howto somewhere? cvs doesn't work, and the cvsweb thingie on samba.org doesn't either. -- Edward Schernau http://www.schernau.com Network Architect mailto:ed@schernau.com Rational Computing Providence, RI, USA From karl at Denninger.Net Tue Feb 22 00:18:44 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:43 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 10:38:37AM +1100 References: <20000221172526.A22369@Denninger.Net> Message-ID: <20000221181844.A23312@Denninger.Net> It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that box and it works PERFECTLY. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 10:38:37AM +1100, Luke Kenneth Casson Leighton wrote: > dodes anyone remember if this was an issue / fixed in 2.0.x? > > > set_samba_nb_type: 0 > > standard input is not a socket, assuming -D option > > Becoming a daemon. > > fcntl_lock 4 8 0 1 3 > > Lock call successful > > Opening sockets 137 > > bind succeeded on port 137 > > bind succeeded on port 138 > > open_sockets: Broadcast sockets opened. > > Added interface ip=192.168.0.0 bcast=192.168.255.255 nmask=255.255.0.0 > > bind failed on port 137 socket_addr=192.168.0.0 (Can't assign requested address) > > nmbd_subnetdb:make_subnet() > > Failed to open nmb socket on interface 192.168.0.0 for port 137. Error was Can't assign requested address > > ERROR: Failed when creating subnet lists. Exiting. > > > > Barf. > > > > That IS a valid address on that interface, the mask was right, and it > > worked with 2.0.6! > > > > SMBD appears to work (after it was restarted I could see the shares again) > > > > Ideas? > > > > -- > > -- > > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > > Isn't it time we started putting KIDS first? See the above URL for > > a plan to do exactly that! > > > > > > On Tue, Feb 22, 2000 at 10:21:11AM +1100, Luke Kenneth Casson Leighton wrote: > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > > > I figured that part out. > > > > > > > > I had the current branch, not TNG. 
> > > > > > > > I'm re-CVSing and will report back in a while when I've had the chance the > > > > beat the snot out of it for a while. > > > > > > very cool. if you REALLY want to give tng (or any other system) a > > > difficult time, do make bin/rpctorture. > > > > > > if anyone else wants to try this, i'd really appreciate some feedback. > > > > > > rpctorture is part of the same suite / family as rpcclient, samedit, > > > regedit etc. so it takes the same command-line arguments. > > > > > > two special _extra_ arguments to rpctorture are -N numberofforkedprocesses > > > -o numberofoperations. > > > > > > you can specify these at the start of any rpctorture command, and they > > > will be set as the defaults and used for the corrent and subsequent > > > commands. > > > > > > e.g: > > > > > > rpcclient -S ntsrv -U% -l log > > > [ntsrv$ ] logintest -N 100 -o 100 DOMAINNAME\user password > > > > > > this will do 10,000 interactive NT logins - 100 of them in parallel, 100 > > > times. > > > > > > i like doing this to NT, it tends to creak, croak and only accept 28 > > > incoming connections. of those 28 incoming connections, it rejects most > > > of them because of internal bottlenecks on SMB, \PIPE\NETLOGON and > > > internal resources. > > > > > > last time i checked, NT only actually completed about... something like... > > > 600 of the requested 10,000 logins. actually, i think it was 100,000 that > > > i requested, only 500-600 succeeded. > > > > > > TNG fares a little better, except that i came across a bug in tdb that > > > causes it to fail, and _stay_ failed. if anyone can repro this, please > > > SAVE your netlogoncreds.tdb file because we REALLY need to track this > > > down. > > > > > > thx, > > > > > > luke > > > > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. 
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

From lkcl at samba.org Tue Feb 22 00:34:25 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:44 2003
Subject: Win9x and TNG status?
In-Reply-To:
Message-ID:

> > if anyone else wants to try this, i'd really appreciate some feedback.
>
> Well, if I get TNG going tonight, I'll run it at a TNG PDC.

cool. i'll be around, if you have questions.

> > 600 of the requested 10,000 logins. actually, i think it was
> > 100,000 that
> > i requested, only 500-600 succeeded.
>
> Uhm, what kind of hardware? Hopefully I can borrow an P166 type machine
> from work for an NT PDC, but the TNG server will be a dual-proc SPARC with
> 128MB of ram, running almost nothing else.

i was using a p166 or a p200 with 128mb ram.

> >
> > TNG fares a little better, except that i came across a bug in tdb that
> > causes it to fail, and _stay_ failed. if anyone can repro
> > this, please
> > SAVE your netlogoncreds.tdb file because we REALLY need to track this
> > down.
>
> Again, if I can get this running (my incompetence is the barrier here :),
> I'll leave it running tonight and all day tomorrow, and we'll see how fast
> it brings that machine to its knees.

check how many processes it can handle, you need one smbd, one netlogond
and one lsarpcd per user (not all at the same time, they are used and then
die pretty quick).

there's no logging of the number of successful or failed logins, so if you
output stdout to a file and count the number of "yeses" and "nos" with
some scripts...

also, remember rpctorture forks() too so if you want 100 connections,
that's 100 rpctortures, 100 smbds, about 50-80 netlogonds and 50-80
lsarpcds (depends on who's up and who's down, and when :)

doesn't apache keep a few daemons "on ice", on the select() loop?

From lkcl at samba.org Tue Feb 22 00:35:34 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:44 2003
Subject: Win9x and TNG status?
In-Reply-To: <20000221181844.A23312@Denninger.Net>
Message-ID:

On Mon, 21 Feb 2000, Karl Denninger wrote:

> It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that
> box and it works PERFECTLY.

yes, exactly. nmbd from tng is over two years old code. these kinds of
issues are likely to have been fixed, by now, if they were ever
encountered (likely).

From lkcl at samba.org Tue Feb 22 00:36:18 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:44 2003
Subject: pam_ntdom via cvs
In-Reply-To: <38B1D14F.7FB44DBE@schernau.com>
Message-ID:

http://samba.org/cvs.html.

On Tue, 22 Feb 2000, Edward Schernau wrote:

> there a howto somewhere? cvs doesn't work, and the cvsweb
> thingie on samba.org doesn't either.
> --
> Edward Schernau http://www.schernau.com
> Network Architect mailto:ed@schernau.com
> Rational Computing Providence, RI, USA
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From zen at uninet.net.id Tue Feb 22 01:05:28 2000
From: zen at uninet.net.id (ZEN el GUAY)
Date: Tue Dec 2 02:28:44 2003
Subject: Samba-TNG 0.5
In-Reply-To:
References:
Message-ID: <00022208072605.00599@zen.sphenisci.or.id>

On Tue, 22 Feb 2000, you wrote:

> if you are not running the daemons that are described as required in lars'
> FAQ, you will find that certain things will fail.
>
> as a reminder, if you want a PDC, you will need:
>
> - smbd
> - nmbd
> - samrd
> - netlogond
> - lsarpcd
> - winregd
> - wkssvcd
> - srvsvcd
> anything else is optional: these are not.
>

Yeup, thanks a lot. I begin to realize the difference between PDC and login
server only, the one that is implemented in 2.0.x.

--
ZEN
VP of Jakarta Linux User Group
zen@jakarta.linux.or.id
=================================
SPHEnisci Team
http://www.sphenisci.or.id
=================================
Make sure it's LINUX, and Do the SAMBA
(62-21) 845 5355
zen@uninet.net.id zen@sphenisci.or.id

From karl at Denninger.Net Tue Feb 22 01:08:37 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:44 2003
Subject: Win9x and TNG status?
In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 11:35:34AM +1100
References: <20000221181844.A23312@Denninger.Net>
Message-ID: <20000221190837.A24217@Denninger.Net>

Ah. Ok.

Well, since I can't see the commit logs (I'm checking out over the net, not
keeping the repository locally) someone is going to have to look at this one
for me.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Tue, Feb 22, 2000 at 11:35:34AM +1100, Luke Kenneth Casson Leighton wrote:
> On Mon, 21 Feb 2000, Karl Denninger wrote:
>
> > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that
> > box and it works PERFECTLY.
>
> yes, exactly. nmbd from tng is over two years old code. these kinds of
> issues are likely to have been fixed, by now, if they were ever
> encountered (likely).
>

From karl at Denninger.Net Tue Feb 22 01:25:45 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:44 2003
Subject: Win9x and TNG status?
In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 12:09:07PM +1100
References: <20000221181844.A23312@Denninger.Net>
Message-ID: <20000221192545.A31361@Denninger.Net>

Luke, I think I found it - there is a SO_REUSEPORT option in the 2.0.6 code
that is NOT present (test and structure definition) in lib/util_sock.c.

I'm attempting to patch in the appropriate lines from 2.0.6 and will advise.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Tue, Feb 22, 2000 at 12:09:07PM +1100, Luke Kenneth Casson Leighton wrote:
> On Mon, 21 Feb 2000, Karl Denninger wrote:
>
> > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that
> > box and it works PERFECTLY.
>
> yes, exactly. nmbd from tng is over two years old code. these kinds of
> issues are likely to have been fixed, by now, if they were ever
> encountered (likely).
>

From cartegw at Eng.Auburn.EDU Tue Feb 22 01:43:35 2000
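A triage helper for the nmbd startup log quoted in the messages above, added here as an example (it is not Samba code and was not posted to the list). It parses the "Added interface" and "bind failed" lines, reports whether each interface address is a host, network or broadcast address for its netmask, and maps the error text to its errno; the function names and the second, constructed log are assumptions of this example.

```python
"""Triage nmbd interface/bind lines (added example, not Samba code)."""
import errno
import ipaddress
import re

# Startup lines copied from the nmbd log quoted in this thread.
NMBD_LOG = """\
Opening sockets 137
bind succeeded on port 137
bind succeeded on port 138
open_sockets: Broadcast sockets opened.
Added interface ip=192.168.0.0 bcast=192.168.255.255 nmask=255.255.0.0
bind failed on port 137 socket_addr=192.168.0.0 (Can't assign requested address)
Failed to open nmb socket on interface 192.168.0.0 for port 137. Error was Can't assign requested address
"""

# Constructed sample for contrast: a host address and a port conflict.
CONSTRUCTED_LOG = """\
Added interface ip=192.168.0.10 bcast=192.168.255.255 nmask=255.255.0.0
bind failed on port 137 socket_addr=192.168.0.10 (Address already in use)
"""

IFACE_RE = re.compile(r"Added interface ip=(\S+) bcast=(\S+) nmask=(\S+)")
BIND_RE = re.compile(r"bind failed on port (\d+) socket_addr=(\S+) \((.+)\)")

# strerror() wording differs by platform ("Can't" on BSD, "Cannot" on Linux).
ERRNO_BY_TEXT = {
    "can't assign requested address": errno.EADDRNOTAVAIL,
    "cannot assign requested address": errno.EADDRNOTAVAIL,
    "address already in use": errno.EADDRINUSE,
    "permission denied": errno.EACCES,
}


def classify_address(ip, nmask):
    """Return 'host', 'network' or 'broadcast' for ip under nmask."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/{nmask}", strict=False)
    if net.prefixlen >= 31:
        # /31 and /32 have no separate network/broadcast addresses.
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def parse_log(text):
    """Collect interface declarations and bind failures from log text."""
    interfaces, failures = {}, []
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            ip, bcast, nmask = m.groups()
            interfaces[ip] = {"bcast": bcast, "nmask": nmask}
            continue
        m = BIND_RE.search(line)
        if m:
            failures.append({"port": int(m.group(1)),
                             "addr": m.group(2),
                             "text": m.group(3)})
    return interfaces, failures


def triage(text):
    """One finding per bind failure, joined with its interface line."""
    interfaces, failures = parse_log(text)
    findings = []
    for f in failures:
        code = ERRNO_BY_TEXT.get(f["text"].lower())
        iface = interfaces.get(f["addr"])
        role, bcast_ok = "unlisted", None
        if iface:
            role = classify_address(f["addr"], iface["nmask"])
            net = ipaddress.IPv4Network(f"{f['addr']}/{iface['nmask']}",
                                        strict=False)
            bcast_ok = str(net.broadcast_address) == iface["bcast"]
        findings.append({
            "port": f["port"],
            "addr": f["addr"],
            "errno": errno.errorcode.get(code, "UNKNOWN"),
            "role": role,            # what the logged ip is under the mask
            "bcast_ok": bcast_ok,    # logged bcast matches ip/nmask
            # Socket reuse options only change the outcome for EADDRINUSE.
            "reuse_option_relevant": code == errno.EADDRINUSE,
        })
    return findings


if __name__ == "__main__":
    for label, log in (("thread log", NMBD_LOG),
                       ("constructed log", CONSTRUCTED_LOG)):
        for finding in triage(log):
            print(label, finding)
```

bind() returns EADDRNOTAVAIL when the requested address is not configured on a local interface, while a port conflict that SO_REUSEADDR or SO_REUSEPORT can resolve is reported as EADDRINUSE.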
From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:44 2003 Subject: [Fwd: Usenix LISA NT 2000 conference Call for papers] Message-ID: <38B1E9C7.2294134F@eng.auburn.edu> Greetings everyone, This is a repost since the submission deadline has been extended. Probably need to have the abstract in by next Monday, February 28. Good opportunity to let others in the same field know what you're doing. Cheers, jerry -------- Original Message -------- Fyi folks, Last year I served as co-chair for this conference (LISA-NT). It provides a very good outlet for letting others know some of the extremely interesting sysadmin stuff you people are doing. And because you run Samba I know you are using Windows clients in some fashion. :-) This year's conference is in Seattle, Washington, USA, from July 30 - August 2. Should be a very good program with respect to technical content. I really believe some of you could offer a lot of input with regards to NT administration, deployment and integration. The deadline for paper proposals is February 16 (that gives you about one month). This deadline does **not** require a completed paper. Just an abstract and proposal is fine. The original call for papers is at http://www.usenix.org/events/lisa-nt2000/cfp/ Here's a blurb about the conference itself... > LISA-NT 2000 will bring together peers and experts in our > field to discuss leading edge solutions that have a proven track > record of working. LISA-NT is put together by and for > Windows NT administrators who need solutions to problems > such as integration, migration, security, and management using > today's technology. We invite you to submit technical papers as > well as proposals for invited talks, panel sessions, tutorials, > and work-in-progress reports. There are also opportunities for > Birds-of-a-Feather sessions and demonstrations of products > and solutions. 
Please review this call for papers, prepare a > submission, and join us in making LISA-NT 2000 the premiere > conference for system administrators of distributed NT-based > environments. If you have any specific questions regarding logistics, etc..., send mail to btw...I have presented two papers in the past involving Samba and Windows NT. If you want to see them as examples, the URL's are http://www.eng.auburn.edu/~cartegw/patch32/ and http://www.eng.auburn.edu/~cartegw/non-NT_PDC/ Cheers, jerry SAMBA Team ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From karl at Denninger.Net Tue Feb 22 01:50:32 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221192545.A31361@Denninger.Net>; from Karl Denninger on Tue, Feb 22, 2000 at 12:37:14PM +1100 References: <20000221181844.A23312@Denninger.Net> <20000221192545.A31361@Denninger.Net> Message-ID: <20000221195032.A76035@Denninger.Net> Well, the simple attempt (graft in the test and option set) didn't do it. Time to recompile with -g and have a go at this, unless someone else knows what's going on here. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 12:37:14PM +1100, Karl Denninger wrote: > Luke, > > I think I found it - there is a SO_REUSEPORT option in the 2.0.6 code that > is NOT present (test and structure definition) in lib/util_sock.c. I'm > attempting to patch in the appropriate lines from 2.0.6 and will advise. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 12:09:07PM +1100, Luke Kenneth Casson Leighton wrote: > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > box and it works PERFECTLY. > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > issues are likely to have been fixed, by now, if they were ever > > encountered (likely). > > From lkcl at samba.org Tue Feb 22 01:56:30 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Samba-TNG 0.5 In-Reply-To: <00022208072605.00599@zen.sphenisci.or.id> Message-ID: > > if you are not running the daemons that are described as required in lars' > > FAQ, you will find that certain things will fail. > > > > as a reminder, if you want a PDC, you will need: > > > > - smbd > > - nmbd > > - samrd > > - netlogond > > - lsarpcd > > - winregd > > - wkssvcd > > - srvsvcd > > anything else is optional: these are not. > > > > Yeup, thanks a lot. > I begin to realize the difference between PDC and login server only, the one > that implemented in 2.0.x. > np. btw, if you want to run with "security = domain", you will _still_ need lsarpcd. and if you want to have "local" accounts, you will _still_ need to run netlogond, winregd, etc etc. in order to use those accounts. if you're not sure what i mean, try accessing an NT workstation (joined to the domain) like this: net use \\ntwks\ipc$ /user:NTWKS\administrator From lkcl at samba.org Tue Feb 22 01:56:50 2000 
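A check for the failure that recurs in this thread, a domain join attempted with only some of the daemons started: the script below is an added example, not part of any message in the thread and not Samba-TNG code. It reads a process listing and reports which of the eight daemons named in the list above are absent; the function names, the sample listing and its /usr/local/samba/bin paths are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report which Samba-TNG PDC daemons are not running.
# The daemon names come from the list in the thread; everything else
# (function names, sample listing, install path) is an assumption.

REQUIRED_PDC_DAEMONS="smbd nmbd samrd netlogond lsarpcd winregd wkssvcd srvsvcd"

# Reads one command line per row on stdin (the format of `ps -e -o args`)
# and prints, space-separated, the required daemons that do not appear.
# Only the basename of the executable is compared, so /opt/test/notsmbd
# or an editor opened on a file named log.smbd is not mistaken for smbd.
missing_pdc_daemons() {
    running=$(awk 'NF { n = split($1, part, "/"); print part[n] }' | sort -u)
    missing=""
    for daemon in $REQUIRED_PDC_DAEMONS; do
        if ! printf '%s\n' "$running" | grep -Fqx "$daemon"; then
            missing="${missing:+$missing }$daemon"
        fi
    done
    printf '%s\n' "$missing"
}

# Exit status 0 only when every required daemon is present on stdin.
pdc_daemons_ready() {
    [ -z "$(missing_pdc_daemons)" ]
}

# Constructed sample: smbd, nmbd and lsarpcd are running, the other five
# daemons were never started, and two look-alike rows must be ignored.
sample_listing() {
    cat <<'EOF'
/usr/local/samba/bin/smbd -D
/usr/local/samba/bin/nmbd -D
/usr/local/samba/bin/lsarpcd
/usr/sbin/sshd
vi /usr/local/samba/log.smbd
/opt/test/notsmbd
EOF
}

echo "missing in sample: $(sample_listing | missing_pdc_daemons)"
# On a live host: ps -e -o args | missing_pdc_daemons
```
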
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221190837.A24217@Denninger.Net> Message-ID: http://samba.org/cgi-bin/cvsweb/samba On Mon, 21 Feb 2000, Karl Denninger wrote: > Ah. > > Ok. Well, since I can't see the commit logs (I'm checking out over the net, > not keeping the repository locally) someone is going to have to look at this > one for me. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 11:35:34AM +1100, Luke Kenneth Casson Leighton wrote: > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > box and it works PERFECTLY. > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > issues are likely to have been fixed, by now, if they were ever > > encountered (likely). > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From pkennedy at loudcloud.com Tue Feb 22 02:02:08 2000 
From: pkennedy at loudcloud.com (Paul Kennedy) Date: Tue Dec 2 02:28:44 2003 Subject: Problem Solved References: Message-ID: <38B1EE20.BD5EE295@loudcloud.com> Luke Kenneth Casson Leighton wrote: > :) no problem joe. remember to run all the other ones, too, if you want > pdc support. I just ran into the same issue with lsarpc as Joe. I didn't realize that one had to run anything other than nmbd or smbd as daemons. Is this documented or FAQ'd anywhere ? I thought I'd located and read everything I could on this subject, if there's some documentation on what extra daemons one needs for full PDC support, please point me at it. I'd like to know what is the full list of daemons to be run. Regards, Pk. > > > On Fri, 18 Feb 2000, Joe Manojlovich wrote: > > > Yeah, running lsarpcd fixed everything. Did I miss the faq about making > > sure that was running? Anyway, thanks for being patient with all this. > > > > -- > > Joe Manojlovich > > jxm533@psu.edu > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Tue Feb 22 02:01:19 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221192545.A31361@Denninger.Net> Message-ID: fantastic. there is a lot more than that, i'm sure :) On Mon, 21 Feb 2000, Karl Denninger wrote: > Luke, > > I think I found it - there is a SO_REUSEPORT option in the 2.0.6 code that > is NOT present (test and structure definition) in lib/util_sock.c. I'm > attempting to patch in the appropriate lines from 2.0.6 and will advise. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 12:09:07PM +1100, Luke Kenneth Casson Leighton wrote: > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > box and it works PERFECTLY. > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > issues are likely to have been fixed, by now, if they were ever > > encountered (likely). > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From karl at Denninger.Net Tue Feb 22 02:05:57 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 12:56:50PM +1100 References: <20000221190837.A24217@Denninger.Net> Message-ID: <20000221200557.A94897@Denninger.Net> I don't see anything in there that indicates a problem that was discovered and fixed, and the differences between the two versions in this particular area are minor. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 12:56:50PM +1100, Luke Kenneth Casson Leighton wrote: > http://samba.org/cgi-bin/cvsweb/samba > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > Ah. > > > > Ok. Well, since I can't see the commit logs (I'm checking out over the net, > > not keeping the repository locally) someone is going to have to look at this > > one for me. > > > > -- > > -- > > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > > Isn't it time we started putting KIDS first? See the above URL for > > a plan to do exactly that! > > > > > > On Tue, Feb 22, 2000 at 11:35:34AM +1100, Luke Kenneth Casson Leighton wrote: > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > > box and it works PERFECTLY. > > > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > > issues are likely to have been fixed, by now, if they were ever > > > encountered (likely). > > > > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From karl at Denninger.Net Tue Feb 22 02:34:27 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221200557.A94897@Denninger.Net>; from Karl Denninger on Tue, Feb 22, 2000 at 01:20:07PM +1100 References: <20000221190837.A24217@Denninger.Net> <20000221200557.A94897@Denninger.Net> Message-ID: <20000221203427.A11141@Denninger.Net> Ok, I got past that. Now when I try to join the domain I get "the credentials supplied conflict with an existing set of credentials". Huh? Someone tell me I'm not going insane here, please? I also can't use "samedit"; it is also blowing chunks and complaining about not being able to connect. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 01:20:07PM +1100, Karl Denninger wrote: > I don't see anything in there that indicates a problme that was discovered > and fixed, and the differences between the two versions in this particular > area are minor. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 12:56:50PM +1100, Luke Kenneth Casson Leighton wrote: > > http://samba.org/cgi-bin/cvsweb/samba > > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > Ah. > > > > > > Ok. Well, since I can't see the commit logs (I'm checking out over the net, > > > not keeping the repository locally) someone is going to have to look at this > > > one for me. > > > > > > -- > > > -- > > > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > > > Isn't it time we started putting KIDS first? See the above URL for > > > a plan to do exactly that! 
> > > > > > > > > On Tue, Feb 22, 2000 at 11:35:34AM +1100, Luke Kenneth Casson Leighton wrote: > > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > > > box and it works PERFECTLY. > > > > > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > > > issues are likely to have been fixed, by now, if they were ever > > > > encountered (likely). > > > > > > > > > > > Luke Kenneth Casson Leighton > > Samba and Network Development > > Samba Web site > > Internet Security Systems, Inc. > > Macmillan Technical Publishing > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > From lkcl at samba.org Tue Feb 22 02:46:46 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Problem Solved In-Reply-To: <38B1EE20.BD5EE295@loudcloud.com> Message-ID: On Mon, 21 Feb 2000, Paul Kennedy wrote: > > > Luke Kenneth Casson Leighton wrote: > > > :) no problem joe. remember to run all the other ones, too, if you want > > pdc support. > > I just ran into the same issue with lsarpc as Joe. I didn't realize that one > had to run anything other then nmbd or smbd as daemons. Is this documented or > FAQ'd anywhere ? yep. lars' faq, see source/README for url. From karl at Denninger.Net Tue Feb 22 02:51:15 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221203427.A11141@Denninger.Net>; from Karl Denninger on Tue, Feb 22, 2000 at 01:41:22PM +1100 References: <20000221190837.A24217@Denninger.Net> <20000221200557.A94897@Denninger.Net> <20000221203427.A11141@Denninger.Net> Message-ID: <20000221205115.A11634@Denninger.Net> Hi folks, Ok, now I got past joining the domain - and promptly ran into the next problem. How do I get this silly thing to work with the profiles and such that I used to have working? It looks like there are other changes required to the smb.conf file to get the old functionality to work. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 01:41:22PM +1100, Karl Denninger wrote: > Ok, I got past that. > > Now when I try to join the domain I get "the credentials supplied conflict > with an existing set of credentials". > > Huh? > > Someone tell me I'm not going insane here, please? > > I also can't use "samedit"; it is also blowing chunks and complaining about > not being able to connect. > > -- > -- > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > Isn't it time we started putting KIDS first? See the above URL for > a plan to do exactly that! > > > On Tue, Feb 22, 2000 at 01:20:07PM +1100, Karl Denninger wrote: > > I don't see anything in there that indicates a problme that was discovered > > and fixed, and the differences between the two versions in this particular > > area are minor. > > > > -- > > -- > > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > > Isn't it time we started putting KIDS first? See the above URL for > > a plan to do exactly that! 
> > > > > > On Tue, Feb 22, 2000 at 12:56:50PM +1100, Luke Kenneth Casson Leighton wrote: > > > http://samba.org/cgi-bin/cvsweb/samba > > > > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > > > Ah. > > > > > > > > Ok. Well, since I can't see the commit logs (I'm checking out over the net, > > > > not keeping the repository locally) someone is going to have to look at this > > > > one for me. > > > > > > > > -- > > > > -- > > > > Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org > > > > Isn't it time we started putting KIDS first? See the above URL for > > > > a plan to do exactly that! > > > > > > > > > > > > On Tue, Feb 22, 2000 at 11:35:34AM +1100, Luke Kenneth Casson Leighton wrote: > > > > > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > > > > > > > > > It is NOT an issue with 2.0.x on the same hardware. I have 2.0.x on that > > > > > > box and it works PERFECTLY. > > > > > > > > > > yes, exactly. nmbd from tng is over two years old code. these kinds of > > > > > issues are likely to have been fixed, by now, if they were ever > > > > > encountered (likely). > > > > > > > > > > > > > > > Luke Kenneth Casson Leighton > > > Samba and Network Development > > > Samba Web site > > > Internet Security Systems, Inc. > > > Macmillan Technical Publishing > > > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > > From lkcl at samba.org Tue Feb 22 02:52:19 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221203427.A11141@Denninger.Net> Message-ID: On Tue, 22 Feb 2000, Karl Denninger wrote: > Ok, I got past that. > > Now when I try to join the domain I get "the credentials supplied conflict > with an existing set of credentials". cool. do a net use on the nt wks. if you have any explorer.exe windows open, close them. if anything showed up in the net use, do a net use \\sdjfhsdfhasjdhahkl /del on all of them. i answered this issue only a few days ago, someone else asked about it - exact same question. the answer is exactly the same, and it's not even a samba-specific issue, this can happen in an nt-only environment. > Huh? > > Someone tell me I'm not going insane here, please? > > I also can't use "samedit"; it is also blowing chunks and complaining about > not being able to connect. please do a *bleeur* then at debug level 100. also please send exact syntax you're using. thx karl, i appreciate you taking time to go through this. lukes From lkcl at samba.org Tue Feb 22 03:06:43 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221205115.A11634@Denninger.Net> Message-ID: On Tue, 22 Feb 2000, Karl Denninger wrote: > Hi folks, > > Ok, now I got past joining the domain - and promptly ran into the next > problem. > > How do I get this silly thing to work with the profiles and such that I used > to have working? It looks like there are other changes required to the > smb.conf file to get the old functionality to work. *sigh*. you're now at the stage everyone else is, where the fact that the NETLOGON connection, over which the profile is obtained, is on an anonymous SMB session. therefore, the profile returned is that of the guest user -- for every single user. luke From karl at Denninger.Net Tue Feb 22 03:09:20 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 02:06:43PM +1100 References: <20000221205115.A11634@Denninger.Net> Message-ID: <20000221210920.A11962@Denninger.Net> Yikes. So the bottom line here is that there's no fix for this possible as things stand right now? W2k, by the way, barfs on using my LOCAL profile as well (it says "yeah, guest all right - we'll just kill everything you do when you sign off") Not good! -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 02:06:43PM +1100, Luke Kenneth Casson Leighton wrote: > On Tue, 22 Feb 2000, Karl Denninger wrote: > > > Hi folks, > > > > Ok, now I got past joining the domain - and promptly ran into the next > > problem. > > > > How do I get this silly thing to work with the profiles and such that I used > > to have working? It looks like there are other changes required to the > > smb.conf file to get the old functionality to work. > > *sigh*. you're now at the stage everyone else is, where the fact that the > NETLOGON connection, over which the profile is obtained, is on an > anonymous SMB session. > > therefore, the profile returned is that of the guest user -- for every > single user. > > luke > From computec at bigfoot.com Tue Feb 22 03:11:28 2000 
From: computec at bigfoot.com (Kevin Murphy) Date: Tue Dec 2 02:28:44 2003 Subject: Help with SMBFS Message-ID: I know that the Samba team themselves are not responsible for SMBFS, but can anyone point me to the person who is responsible for maintaining that section of the kernel? I have some questions for someone who is familiar with the code but have been unable to find anyone. If you can show me to the person who might know what I need, please do. Thank You -Kevin Murphy From lkcl at samba.org Tue Feb 22 03:20:41 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221210920.A11962@Denninger.Net> Message-ID: On Mon, 21 Feb 2000, Karl Denninger wrote: > Yikes. > > So the bottom line here is that there's no fix for this possible as things > stand right now? yeah. do you need this? i'm looking at doing a surs tdb table to replace the algorithmic one (#ifdef style) but it's not a high priority. i can take a look-see at this one, if you like. [i dread to think what solution i come up with...] From mhw at wittsend.com Tue Feb 22 03:25:12 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Tue Dec 2 02:28:44 2003 Subject: Help with SMBFS In-Reply-To: ; from computec@bigfoot.com on Tue, Feb 22, 2000 at 02:16:17PM +1100 References: Message-ID: <20000221222512.C9973@alcove.wittsend.com> On Tue, Feb 22, 2000 at 02:16:17PM +1100, Kevin Murphy wrote: > I know that the Samba team themselves are not responsible for SMBFS, but can anyone point me to the person who is responsible for maintaining that section of the kernel? I have some questions for > someone who is familiar with the code but have been unable to find anyone. If you can show me to the person who might know what I need, please do. I was doing it for a bit and Tridge has taken over responsibility for it since he moved over to LinuxCare (that'll teach 'm). Try Tridge first... I haven't stuck my nose in it for a bit now. > Thank You > -Kevin Murphy Mike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com (The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From karl at Denninger.Net Tue Feb 22 03:25:42 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 02:22:35PM +1100 References: <20000221210920.A11962@Denninger.Net> Message-ID: <20000221212542.A12075@Denninger.Net> Well, what do you do about the profile? If I comment out the profiles stuff in smb.conf the system does NOT get it from the login share, as it used to with 2.0.6. It also doesn't get it off the LOCAL disk! This is with Win2k, by the way. So if I authenticate as a domain user with Win2K off the Samba PDC I get a "guest" profile that disappears as soon as I sign off! That sucks, needless to say. 2.0.6 would grab it out of your home directory if you didn't make other arrangements. TNG doesn't (apparently) do that. -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 02:22:35PM +1100, Luke Kenneth Casson Leighton wrote: > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > Yikes. > > > > So the bottom line here is that there's no fix for this possible as things > > stand right now? > > yeah. do you need this? i'm looking at doing a surs tdb table to replace > the algorithmic one (#ifdef style) but it's not a high priority. i can > take a look-see at this one, if you like. > > [i dread to think what solution i come up with...] > From lkcl at samba.org Tue Feb 22 03:28:44 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221212542.A12075@Denninger.Net> Message-ID: On Mon, 21 Feb 2000, Karl Denninger wrote: > Well, what do you do about the profile? karl just did a reasonably good hack-fix for it :) i'm cvs committing right now. From karl at Denninger.Net Tue Feb 22 03:35:34 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 02:28:44PM +1100 References: <20000221212542.A12075@Denninger.Net> Message-ID: <20000221213534.A12147@Denninger.Net> How do you think it will behave? :-) (Win2k has some real odd things enclosed - there is stuff I like, but plenty I don't as well) -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 02:28:44PM +1100, Luke Kenneth Casson Leighton wrote: > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > Well, what do you do about the profile? > > karl just did a reasonably good hack-fix for it :) i'm cvs committing > right now. > > From lkcl at samba.org Tue Feb 22 03:54:20 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: <20000221213534.A12147@Denninger.Net> Message-ID: On Mon, 21 Feb 2000, Karl Denninger wrote: > How do you think it will behave? :-) should do all right. usual rules apply: try to avoid using tng for file serving, jump to a 2.0.x server for profiles, home dirs, etc. > (Win2k has some real odd things enclosed - there is stuff I like, but > plenty I don't as well) eh he. nt just gets stranger and stranger... From karl at Denninger.Net Tue Feb 22 04:05:20 2000 
From: karl at Denninger.Net (Karl Denninger) Date: Tue Dec 2 02:28:44 2003 Subject: Win9x and TNG status? In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 02:54:20PM +1100 References: <20000221213534.A12147@Denninger.Net> Message-ID: <20000221220520.A12435@Denninger.Net> Oh c'mon - there's no fun in that! Why not just see how it really works ;-) -- -- Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org Isn't it time we started putting KIDS first? See the above URL for a plan to do exactly that! On Tue, Feb 22, 2000 at 02:54:20PM +1100, Luke Kenneth Casson Leighton wrote: > On Mon, 21 Feb 2000, Karl Denninger wrote: > > > How do you think it will behave? :-) > > should do all right. usual rules apply: try to avoid using tng for file > serving, jump to a 2.0.x server for profiles, home dirs, etc. > > > (Win2k has some real odd things enclosed - there is stuff I like, but > > plenty I don't as well) > > eh he. nt just gets stranger and stranger... > From gleblanc at cu-portland.edu Tue Feb 22 04:23:30 2000 From: gleblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:44 2003 Subject: FAQ request(s) Message-ID: <38B20F42.FBD8A405@cu-portland.edu> Well, there's only one, really. Could you make at least one sample smb.conf available in tar.gz or tgz or some format that I can save it in using lynx? I'm going to copy it over from netscape on this machine in a little bit, but on my server (sort of) I don't have any GUI, and that makes it hard to cut and paste. I'll fire up that rpc torture in just a little while, once I get this copied over. Thanks guys! Greg From mgeddes at xavier.sa.edu.au Tue Feb 22 04:48:12 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:44 2003 Subject: FAQ request(s) References: <38B20F42.FBD8A405@cu-portland.edu> Message-ID: <38B2150C.804F5C48@xavier.sa.edu.au> Gregory Leblanc wrote: > > Well, there's only one, really. Could you make at least one sample > smb.conf available in tar.gz or tgz or some format that I can save it in > using lynx? I'm going to copy it over from netscape on this machine in > a little bit, but on my server (sort of) I don't have any GUI, and that > makes it hard to cut and paste. I'll fire up that rpc torture in just a > little while, once I get this copied over. Thanks guys! > Greg You can't save the smb.conf examples on Lars Kenschke's FAQ page? http://www.kneschke.de/projekte/samba_tng/ Methinks we need a link to that on Samba.org.... [hint hint] Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Tue Feb 22 04:45:20 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: FAQ request(s) In-Reply-To: <38B20F42.FBD8A405@cu-portland.edu> Message-ID:

[global]
log file = /usr/local/samba/log.%m
debug level = 100
; debug level = 0
workgroup = TEST
security = user
encrypt passwords = yes
domain master = yes
domain logons = yes
; server schannel = Auto

[homes]

this is all i use! :) From lkcl at samba.org Tue Feb 22 04:48:29 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:44 2003 Subject: FAQ request(s) In-Reply-To: <38B2150C.804F5C48@xavier.sa.edu.au> Message-ID: gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file option. On Tue, 22 Feb 2000, Matthew Geddes wrote: > Gregory Leblanc wrote: > > > > Well, there's only one, really. Could you make at least one sample > > smb.conf available in tar.gz or tgz or some format that I can save it in > > using lynx? I'm going to copy it over from netscape on this machine in > > a little bit, but on my server (sort of) I don't have any GUI, and that > > makes it hard to cut and paste. I'll fire up that rpc torture in just a > > little while, once I get this copied over. Thanks guys! > > Greg > > You can't save the smb.conf examples on Lars Kenschke's FAQ page? > > http://www.kneschke.de/projekte/samba_tng/ > > Methinks we need a link to that on Samba.org.... [hint hint] > > Matt > > -- > "Our goal for the next release of Windows 2000 is to have zero bugs." > - Lucovsky, Microsoft > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From GLeblanc at cu-portland.edu Tue Feb 22 05:43:34 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:44 2003 Subject: Samba-TNG 0.5 Message-ID: It's a good thing I keep this stuff around in my mailbox, because the archive only seems to go up to the second of Feb. Did somebody break the list archives? Greg > -----Original Message----- 
> From: Luke Kenneth Casson Leighton [mailto:lkcl@samba.org] > Sent: Monday, February 21, 2000 12:13 PM > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Samba-TNG 0.5 > > > if you are not running the daemons that are described as > required in lars' > FAQ, you will find that certain things will fail. > > as a reminder, if you want a PDC, you will need: > > - smbd > > - nmbd > > - samrd > > - netlogond > > - lsarpcd > > - winregd > > - wkssvcd > > - srvsvcd > > anything else is optional: these are not. > From D.Bannon at latrobe.edu.au Tue Feb 22 06:07:58 2000 From: D.Bannon at latrobe.edu.au (David Bannon) Date: Tue Dec 2 02:28:44 2003 Subject: Long User names In-Reply-To: References: <38B2150C.804F5C48@xavier.sa.edu.au> Message-ID: <3.0.6.32.20000222170758.008ddd60@bioserve.latrobe.edu.au> Hi Folks, Who knows about length of user name limits ? I have been using an old (Oct99) NTDom stream version in a production situation (NT4sp4) and have just found that our IT department is making student logon names as long as 15 characters. The NTDom side of things is fine, the user is logged on without problems but no home directory. The user can browse to homes but not the (homes) directory in their name. Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I just hack at the old code I have here ...). David ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From lkcl at samba.org Tue Feb 22 06:21:05 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:44 2003
Subject: Long User names
In-Reply-To: <3.0.6.32.20000222170758.008ddd60@bioserve.latrobe.edu.au>
Message-ID:

more than likely. find a unix os that does >8 chars on unix names.

On Tue, 22 Feb 2000, David Bannon wrote:

> Hi Folks,
>
> Who knows about length of user name limits ? I have been using an old
> (Oct99) NTDom stream version in a production situation (NT4sp4) and have
> just found that our IT department is making student logon names as long as
> 15 characters.
>
> The NTDom side of things is fine, the user is logged on without problems
> but no home directory. The user can browse to homes but not the (homes)
> directory in their name.
>
> Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I just
> hack at the old code I have here ...).
>
> David
> ------------------------------------------------------------
> David Bannon                      D.Bannon@latrobe.edu.au
> School of Biochemistry            Phone 61 03 9479 2197
> La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
> Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
> ------------------------------------------------------------
> .... Humpty Dumpty was pushed !
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lars at kneschke.de Tue Feb 22 06:18:26 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:44 2003
Subject: FAQ request(s)
References:
Message-ID: <38B22A32.9D170583@kneschke.de>

Luke Kenneth Casson Leighton wrote:
>
> gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file
> option.
:-)

But that is not a very comfortable way. I want to integrate a link,
which sends you the file. But i'm short of time currently. I need also
to update the FAQ, because the basic steps, to create a samba domain,
have changed. But i don't get the current samba tng working, so i can't
update the FAQ.

Cu
--
Watch our projects at http://www.kneschke.de/projekte!
ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer

From lkcl at samba.org Tue Feb 22 06:29:38 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:44 2003
Subject: FAQ request(s)
In-Reply-To: <38B22A32.9D170583@kneschke.de>
Message-ID:

make it the straight file, .conf extension, (or .tar.gz or .gz), that
would do it.

On Tue, 22 Feb 2000, Lars Kneschke wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file
> > option.
> :-)
>
> But that is not a very comfortable way. I want to integrate a link,
> which sends you the file. But i'm short of time currently. I need also
> to update the FAQ, because the basic steps, to create a samba domain,
> have changed. But i don't get the current samba tng working, so i can't
> update the FAQ.
>
> Cu
> --
> Watch our projects at http://www.kneschke.de/projekte!
> ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From GLeblanc at cu-portland.edu Tue Feb 22 07:16:57 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:44 2003
Subject: FAQ request(s)
Message-ID:

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@samba.org]
> Sent: Monday, February 21, 2000 8:51 PM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: FAQ request(s)
>
>
> gregory, i'm ashamed at you. print on pdc.php3, select the
> save-to-file
> option.

print? guess I never thought of that. :) Sorry. There should be some
link to the FAQ on samba.org, but there isn't. I didn't claim to be lynx
savvy, did I?

BTW, one more thing on samba CVS. Add a -z3 option to those, for faster
download times, and it shouldn't kill the server (and if it does, it's
time to get a bigger one).

Anyway, I've certainly got questions, and I promise that they're better.
I haven't touched this stuff for a while so I'm a bit rusty (those GUI
config tools are making me lose my touch). Before I go any farther, let
me say that the nsswitch.conf that ships with RH6.1 SPARC sucks, it
should all be looking to dns or files, but nis and nisplus are higher in
the list... Now that I've re-done that whole thing I'll stick some logs
on here...

My sources are up to date, except for 'source/lib/surstdb.c', as of
11:00 PM tonight (monday). I just tried a win98 login, with things
configured the way they should be for a single domain/single workgroup
environment. I'm having the same problem that somebody else had earlier,
because you'd changed something for testing. :) The first time that I
try to log on, it doesn't work, subsequent logons work just fine. No, I
didn't mistype the password. log level is set at 100, so the things are
huge. I'll bzip2 them, but which ones do you want?

My "home" share doesn't seem to be getting mapped, and my REALLY basic
logon.bat isn't running. (at least, it's not giving me the share that I
asked for). I've attached smb.conf (uncompressed) and log.smb.bz2.

Thanks for telling me which things I've mangled,
Greg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: log_smb.bz2
Type: application/octet-stream
Size: 25681 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000221/e226dabe/log_smb.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 1363 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000221/e226dabe/smb.obj

From inge at cc.uit.no Tue Feb 22 10:13:04 2000
From: inge at cc.uit.no (=?iso-8859-1?Q?Inge=2DH=E5vard?= Hunstad)
Date: Tue Dec 2 02:28:45 2003
Subject: Printing in TNG
References: <38B169BC.D5A1AC17@cc.uit.no> <3.0.6.32.20000221160326.0099c910@203.16.214.248>
Message-ID: <38B26130.5C464381@cc.uit.no>

Richard Sharpe wrote:
>
> At 05:37 AM 2/22/00 +1100, Steve Litt wrote:
> >Inge,
> >
> >What you describe is the as-designed performance of Samba as configured by
> >the Red Hat distro. With Red Hat, you need to hard code printing, print
> >command, and any other commands you regularly use (lprm command, for
> >instance). You'll also need to change the printcap name= to /etc/printcap.
> >If you get a SWAT problem mentioning lpstat, the printcap name= change will
> >fix it.
>
> Hmmm, a small correction. With the old versions of Samba, this is true.
> The RH 2.0.3 RPM did have a bug like Inge describes below, but an upgrade
> to 2.0.5a fixes that problem.
>
> However, there was also an underlying bug in Samba (fixed in 2.0.7, I
> think) where we were handling various printing-related parameters correctly.
>
> >As an alternative, I download the Samba 2.0.x .tgz and compile and make.
> >I've found that to yield a better setup, and it doesn't default to sysv
> >printing.
> >
> >Steve Litt
>

Ok maybe I wasn't clear enough. The little TNG in the subject field
wasn't big enough:) I have to write it in the body next time:)

Sorry folks! This is a matter with samba_TNG so if this was fixed in
samba 2.0.7 maybe I have to wait for the big merge before this "error"
is fixed. Thanks for trying to help me anyway! Sorry for bugging you. I
just try to report all the errors I can find with TNG so that maybe they
can be fixed before a stable release is out.

Thanks!

inge

> >At 03:50 AM 02/22/2000 +1100, Inge-Håvard Hunstad wrote:
> >>When I try to change printing system from the default "sysv" to "bsd" in
> >>smb.conf the printing commands doesn't seem to change. When I run
> >>testparm after changing the "printing" parameter it looks like this:
> >>
> >>        print ok = No
> >>        postscript = No
> >>        printing = bsd
> >>        print command = lp -c -d%p %s; rm %s
> >>        lpq command = lpstat -o%p
> >>        lprm command = cancel %p-%j
> >>        lppause command = lp -i %p-%j -H hold
> >>        lpresume command = lp -i %p-%j -H resume
> >>        queuepause command = lpc stop %p
> >>        queueresume command = lpc start %p
> >>        printer name =
> >>        printer driver = NULL
> >>        printer driver location =
> >>
> >>At least I didn't know that BSD printing used lp and lpstat so I think
> >>there is an error somewhere.
> >>
> >>Thanks for all help.
> >>
> >>inge

From cyris at rapidsolution.de Tue Feb 22 10:36:41 2000
From: cyris at rapidsolution.de (Stefan Cyris)
Date: Tue Dec 2 02:28:45 2003
Subject: searching for domain users
Message-ID: <38B266B9.B70CF11E@rapidsolution.de>

Hi

My samba pdc works almost fine. I can share printers, files, profiles
etc... but on a WinNT4 WS SP5 Client I'm not able to add a domain user
to a local group. I don't see the list of users on this domain. :((

smb.conf:

[global]
    workgroup = rs-ka
    domain logons = yes
    force group = normal
    preferred master = yes
    local master = yes
    domain groups = normal
    encrypt passwords = yes
    null passwords = no
    socket options = TCP_NODELAY
    map to guest = Bad User
    wins support = yes
    logon script = login-%I.bat
    logon drive = y:
    domain logons = yes
    domain master = yes

any ideas ?

cya
Stefan

From fricke at team.owl-online.de Tue Feb 22 10:30:57 2000
From: fricke at team.owl-online.de (fricke@team.owl-online.de)
Date: Tue Dec 2 02:28:45 2003
Subject: Antwort: searching for domain users
Message-ID:

Which version of Samba are you using?
--------------------------------------------------------------------------------------------------
With kind regards

Cord-H. Fricke
Fon: 0 52 1 / 52 51-133
Fax: 0 52 1 / 52 51- 115
fricke@team.owl-online.de
web team.owl-online.de

...keep on headbangin' , that rocks!!!

From cyris at rapidsolution.de Tue Feb 22 10:59:11 2000
From: cyris at rapidsolution.de (Stefan Cyris)
Date: Tue Dec 2 02:28:45 2003
Subject: Antwort: searching for domain users
References:
Message-ID: <38B26BFF.C4367EA@rapidsolution.de>

Version 2.0.5a

fricke@team.owl-online.de wrote:
>
> Which version of Samba are you using?
> --------------------------------------------------------------------------------------------------
> With kind regards
>
> Cord-H. Fricke
> Fon: 0 52 1 / 52 51-133
> Fax: 0 52 1 / 52 51- 115
> fricke@team.owl-online.de
> web team.owl-online.de
>
> ...keep on headbangin' , that rocks!!!

From plasma at gen.latrobe.edu.au Tue Feb 22 11:00:04 2000
From: plasma at gen.latrobe.edu.au (Scott Rosicka)
Date: Tue Dec 2 02:28:45 2003
Subject: Compile error
In-Reply-To: <3.0.6.32.20000222170758.008ddd60@bioserve.latrobe.edu.au>
Message-ID:

Whilst trying to compile samba_TNG on RedHat Linux 6.1 (ALPHA) i got this
error

Linking bin/smbd
lib/set_uid.o: In function `init_uid':
set_uid.c(.text+0xb4): undefined reference to `setresgid'
set_uid.c(.text+0xb8): undefined reference to `setresgid'
lib/set_uid.o: In function `become_gid':
set_uid.c(.text+0x3f4): undefined reference to `setresgid'
set_uid.c(.text+0x3f8): undefined reference to `setresgid'
lib/set_uid.o: In function `unbecome_to_initial_uid':
set_uid.c(.text+0x584): undefined reference to `setresgid'
lib/set_uid.o(.text+0x588):set_uid.c: more undefined references to `setresgid' follow
collect2: ld returned 1 exit status
make: *** [bin/smbd] Error 1

From stolze at math.uni-muenster.de Tue Feb 22 13:18:32 2000
From: stolze at math.uni-muenster.de (Andre Stolze)
Date: Tue Dec 2 02:28:45 2003
Subject: Problem with samedit, cmdat
Message-ID: <38B28CA8.D9490183@math.uni-muenster.de>

Hi

I have a problem with samedit, cmdat and all the other new programs.
If I start them I get a Bus Error, a core is dumped and the program has
length 0 at the end.
I use the CVS from this morning on a sparc Solaris 2.7

Andre
--
Andre Stolze                    stolze@math.uni-muenster.de
IVV FB7 / FB 10                 Westf. Wilhelms-Universitaet
Fliednerstr. 21                 support@psy.uni-muenster.de
48149 Muenster                  Tel.: 0251/83-31357

From owensc at enc.edu Tue Feb 22 13:41:15 2000
From: owensc at enc.edu (Charles N. Owens)
Date: Tue Dec 2 02:28:45 2003
Subject: Long User names
References:
Message-ID: <38B291FB.DDD0C870@enc.edu>

With FreeBSD 3.0 and up usernames may be up to 16 characters in length.

Luke Kenneth Casson Leighton wrote:

> more than likely. find a unix os that does >8 chars on unix names.
>
> On Tue, 22 Feb 2000, David Bannon wrote:
>
> > Hi Folks,
> >
> > Who knows about length of user name limits ? I have been using an old
> > (Oct99) NTDom stream version in a production situation (NT4sp4) and have
> > just found that our IT department is making student logon names as long as
> > 15 characters.
> >
> > The NTDom side of things is fine, the user is logged on without problems
> > but no home directory. The user can browse to homes but not the (homes)
> > directory in their name.
> >
> > Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I just
> > hack at the old code I have here ...).
> >
> > David
> > ------------------------------------------------------------
> > David Bannon                      D.Bannon@latrobe.edu.au
> > School of Biochemistry            Phone 61 03 9479 2197
> > La Trobe University, Plenty Rd,   Fax 61 03 9479 2467
> > Bundoora, Vic, Australia, 3083    http://bioserve.latrobe.edu.au
> > ------------------------------------------------------------
> > .... Humpty Dumpty was pushed !
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

--
-------------------------------------------------------------------------
Charles N. Owens                   Email: owensc@enc.edu
                                   http://www.enc.edu/~owensc
Network & Systems Administrator
Information Technology Services    "Outside of a dog, a book is a man's
Eastern Nazarene College           best friend. Inside of a dog it's
                                   too dark to read." - Groucho Marx
-------------------------------------------------------------------------

From cartegw at Eng.Auburn.EDU Tue Feb 22 14:08:03 2000
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:28:45 2003
Subject: FAQ request(s)
References:
Message-ID: <38B29843.8C334F90@eng.auburn.edu>

Gregory Leblanc wrote:
>
> There should be some link to the FAQ on samba.org, but
> there isn't. I didn't claim to be lynx savvy, did I?

Hmmm....seems as if the fixes and links I placed in Samba NT Domain FAQ
never made it from CVS to the web. I'm checking on this now.

jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu        http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From cartegw at Eng.Auburn.EDU Tue Feb 22 14:17:37 2000
From: cartegw at Eng.Auburn.EDU (Gerald Carter)
Date: Tue Dec 2 02:28:45 2003
Subject: US1.samba.org not updating currently
Message-ID: <38B29A81.8F64505B@eng.auburn.edu>

Apparently the us1.samba.org site is not updating currently.
us2.samba.org is as well as au2.samba.org. These are the pointers posted
on the main Samba.org site.

Many thanks to Lars for maintaining the newer FAQ.

From the somewhat older Samba NT Domain FAQ...

NOTICE : This FAQ has become somewhat outdated since the creation of the
SAMBA_TNG branch. This branch while introducing quite a lot of new
functionality, has also introduced as much if not more changes to the
way things are configured. Lars Kneschke has the only SAMBA_TNG FAQ that
I am currently aware of. If you are dealing with the TNG branch, you
should read his Introduction to the Samba TNG branch.

Unless otherwise stated all functionality described in this FAQ is
contained only in the HEAD samba branch prior to January ?? (don't
remember the exact date....check the HEAD branch CVS logs) of 2000 which
is different than the main distributed branch (e.g.2.0.6 at the moment;
about to be 2.0.7). The HEAD branch is used for developmental purposes
and should not be used in a production environment. This does not mean
that it does not work, but rather changes very quickly and is to be
considered a work in progress. The distributed version is considered to
be "stable" code but may not contain all the functionality of the HEAD
branch.

Also, the FAQ deals with functionality specific to interaction regarding
Windows NT Domains and Samba. For general setup information, please
refer to the files located in the docs/ directory in the Samba
distribution or to the documentation links on the Samba home page.

Cheers, jerry
________________________________________________________________________
Gerald ( Jerry ) Carter
Engineering Network Services           Auburn University
jerry@eng.auburn.edu        http://www.eng.auburn.edu/users/cartegw

"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )

From richard.ferris at ncn.ac.uk Tue Feb 22 14:34:01 2000
From: richard.ferris at ncn.ac.uk (Richard Ferris)
Date: Tue Dec 2 02:28:45 2003
Subject: unsubscribe
Message-ID: <6114EF4D9AF0D1119ADD00805F9F11B198B0CA@exchange.ncn.internal>

unsubscribe

Richard Ferris - Visions Systems Analyst
Visions Project
Clarendon City College
Stoney Street
Nottingham NG1 1NG
email: richard.ferris@ncn.ac.uk
SMS: richardferris@sms.genie.co.uk
Tel: 0115 9104 566
-------------- next part --------------
HTML attachment scrubbed and removed

From jblyberg at marco.com Tue Feb 22 14:54:36 2000
From: jblyberg at marco.com (John F. Blyberg)
Date: Tue Dec 2 02:28:45 2003
Subject: rpcclient badpipe to lsarpc
In-Reply-To:
Message-ID: <000601bf7d44$bd7e1c70$eb0b170a@johnb.marco.com>

Yes, I am running both of those, and all of the other necessary daemons.

--John

-----Original Message-----
From: Luke Leighton [mailto:lkcl@samba.org]
Sent: Monday, February 21, 2000 5:18 PM
To: John F. Blyberg
Cc: Multiple recipients of list SAMBA-NTDOM
Subject: Re: rpcclient badpipe to lsarpc

if you get the cli_nt_session_open error, it means you're not running samr
or lsarpc services.

are you running samrd and lsarpcd? read lars' FAQ, thx.

From wirbserd at t-online.de Tue Feb 22 15:03:00 2000
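
The list of daemons a Samba TNG PDC needs, and the repeated "are you running samrd and lsarpcd?" advice in this thread, can be turned into a quick check. The script below is an added example, not part of any message in this archive and not Samba TNG code. The process list is constructed, the log lines follow the "socket connect to ... agent failed" format reported elsewhere in this thread, and the rule that pipe X is served by daemon Xd is an assumption drawn from the names used here (samr/samrd, lsarpc/lsarpcd).

```shell
#!/bin/sh
# Added example (not Samba TNG code): triage for a Samba TNG PDC whose
# per-pipe daemons may not all be running.

# Daemons named in this thread as mandatory for a PDC.
REQUIRED_DAEMONS="smbd nmbd samrd netlogond lsarpcd winregd wkssvcd srvsvcd"

# missing_daemons: stdin = process names, one per line
# (for example the output of `ps -e -o comm=`).
# Prints the required daemons absent from that list, space separated.
missing_daemons() {
    md_running=$(cat)
    md_missing=""
    for md_d in $REQUIRED_DAEMONS; do
        if ! printf '%s\n' "$md_running" | grep -qxF "$md_d"; then
            md_missing="${md_missing:+$md_missing }$md_d"
        fi
    done
    printf '%s\n' "$md_missing"
}

# failed_pipes: stdin = log text. Prints the unique pipe names (lower case,
# sorted, space separated) whose agent socket under /tmp/.msrpc could not
# be reached.
failed_pipes() {
    sed -n 's|.*socket connect to /tmp/\.msrpc/\.\([A-Za-z0-9_]*\)/agent failed.*|\1|p' |
        tr '[:upper:]' '[:lower:]' | sort -u | paste -sd ' ' -
}

# triage: $1 = process names, $2 = log text.
# One line per failed pipe: "<pipe> <daemon> running|MISSING".
# ASSUMPTION: the daemon serving pipe X is named Xd.
triage() {
    for tr_p in $(printf '%s\n' "$2" | failed_pipes); do
        tr_d="${tr_p}d"
        if printf '%s\n' "$1" | grep -qxF "$tr_d"; then
            tr_state=running      # daemon is up, so look at the socket path
        else
            tr_state=MISSING      # start the daemon before anything else
        fi
        printf '%s %s %s\n' "$tr_p" "$tr_d" "$tr_state"
    done
}

# Constructed process list: netlogond and wkssvcd were never started.
SAMPLE_PS='init
smbd
nmbd
samrd
winregd
srvsvcd
lsarpcd'

# Log lines in the format reported in this thread (log.smb).
SAMPLE_LOG='socket connect to /tmp/.msrpc/.wkssvc/agent failed: No such file or directory
socket connect to /tmp/.msrpc/.lsarpc/agent failed: No such file or directory
socket connect to /tmp/.msrpc/.NETLOGON/agent failed: No such file or directory
socket connect to /tmp/.msrpc/.NETLOGON/agent failed: No such file or directory'

echo "missing daemons: $(printf '%s\n' "$SAMPLE_PS" | missing_daemons)"
echo "failed pipes:"
triage "$SAMPLE_PS" "$SAMPLE_LOG"
```

A pipe reported as "running" with a failed socket points at the socket path or its permissions rather than at a daemon that was never started.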
From: wirbserd at t-online.de (wirbserd@t-online.de)
Date: Tue Dec 2 02:28:45 2003
Subject: Problem Samba & NT in a Domain - NT_STATUS_WRONG_PASSWORD ?
Message-ID: <12NGqX-1lgJTkC@fwd03.sul.t-online.de>

Hello together!

I have a problem with Samba and the binding into a Windows NT domain.
I would like to achieve that authorizing the Samba user takes place over
the primary domain controller.

I executed the following steps
(domain name: LANGROUP, name of the PDC: NOSTROMO):

(configuration:
 PDC: NT-Server 4.0, SP 5
 Windows-Client: NT-Workstation 4.0, SP 5
 Linux-Server: SuSE Linux 6.3, Samba 2.0.5a)

1. On NT Server: added in the server manager the Samba server (MOON44)
   to the domain.

2. on the Linux server: stopped the smbd and nmbd processes; executed
   the following instruction:

   smbpasswd -j LANGROUP -r NOSTROMO

   Output:
   2000/02/21 13:44:31 : change_trust_account_password: Changed password for domain LANGROUP.
   Joined domain LANGROUP.

3. edited smb.conf:

   # global settings
   workgroup = LANGROUP
   netbios name = MOON44
   security = DOMAIN
   add user script = /usr/sbin/useradd %u -m
   delete user script = /usr/sbin/userdel %u
   password server = NOSTROMO
   encrypt passwords = YES
   min passwd length = 0
   null passwords = YES
   socket options = TCP_NODELAY
   os level = 2
   server string = Server Linux
   max log size = 1000
   keepalive = 30

   [homes]
   comment = Heimatverzeichnis
   read only = No
   create mask = 0750
   valid users = %u

4. /etc/rc.d/smb start -> to restart Samba

When I wanted to now test the connection to the Samba server, I could
not get a connection to the samba-server (from a Windows NT Client; SP 5;
username (zander) and password are correct and the user "zander" exists
on the Windows NT PDC).

In the log file /var/log/log.smb the following messages appear:

....
[2000/02/21 15:01:33, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(392)
  cli_net_sam_logon: NT_STATUS_WRONG_PASSWORD
[2000/02/21 15:01:33, 0] smbd/password.c:domain_client_validate(1369)
  domain_client_validate: unable to validate password for user zander in domain LANGROUP to Domain controller NOSTROMO. Error was NT_STATUS_WRONG_PASSWORD.
[2000/02/21 15:01:33, 1] smbd/password.c:pass_check_smb(532)
  smb_password_check failed. Invalid password given for user 'zander'

It seems to be a problem with the passwords (NT_STATUS_WRONG_PASSWORD?)

I would be grateful for your information to solve the problem.

Thank you.

Daniel

-----
Daniel Wirbser
wirbserd@t-online.de
-----

From karl at Denninger.Net Tue Feb 22 15:39:46 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:45 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: ; from Luke Kenneth Casson Leighton on Tue, Feb 22, 2000 at 06:50:44AM +1100
References: <20000221102146.A56561@Denninger.Net>
Message-ID: <20000222093946.A70091@Denninger.Net>

OK, an update:

1. Win98 now works - including printing.

2. Win2K no longer bitches about not being able to find a roaming profile,
   BUT it DOES bitch on log out about not being able to UPDATE the roaming
   profile! I think we got HALF the fix in TNG, but not ALL of it ;-)

That's where we stand right now - further help appreciated!

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Tue, Feb 22, 2000 at 06:50:44AM +1100, Luke Kenneth Casson Leighton wrote:
> On Tue, 22 Feb 2000, Karl Denninger wrote:
>
> > TNG does not yet work properly for Win95/98 users. There are still
> > lingering authentication problems AND printing doesn't work.
>
> richard tracked down the auth issues. can you give more [specific]
> details about printing?
>
> thx,
>
> luke
>

From karl at Denninger.Net Tue Feb 22 16:06:41 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:45 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: <20000222093946.A70091@Denninger.Net>; from Karl Denninger on Wed, Feb 23, 2000 at 02:45:01AM +1100
References: <20000221102146.A56561@Denninger.Net> <20000222093946.A70091@Denninger.Net>
Message-ID: <20000222100641.A70738@Denninger.Net>

I take that back.

Win2k kinda works. But I have ALL KINDS of strange profile and
settings-related problems when authenticated against TNG as a PDC.
Programs installed shared (as administrator locally) refuse to run or
refuse to save their personalized settings, OFFICE blew chunks and says
it can't find a "valid source" (one of those bizarro errors), printing
to my fax server hung in the queue (and the job couldn't be killed), etc.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

On Wed, Feb 23, 2000 at 02:45:01AM +1100, Karl Denninger wrote:
> OK, an update:
>
> 1. Win98 now works - including printing.
>
> 2. Win2K no longer bitches about not being able to find a roaming profile,
> BUT it DOES bitch on log out about not being able to UPDATE the roaming
> profile! I think we got HALF the fix in TNG, but not ALL of it ;-)
>
> That's where we stand right now - further help appreciated!
>
> --
> --
> Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
> Isn't it time we started putting KIDS first? See the above URL for
> a plan to do exactly that!
>
>
> On Tue, Feb 22, 2000 at 06:50:44AM +1100, Luke Kenneth Casson Leighton wrote:
> > On Tue, 22 Feb 2000, Karl Denninger wrote:
> >
> > > TNG does not yet work properly for Win95/98 users. There are still
> > > lingering authentication problems AND printing doesn't work.
> >
> > richard tracked down the auth issues. can you give more [specific]
> > details about printing?
> >
> > thx,
> >
> > luke
> >

From lk at netuse.de Tue Feb 22 17:01:39 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:45 2003
Subject: FAQ request(s)
References:
Message-ID: <38B2C0F3.3F736CA8@netuse.de>

Luke Kenneth Casson Leighton wrote:
>
> gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file
> option.

Gregory, just for you! :-)

Now i have links to tar.gz files on top of every page with smb.conf
examples.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From manojlov at cse.psu.edu Tue Feb 22 17:24:21 2000
From: manojlov at cse.psu.edu (Joseph Manojlovich)
Date: Tue Dec 2 02:28:45 2003
Subject: Adding NT Workstations with samedit
Message-ID:

I tried to add a new nt4 workstation to my domain using "smbpasswd -a -m
NAME" only to see that we are supposed to use "createuser NAME$" with
samedit now. Anyway, after entering samedit using "samedit -S . -W
DOMAIN", as root, and running the createuser, which says it created the
account fine, no one can log into the domain from the workstation. The
error message is "the system cannot log you on to this domain because
the system's computer account in its primary domain is missing or the
password on that account is incorrect". I know I created the computer
account, but I thought these accounts didn't need passwords. And
strangely enough, the workstation joined the domain just fine when I set
up the networking on it.

Joe Manojlovich
manojlov@cse.psu.edu

From lkcl at samba.org Tue Feb 22 17:56:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: rpcclient badpipe to lsarpc
In-Reply-To: <000601bf7d44$bd7e1c70$eb0b170a@johnb.marco.com>
Message-ID:

then examine the logs at level 100 to find out more about why this is
failing. thx.

On Tue, 22 Feb 2000, John F. Blyberg wrote:

> Yes, I am running both of those, and all of the other necessary daemons.
>
> --John
>
> -----Original Message-----
> From: Luke Leighton [mailto:lkcl@samba.org]
> Sent: Monday, February 21, 2000 5:18 PM
> To: John F. Blyberg
> Cc: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: rpcclient badpipe to lsarpc
>
>
> if you get the cli_nt_session_open error, it means you're not running samr
> or lsarpc services.
>
> are you running samrd and lsarpcd? read lars' FAQ, thx.
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 22 17:59:03 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: <20000222093946.A70091@Denninger.Net>
Message-ID:

On Tue, 22 Feb 2000, Karl Denninger wrote:

> OK, an update:
>
> 1. Win98 now works - including printing.
>
> 2. Win2K no longer bitches about not being able to find a roaming profile,
> BUT it DOES bitch on log out about not being able to UPDATE the roaming
> profile! I think we got HALF the fix in TNG, but not ALL of it ;-)

ok, great. right. that's likely to be related to one of the following:

- create time / ntsmb query info on files/dirs

- a bug in nt clients where the connection from WINLOGON.EXE is maintained
  *after* the user logs out.

likely to be the first.

check the differences between nttrans.c in 2.0.x and tng.

From lkcl at samba.org Tue Feb 22 18:03:47 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: Adding NT Workstations with samedit
In-Reply-To:
Message-ID:

On Wed, 23 Feb 2000, Joseph Manojlovich wrote:

> I tried to add a new nt4 workstation to my domain using "smbpasswd -a -m
> NAME" only to see that we are supposed to use "createuser NAME$" with
> samedit now. Anyway, after entering samedit using "samedit -S . -W
> DOMAIN", as root, and running the createuser, which says it created the
> account fine, no one can log into the domain from the workstation. The

samedit -S . -U root% at a root unix prompt.

you have destroyed the trust account of a previously successfully-joined
workstation.

see posting last week which i sent out detailing how to deal with this
(subject contains rpcclient / samedit etc)

From karl at Denninger.Net Tue Feb 22 18:24:05 2000
From: karl at Denninger.Net (Karl Denninger)
Date: Tue Dec 2 02:28:45 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: ; from Luke Kenneth Casson Leighton on Wed, Feb 23, 2000 at 04:59:03AM +1100
References: <20000222093946.A70091@Denninger.Net>
Message-ID: <20000222122405.A73279@Denninger.Net>

On Wed, Feb 23, 2000 at 04:59:03AM +1100, Luke Kenneth Casson Leighton wrote:
> On Tue, 22 Feb 2000, Karl Denninger wrote:
>
> > OK, an update:
> >
> > 1. Win98 now works - including printing.
> >
> > 2. Win2K no longer bitches about not being able to find a roaming profile,
> > BUT it DOES bitch on log out about not being able to UPDATE the roaming
> > profile! I think we got HALF the fix in TNG, but not ALL of it ;-)
>
> ok, great. right. that's likely to be related to one of the following:
>
> - create time / ntsmb query info on files/dirs

Gotta be on the directory, because on the first login there's no file set
(or directory for that user) there to grab.

> - a bug in nt clients where the connection from WINLOGON.EXE is maintained
> *after* the users logs out.
>
> likely to be the first.
>
> check the differences between nttrans.c in 2.0.x and tng.

Uh, 2.0.x doesn't work *at all* with Win2k....

Still a valid thing to look at?

Also, see my other post about Win2K acting VERY strange when authenticated
against TNG as a PDC.

--
--
Karl Denninger (karl@denninger.net) Web: http://childrens-justice.org
Isn't it time we started putting KIDS first? See the above URL for
a plan to do exactly that!

From lkcl at samba.org Tue Feb 22 18:42:12 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: Samba 2.0.6 & W2000Pro
In-Reply-To: <20000222122405.A73279@Denninger.Net>
Message-ID:

> > check the differences between nttrans.c in 2.0.x and tng.
>
> Uh, 2.0.x doesn't work *at all* with Win2k....

code.

> Still a valid thing to look at?

yes. also, redirect the profile path to a 2.0.x server, see if it works
correctly.

From george at biomed.abdn.ac.uk Tue Feb 22 19:10:12 2000
From: george at biomed.abdn.ac.uk (George Cameron)
Date: Tue Dec 2 02:28:45 2003
Subject: Problem with samedit, cmdat
Message-ID: <200002221910.TAA07594@hebe.biomed.abdn.ac.uk>

> Hi
>
> I Have a problem with samedit, cmdat and all the other new programs.
> If I start them I get a Bus Error, a core is dumped and the program has
> length 0 at the end.
> I use the CVS from this morning on a sparc Solaris 2.7

Hi Andre,

There's a problem in codepage_initialise() which causes all the
command-line programs to crash exactly as you describe (I should say
that I'm also using sparc Solaris 2.7). Perhaps an endianness problem on
sparc? - I haven't had time to investigate so far.

I've temporarily worked around it with the following in
lib/cmd_interp.c :

#if 0
	codepage_initialise(lp_client_code_page());
#endif

(line 1475 in my version, from yesterday). I've assumed (without
checking) that the omission won't cause me too much grief for the
moment, and it has at least allowed the programs to start.

George

>
> Andre
> --
> Andre Stolze                    stolze@math.uni-muenster.de
> IVV FB7 / FB 10                 Westf. Wilhelms-Universitaet
> Fliednerstr. 21                 support@psy.uni-muenster.de
> 48149 Muenster                  Tel.: 0251/83-31357

---------------------------------------------------------------------
George Cameron                      g.cameron@biomed.abdn.ac.uk
Dept. BioMedical Physics
Aberdeen University
Foresterhill                        Fax: +44 (0)1224-685645
Aberdeen AB25 2ZD                   Telephone: +44 (0)1224-553210
Scotland, UK

From lkcl at samba.org Tue Feb 22 21:01:18 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: Compile error
In-Reply-To:
Message-ID:

fixed.

On Tue, 22 Feb 2000, Scott Rosicka wrote:

>
> Whilst trying to compile samba_TNG on RedHat Linux 6.1 (ALPHA) i got this
> error
>
> Linking bin/smbd
> lib/set_uid.o: In function `init_uid':
> set_uid.c(.text+0xb4): undefined reference to `setresgid'
> set_uid.c(.text+0xb8): undefined reference to `setresgid'
> lib/set_uid.o: In function `become_gid':
> set_uid.c(.text+0x3f4): undefined reference to `setresgid'
> set_uid.c(.text+0x3f8): undefined reference to `setresgid'
> lib/set_uid.o: In function `unbecome_to_initial_uid':
> set_uid.c(.text+0x584): undefined reference to `setresgid'
> lib/set_uid.o(.text+0x588):set_uid.c: more undefined references to `setresgid' follow
> collect2: ld returned 1 exit status
> make: *** [bin/smbd] Error 1
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From george at biomed.abdn.ac.uk Tue Feb 22 21:05:12 2000
From: george at biomed.abdn.ac.uk (George Cameron) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit Message-ID: <200002222105.VAA07953@hebe.biomed.abdn.ac.uk> > On Wed, 23 Feb 2000, Joseph Manojlovich wrote: > > > I tried to add a new nt4 workstation to my domain using "smbpasswd -a -m > > NAME" only to see that we are supposed to use "createuser NAME$" with > > samedit now. Anyway, after entering samedit using "samedit -S . -W > > DOMAIN", as root, and running the creatuser, which says it created the > > account fine, no one can log into the domain from the workstation. The > > samedit -S . -U root% at a root unix prompt. > > you have destroyed the trust account of a previously successfully-joined > workstation. > > see posting last week which i sent out detailing how to deal with this > (subject contains rpccline / samedit etc) > Having seen this message, I tried what I thought were the right instructions (looks like Lars' very helpful pages now need updating :) but got the following (names & ips substituted): machines are: MYPDC, ip 123.456.789.012 MYWKS, ip 123.456.789.345 mypdc# samedit \\\\mypdc -U Administrator Added interface ip=123.456.789.012 bcast=123.456.789.255 nmask=255.255.255.0 Enter Password: socket connect to /tmp/.smb.0/agent failed: No such file or directory error connecting to 123.456.789.012:445 (Connection refused) session setup ok Domain=[MYTEST] OS=[Unix] Server=[Samba TNG-prealpha] [Administrator@MYPDC]$ use \\\\mywks -U Administrator use \\\\mywks -U Administrator Enter Password: Server: \\MYWKS: User: Administrator Domain: ^^^^^^^^^^^^^ Connection: socket connect to /tmp/.smb.0/agent failed: No such file or directory error connecting to 123.456.789.345:445 (Connection refused) failed session setup cli_net_use_add: connection failed FAILED [Administrator@MYPDC]$ quit quit mypdc# I don't understand: 1. 
why I'm getting 'socket connect to /tmp/.smb.0/agent failed: No such file or directory' (and in a little more logging detail): socket open succeeded. file name: /tmp/.smb.0/agent socket connect to /tmp/.smb.0/agent failed: No such file or directory redirect FAILED, make direct connection Connecting to 123.456.789.345 at port 445 error connecting to 123.456.789.345:445 (Connection refused) Connecting to 123.456.789.345 at port 139 [000] 81 00 00 48 20 46 41 46 ... 2. why both machines seem to be reporting an error connecting to port 445 3. why, if the PDC and local machine administrator accounts have different names, it echos the administrator account name of the *PDC* rather than the workstation where I've underlined with ^^^^^ (I then changed them to have the same name to see if that would help but that made no difference) I'm running on sparc, Solaris 7, TNG from yesterday. Have NT machines running on a 2.0.6 PDC but am keen to get TNG working now. I could send a high-level log but from the missing file message I guess I may have something a little more fundamental wrong. George PS/ OK - I guess there is stuff in the logs after all. I've got multiple ERROR: unbecome root depth is 0 ERROR: become root depth is non zero in log.netlogon . Should there perhaps be something on this in Lars' FAQ? The only reference I found in the archives which seemed to be relevant was the reminder that you can't have users & groups with the same name in NT. I think I've remapped all my duplicate groups to different names using a 'domain group map' file but I still seem to have the problem. And in log.smb: (lots of) socket connect to /tmp/.msrpc/.wkssvc/agent failed: No such file or directory socket connect to /tmp/.msrpc/.lsarpc/agent failed: No such file or directory socket connect to /tmp/.msrpc/.NETLOGON/agent failed: No such file or directory --------------------------------------------------------------------- George Cameron g.cameron@biomed.abdn.ac.uk Dept. 
BioMedical Physics Aberdeen University Foresterhill Fax: +44 (0)1224-685645 Aberdeen AB25 2ZD Telephone: +44 (0)1224-553210 Scotland, UK From lkcl at samba.org Tue Feb 22 21:14:53 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit In-Reply-To: <200002222105.VAA07953@hebe.biomed.abdn.ac.uk> Message-ID: > mypdc# samedit \\\\mypdc -U Administrator > Added interface ip=123.456.789.012 bcast=123.456.789.255 nmask=255.255.255.0 > Enter Password: > socket connect to /tmp/.smb.0/agent failed: No such file or directory > error connecting to 123.456.789.012:445 (Connection refused) > session setup ok this is good. > Domain=[MYTEST] OS=[Unix] Server=[Samba TNG-prealpha] > [Administrator@MYPDC]$ use \\\\mywks -U Administrator > use \\\\mywks -U Administrator > Enter Password: > Server: \\MYWKS: User: Administrator Domain: > ^^^^^^^^^^^^^ > Connection: socket connect to /tmp/.smb.0/agent failed: No such file or > directory > error connecting to 123.456.789.345:445 (Connection refused) > failed session setup > cli_net_use_add: connection failed hmm, this shouldn't happen. ok, try this: use \\\\mywks -U administrator -W mywks this will force mywks to verify administrator against the *local* SAM database. i'm certain that if you renamed the administrator account on the local workstation to something _other_ than the same name as the Domain Admin account on mypdc, this would not be necessary [specifying a Domain name of mywks]. please let me know if this works. > I don't understand: > > 1. why I'm getting > > 'socket connect to /tmp/.smb.0/agent failed: No such file or directory' it's a warning. don't worry about it. > 2. why both machines seem to be reporting an error connecting > to port 445 because the client code in TNG now supports SMB over port 445. the server code (smbd) is a little trickier, so i disabled it there (it didna' wurk :( ) > 3. 
why, if the PDC and local machine administrator accounts have > different names, it echos the administrator account name of the > *PDC* rather than the workstation where I've underlined with > ^^^^^ (I then changed them to have the same name to see if that > would help but that made no difference) um... because you specified use \\mywks -U administrator [same name?] i don't know. if that's the case, it's a bug! > I'm running on sparc, Solaris 7, TNG from yesterday. Have NT machines > running on a 2.0.6 PDC but am keen to get TNG working now. I could send > a high-level log but from the missing file message I guess I may have > something a little more fundamental wrong. > > George > > PS/ OK - I guess there is stuff in the logs after all. I've got multiple > > ERROR: unbecome root depth is 0 > ERROR: become root depth is non zero *sigh*. this _really_ needs to be sorted out, and it's not simple, so i've been avoiding it. i know how long it would take to sort out the code involved in this (passdb/*.c, groupdb/*.c) if i tackled it. thx george. From mgeddes at xavier.sa.edu.au Tue Feb 22 22:05:46 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:45 2003 Subject: FAQ request(s) References: <38B2C0F3.3F736CA8@netuse.de> Message-ID: <38B3083A.C7C47F46@xavier.sa.edu.au> Lars Kneschke wrote: > > Luke Kenneth Casson Leighton wrote: > > > > gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file > > option. > Gregory, just for you! :-) > Now i have links to tar.gz files on top of every page with > smb.conf examples. Does this mean you have the current Samba TNG working? ;-) Once I have a spare minute here, I want to try and get it working also and update the smb.conf examples (I think there were a couple of errors on them anyway). Thanks, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From george at biomed.abdn.ac.uk Tue Feb 22 22:20:11 2000 
From: george at biomed.abdn.ac.uk (George Cameron) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit Message-ID: <200002222220.WAA08140@hebe.biomed.abdn.ac.uk> > > Domain=[MYTEST] OS=[Unix] Server=[Samba TNG-prealpha] > > [Administrator@MYPDC]$ use \\\\mywks -U Administrator > > use \\\\mywks -U Administrator > > Enter Password: > > Server: \\MYWKS: User: Administrator Domain: > > ^^^^^^^^^^^^^ > > Connection: socket connect to /tmp/.smb.0/agent failed: No such file or > > directory > > error connecting to 123.456.789.345:445 (Connection refused) > > failed session setup > > cli_net_use_add: connection failed > > hmm, this shouldn't happen. ok, try this: > > use \\\\mywks -U administrator -W mywks > > this will force mywks to verify administrator against the *local* SAM > database. i'm certain that if you renamed the administrator account on > the local workstation to something _other_ than the same name as the > Domain Admin account on mypdc, this would not be necessary [specifying a > Domain name of mywks]. > > please let me know if this works. 'fraid not. I tried it both with & without making the two accounts different (actually I renamed the admin account on the PDC back to its original name & left the workstation one the same), but explicitly setting the domain name to that of the workstation still results in failed session setup cli_net_use_add: connection failed FAILED I also tried renaming the workstation admin account to match the (original) PDC admin account. Still no joy. However, I notice that neither the user nor the domain I specify are reported after issuing the 'use' command, e.g. 
I get: [pdcadmin@MYPDC]$ use \\\\mywks -U wksadmin -W mywks use \\\\ptah -U Administrator -W ptah Enter Password: Server: \\MYWKS: User: pdcadmin Domain: ^^^^^^^^ ^^^^^^^^^ Connection: socket connect to /tmp/.smb.0/agent failed: No such file or directory error connecting to 139.133.211.101:445 (Connection refused) failed session setup cli_net_use_add: connection failed FAILED Hmmm. George > > > I don't understand: > > > > 1. why I'm getting > > > > 'socket connect to /tmp/.smb.0/agent failed: No such file or directory' > > it's a warning. don't worry about it. > > > 2. why both machines seem to be reporting an error connecting > > to port 445 > > because the client code in TNG now supports SMB over port 445. the server > code (smbd) is a little trickier, so i disabled it there (it didna' wurk > :( ) > > > 3. why, if the PDC and local machine administrator accounts have > > different names, it echos the administrator account name of the > > *PDC* rather than the workstation where I've underlined with > > ^^^^^ (I then changed them to have the same name to see if that > > would help but that made no difference) > > um... because you specified use \\mywks -U administrator [same name?] > > i don't know. if that's the case, it's a bug! > > > > I'm running on sparc, Solaris 7, TNG from yesterday. Have NT machines > > running on a 2.0.6 PDC but am keen to get TNG working now. I could send > > a high-level log but from the missing file message I guess I may have > > something a little more fundamental wrong. > > > > George > > > > PS/ OK - I guess there is stuff in the logs after all. I've got multiple > > > > ERROR: unbecome root depth is 0 > > ERROR: become root depth is non zero > > *sigh*. this _really_ needs to be sorted out, and it's not simple, so > i've been avoiding it. i know how long it would take to sort out the code > involved in this (passdb/*.c, groupdb/*.c) if i tackled it. > > thx george. 
>
---------------------------------------------------------------------
George Cameron                         g.cameron@biomed.abdn.ac.uk
Dept. BioMedical Physics
Aberdeen University
Foresterhill                           Fax:       +44 (0)1224-685645
Aberdeen AB25 2ZD                      Telephone: +44 (0)1224-553210
Scotland, UK

From lars at kneschke.de Tue Feb 22 22:05:46 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:45 2003
Subject: Adding NT Workstations with samedit
References: <200002222105.VAA07953@hebe.biomed.abdn.ac.uk>
Message-ID: <38B3083A.FFCE31B6@kneschke.de>

George Cameron wrote:

> Having seen this message, I tried what I thought were the right instructions
> (looks like Lars' very helpful pages now need updating :) but got the following
> (names & ips substituted):

Yes, my pages need an update. :-)
I got samba tng working. Now i'm able to test it.
Today evening or tomorrow morning i will update the FAQ.

Cu
--
Watch our projects at http://www.kneschke.de/projekte!
ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer

From lkcl at samba.org Tue Feb 22 22:31:49 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit In-Reply-To: <200002222220.WAA08140@hebe.biomed.abdn.ac.uk> Message-ID: > > use \\\\mywks -U administrator -W mywks > > > > this will force mywks to verify administrator against the *local* SAM > > database. i'm certain that if you renamed the administrator account on > > the local workstation to something _other_ than the same name as the > > Domain Admin account on mypdc, this would not be necessary [specifying a > > Domain name of mywks]. > > > > please let me know if this works. > > 'fraid not. I tried it both with & without making the two accounts > different (actually I renamed the admin account on the PDC back to > its original name & left the workstation one the same), but explicitly > setting the domain name to that of the workstation still results in i'm sorry, then i don't know what is wrong. i tried exactly this and it worked fine. tested against nt5 and nt4. can u report: - whether you are using latest cvs (which you always should be) - smb.conf file - os type can u check: - local admin account actually works (use another nt wksta, do net use \\ntwks /user:NTWKS\localadmin). - more log info, debug level 100, recompile with -DDEBUG_PASSWORD. thx. luke From D.Bannon at latrobe.edu.au Tue Feb 22 23:55:55 2000 
From: D.Bannon at latrobe.edu.au (David Bannon)
Date: Tue Dec 2 02:28:45 2003
Subject: Long User names
In-Reply-To:
References: <3.0.6.32.20000222170758.008ddd60@bioserve.latrobe.edu.au>
Message-ID: <3.0.6.32.20000223105555.008c34d0@bioserve.latrobe.edu.au>

At 05:21 PM 22/02/2000 +1100, Luke Kenneth Casson Leighton wrote:
>more than likely. find a unix os that does >8 chars on unix names.
>

No, it does not matter about the underlying unix, The NTDom coders (thanks Luke) did a good job. smbpasswd is quite happy with long names and as an aside, pam_smb is too.

These particular users don't get to logon with a shell. I create the user's entry in /etc/passwd with a script, not via adduser and there seems to be no problems with most of the samba activity. Everything works except the automatic connection to z: which can be done with 'net use z: \\server\homes' (which was once a security problem ??).

The real point in issue here is that NT allows user names longer than 8 char, linux (at least) seems happy about it apart from some minor quibbles as long as all access is through samba. If we are going to work in an NT environment then names longer than 8 char are going to be encountered.

>On Tue, 22 Feb 2000, David Bannon wrote:
>
>> Hi Folks,
>>
>> Who knows about length of user name limits ? I have been using an old
>> (Oct99) NTDom stream version in a production situation (NT4sp4) and have
>> just found that our IT department is making student logon names as long as
>> 15 characters.
>>
>> The NTDom side of things is fine, the user is logged on without problems
>> but no home directory. The user can browse to homes but not the (homes)
>> directory in their name.
>>
>> Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I just
>> hack at the old code I have here ...).
>> >> David >> ------------------------------------------------------------ >> David Bannon D.Bannon@latrobe.edu.au >> School of Biochemistry Phone 61 03 9479 2197 >> La Trobe University, Plenty Rd, Fax 61 03 9479 2467 >> Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au >> ------------------------------------------------------------ >> .... Humpty Dumpty was pushed ! >> > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > >ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > ------------------------------------------------------------ David Bannon D.Bannon@latrobe.edu.au School of Biochemistry Phone 61 03 9479 2197 La Trobe University, Plenty Rd, Fax 61 03 9479 2467 Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au ------------------------------------------------------------ ..... Humpty Dumpty was pushed ! From mgeddes at xavier.sa.edu.au Wed Feb 23 01:11:35 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit References: Message-ID: <38B333C7.81E89E65@xavier.sa.edu.au> Luke Kenneth Casson Leighton wrote: > > i'm sorry, then i don't know what is wrong. i tried exactly this and it > worked fine. tested against nt5 and nt4. > It's very similar to that problem I had about a week ago and haven't sent you the debug report about yet. From what I can gather it is a trust relationship problem. I can do what I like with rpcclient and samedit as long as it's from server '.'. If I try from NT, it fails. If I try to samedit / rpcclient from the (soon-to-be) BDC, I get the message: cli_net_use_add: connection failed. I have also tried adding a trust account for the PDC to the domain (which I could and I know you said it wasn't necessary), but to no avail. I have mostly been using the alpha tarballs. 0.3 worked, 0.4 and 0.5 have this problem. I am trying the samba-latest from sernet.pair.com (that's last nights or today's or something isn't it?). If this don't work, I will send a bug report (I promise ;-)). Thanks, Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From lkcl at samba.org Wed Feb 23 01:06:55 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:45 2003 Subject: Adding NT Workstations with samedit In-Reply-To: <38B333C7.81E89E65@xavier.sa.edu.au> Message-ID: On Wed, 23 Feb 2000, Matthew Geddes wrote: > Luke Kenneth Casson Leighton wrote: > > > > > i'm sorry, then i don't know what is wrong. i tried exactly this and it > > worked fine. tested against nt5 and nt4. > > > > It's very similar to that problem I had about a week ago and haven't > sent you the debug report about yet. From what I can gather it is a > trust relationship problem. I can do what I like with rpcclient and > samedit as long as it's from server '.'. If I try from NT, it fails. If > I try to samedit / rpcclient from the (soon-to-be) BDC, I get the > message: cli_net_use_add: connection failed. I have also tried adding a hm, i think i know what that might be, then. urr... DOH! there's a machine_passworD_timeout = 60 seconds still in there!!! DOH! > If this don't work, I will send a bug report (I promise ;-)). thx. From timothy_d_cole at md.northgrum.com Tue Feb 22 15:23:22 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:45 2003 Subject: Long User names Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563215@xcgmd008.md.essd.northgrum.com> Hmm. afaiK, there are a number that do allow that. but certainly not a majority. > -----Original Message----- 
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > Sent: Tuesday, February 22, 2000 1:22 > To: Multiple recipients of list SAMBA-NTDOM > Subject: Re: Long User names > > more than likely. find a unix os that does >8 chars on unix names. > > On Tue, 22 Feb 2000, David Bannon wrote: > > > Hi Folks, > > > > Who knows about length of user name limits ? I have been using an old > > (Oct99) NTDom stream version in a production situation (NT4sp4) and have > > just found that our IT department is making student logon names as long > as > > 15 characters. > > > > The NTDom side of things is fine, the user is logged on without problems > > but no home directory. The user can browse to homes but not the (homes) > > directory in their name. > > > > Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I > just > > hack at the old code I have here ...). > > > > David > > ------------------------------------------------------------ > > David Bannon D.Bannon@latrobe.edu.au > > School of Biochemistry Phone 61 03 9479 2197 > > La Trobe University, Plenty Rd, Fax 61 03 9479 2467 > > Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au > > ------------------------------------------------------------ > > .... Humpty Dumpty was pushed ! > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Wed Feb 23 01:12:31 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: [samba-tng] possible byte order issue - feedback needed
Message-ID:

hi,

of those people who do _not_ have tng working who have tried it recently, could you let me know if your architecture has an intel-byte-order or a non-intel-byte-order (LSB or MSB).

if you do not know, please could you just report what processor type you have on which tng is NOT working.

thx,

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Wed Feb 23 01:16:33 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:45 2003
Subject: [samba-tng] status
Message-ID:

hello all,

um... i got the format of LsaSetSecret / LsaQuerySecret private data wrong. it's the plaintext (Unicode) password, from which the NT# is generated.

so, i'm really sorry, but if you are using TNG as either a bdc or with "security = domain", you are going to have to rejoin it to the domain. i don't think anyone's using it like this, but just in case.

this does NOT affect TNG as a PDC, only as a member-of-a-domain.

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mgeddes at xavier.sa.edu.au Wed Feb 23 01:43:42 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:45 2003
Subject: [samba-tng] possible byte order issue - feedback needed
References:
Message-ID: <38B33B4E.A231B42E@xavier.sa.edu.au>

Four Intel-based machines DON'T work. I have no other platforms :-(

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
 - Lucovsky, Microsoft

From SC4211 at email.mot.com Tue Feb 22 20:49:17 2000
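The status message above says the LsaSetSecret / LsaQuerySecret private data is the plaintext Unicode password from which the NT# is generated, and the message before it asks about LSB versus MSB hosts. The C code below is an added example, not Samba TNG code: it computes the NT hash as MD4 over the UTF-16LE password using byte-wise little-endian loads and stores, so the result is the same on either byte order and no unaligned word access occurs. The function names, the 128-character limit and the ASCII-only input are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NT_MAX_CHARS 128   /* constructed limit for this example */

/* Read/write 32-bit little-endian values one byte at a time: no cast of a
 * byte pointer to uint32_t*, so no alignment trap and no dependence on the
 * host byte order. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t rotl32(uint32_t x, unsigned s)
{
    return (x << s) | (x >> (32 - s));
}

/* MD4 compression function over one 64-byte block (RFC 1320). */
static void md4_block(uint32_t st[4], const uint8_t *blk)
{
    static const uint8_t shift[3][4] = { {3,7,11,19}, {3,5,9,13}, {3,9,11,15} };
    static const uint8_t order3[16] = {0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
    uint32_t x[16], a = st[0], b = st[1], c = st[2], d = st[3];
    int i;

    for (i = 0; i < 16; i++)
        x[i] = load_le32(blk + 4 * i);

    for (i = 0; i < 48; i++) {
        int r = i / 16, j = i % 16, k;
        uint32_t f, t;
        if (r == 0) {            /* round 1: F, words in order */
            f = (b & c) | (~b & d);
            k = j;
        } else if (r == 1) {     /* round 2: G, column order */
            f = ((b & c) | (b & d) | (c & d)) + 0x5a827999u;
            k = (j % 4) * 4 + j / 4;
        } else {                 /* round 3: H, bit-reversed order */
            f = (b ^ c ^ d) + 0x6ed9eba1u;
            k = order3[j];
        }
        t = rotl32(a + f + x[k], shift[r][i % 4]);
        a = d; d = c; c = b; b = t;   /* rotate the four registers */
    }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

/* MD4 of an arbitrary byte string; digest is written little-endian. */
static void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint8_t tail[128];
    size_t full = len / 64, rem = len % 64, tail_len, i;
    uint64_t bits = (uint64_t)len * 8;

    for (i = 0; i < full; i++)
        md4_block(st, msg + 64 * i);

    /* Padding: 0x80, zeros, then the bit length as 64-bit little-endian. */
    memset(tail, 0, sizeof tail);
    memcpy(tail, msg + 64 * full, rem);
    tail[rem] = 0x80;
    tail_len = (rem < 56) ? 64 : 128;
    store_le32(tail + tail_len - 8, (uint32_t)bits);
    store_le32(tail + tail_len - 4, (uint32_t)(bits >> 32));
    md4_block(st, tail);
    if (tail_len == 128)
        md4_block(st, tail + 64);

    for (i = 0; i < 4; i++)
        store_le32(out + 4 * i, st[i]);
}

/* NT hash of a 7-bit ASCII password (assumption of this example).
 * Returns 0 on success, -1 if the input is too long or not ASCII. */
int nt_hash_ascii(const char *password, uint8_t out[16])
{
    uint8_t utf16[2 * NT_MAX_CHARS];
    size_t n = strlen(password), i;

    if (n > NT_MAX_CHARS)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)password[i];
        if (ch > 0x7f)
            return -1;
        utf16[2 * i] = ch;       /* UTF-16LE: low byte first */
        utf16[2 * i + 1] = 0;
    }
    md4(utf16, 2 * n, out);
    return 0;
}

/* Hex form of the NT hash, or NULL if the input was rejected. */
const char *nt_hash_hex(const char *password)
{
    static char hex[33];
    uint8_t h[16];
    int i;

    if (nt_hash_ascii(password, h) != 0)
        return NULL;
    for (i = 0; i < 16; i++)
        sprintf(hex + 2 * i, "%02x", h[i]);
    return hex;
}

int main(void)
{
    printf("%s\n", nt_hash_hex("password"));   /* constructed sample input */
    return 0;
}
```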
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:45 2003 Subject: Samba and NT 4.0 References: Message-ID: <38B2F64D.7DEA621F@email.mot.com> We are having an issue where I have a samba share pointing to an Automount point. When people go into that share, it takes FOREVER to pull up the directory. I went into the logs and I would 'tail -f' the log file and see what PID was pulling the directory, then I would TRUSS the PID. It would say things like "directory_x/desktop.ini not found". So the NT 4.0 machine was trying to go into EVERY directory and look for a file called "desktop.ini". Some of the directories actually are on servers that the user does not have permissions to and also the samba server does not have access to. It would take about 20 seconds PER directory that it could not get into to timeout on the desktop.ini file. Anyone know a way around this?? What is NT looking for these dang desktop.ini files? Thanks. -- Ryan Wyler SC4211@email.mot.com Voice: (480) 732-4318 Motorola ITSS Pager: ryan.page@monitor.sat.mot.com U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] From mbreuer at siac.com Tue Feb 22 19:02:10 2000 
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:45 2003
Subject: TNG 0.5 - Still can't join W2K to domain...
Message-ID: <38B2DD32.A795ED46@siac.com>

Ok... I've attempted to join a W2K workstation to TNG 0.5:

Network password fails. Tracing through code and log messages, it seems that /tmp/.msrpc is sometimes /tmp/.msrpc and sometimes LOCKDIR/.msrpc.

So... msrpc-agent.c: 221 and msrpc-client.c: 263 should have /tmp... replaced with LOCKDIR.... (I think).

Likewise, the 'pipe_name' parameters are also inconsistent... sometimes in a "dot" directory (..../.NETLOGON) and sometimes not (.../NETLOGON).

Perhaps I'm missing something? (BTW: the dotted versions are never created... only the non-dot versions. When I changed code to always use non dotted versions, the code complained that the pipes were not directories). Also, for what it's worth, the log messages seem to indicate that during the attempt to validate the network ID, complain about /.msrpc/.lsarpc/agent and /.msrpc/.NETLOGON/agent not being found (or if I delete the dots, not being directories). Note that is after I changed the /tmp code.

Additional notes:

1) When I first ran 0.5, .SID and "MACHINE.SID" both existed... smbd didn't like this and crashed. I moved "MACHINE.SID" out of the way, and now smbd runs. Perhaps this was due to the former requirement to join your own domain?

2) samedit installed in /usr/samba/bin doesn't work (just has a line complaining about missing codepage 000). samedit in the compilation bin directory works.

From mbreuer at siac.com Tue Feb 22 20:37:17 2000
From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:45 2003 Subject: TNG: configure fix for IRIX 6.5.x TCP_NODELAY Message-ID: <38B2F37C.27119DF9@siac.com> Change to tng 0.5 1952c1952,1955 < --- >#ifdef IRIX >cat >>confdefs.h <#include >EOF -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2028 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000222/201af201/smime.bin From lkcl at samba.org Wed Feb 23 03:30:56 2000 
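Review bot: the change at `1952c1952,1955` names no file, so it is not possible to tell whether line 1952 belongs to the generated configure script or to its autoconf source; if it is the generated script, the edit will be lost the next time configure is regenerated and should be made in the source instead. In the four added lines as posted, `#ifdef IRIX` has no matching `#endif`, the here-document redirection after `cat >>confdefs.h` is incomplete, and `#include` names no header, so the hunk cannot be applied as shown. Please resend it as a unified diff against the named file, attached in a form the list does not strip, and state which header TCP_NODELAY needs on IRIX 6.5.x.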
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:45 2003 Subject: TNG 0.5 - Still can't join W2K to domain... In-Reply-To: <38B2DD32.A795ED46@siac.com> Message-ID: > Perhaps I'm missing something? (BTW: the dotted versions are never created... only the non-dot versions. When I changed code to > always use non dotted versions, the code complained that the pipes were not directories). Also, for what it's worth, the log > messages seem to indicate that during the attempt to validate the network ID, complain about /.msrpc/.lsarpc/agent and > /.msrpc/.NETLOGON/agent not being found (or if I delete the dots, not being directories). Note that is after I > changed the /tmp code. don't worry about agents, that's redirector stuff that isn't active. > Additional notes: > 1) When I first ran 0.5, .SID and "MACHINE.SID" both existed... smbd didn't like this and crashed. I moved "MACHINE.SID" > out of the way, and now smbd runs. Perhaps this was due to the former requirement to join your own domain? this would have been because you ran tng, returned to 2.0.x, then ran tng. this isn't ok, because 2.0.x recreates MACHINE.SID, and tng moves MACHINE.SID to THESAMDATABASENAME.SID > 2) samedit installed in /usr/samba/bin doesn't work (just has a line > complaining about missing codepage 000). samedit in the compilation > bin directory works. hmm, there's a bug in the codepage stuff, fixed for 2.0.x. From lkcl at samba.org Wed Feb 23 03:31:43 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:45 2003 Subject: TNG: configure fix for IRIX 6.5.x TCP_NODELAY In-Reply-To: <38B2F37C.27119DF9@siac.com> Message-ID: which file? On Wed, 23 Feb 2000, Michael Breuer wrote: > Change to tng 0.5 > > 1952c1952,1955 > < > --- > >#ifdef IRIX > >cat >>confdefs.h < >#include > >EOF > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lars at kneschke.de Wed Feb 23 06:41:58 2000 From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:45 2003 Subject: FAQ request(s) References: <38B2C0F3.3F736CA8@netuse.de> <38B3083A.C7C47F46@xavier.sa.edu.au> Message-ID: <38B38136.9AFAF4DB@kneschke.de> Matthew Geddes wrote: > > Lars Kneschke wrote: > > > > Luke Kenneth Casson Leighton wrote: > > > > > > gregory, i'm ashamed at you. print on pdc.php3, select the save-to-file > > > option. > > Gregory, just for you! :-) > > Now i have links to tar.gz files on top of every page with > > smb.conf examples. > > Does this mean you have the current Samba TNG working? ;-) Yes, but i have not WindowsNT at home. But i'm able to create Workstation Trustaccounts with rpcclient. This wasn't working the last 3 days for me. At work i can test it with Windows NT. > Once I have a spare minute here, I want to try and get it working also > and update the smb.conf examples (I think there were a couple of errors > on them anyway). I modified the bdc file and the domainmember file already(wins server). Cu -- Watch our projects at http://www.kneschke.de/projekte! ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer From s.striker at striker.nl Wed Feb 23 07:38:43 2000 
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:45 2003
Subject: FAQ request(s)
In-Reply-To: <38B38136.9AFAF4DB@kneschke.de>
Message-ID:

Hi,

Lars, could you update the FAQ so people can read about the redirector and not worry about the warnings. There are several postings on this (non)issue every week.

Thx,

Sander

From hanak at IRIS.osu.cz Wed Feb 23 08:18:13 2000
From: hanak at IRIS.osu.cz (Ondrej Hanak)
Date: Tue Dec 2 02:28:46 2003
Subject: Long User names again
In-Reply-To: <51FBD4A8EFD9D111BA7300A0C927DADB563215@xcgmd008.md.essd.northgrum.com>
Message-ID:

I found same problem on our SAMBA NTDOM as described by David Bannon. Users with too long (e.g. 13 chars) usernames (cause big change from NT server to SAMBA, all users we accommodated on Linux) didn't have H: drive mapped as others. I can see that user's home of his/her name in share list, but after effort to connect to this share error message appeared: "Can't find share name..."

I solved this problem by mapping homes in user's login script (net use h: \\server\homes).

Can anybody explain what's wrong?

Cus

O.H.

On Wed, 23 Feb 2000, Cole, Timothy D. wrote:

> Hmm. afaiK, there are a number that do allow that. but certainly not a
> majority.
>
> > -----Original Message-----
> > From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > > Sent: Tuesday, February 22, 2000 1:22 > > To: Multiple recipients of list SAMBA-NTDOM > > Subject: Re: Long User names > > > > more than likely. find a unix os that does >8 chars on unix names. > > > > On Tue, 22 Feb 2000, David Bannon wrote: > > > > > Hi Folks, > > > > > > Who knows about length of user name limits ? I have been using an old > > > (Oct99) NTDom stream version in a production situation (NT4sp4) and have > > > just found that our IT department is making student logon names as long > > as > > > 15 characters. > > > > > > The NTDom side of things is fine, the user is logged on without problems > > > but no home directory. The user can browse to homes but not the (homes) > > > directory in their name. > > > > > > Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I > > just > > > hack at the old code I have here ...). > > > > > > David > > > ------------------------------------------------------------ > > > David Bannon D.Bannon@latrobe.edu.au > > > School of Biochemistry Phone 61 03 9479 2197 > > > La Trobe University, Plenty Rd, Fax 61 03 9479 2467 > > > Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au > > > ------------------------------------------------------------ > > > .... Humpty Dumpty was pushed ! > > > > > > > Luke Kenneth Casson Leighton > > Samba and Network Development > > Samba Web site > > Internet Security Systems, Inc. > > Macmillan Technical Publishing > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > From lk at netuse.de Wed Feb 23 08:18:57 2000 
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:46 2003 Subject: FAQ request(s) References: Message-ID: <38B397F1.465AEE0B@netuse.de> Sander Striker wrote: > > Hi, > > Lars, could you update the FAQ so people can read about the redirector > and not worry about the warnings. There are several posting on this > (non)issue every week. Yes, i had this idea also this morning. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From lauffer at ph-freiburg.de Wed Feb 23 09:42:40 2000 
From: lauffer at ph-freiburg.de (Stephan Lauffer)
Date: Tue Dec 2 02:28:46 2003
Subject: "bug": DMB, bind interfaces and localhost
Message-ID:

Hi all!

There's a little problem if you want to set up your samba server as DMB and if you want to use "bind interfaces only". (in samba-2.x and TNG)

In many cases you must have localhost added to the interfaces, like:

    interfaces = aaa.bbb.ccc.ddd/255.255.255.0 127.0.0.1
    bind interfaces only = true

Then if you'll set up your host as dmb (and pdc) like

    domain master = true
    domain logons = true
    (...)

and you're using another wins-server (in my network it's a NT-Wins Server), you'll get an error message in the nmbd-logfiles like this: (substituted ip of wins server to xxx.yyy.zzz.a)

================
[2000/02/22 18:03:16, 0] libsmb/nmblib.c:send_udp(755)
  Packet send failed to xxx.yyy.zzz.a(137) ERRNO=Invalid argument
[2000/02/22 18:03:16, 0] nmbd/nmbd_packets.c:send_netbios_packet(173)
  send_netbios_packet: send_packet() to IP xxx.yyy.zzz.a port 137 failed
[2000/02/22 18:03:16, 0] nmbd/nmbd_namerelease.c:release_name(233)
  release_name: Failed to send packet trying to release name LINUX-AG<00> IP 127.0.0.1
================

This causes samba not to become a dmb! And then you've got a little problem... ;-)

Kind regards, Stephan Lauffer
[ Paedagogische Hochschule Freiburg - Systemtechnik - Germany ]
[ Abteilung ZIK: WWW ]
[ Tel.: 0761 - 682 447 Mobil: 0172 - 7145 197 ]

From lk at netuse.de Wed Feb 23 12:04:14 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:46 2003
Subject: joining a domain works, but login fails
Message-ID: <38B3CCBE.A95B072@netuse.de>

Hello Luke!

I can join the domain, using the join dialog from network settings (under Windows NT). I have not created a workstation trust account with rpcclient before. I created a password entry for root in smbpasswd and created a unix user for the workstation. After that I was able to join the domain. But after reboot I was not able to log in. The error message was: computer account does not exist or the password is wrong. (translated from German)

I can't find anything wrong in the log files.

If I use rpcclient as root, under Solaris, I get a bus error and the size of rpcclient is zero. After that I can't use rpcclient anymore. Need to investigate this more.

While playing with rpcclient, I tried to shut down a Windows NT workstation, but I failed. But that's not important. But it would be funny to shut down the NT PC. :-)

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lepape at shom.fr Wed Feb 23 12:07:33 2000
From: lepape at shom.fr (Jean-Marc Le Pape)
Date: Tue Dec 2 02:28:46 2003
Subject: Can't login TNG.0.5
Message-ID: <38B3CD85.AA031D9C@shom.fr>

Hello,

I'm using Samba tng 0.5 on Linux RH6.1 (pasglop)
I use a NT 4 SP 4 Workstation (moliere).
I successfully compile and install Samba.

I do a

    samedit -S . -U root%monpassword

then

    [root@.]$ use \\\\moliere -U Administrateur
    use \\\\moliere -U Administrateur
    Enter Password:
    Server: \\MOLIERE: User: Administrateur Domain:
    Connection: OK
    [root@.]$ createuser moliere$ -j
    createuser moliere$ -j
    SAM Create Domain User
    Domain: PDCTEST Name: moliere$ ACB: [W ]
    Create Domain User: OK
    Join MOLIERE to Domain PDCTEST
    Set $MACHINE.ACC: OK

and

    createuser toto -p toto
    SAM Create Domain User
    Domain: PDCTEST Name: toto ACB: [U ]
    Create Domain User: OK

I can't join the PDC from the NT Workstation the first time, but I can join the second time.

And now I can't log in on the PDCTEST from the NT W with the account toto and password toto.

Am I doing something wrong or am I definitely STUPID?

PS : I make it work with samba 0.0 and smbpasswd's commands.

=> smb.conf

    [global]
    netbios name = PASGLOP
    workgroup = PDCTEST
    log level = 100
    log file = /opt/samba_tng/var/log.%m
    domain group map = /opt/samba_tng/private/domaingroup.map
    domain user map = /opt/samba_tng/private/domainuser.map
    domain alias map = /opt/samba_tng/private/domainalias.map

    security = user
    domain logons = yes
    encrypt passwords = yes

    os level = 65
    domain master = yes
    preferred master = yes
    local master = yes

    logon script = %U.bat
    logon drive = H:
    logon home = \\PASGLOP\%U
    logon path = \\PASGLOP\profile\%U

    [homes]
    browseable = no
    writable = yes

Thanks

JM

From cyris at rapidsolution.de Wed Feb 23 13:04:10 2000
From: cyris at rapidsolution.de (Stefan Cyris)
Date: Tue Dec 2 02:28:46 2003
Subject: NT domain controller support == samba-latest.tar.gz
Message-ID: <38B3DACA.98DC56A2@rapidsolution.de>

hi

I'm wondering if TNG is included in the samba-package ???

thanx
Stefan

From LEYMARIE_Gerard at accor-hotels.com Wed Feb 23 13:05:37 2000
From: LEYMARIE_Gerard at accor-hotels.com (LEYMARIE Gerard)
Date: Tue Dec 2 02:28:46 2003
Subject: NT domain controller support == samba-latest.tar.gz
References: <38B3DACA.98DC56A2@rapidsolution.de>
Message-ID: <006b01bf7dfe$ad6e5ec0$2300c839@accorhotels.com>

Sorry for this question, but what is exactly the TNG?

Thks

----- Original Message -----
From: "Stefan Cyris"
To: "Multiple recipients of list SAMBA-NTDOM"
Sent: Wednesday, 23 February 2000 14:01
Subject: NT domain controller support == samba-latest.tar.gz

> hi
>
> I'm wondering if TNG is included in the samba-package ???
>
> thanx
> Stefan

From george at biomed.abdn.ac.uk Wed Feb 23 13:32:12 2000
From: george at biomed.abdn.ac.uk (George Cameron) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails Message-ID: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> > Hello Luke! > > I can join the domain, using the join dialog from > networksettings(under windows nt). I have not created a > workstation trustaccount with rpcclient before. I created a > password entry for root in smbpasswd and created a unix user for > the workstation. After that i was able to join the domain. But > after reboot i was not able to login. The error message was: > computer account does not exist or the password is > wrong.(translated from german) > I can't find something wrong in the log.files. Lars, Yes, I now get this too. I *think* there may be a bug in samedit where it incorrectly uses pdc's username+password for the local machine, but it works if they happen to be the same (and as long as you remember to update your domainuser.map, which I hadn't!). But now that I've got this to work (i.e. samedit succeeds), it still isn't accepting a login to the domain. > > If i use rpcclient as root, under solaris, i get a buserror and > the size of rpcclient is zero. After that i can't use rpcclient > anymore. Need to investigate this more. Yes I've found this too, also on Solaris 7/sparc . There seems to be a problem in the code page code. If you comment out the call in lib/cmd_interp.c : #if 0 codepage_initialise(lp_client_code_page()); #endif (line 1475 in my version, recently updated), the command line programs should work again, and stop overwriting the binaries with zero-length files :-o George > > While playing with rpcclient, i tried to shutdown i Windows NT > workstation, but i failed. But that's not important. But i would > be funny, to shutdown the NT pc. :-) > --------------------------------------------------------------------- George Cameron g.cameron@biomed.abdn.ac.uk Dept. 
BioMedical Physics Aberdeen University Foresterhill Fax: +44 (0)1224-685645 Aberdeen AB25 2ZD Telephone: +44 (0)1224-553210 Scotland, UK From cyris at rapidsolution.de Wed Feb 23 13:45:10 2000 From: cyris at rapidsolution.de (Stefan Cyris) Date: Tue Dec 2 02:28:46 2003 Subject: NT domain controller support == samba-latest.tar.gz References: <38B3DACA.98DC56A2@rapidsolution.de> <006b01bf7dfe$ad6e5ec0$2300c839@accorhotels.com> Message-ID: <38B3E466.99412A51@rapidsolution.de> no idea :)) I read the archive and everyone is talkign about tng so i asked :)) cya Stefan LEYMARIE Gerard wrote: > > Sorry for this question, but what is exaclty the TNG? > > Thks > > ----- Message d'origine ----- > De : "Stefan Cyris" > ? : "Multiple recipients of list SAMBA-NTDOM" > Envoy? : mercredi 23 f?vrier 2000 14:01 > Objet : NT domain controller support == samba-latest.tar.gz > > > hi > > > > I'm wondering if TNG is included in the samba-package ??? > > > > thanx > > Stefan From mbreuer at siac.com Wed Feb 23 13:51:14 2000 From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:46 2003 Subject: TNG: configure fix for IRIX 6.5.x TCP_NODELAY References: Message-ID: <38B3E5D2.F93C406F@siac.com> configure. However... I believe there is more code needed which exists in 2.x and sets HAVE_NETINET_TCP_H. Luke Kenneth Casson Leighton wrote: > which file? > > On Wed, 23 Feb 2000, Michael Breuer wrote: > > > Change to tng 0.5 > > > > 1952c1952,1955 > > < > > --- > > >#ifdef IRIX > > >cat >>confdefs.h < > >#include > > >EOF > > > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From mbreuer at siac.com Wed Feb 23 13:52:32 2000 
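Review bot: the `#ifdef IRIX` added at configure line 1952 does not make the change conditional. configure is a shell script, so that line is only a comment, the `cat >>confdefs.h` after it runs on every platform, and the hunk has no closing `#endif` either. Guard the append with a shell test on the host type, and make the change in configure.in together with the header check that sets HAVE_NETINET_TCP_H (which the follow-up says 2.x already has), so it survives the next regeneration of configure. The here-document delimiter and the header name on the `#include` line are missing from the hunk as posted, so it needs to be resent as an attachment or a `diff -u` before it can be applied.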
From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:46 2003 Subject: [samba-tng] possible byte order issue - feedback needed References: Message-ID: <38B3E620.7C1CFC0B@siac.com> Not working... Irix (MIPS R10K) Big Endian. Luke Kenneth Casson Leighton wrote: > hi, > > of those people who do _not_ have tng working who have tried it recently, > could you let me know if your architecture has an intel-byte-order or a > non-intel-byte-order (LSB or MSB). > > if you do not know, please could you just report what processor type you > have on which tng is NOT working. > > thx, > > luke > > Luke Kenneth Casson Leighton > Samba and Network Development > Samba Web site > Internet Security Systems, Inc. > Macmillan Technical Publishing > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From ertl at emp.paed.uni-muenchen.de Wed Feb 23 14:41:26 2000 From: ertl at emp.paed.uni-muenchen.de (Bernhard Ertl) Date: Tue Dec 2 02:28:46 2003 Subject: Netload using wins support References: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> Message-ID: <38B3F196.829B8C15@emp.paed.uni-muenchen.de> Does anyone know about the implementation of the wins support? How much netload does it cause (for about 50 Computers in the domain) and does samba start search queries for clients from other domains/ workgroups? Thx Be From cartegw at Eng.Auburn.EDU Wed Feb 23 14:00:58 2000 
From: cartegw at Eng.Auburn.EDU (Gerald Carter) Date: Tue Dec 2 02:28:46 2003 Subject: Samba and NT 4.0 References: <38B2F64D.7DEA621F@email.mot.com> Message-ID: <38B3E81A.7369F551@eng.auburn.edu> Ryan Wyler wrote: > > Anyone know a way around this?? What is NT looking for these dang > desktop.ini files? Thanks. Ryna, this has come up before. Have you checked through the list archives? I can't remember the details off the top of my head right now. Sorry. Cheers, jerry ________________________________________________________________________ Gerald ( Jerry ) Carter Engineering Network Services Auburn University jerry@eng.auburn.edu http://www.eng.auburn.edu/users/cartegw "...a hundred billion castaways looking for a home." - Sting "Message in a Bottle" ( 1979 ) From pierre.hjalm at dis.uu.se Wed Feb 23 14:01:26 2000 
From: pierre.hjalm at dis.uu.se (Pierre Hjalm) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails In-Reply-To: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> References: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> Message-ID: <14515.59446.810239.527434@ida.dis.uu.se> George Cameron writes: > > Hello Luke! > > > > I can join the domain, using the join dialog from > > networksettings(under windows nt). I have not created a > > workstation trustaccount with rpcclient before. I created a > > password entry for root in smbpasswd and created a unix user for > > the workstation. After that i was able to join the domain. But > > after reboot i was not able to login. The error message was: > > computer account does not exist or the password is > > wrong.(translated from german) > > I can't find something wrong in the log.files. > > Lars, > > Yes, I now get this too. I *think* there may be a bug in samedit where > it incorrectly uses pdc's username+password for the local machine, but > it works if they happen to be the same (and as long as you remember > to update your domainuser.map, which I hadn't!). But now that I've > got this to work (i.e. samedit succeeds), it still isn't accepting > a login to the domain. > > > > > If i use rpcclient as root, under solaris, i get a buserror and > > the size of rpcclient is zero. After that i can't use rpcclient > > anymore. Need to investigate this more. > > Yes I've found this too, also on Solaris 7/sparc . There seems to be > a problem in the code page code. If you comment out the call in > lib/cmd_interp.c : > > #if 0 > codepage_initialise(lp_client_code_page()); > #endif > > (line 1475 in my version, recently updated), the command line > programs should work again, and stop overwriting the binaries > with zero-length files :-o > Actually, it's a problem with the debugging/logging code. Someone (no names) decided it would be a good idea to take the name for the log file from argv[0]. 
That works if you happen to have rpcclient in your PATH but if you have to start it by giving the whole path to it, it will overwrite the binary. Another problem with this is that if you do have rpcclient in your PATH but happen to stand in a directory with a directory named rpcclient (like for example samba/source) rpcclient SIGSEGVs. This ought to be fixed. Quite annoying. -- Pierre Hj?lm, Systems Administrator Department of Information Science, Uppsala University, Sweden email:pierre.hjalm@dis.uu.se phone:+46-(0)18-4711044 fax:+46-(0)18-554422 From mbreuer at siac.com Wed Feb 23 14:28:09 2000 From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:46 2003 Subject: TNG: Samr can't open smbpasswd... Message-ID: <38B3EE78.E5E5FA29@siac.com> I haven't check code yet, but when I attempt to manipulate smbpasswd using samedit, samr can't open the smbpasswd file (permission). smbpasswd is owned by root and chmod 600. Note that I can login and mount shares from w2k, I just can't join the domain or access smbpasswd from samedit. From lk at netuse.de Wed Feb 23 14:47:03 2000 
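The log-naming problem Pierre Hjalm describes above (log file named after argv[0], so a full-path invocation overwrites the binary, and a directory of the same name crashes the tool), shown next to a hardened alternative. This is an added example, not Samba-TNG code: the function names, the "log." prefix, the "/tmp" demo directory and the refusal rules are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define NAME_CHARS "abcdefghijklmnopqrstuvwxyz" \
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"

/* Assumed reconstruction of the risky pattern: the log file name is
 * argv[0] verbatim, so "/opt/x/bin/rpcclient" names the binary itself. */
int unsafe_log_path(const char *argv0, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", argv0);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened naming: keep only the last path component of argv[0], accept a
 * conservative character set, and build "<logdir>/log.<name>" so the
 * result can never be the path the program was started from. logdir is
 * taken to be a trusted, administrator-chosen directory. */
int safe_log_path(const char *argv0, const char *logdir,
                  char *out, size_t outlen)
{
    const char *base = strrchr(argv0, '/');
    size_t len;
    int n;

    base = base ? base + 1 : argv0;
    len = strlen(base);
    if (len == 0 || len > 64 || strspn(base, NAME_CHARS) != len)
        return -1;
    n = snprintf(out, outlen, "%s/log.%s", logdir, base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Open a log for appending without ever truncating. Returns a descriptor,
 * or -1 when the target is a directory, a symlink, not a regular file, or
 * carries an execute bit (a log file should never be a program). The
 * caller must handle -1 instead of writing through a bad handle. */
int open_log(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & 0111) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    char risky[4096], safe[4096];
    int fd;

    if (argc < 1 || unsafe_log_path(argv[0], risky, sizeof risky) != 0)
        return 1;
    printf("argv[0]-derived name (not opened): %s\n", risky);

    /* "/tmp" is a placeholder log directory for this demo. */
    if (safe_log_path(argv[0], "/tmp", safe, sizeof safe) != 0 ||
        (fd = open_log(safe)) < 0) {
        fprintf(stderr, "no usable log file, continuing without one\n");
        return 0;
    }
    if (write(fd, "started\n", 8) != 8)
        perror("write");
    close(fd);
    printf("logging to: %s\n", safe);
    return 0;
}
```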
From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails References: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> <14515.59446.810239.527434@ida.dis.uu.se> Message-ID: <38B3F2E7.8689CD4C@netuse.de> Pierre Hjalm wrote: > Actually, it's a problem with the debugging/logging code. Someone (no > names) decided it would be a good idea to take the name for the log file > from argv[0]. That works if you happen to have rpcclient in your PATH but if > you have to start it by giving the whole path to it, it will overwrite > the binary. Another problem with this is that if you do have rpcclient > in your PATH but happen to stand in a directory with a directory named > rpcclient (like for example samba/source) rpcclient SIGSEGVs. This ought > to be fixed. Quite annoying. AAHHHH! Now i know why the commands in Luke's examples always have the "-l log" parameter. :-) Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From lk at netuse.de Wed Feb 23 14:49:33 2000 From: lk at netuse.de (Lars Kneschke) Date: Tue Dec 2 02:28:46 2003 Subject: NT domain controller support == samba-latest.tar.gz References: <38B3DACA.98DC56A2@rapidsolution.de> <006b01bf7dfe$ad6e5ec0$2300c839@accorhotels.com> <38B3E466.99412A51@rapidsolution.de> Message-ID: <38B3F37D.3AAF2412@netuse.de> > I'm wondering if TNG is included in the samba-package ??? Which package do you mean? Samba TNG is splitt from the Main samba cvs version. You can get i via cvs. You can find information about samba-tng at http://www.kneschke.de/projekte/samba-tng. Cu -- Lars Kneschke NetUSE Kommunikationstechnologie GmbH Siemenswall, D-24107 Kiel, Germany Fon: +49 431 386435 00 -- Fax: +49 431 386435 99 From inge at cc.uit.no Wed Feb 23 16:09:33 2000 
From: inge at cc.uit.no (=?iso-8859-1?Q?Inge=2DH=E5vard?= Hunstad) Date: Tue Dec 2 02:28:46 2003 Subject: Can't login TNG.0.5 References: <38B3CD85.AA031D9C@shom.fr> Message-ID: <38B4063D.E4B25F1B@cc.uit.no> Jean-Marc Le Pape wrote: > > Hello, > > I'm using Samba tng 0.5 on Linux RH6.1 (pasglop) > I use a NT 4 SP 4 Workstation (moliere). > I succesfully compile and install Samba. > > I do a > samedit -S . -U root%monpassword > then > [root@.]$ use \\\\moliere -U Administrateur > use \\\\moliere -U Administrateur > Enter Password: > Server: \\MOLIERE: User: Administrateur Domain: > Connection: OK > [root@.]$ createuser moliere$ -j > createuser moliere$ -j > SAM Create Domain User > Domain: PDCTEST Name: moliere$ ACB: [W ] > Create Domain User: OK > Join MOLIERE to Domain PDCTEST > Set $MACHINE.ACC: OK > > and > createuser toto -p toto > SAM Create Domain User > Domain: PDCTEST Name: toto ACB: [U ] > Create Domain User: OK > > I can't join the fist time the PDC from the NTWorkstation but i can join > the twice. > > And now i can't loggin on the PDCTEST from the NT W with the account > toto and password toto. > > Do I something wrong or I am definitively STUPID. If so I think I'm stupid too. But so finally it's not just me that has these strange problems logging in after joining the domain. I thought it was a problem with ldap but it seems that this also happens in a standard setup too. After the fix Doug Nazar presented I don't get "ERROR: setgroups call failed!" anymore, thanks for helping Dough! I also have RH linux 6.1 and it is running on a Intel Pentium II 450 MHz based computer (Since you asked Luke.) And the problem description is identical to JM's so my question is; is this a intel problem? If so what can be done to fix this? I'm more than willing to provide logs if requested. inge From lkcl at samba.org Wed Feb 23 16:24:37 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: Long User names again In-Reply-To: Message-ID: ah! that is a limitation of NT - 12 chars is the maximum share length. you can change the location of profiles to \\server\homedirs\%L\profile and the problem will go away. or upgrade to nt5, and the problem will go away. On Wed, 23 Feb 2000, Ondrej Hanak wrote: > > I found same problem on our SAMBA NTDOM as described by David Bannon. > Users with too long (e.g. 13 chars) usernames (cause big change from NT > server to SAMBA, all users we accomodated on Linux) > did't have H: drive mapped as others. I can see that user's home of his/her > name in share list, but after effort to connect to this share error > message appeared: "Can't find share name..." > I solved this problem by mapping homes in user's login script (net use h: > \\server\homes). > Can anybody explain what's wrong? > > Cus O.H. > > On Wed, 23 Feb 2000, Cole, Timothy D. wrote: > > > Hmm. afaiK, there are a number that do allow that. but certainly not a > > majority. > > > > > -----Original Message----- 
> > > From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org] > > > Sent: Tuesday, February 22, 2000 1:22 > > > To: Multiple recipients of list SAMBA-NTDOM > > > Subject: Re: Long User names > > > > > > more than likely. find a unix os that does >8 chars on unix names. > > > > > > On Tue, 22 Feb 2000, David Bannon wrote: > > > > > > > Hi Folks, > > > > > > > > Who knows about length of user name limits ? I have been using an old > > > > (Oct99) NTDom stream version in a production situation (NT4sp4) and have > > > > just found that our IT department is making student logon names as long > > > as > > > > 15 characters. > > > > > > > > The NTDom side of things is fine, the user is logged on without problems > > > > but no home directory. The user can browse to homes but not the (homes) > > > > directory in their name. > > > > > > > > Will I see similar problems in Head/TNG or TNG alone ? (if so, maybe I > > > just > > > > hack at the old code I have here ...). > > > > > > > > David > > > > ------------------------------------------------------------ > > > > David Bannon D.Bannon@latrobe.edu.au > > > > School of Biochemistry Phone 61 03 9479 2197 > > > > La Trobe University, Plenty Rd, Fax 61 03 9479 2467 > > > > Bundoora, Vic, Australia, 3083 http://bioserve.latrobe.edu.au > > > > ------------------------------------------------------------ > > > > .... Humpty Dumpty was pushed ! > > > > > > > > > > Luke Kenneth Casson Leighton > > > Samba and Network Development > > > Samba Web site > > > Internet Security Systems, Inc. > > > Macmillan Technical Publishing > > > > > > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals > > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From mbreuer at siac.com Wed Feb 23 16:52:53 2000 
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:46 2003
Subject: TNG: Success w2k joining tng domain!
Message-ID: <38B41065.7CCD6385@siac.com>

Some info:

1) When validating password joining the domain, usernamemap is not consulted. (I have different nt/novell and unix usernames which map to the same account).
2) The unix and smbpasswd entries must reflect the same password (don't know why).
3) Compiling with PASSWORD_DEBUG is really useful in tracking down these things.

Hopefully, I have enough disk space left for my profile ;)

Now... to reboot and see if I can log in!

From lkcl at samba.org Wed Feb 23 17:45:30 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: Can't login TNG.0.5 In-Reply-To: <38B3CD85.AA031D9C@shom.fr> Message-ID: hi jean0marc, *embarrased* - i store the wrong $MACHINE.ACC ok, so you'll have to use tng.0.6 when i make it, or use latest cvs, ok? On Wed, 23 Feb 2000, Jean-Marc Le Pape wrote: > Hello, > > I'm using Samba tng 0.5 on Linux RH6.1 (pasglop) > I use a NT 4 SP 4 Workstation (moliere). > I succesfully compile and install Samba. > > I do a > samedit -S . -U root%monpassword > then > [root@.]$ use \\\\moliere -U Administrateur > use \\\\moliere -U Administrateur > Enter Password: > Server: \\MOLIERE: User: Administrateur Domain: > Connection: OK > [root@.]$ createuser moliere$ -j > createuser moliere$ -j > SAM Create Domain User > Domain: PDCTEST Name: moliere$ ACB: [W ] > Create Domain User: OK > Join MOLIERE to Domain PDCTEST > Set $MACHINE.ACC: OK > > and > createuser toto -p toto > SAM Create Domain User > Domain: PDCTEST Name: toto ACB: [U ] > Create Domain User: OK > > I can't join the fist time the PDC from the NTWorkstation but i can join > the twice. > > And now i can't loggin on the PDCTEST from the NT W with the account > toto and password toto. > > Do I something wrong or I am definitively STUPID. > > PS : I make it work with samba 0.0 and smbpasswd's commands. 
> > => smb.conf > [global] > netbios name = PASGLOP > workgroup = PDCTEST > log level = 100 > log file = /opt/samba_tng/var/log.%m > domain group map = /opt/samba_tng/private/domaingroup.map > domain user map = /opt/samba_tng/private/domainuser.map > domain alias map = /opt/samba_tng/private/domainalias.map > > security = user > domain logons = yes > encrypt passwords = yes > > os level = 65 > domain master = yes > preferred master = yes > local master = yes > > logon script = %U.bat > logon drive = H: > logon home = \\PASGLOP\%U > logon path = \\PASGLOP\profile\%U > > [homes] > browseable = no > writable = yes > > Thanks > > JM > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Wed Feb 23 17:48:17 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails In-Reply-To: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> Message-ID: On Thu, 24 Feb 2000, George Cameron wrote: > > Hello Luke! > > > > I can join the domain, using the join dialog from > > networksettings(under windows nt). I have not created a > > workstation trustaccount with rpcclient before. I created a > > password entry for root in smbpasswd and created a unix user for > > the workstation. After that i was able to join the domain. But > > after reboot i was not able to login. The error message was: > > computer account does not exist or the password is > > wrong.(translated from german) > > I can't find something wrong in the log.files. > > Lars, > > Yes, I now get this too. I *think* there may be a bug in samedit where > it incorrectly uses pdc's username+password for the local machine, but > it works if they happen to be the same (and as long as you remember argh, i hate messing with that code (cli_use.c etc). i'll take a look. a different password, you say? From lkcl at samba.org Wed Feb 23 17:53:44 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails In-Reply-To: <14515.59446.810239.527434@ida.dis.uu.se> Message-ID: that explains why ... *muur*! can u try 2 fix it and send me a diff -u patch? thx On Thu, 24 Feb 2000, Pierre Hjalm wrote: > George Cameron writes: > > > Hello Luke! > > > > > > I can join the domain, using the join dialog from > > > networksettings(under windows nt). I have not created a > > > workstation trustaccount with rpcclient before. I created a > > > password entry for root in smbpasswd and created a unix user for > > > the workstation. After that i was able to join the domain. But > > > after reboot i was not able to login. The error message was: > > > computer account does not exist or the password is > > > wrong.(translated from german) > > > I can't find something wrong in the log.files. > > > > Lars, > > > > Yes, I now get this too. I *think* there may be a bug in samedit where > > it incorrectly uses pdc's username+password for the local machine, but > > it works if they happen to be the same (and as long as you remember > > to update your domainuser.map, which I hadn't!). But now that I've > > got this to work (i.e. samedit succeeds), it still isn't accepting > > a login to the domain. > > > > > > > > If i use rpcclient as root, under solaris, i get a buserror and > > > the size of rpcclient is zero. After that i can't use rpcclient > > > anymore. Need to investigate this more. > > > > Yes I've found this too, also on Solaris 7/sparc . There seems to be > > a problem in the code page code. If you comment out the call in > > lib/cmd_interp.c : > > > > #if 0 > > codepage_initialise(lp_client_code_page()); > > #endif > > > > (line 1475 in my version, recently updated), the command line > > programs should work again, and stop overwriting the binaries > > with zero-length files :-o > > > Actually, it's a problem with the debugging/logging code. 
Someone (no > names) decided it would be a good idea to take the name for the log file > from argv[0]. That works if you happen to have rpcclient in your PATH but if > you have to start it by giving the whole path to it, it will overwrite > the binary. Another problem with this is that if you do have rpcclient > in your PATH but happen to stand in a directory with a directory named > rpcclient (like for example samba/source) rpcclient SIGSEGVs. This ought > to be fixed. Quite annoying. > > -- > Pierre Hj?lm, Systems Administrator > Department of Information Science, Uppsala University, Sweden > email:pierre.hjalm@dis.uu.se phone:+46-(0)18-4711044 fax:+46-(0)18-554422 > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From lkcl at samba.org Wed Feb 23 17:55:20 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: TNG: Samr can't open smbpasswd... In-Reply-To: <38B3EE78.E5E5FA29@siac.com> Message-ID: On Thu, 24 Feb 2000, Michael Breuer wrote: > I haven't check code yet, but when I attempt to manipulate smbpasswd > using samedit, samr can't open the smbpasswd file (permission). > smbpasswd is owned by root and chmod 600. Note that I can login and > mount shares from w2k, I just can't join the domain or access > smbpasswd from samedit. samedit goes to \PIPE\samr, which goes to samrd. you therefore need to use a root login to make samrd do a setuid to root, which will allow access to smbpasswd. From Elrond at Wunder-Nett.org Wed Feb 23 17:55:20 2000 
From: Elrond at Wunder-Nett.org (Elrond) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails In-Reply-To: <38B3CCBE.A95B072@netuse.de>; from Lars Kneschke on Wed, Feb 23, 2000 at 11:06:03PM +1100 References: <38B3CCBE.A95B072@netuse.de> Message-ID: <20000223185519.A13984@baerbel.mug.maschinenbau.tu-darmstadt.de> On Wed, Feb 23, 2000 at 11:06:03PM +1100, Lars Kneschke wrote: > Hello Luke! > > I can join the domain, using the join dialog from > networksettings(under windows nt). I have not created a > workstation trustaccount with rpcclient before. I created a > password entry for root in smbpasswd and created a unix user for > the workstation. After that i was able to join the domain. But > after reboot i was not able to login. The error message was: > computer account does not exist or the password is > wrong.(translated from german) Precisely what I got, when I tried to join a laptop, that was connected via RAS to my Linux box. The only differences are: - I did a createuser ntws$ in rpcclient - I used nt4sp4 When I tried to let nt create the machine account, I got a drwatson... > I can't find something wrong in the log.files. I didn't check the logs that carefully.... (yet...) [...] Elrond From lkcl at samba.org Wed Feb 23 17:56:07 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails In-Reply-To: <38B3F2E7.8689CD4C@netuse.de> Message-ID: > > in your PATH but happen to stand in a directory with a directory named > > rpcclient (like for example samba/source) rpcclient SIGSEGVs. This ought > > to be fixed. Quite annoying. > AAHHHH! Now i know why the commands in Luke's examples always > have the "-l log" parameter. :-) i run at log level 100, have oyu ever seen what happens with this stuff ons-screen at level 100??? From GLeblanc at cu-portland.edu Wed Feb 23 20:58:25 2000 
From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Tue Dec 2 02:28:46 2003 Subject: multiple logs Message-ID: Speaking of seeing things fly by on the screen, will multiple -l options work together (TNG from CVS, whenever)? I.E. if I want to log to tty8 and $logdir/log.smb, can I get output both places? Greg From lars at kneschke.de Wed Feb 23 20:55:00 2000 From: lars at kneschke.de (Lars Kneschke) Date: Tue Dec 2 02:28:46 2003 Subject: joining a domain works, but login fails References: <38B3CCBE.A95B072@netuse.de> <20000223185519.A13984@baerbel.mug.maschinenbau.tu-darmstadt.de> Message-ID: <38B44924.60ED1F1E@kneschke.de> Elrond wrote: > > On Wed, Feb 23, 2000 at 11:06:03PM +1100, Lars Kneschke wrote: > > Hello Luke! > > > > I can join the domain, using the join dialog from > > networksettings(under windows nt). I have not created a > > workstation trustaccount with rpcclient before. I created a > > password entry for root in smbpasswd and created a unix user for > > the workstation. After that i was able to join the domain. But > > after reboot i was not able to login. The error message was: > > computer account does not exist or the password is > > wrong.(translated from german) > > Precisely what I got, when I tried to join a laptop, that > was connected via RAS to my Linux box. > > The only differences are: > - I did a createuser ntws$ in rpcclient > - I used nt4sp4 > > When I tried to let nt create the machine account, I got a > drwatson... I got him too. But if you delete the ntws$ line from smbpasswd it should succed. Cu -- Watch our projects at http://www.kneschke.de/projekte! ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer From mgeddes at xavier.sa.edu.au Wed Feb 23 22:17:50 2000 
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:46 2003
Subject: joining a domain works, but login fails
References:
Message-ID: <38B45C8E.6B505B6A@xavier.sa.edu.au>

Luke Kenneth Casson Leighton wrote:
>
> > > in your PATH but happen to stand in a directory with a directory named
> > > rpcclient (like for example samba/source) rpcclient SIGSEGVs. This ought
> > > to be fixed. Quite annoying.
>
> > AAHHHH! Now i know why the commands in Luke's examples always
> > have the "-l log" parameter. :-)
>
> i run at log level 100, have you ever seen what happens with this stuff
> on-screen at level 100???

It "builds character", Luke. So stop your complaining ;-).

I had a real look at the logs and crap from that login problem I had, but
can't find much. Any ideas what to do next? I'm not much of a programmer,
but I can try and find the problem if you give us a couple of hints. If
not, I might try to document some of the new tools.....

Thanks,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From mgeddes at xavier.sa.edu.au Wed Feb 23 22:47:56 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:46 2003
Subject: Netload using wins support
References: <200002231332.NAA12508@hebe.biomed.abdn.ac.uk> <38B3F196.829B8C15@emp.paed.uni-muenchen.de>
Message-ID: <38B4639C.1F93F247@xavier.sa.edu.au>

Bernhard Ertl wrote:
>
> Does anyone know about the implementation of the wins support? How much
> netload does it cause (for about 50 Computers in the domain) and does
> samba start search queries for clients from other domains/ workgroups?
>
> Thx Be

I don't know specific numbers, but it doesn't appear to be the most chatty
protocol on our network. I have a technical article from technet on WINS
if you want it. It may have the info you are after.

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From SC4211 at email.mot.com Thu Feb 24 01:15:19 2000
From: SC4211 at email.mot.com (Ryan Wyler)
Date: Tue Dec 2 02:28:46 2003
Subject: Inaccessable folders and desktop.ini issues
Message-ID: <38B48627.B0255CD9@email.mot.com>

I have some shares that point to automount points. When NT boxes pull up
these automount points, there are some directories that the samba server
does not have access to or that are down at the time. In this scenario
when the NT client opens the share on the samba server with these
automount folders, it tries to go into EACH AND EVERY folder and look for
a desktop.ini file. If a folder is not accessible it tries to get the file
3 or 4 times before giving up and moving onto the next folder. It takes
like 5 minutes to pull up these folders because of this.

Is there a fix for this??? Or is this something I'm just going to have to
deal with ??

--
Ryan Wyler
SC4211@email.mot.com Voice: (480) 732-4318
Motorola ITSS Pager: ryan.page@monitor.sat.mot.com
U N I X

[ Unix is very Friendly ...
... just pickier about who it makes friends with. ]

From mgeddes at xavier.sa.edu.au Thu Feb 24 02:02:57 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:46 2003
Subject: I love you Luke!!!
Message-ID: <38B49151.B5D9B6EE@xavier.sa.edu.au>

I can now join a Samba domain (got to create the account with rpcclient
first though), from an NT workstation. I didn't need to create a trust
account for myself and the 'rpcclient -S servername' still worked. I'm
going to try TNG -> TNG trusts next. If this works, we'll not have NT
server here by the end of the week(except for the token NT server
running an NT specific database).

Love your work.

Thanks heaps and stuff,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Thu Feb 24 03:23:25 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:46 2003
Subject: joining a domain works, but login fails
In-Reply-To: <38B45C8E.6B505B6A@xavier.sa.edu.au>
Message-ID:

> try and find the problem if you give us a couple of hints. If not, I
> might try to document some of the new tools.....
>

yes please. i started with rpcclient manpage, of course there isn't one
specifically for all the other commands.

From lkcl at samba.org Thu Feb 24 04:08:07 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:46 2003
Subject: samba-tng-alpha-0.6.tar.gz
Message-ID:

ftp://samba.org/pub/samba/alpha.

please use a mirror site, for preference. thx.

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From kabethel at hotmail.com Thu Feb 24 05:55:38 2000
From: kabethel at hotmail.com (Keith Bethel)
Date: Tue Dec 2 02:28:46 2003
Subject: ??
Message-ID: <20000224055538.9611.qmail@hotmail.com>

I am NT admin looking to use Linux more on the network. Is there an easy
and reliable way to link NT domain groups and linux group permissions. I
have been researching the samba sites, but have yet to come up with
anything definite. Are there any other resources for more specific
information regarding NT groups/Samba groups?

Thank you,
Keith Bethel

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

From muchos at ip6seguridad.com Thu Feb 24 12:42:02 2000
From: muchos at ip6seguridad.com (muchos)
Date: Tue Dec 2 02:28:46 2003
Subject: Samba + LDAP
Message-ID: <20000224124202.A1094@ip6seguridad.com>

Hi, i'm new in the mailing list and i don't know if this question is asked
or resolved, or another thing.

I'm trying to put samba 2.1 as a PDC working with LDAP. I know that the
support for LDAP is not completed, but i think that if samba can use PAM
for user authen. and PAM can use LDAP. . .

Well, after working about this idea, i arrive to the conclusion that:

1º Unix Password != NT Password

2º If you want a samba working as a PDC you must add an /etc/passwd
   account for each machine, it means that if you use pam+ldap, the ldap
   must have an account for each machine$ and for each user.

3º Samba needs (this is a must) the /etc/smbpasswd file, it means that
   passwd db is in that file and can't use the standard ldap pass db. I
   read the ldap support (not working yet) and it says that it needs 2
   fields in the user definition storing the NT passwords.

My idea is:

To do a /etc/passwd to samba converter dynamically (may be impossible?), i
mean, a /usr/bin/passwd that changes your normal unix pass, and your
ntpass at the same time, and using pam+ldap, when you change your unix
pass, you change the ldap pass and the nt pass stored all in the ldap,
well another idea is doing a script that when you add a ldap user,
upgrades the smbpass file, someone do it? i need ;))!

Well, may be this mail is a bit complicated (my english may be is a bit
bad X'D), and i don't know if this problem is answered or not

greetings to samba users ;)

--
=========================================================================
Gabriel Díaz López de la Llave
Ip6 Seguridad S.L             gabidiaz@ip6seguridad.com
c: Zurbaran 28                tlf : 91 700 01 84 ext 165
28010 Madrid                  fax : 91 700 01 73
http://www.ip6seguridad.com
=========================================================================

From mbreuer at siac.com Thu Feb 24 14:19:24 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:46 2003
Subject: tng: 0.6 compile error
Message-ID: <38B53DEB.F28441FD@siac.com>

lsarpcd.c: 109 - length of "16" passed as third param where a pointer is
required. Perhaps, gcc fixes this automatically, but Mips Pro cc does not.

From ed at schernau.com Thu Feb 24 15:20:01 2000
From: ed at schernau.com (Edward Schernau)
Date: Tue Dec 2 02:28:46 2003
Subject: browser issue not solves from samba@samba.org
Message-ID: <38B54C21.3D502F22@schernau.com>

apologies for posting here, but I've got a cross-domain browsing
problem that the regular samba list can't, so I'm hoping you
guys can help.

I've got 2 domains, DOM1 and DOM2.

DOM1 has a 3.51PDC with a samba box running WINS. All clients
point at it. The PDC is the DMB. DOM1 has 2 subnets, linked
by the linux/samba box. All is cool in DOM1.

DOM2 PCs and their PDC register with the samba (WINS) server,
but don't show up in network neighborhood. "Find Computer" works.

How do I get this combination of Samba 2.0.6 and NT to show both
domains in NN ?

Thanks,
--
Edward Schernau http://www.schernau.com
Network Architect mailto:ed@schernau.com
Rational Computing Providence, RI, USA

From lkcl at samba.org Thu Feb 24 15:09:27 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:46 2003
Subject: I love you Luke!!!
In-Reply-To: <38B49151.B5D9B6EE@xavier.sa.edu.au>
Message-ID:

On Thu, 24 Feb 2000, Matthew Geddes wrote:

> I can now join a Samba domain (got to create the account with rpcclient
> first though), from an NT workstation. I didn't need to create a trust
> account for myself and the 'rpcclient -S servername' still worked. I'm

very cool.

> going to try TNG -> TNG trusts next. If this works, we'll not have NT
> server here by the end of the week(except for the token NT server
> running an NT specific database).

i still have some work to do on trusts. it's possible to set up, just smb
auth might go a bit funny working out what username, unixwise.

From muchos at ip6seguridad.com Thu Feb 24 16:21:47 2000
From: muchos at ip6seguridad.com (muchos)
Date: Tue Dec 2 02:28:46 2003
Subject: Samba, hum what's strange world
Message-ID: <20000224162147.A2089@ip6seguridad.com>

I'm trying today Samba-tng-0.6

Is it necessary to register machines after running it or NT's registers
themselves?

--
=========================================================================
Gabriel Díaz López de la Llave
Ip6 Seguridad S.L             gabidiaz@ip6seguridad.com
c: Zurbaran 28                tlf : 91 700 01 84 ext 165
28010 Madrid                  fax : 91 700 01 73
http://www.ip6seguridad.com
=========================================================================

From anders at aae.wisc.edu Thu Feb 24 16:43:53 2000
From: anders at aae.wisc.edu (Anders C. Thorsen)
Date: Tue Dec 2 02:28:46 2003
Subject: Samba and NT 4.0
In-Reply-To: <38B2F64D.7DEA621F@email.mot.com> from Ryan Wyler at "Feb 23, 2000 01:02:17 pm"
Message-ID: <200002241643.KAA32156@pug.aae.wisc.edu>

The infamous Microsoft Internet Exploder Active Desktop Add-on stuff
try WITHOUT installing this when you Install IE 4.x / 5.x
[don't believe it can be properly disintegrated from your computer...
It's probably implemented in your kernel as the rest of IE :) ]

--Anders

--

> We are having an issue where I have a samba share pointing to an
> Automount point. When people go into that share, it takes FOREVER to
> pull up the directory. I went into the logs and I would 'tail -f' the
> log file and see what PID was pulling the directory, then I would TRUSS
> the PID. It would say things like "directory_x/desktop.ini not found".
>
> So the NT 4.0 machine was trying to go into EVERY directory and look for
> a file called "desktop.ini". Some of the directories actually are on
> servers that the user does not have permissions to and also the samba
> server does not have access to. It would take about 20 seconds PER
> directory that it could not get into to timeout on the desktop.ini file.
>
> Anyone know a way around this?? What is NT looking for these dang
> desktop.ini files? Thanks.
>
>
>
> --
>
> Ryan Wyler
> SC4211@email.mot.com Voice: (480) 732-4318
> Motorola ITSS Pager: ryan.page@monitor.sat.mot.com
> U N I X
>
> [ Unix is very Friendly ...
> ... just pickier about who it makes friends with. ]
>

From ctooley at joslyn.org Thu Feb 24 17:33:21 2000
From: ctooley at joslyn.org (Chris Tooley)
Date: Tue Dec 2 02:28:47 2003
Subject: Printing with 2.0.6
In-Reply-To: <20000224055538.9611.qmail@hotmail.com>
Message-ID: <001601bf7eed$3fa52640$1900a8c0@joslyn.org>

I have a Samba 2.0.6 (from the RPM for RedHat 6.1) setup as a login
server. This machine shares out several printers (2 HP LaserJet 4V's and
a Lexmark Optra K 1220) that are used throughout the building. Lately
when I added the second HP LaserJet I am having a lot of trouble. The 2nd
LJ doesn't work at all, as it shows up continually in offline mode, and
the original LJ shows up as paused. Some machines can print to it (all the
clients are 95 or 98 and range from 95 original version to 98 SE) and some
can't print in paused mode. Now the Lexmark is showing up as paused and
no one can print to it. I can print using the lpr command to all the
printers and can ftp files to them and watch the printer spit them out.
The connection works and the printer works, so I think it may be Samba.
Any ideas?

Enclosed is a copy of my smb.conf, printcap, and
"ls -al -R /usr/spool/lpd". If any more information is needed please let
me know.

Chris Tooley
Software Specialist
Joslyn Art Museum
2200 Dodge St
Omaha, NE 68102
(402)342-3300 ext 247
(402)342-0091 fax

-----Original Message-----
From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of Keith Bethel
Sent: Thursday, February 24, 2000 5:01 AM
To: Multiple recipients of list SAMBA-NTDOM
Subject: ??

I am NT admin looking to use Linux more on the network. Is there an easy
and reliable way to link NT domain groups and linux group permissions. I
have been researching the samba sites, but have yet to come up with
anything definite. Are there any other resources for more specific
information regarding NT groups/Samba groups?

Thank you,
Keith Bethel

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: printcap
Type: application/octet-stream
Size: 914 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000224/44e357d7/printcap.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lsoflpd.dir
Type: application/x-director
Size: 1834 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000224/44e357d7/lsoflpd.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 2245 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000224/44e357d7/smb.obj

From SC4211 at email.mot.com Thu Feb 24 17:50:09 2000
From: SC4211 at email.mot.com (Ryan Wyler)
Date: Tue Dec 2 02:28:47 2003
Subject: Samba and NT 4.0
References: <200002241643.KAA32156@pug.aae.wisc.edu>
Message-ID: <38B56F51.54704DAD@email.mot.com>

I was afraid of that.. :(

Maybe I should just go into the samba source code and skip any request for
a file called */desktop.ini ... =)

Just a thought.. humm....

Anders C. Thorsen wrote:
>
> The infamous Microsoft Internet Exploder Active Desktop Add-on stuff
> try WITHOUT installing this when you Install IE 4.x / 5.x
> [don't believe it can be properly disintegrated from your computer...
> It's probably implemented in your kernel as the rest of IE :) ]
>
> --Anders
>
> --
>
> > We are having an issue where I have a samba share pointing to an
> > Automount point. When people go into that share, it takes FOREVER to
> > pull up the directory. I went into the logs and I would 'tail -f' the
> > log file and see what PID was pulling the directory, then I would TRUSS
> > the PID. It would say things like "directory_x/desktop.ini not found".
> >
> > So the NT 4.0 machine was trying to go into EVERY directory and look for
> > a file called "desktop.ini". Some of the directories actually are on
> > servers that the user does not have permissions to and also the samba
> > server does not have access to. It would take about 20 seconds PER
> > directory that it could not get into to timeout on the desktop.ini file.
> >
> > Anyone know a way around this?? What is NT looking for these dang
> > desktop.ini files? Thanks.
> >
> >
> >
> > --
> >
> > Ryan Wyler
> > SC4211@email.mot.com Voice: (480) 732-4318
> > Motorola ITSS Pager: ryan.page@monitor.sat.mot.com
> > U N I X
> >
> > [ Unix is very Friendly ...
> > ... just pickier about who it makes friends with. ]
> >

--
Ryan Wyler
SC4211@email.mot.com Voice: (480) 732-4318
Motorola ITSS Pager: ryan.page@monitor.sat.mot.com
U N I X

[ Unix is very Friendly ...
... just pickier about who it makes friends with. ]

From mbreuer at siac.com Thu Feb 24 18:00:38 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:47 2003
Subject: tng 0.6 - can't join or manage domain - network password never correct...
Message-ID: <38B571C6.B202B92C@siac.com>

I have a lot of logs (level 100)... but the gist of the problem is that
when attempting to connect for anything other than using shares, the
password for the user on the domain never matches. This includes
userid/password combinations which worked on 0.5, as well as two brand new
ID's created just for 0.6 and added to "Domain Admins." The logs don't
seem to show anything remarkable... no different than if I actually
entered an incorrect password. I also removed the WS entry from smbpasswd
and recreated the entry to see if that would change anything... it didn't.

If anyone wants to look at any pieces of the logs, I'll cut and paste
whatever is appropriate.

From chatiz at yahoo.com Thu Feb 24 19:09:18 2000
From: chatiz at yahoo.com (gouri chati)
Date: Tue Dec 2 02:28:47 2003
Subject: swat installation
Message-ID: <20000224190918.29815.qmail@web1604.mail.yahoo.com>

I'm trying to install swat. Used a redhat rpm to install on RH6.0

It automatically gets included in /etc/services and /etc/inetd.conf .

when I open http://localhost:901, I get a
401 Authorization Required error

What else needs to be done?

Thanks in advance,
Gouri

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

From holm at informatik.umu.se Thu Feb 24 19:39:47 2000
From: holm at informatik.umu.se (Åke Holmlund)
Date: Tue Dec 2 02:28:47 2003
Subject: LOTS of lsarpcd crasches
Message-ID: <200002241939.UAA16602@jupiter.informatik.umu.se>

Hi.

I'm trying to run TNG (cvs:ed a few hours ago) with ldap and have been
running into problems. I'm running on a Sun sparc, Solaris 7 server
and NT4 sp5 client.

I can set up Samba so i can join a domain and log in BUT i get quite a
few errors like:

===============================================================
INTERNAL ERROR: Signal 11 in pid 29513 (TNG-prealpha)
Please read the file BUGS.txt in the distribution
===============================================================

in the lsarpcd log file. Right now i'm in a situation where i have removed
all workstation accounts. Trying to join the domain (which of course is
impossible since there are no ws accounts) gives me 8 coredumps from
lsarpcd!

The netlogond also had a tendency to crash when i had the domain running
but much more infrequently.

Anyone having the same problems or an idea about what's going on?

-----------------------------------------------------------------------------
Åke Holmlund           Tel: +46 - 90 786 57 16
Umeå University        Fax: +46 - 90 786 65 50
Dept of informatics    Email: holm@informatik.umu.se
SE-901 87 Umeå
Sweden

From mgeddes at xavier.sa.edu.au Thu Feb 24 21:44:37 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:47 2003
Subject: joining a domain works, but login fails
References:
Message-ID: <38B5A645.D556C2A5@xavier.sa.edu.au>

Luke Kenneth Casson Leighton wrote:
>
> > try and find the problem if you give us a couple of hints. If not, I
> > might try to document some of the new tools.....
> >
>
> yes please. i started with rpcclient manpage, of course there isn't one
> specifically for all the other commands.

The regedit man page is half done. I have a busy weekend ahead of me,
but if you can possibly send a brief description of each command (or at
least just the important ones) in regedit and samedit, I will endeavour
to get both man pages done by Monday. If you can't, that's OK, I'll try
to get it as accurate as I can. I will send the finished pages to you to
make sure of accuracy and things and from there, you can do as you
please.

Thanks,
Matt

P.S. Can I log in if I use alpha-0.6? ;-)

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From mgeddes at xavier.sa.edu.au Thu Feb 24 22:36:08 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:47 2003
Subject: Broken or quiet?
Message-ID: <38B5B258.3CFE1858@xavier.sa.edu.au>

Hi guys, I am receiving mail very slowly and getting very few messages
from this list. Is the list just quiet, or am I broken?

Thanks,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From thien at ac.housing.berkeley.edu Thu Feb 24 22:31:58 2000
From: thien at ac.housing.berkeley.edu (Thien Vu)
Date: Tue Dec 2 02:28:47 2003
Subject: pam_smb or pam_ntdom questions
Message-ID:

I am running Redhat 6.0 on my workstations which triple boot into WinNT,
Win98, and Linux. Since both the Microsoft platforms log into my Samba
Domain, I would also like to use pam_smb or pam_ntdom to have the RH
machines log into the Samba server. I was wondering if there are any
problems with this because for any physical machine, it has the same name
under each platform. Will this cause any problems with the smbpasswd
file?

Secondly, I've tried to have a test machine running Samba with domain
logons point to itself, using pam_smb and that doesn't seem to work at
all. I get to the logon prompt, but after entering in the username, the
logon screen resets and doesn't allow for a password to be entered. I
have configured the /etc/pam.d/login according to the docs. According to
the docs, you have to modify the /etc/hosts and add the name of the Domain
Controllers to the hosts, but the DNS and the WINS name of the server are
different, but I've put both the DNS and WINS name into the /etc/hosts.

Thien

From lkcl at samba.org Fri Feb 25 04:09:05 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: tng: 0.6 compile error
In-Reply-To: <38B53DEB.F28441FD@siac.com>
Message-ID:

thx i missed that - explains a lot, i got some weird crashes reported,
from lsarpcd.

On Fri, 25 Feb 2000, Michael Breuer wrote:

> lsarpcd.c: 109 - length of "16" passed as third param where a pointer is required. Perhaps, gcc fixes this automatically, but Mips
> Pro cc does not.
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Fri Feb 25 04:10:10 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: Samba, hum what's strange world
In-Reply-To: <20000224162147.A2089@ip6seguridad.com>
Message-ID:

they _should_ register themselves successfully if you type the admin
user/pass in the ncp dialog.

however there have been reports that this doesn't work.

On Fri, 25 Feb 2000, muchos wrote:

> I'm trying today Samba-tng-0.6
>
> Is it necessary to register machines after running it or NT's registers
> themselves?
> --
> =========================================================================
> Gabriel Díaz López de la Llave
> Ip6 Seguridad S.L             gabidiaz@ip6seguridad.com
> c: Zurbaran 28                tlf : 91 700 01 84 ext 165
> 28010 Madrid                  fax : 91 700 01 73
> http://www.ip6seguridad.com
> =========================================================================
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Fri Feb 25 04:12:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: tng 0.6 - can't join or manage domain - network password never correct...
In-Reply-To: <38B571C6.B202B92C@siac.com>
Message-ID:

i found some errors where i was returning False instead of
NT_STATUS_ACCESS_DENIED. oops.

On Fri, 25 Feb 2000, Michael Breuer wrote:

> I have a lot of logs (level 100)... but the gist of the problem is that when attempting to connect for anything other than using
> shares, the password for the user on the domain never matches. This includes userid/password combinations which worked on 0.5, as
> well as two brand new ID's created just for 0.6 and added to "Domain Admins." The logs don't seem to show anything remarkable... no
> different than if I actually entered an incorrect password. I also removed the WS entry from smbpasswd and recreated the entry to
> see if that would change anything... it didn't.
>
> If anyone wants to look at any pieces of the logs, I'll cut and paste whatever is appropriate.
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Fri Feb 25 04:44:27 2000
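[Added example, not part of the thread and not Samba-TNG code: the message above mentions returning False where NT_STATUS_ACCESS_DENIED was meant. The sketch below shows why that mix-up is hazardous in C, since False and a success status are both 0, and how a struct-wrapped status type makes the compiler reject it. The function names, the account name and the password are constructed for illustration; which way the project's callers read the value is not stated in the thread.]

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define False 0
#define True  1
#define NT_STATUS_OK            0x00000000u  /* NT success status is zero */
#define NT_STATUS_ACCESS_DENIED 0xC0000022u

/* Constructed credential check; account and password are sample values. */
static int password_matches(const char *user, const char *pass)
{
    return strcmp(user, "ws1$") == 0 && strcmp(pass, "sample-secret") == 0;
}

/* Mixed conventions: the signature promises a status code, but the failure
 * path returns a boolean. False and NT_STATUS_OK are the same value. */
static uint32_t logon_mixed(const char *user, const char *pass)
{
    if (!password_matches(user, pass))
        return False;
    return NT_STATUS_OK;
}

/* Consistent convention: every path returns a status code. */
static uint32_t logon_status(const char *user, const char *pass)
{
    if (!password_matches(user, pass))
        return NT_STATUS_ACCESS_DENIED;
    return NT_STATUS_OK;
}

/* The two caller styles that coexist in code that mixes conventions. */
static int granted_status_style(uint32_t ret) { return ret == NT_STATUS_OK; }
static int granted_bool_style(uint32_t ret)   { return ret != False; }

/* Hardened form: wrap the status in a struct so that an int (True/False)
 * cannot be returned or compared by accident. */
typedef struct { uint32_t v; } ntstatus_t;

static ntstatus_t logon_typed(const char *user, const char *pass)
{
    ntstatus_t st = { NT_STATUS_ACCESS_DENIED };  /* deny by default */
    if (password_matches(user, pass))
        st.v = NT_STATUS_OK;
    return st;  /* writing "return False;" here does not compile */
}

static int granted_typed(ntstatus_t st) { return st.v == NT_STATUS_OK; }

int main(void)
{
    const char *good = "sample-secret", *bad = "wrong";

    /* Status-style caller + boolean failure value: wrong password accepted. */
    printf("mixed, status caller, bad pw : %d\n",
           granted_status_style(logon_mixed("ws1$", bad)));
    /* Boolean-style caller + status success value: right password refused. */
    printf("mixed, bool caller, good pw  : %d\n",
           granted_bool_style(logon_mixed("ws1$", good)));
    printf("status, bad pw               : %d\n",
           granted_status_style(logon_status("ws1$", bad)));
    printf("typed, good pw / bad pw      : %d / %d\n",
           granted_typed(logon_typed("ws1$", good)),
           granted_typed(logon_typed("ws1$", bad)));
    return 0;
}
```
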
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: LOTS of lsarpcd crasches
In-Reply-To: <200002241939.UAA16602@jupiter.informatik.umu.se>
Message-ID:

ike,

i just have a fix in for some stupid bug where i typecast a constant to a
pointer.

do a cvs update, now. thx.

On Fri, 25 Feb 2000, Åke Holmlund wrote:

> Hi.
>
> I'm trying to run TNG (cvs:ed a few hours ago) with ldap and have been
> running into problems. I'm running on a Sun sparc, Solaris 7 server
> and NT4 sp5 client.
>
> I can set up Samba so i can join a domain and log in BUT i get quite a
> few errors like:
>
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 29513 (TNG-prealpha)
> Please read the file BUGS.txt in the distribution
> ===============================================================
>
> in the lsarpcd log file. Right now i'm in a situation where i have removed
> all workstation accounts. Trying to join the domain (which of course is
> impossible since there are no ws accounts) gives me 8 coredumps from
> lsarpcd!
>
> The netlogond also had a tendency to crash when i had the domain running
> but much more infrequently.
>
> Anyone having the same problems or an idea about what's going on?
>
> -----------------------------------------------------------------------------
> Åke Holmlund           Tel: +46 - 90 786 57 16
> Umeå University        Fax: +46 - 90 786 65 50
> Dept of informatics    Email: holm@informatik.umu.se
> SE-901 87 Umeå
> Sweden
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mgeddes at xavier.sa.edu.au Fri Feb 25 04:57:14 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes)
Date: Tue Dec 2 02:28:47 2003
Subject: LOTS of lsarpcd crasches
References: <200002241939.UAA16602@jupiter.informatik.umu.se>
Message-ID: <38B60BAA.F2ADFFE5@xavier.sa.edu.au>

Åke Holmlund wrote:
>
> Hi.
>
> I'm trying to run TNG (cvs:ed a few hours ago) with ldap and have been
> running into problems. I'm running on a Sun sparc, Solaris 7 server
> and NT4 sp5 client.
>
> I can set up Samba so i can join a domain and log in BUT i get quite a
> few errors like:
>
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 29513 (TNG-prealpha)
> Please read the file BUGS.txt in the distribution
> ===============================================================
>
> in the lsarpcd log file. Right now i'm in a situation where i have removed
> all workstation accounts. Trying to join the domain (which of course is
> impossible since there are no ws accounts) gives me 8 coredumps from
> lsarpcd!
>
> The netlogond also had a tendency to crash when i had the domain running
> but much more infrequently.
>
> Anyone having the same problems or an idea about what's going on?
>

It's the problem I sent you that report about, Luke. Whenever you
attempt to log in / join a domain it core dumps. Since version
prealpha-0.4. Do you got any ideas?

I'll try to get those manpages done (using the source) and I'll send you
the result for your inspection.

Thanks,
Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From lkcl at samba.org Fri Feb 25 04:57:30 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: joining a domain works, but login fails
In-Reply-To: <38B5A645.D556C2A5@xavier.sa.edu.au>
Message-ID:

thx! umm... can i ask you... hmmm.. how to do this. can u make each of
these manpages _Exactly_ the same, and then refer rpcclient to each of
them as a "developer" tool, a combination of _all_ the commands in
regedit, samedit, lsa, etc etc, please see man pages for each blah blah.

On Fri, 25 Feb 2000, Matthew Geddes wrote:

> Luke Kenneth Casson Leighton wrote:
> >
> > > try and find the problem if you give us a couple of hints. If not, I
> > > might try to document some of the new tools.....
> > >
> >
> > yes please. i started with rpcclient manpage, of course there isn't one
> > specifically for all the other commands.
>
> The regedit man page is half done. I have a busy weekend ahead of me,
> but if you can possibly send a brief description of each command (or at
> least just the important ones) in regedit and samedit, I will endeavour
> to get both man pages done by Monday. If you can't, that's OK, I'll try
> to get it as accurate as I can. I will send the finished pages to you to
> make sure of accuracy and things and from there, you can do as you
> please.
>
> Thanks,
> Matt
>
> P.S. Can I log in if I use alpha-0.6? ;-)
>
> --
> "Our goal for the next release of Windows 2000 is to have zero bugs."
> - Lucovsky, Microsoft
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Fri Feb 25 04:58:28 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:47 2003
Subject: Broken or quiet?
In-Reply-To: <38B5B258.3CFE1858@xavier.sa.edu.au>
Message-ID:

turnaround on mail is pretty bad at the moment - i'm seeing delays of up
to 8 hours. pqueue on samba.org is consuming 70 to 95% cpu.

On Fri, 25 Feb 2000, Matthew Geddes wrote:

>
> Hi guys, I am receiving mail very slowly and getting very few messages
> from this list. Is the list just quiet, or am I broken?
>
>
> Thanks,
> Matt
>
> --
> "Our goal for the next release of Windows 2000 is to have zero bugs."
> - Lucovsky, Microsoft
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From hpreg at vmware.com Fri Feb 25 07:20:39 2000
From: hpreg at vmware.com (Regis Duchesne)
Date: Tue Dec 2 02:28:47 2003
Subject: Samba in VMware (Was: Another GPL violation?)
Message-ID:

Hi guys,

I just wanted to let you know that your voices have been heard, and that
the next release of VMware will do the following:

1) A file called SAMBA-LICENSE will be always installed in
   (/usr/doc/vmware by default) when VMware is installed. This file
   contains:
   a) A header from VMware explaining where (URL) to find VMware diffs to
      the Samba source version 2.0.6
   b) The full content of the file COPYING (GPL v 2) included in the
      Samba source version 2.0.6

2) At configuration time of VMware, if the user decides to use the Samba
   server binary modified by VMware, he will be pointed at the file
   described in 1)

Again, sorry for the delay, but we are at least as busy as you guys are :)

Have a nice day,
--
Regis "HPReg" Duchesne - Member of Technical Staff - VMWare, Inc.
www http://www.VMware.com/
(O o) I use Linux (1135 KB/s over 10Mb/s ethernet)
--.oOO--(_)--OOo.----------------------------------------------------
If cryptography is outlawed, only outlaws will have cryptography

From allan at carhart.com Fri Feb 25 10:12:24 2000
From: allan at carhart.com (Allan Carhart)
Date: Tue Dec 2 02:28:47 2003
Subject: Error was : code 131 (again...)
Message-ID:

Hey everyone.

I've been searching the web, and see this is a common problem, but haven't
found a solution. So I guess I'll go ahead and start my own thread here --

I'm getting very frustrated trying to add my samba server to my NT domain.

Domain name is 'EASTSIDE', PDC name is 'PANTHER', IP is 10.0.0.245
My WINS server is sitting at 10.0.0.1

I've added my samba system to the Server Manager on my PDC.

I then execute this command "smbpasswd -j EASTSIDE -r PANTHER -D 10"

And receive this output:
----------------------------------------------------------------------
do_reseed: got 40 bytes from /dev/urandom.
resolve_name: Attempting wins lookup for name PANTHER<0x20>
bind succeeded on port 0
nmb packet from 10.0.0.1(137) header: id=5255 opcode=Query(0) response=No
header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=No
header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
question: q_name=PANTHER<20> q_type=32 q_class=1
Sending a packet of len 50 to (10.0.0.1) on port 137
read_udp_socket: lastip 10.0.0.1 lastport 137 read: 62
parse_nmb: packet id = 5255
Received a packet of len 62 from (10.0.0.1) port 137
nmb packet from 10.0.0.1(137) header: id=5255 opcode=Query(0) response=Yes
header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=Yes
header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
answers: nmb_name=PANTHER<20> rr_type=32 rr_class=1 ttl=4014
answers 0 char ...... hex 04000A0000F5
Got a positive name query response from 10.0.0.1 ( 10.0.0.245 )
Connecting to 10.0.0.245 at port 139
write_socket(4,76)
write_socket(4,76) wrote 76
Sent session request
got smb length of 1
size=1
smb_com=0x0
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=0
smb_flg2=0
smb_tid=0
smb_pid=0
smb_uid=0
smb_mid=0
smt_wct=0
smb_bcc=0
modify_trust_password: machine PANTHER rejected the session setup. Error was : code 131.
2000/02/24 04:24:26 : change_trust_account_password: Failed to change password for domain EASTSIDE.
----------------------------------------------------------------------

I really don't know where to go from here. I've been studying these docs,
but I'm sure I'm missing something.

Here is my [global] section of smb.conf:
----------------------------------------------------------------------
# Global parameters
[global]
        workgroup = EASTSIDE
        netbios name = LPRINT1
        security = SHARE
        encrypt passwords = Yes
        update encrypted = Yes
        log file = /var/log/samba.d/smb.%m
        max log size = 50
        name resolve order = wins bcast lmhosts
        local master = No
        wins proxy = Yes
        wins server = 10.0.0.1
        printing = lprng
----------------------------------------------------------------------

I have set 'security = SHARE' for the time being, because the docs seem to
indicate I should not change that to 'security = domain' until after I've
successfully gotten through the 'smbpasswd' hurdle.

...I hope I'm being clear.

By the way, I couldn't get 'security = server' to work either. When I had
that set with PANTHER as my password server, I received the following
message in my logs:

[2000/02/24 03:48:51, 1] smbd/password.c:server_cryptkey(1022)
  PANTHER rejected the session
[2000/02/24 03:48:51, 1] smbd/password.c:server_validate(1063)
  password server is not connected
[2000/02/24 03:48:51, 0] passdb/smbpass.c:startsmbfilepwent(50)
  startsmbfilepwent: unable to open file /etc/smbpasswd

---

The NT side: NT4 with Service Pack 6
Hostname: PANTHER

The SAMBA Side: Linux 2.2.x with SAMBA-2.0.5a,
Hostname: LPRINT1

The two systems are on the same physical (10.0.0.x) network.

I have set encryption to 'yes' on the samba side, although I haven't done
any re-linking to make it use encryption. Am I missing something with that?

I've also made the "EnablePlainPassword" registry change on the NT side.

Well, I know this message is LONG, but I hope I'm providing you all with
the necessary information up front!
Please let me know if you can give me a hand!

Thanks,
Allan Carhart
allan@carhart.com

From lk at netuse.de Fri Feb 25 14:50:18 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:47 2003
Subject: Broken or quiet?
References: <38B5B258.3CFE1858@xavier.sa.edu.au>
Message-ID: <38B696AA.E1FD077F@netuse.de>

Matthew Geddes wrote:
>
> Hi guys, I am receiving mail very slowly and getting very few messages
> from this list. Is the list just quiet, or am I broken?
>
> Thanks,
> Matt

Very quiet in the last days.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From ken at hudat.com Fri Feb 25 15:04:38 2000
From: ken at hudat.com (Kendrick Vargas)
Date: Tue Dec 2 02:28:47 2003
Subject: Samba and NT 4.0
In-Reply-To: <200002241643.KAA32156@pug.aae.wisc.edu>
Message-ID:

On Fri, 25 Feb 2000, Anders C. Thorsen wrote:

> The infamous Microsoft Internet Exploder Active Desktop Add-on stuff
> try WITHOUT installing this when you Install IE 4.x / 5.x
> [don't believe it can be properly disintegrated from your computer...
> It's probably implemented in your kernel as the rest of IE :) ]

ahhh... If you've got a Win95 CDROM handy, you could "dis-integrate" it
with http://www.98lite.net :-)

-peace

--- BEGIN GEEK CODE BLOCK ------------+-----------
GAT d- s:+ !a C+(+++) UI/L/S/B++(+++) | "In the morning glad I see
P>+ L+(++) E---- W+++ N+ o? K? w++++  | My foe outstretch'd beneath the tree."
O--- M-- V PS+++@ PE Y-- PGP+ t++ 5   | -The Poison Tree
X++ R- tv+ b DI++ D+ G e>* h*(!) r-   | William Blake
y*(+) ------ END GEEK CODE BLOCK -----+

From jhutchins at kc.rr.com Thu Feb 24 22:50:14 2000
From: jhutchins at kc.rr.com (Jonathan Hutchins)
Date: Tue Dec 2 02:28:47 2003
Subject: Linux as an NT CLIENT
References:
Message-ID: <004701bf7f19$e20b8920$39950c0a@uhc.com>

> On Sat, 19 Feb 2000, Jonathan Hutchins wrote:
>> What are the critical steps in getting a Samba machine to join the
>> domain and access shares?

And Luke Kenneth Casson Leighton rather sparsely replied:

> pam_ntdom.

Which might possibly be a compile-time option? Not currently doc'ed as a
configuration keyword.

From the looks of the list, there are some problems with the
authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland says
"I have several samba boxes joined and authenticating to NT PDC's".

There appears to be about 1/3 of a page of documentation on this. I'd gladly
write a HOWTO if someone could take the time to elaborate a bit more.

I've got most of the rest of the functionality of an NT Client working,
just need the authenticate-from-NT part.

From swaters at amicus.com Thu Feb 24 20:13:14 2000
From: swaters at amicus.com (Stephen Waters)
Date: Tue Dec 2 02:28:47 2003
Subject: ??
References: <20000224055538.9611.qmail@hotmail.com>
Message-ID: <38B590DA.66D31AAE@amicus.com>

for 2.0.x, if you have an NT PDC, you have to have users and groups
allocated both on the PDC and in /etc/passwd and /etc/group on the samba
file server. samba knows which unix groups equal which NT groups using the
/lib/domaingroup.map file.

yes, this is a maintenance pain. although samba can auto-magically add non
existent users to /etc/passwd via the Password Chat option (and thereby
giving them a primary group), you have to manually add them to secondary
groups in /etc/group.

i can't speak for TNG...

-s

Keith Bethel wrote:
>
> I am NT admin looking to use Linux more on the network.
>
> Is there an easy and reliable way to link NT domain groups and linux group
> permissions.
>
> I have been researching the samba sites, but have yet to come up with
> anything definite.
>
> Are there any other resources for more specific information regarding NT
> groups/Samba groups?
>
> Thank you,
>
> Keith Bethel
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com

From vs at lasp.npi.msu.su Fri Feb 25 05:19:58 2000
From: vs at lasp.npi.msu.su (Vladimir Stavrinov)
Date: Tue Dec 2 02:28:47 2003
Subject: amazing tng-0.6
Message-ID:

Luck, my congratulations! - tng got new "feature" (once more new): while
login NT say me: "system unable to create profile
\\samba-pdc\\profile.pds". Logon path always setting up to
\\%L\%U\profile, but I first see this for a 2 years. It seems, like %U
substitution not recognized when login start, but when login complete
(with new local profile) share \\%L\%U exist.

And more, I logon as local admin and try load hive
\\%L\%U\profile\ntuser.dat to registry, but it say "path not exist", the
same response in attempt to map drive, while browser itself can read it.
True mystery.

What to do? Wait for tng-0.7?

From alexandre.lecuyer at iu-vannes.fr Fri Feb 25 11:17:39 2000
From: alexandre.lecuyer at iu-vannes.fr (Alexandre Lécuyer)
Date: Tue Dec 2 02:28:47 2003
Subject: Domain Logins
Message-ID: <38B664D3.71927CB6@iu-vannes.fr>

Hello,

We have been running Samba HEAD_BRANCH here for over 6 months now and
we're really happy with it.
The only thing people miss is the ability to change file's ACL, so I
thought I'd give Samba TNG a try.

I have set up a Samba TNG server (Lars Kneschke's site has been very
helpful.. thanks a lot!) which is running on a linux machine.

I have created machine accounts and user accounts, then successfully joined
the domain. However I am unable to login after the reboot.
I don't think it is a problem with the user account, since I am able to
map shares from the same client machine with that username.

It is probably not related to my NT setup either, since I can join and
login to the other domain managed by a Samba HEAD_BRANCH.

What did I miss ??
I have browsed the list archive and couldn't solve my problem.

(Samba TNG: cvs from yesterday - 24/02/00)
(NT Workstation 4.0 + SP6)

--
Alexandre Lécuyer
CCRI, IUT de Vannes

From scottf at scs.unr.edu Fri Feb 25 16:26:51 2000
From: scottf at scs.unr.edu (Scott.)
Date: Tue Dec 2 02:28:47 2003
Subject: TNG = No local account? :)
Message-ID:

Would TNG allow me to authenticate users against a PDC even if they don't
have a local account on the samba server? the samba box is a print server
and i want anyone with an account on the PDC to be able to print.

if not, what's the best way to do this? pam_smb/ntdom ?

====---- - - - - - - - - - ____ __ Scott Fritzinger | \ | |/\ /\ Computing Helpdesk Specialist | \| < O O > Helpdesk: (775) 784.4320 | |\ | \o/ Office: (775) 784.6500 x338 |__| \ ___|evada WolfPack

From hulet at ittc.ukans.edu Fri Feb 25 18:14:16 2000
From: hulet at ittc.ukans.edu (Michael S. Hulet)
Date: Tue Dec 2 02:28:47 2003
Subject: Printing with 2.0.6
In-Reply-To: <001601bf7eed$3fa52640$1900a8c0@joslyn.org>
Message-ID:

We use lprng for printing through samba and it works great. Here's our
global print definitions which may be helpful to you.

# Print Globals
        printing = lprng
        print command = /usr/local/bin/lpr -r -P%p %s
        lpq command = /usr/local/bin/lpq -P%p
        lprm command = /usr/local/bin/lprm -P%p %j
        printcap name = /etc/printcap
        printable = yes
        browseable = yes
        printer driver file=/usr/local/samba/lib/printers.def

Michael Hulet
Network System Administrator
ITTC, University of Kansas

On Fri, 25 Feb 2000, Chris Tooley wrote:

> I have a Samba 2.0.6 (from the RPM for RedHat 6.1) setup as a login server.
> This machine shares out several printers (2 HP LaserJet 4V's and a Lexmark
> Optra K 1220) that are used throughout the building. Lately when I added
> the second HP LaserJet I am having a lot of trouble. The 2nd LJ doesn't
> work at all, as it shows up continually in offline mode, and the original LJ
> shows up as paused. Some machines can print to it (all the clients are 95
> or 98 and range from 95 original version to 98 SE) and some can't print in
> paused mode. Now the Lexmark is showing up as paused and no one can print
> to it. I can print using the lpr command to all the printers and can ftp
> files to them and watch the printer spit them out. The connection works and
> the printer works, so I think it may be Samba.
>
> Any ideas?
>
> Enclosed is a copy of my smb.conf, printcap, and "ls -al -R /usr/spool/lpd".
> If any more information is needed please let me know.
>
> Chris Tooley
> Software Specialist
> Joslyn Art Museum
> 2200 Dodge St
> Omaha, NE 68102
> (402)342-3300 ext 247
> (402)342-0091 fax
>
>
> -----Original Message-----
> From: samba-ntdom@samba.org [mailto:samba-ntdom@samba.org]On Behalf Of
> Keith Bethel
> Sent: Thursday, February 24, 2000 5:01 AM
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: ??
>
>
> I am NT admin looking to use Linux more on the network.
>
> Is there an easy and reliable way to link NT domain groups and linux group
> permissions.
>
> I have been researching the samba sites, but have yet to come up with
> anything definite.
>
> Are there any other resources for more specific information regarding NT
> groups/Samba groups?
>
>
> Thank you,
>
> Keith Bethel
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>

From lars at kneschke.de Sat Feb 26 08:57:29 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:47 2003
Subject: Broken or quiet?
References: <38B5B258.3CFE1858@xavier.sa.edu.au>
Message-ID: <38B79579.C70FC3CD@kneschke.de>

Matthew Geddes wrote:
>
> Hi guys, I am receiving mail very slowly and getting very few messages
> from this list. Is the list just quiet, or am I broken?

Did you get any emails the last days?

Cu
--
Watch our projects at http://www.kneschke.de/projekte!
ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer

From lkcl at samba.org Sat Feb 26 16:33:03 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:48 2003
Subject: [admin] list problems
Message-ID:

this message may take a couple of days to get through. the list server on
samba is reacting ... unbelievably slowly.

so, please refrain from sending messages such as this one to it saying,
"the list isn't working", because we will receive them ALL once the lists
are sorted out -- all in one hit.

hopefully we will find someone with root access to sort it out, soon.

thx,

luke

From abrock at georgefox.edu Sat Feb 26 18:33:51 2000
From: abrock at georgefox.edu (Anthony Brock)
Date: Tue Dec 2 02:28:48 2003
Subject: Status of changing passwords from NT ...
Message-ID:

We are seriously looking at using Samba in a small office, however we have
not been able to change anyone's passwords from an NT workstation. Each
time we try, we get a message:

    Unable to change the password on this account (C00000BE). Please consult
    your system administrator.

This occurs regardless of whether we login as administrator or an
individual user. Does anyone know when this will be working, or is this a
unique problem to our configuration? We have been willing to use this
product since January except for this one problem. Once fixed, we would
be very anxious to deploy this for our network server.

Thanks in advance,

Tony

From p.grimmerink at home.nl Sat Feb 26 19:42:25 2000
From: p.grimmerink at home.nl (Pieter Grimmerink)
Date: Tue Dec 2 02:28:48 2003
Subject: samba-tng-0.6 problems
Message-ID:

Hello,

(sorry if this message appears twice, I sent it 6 hours ago, but I never
received it from the list, so here's a retry)

I recently tried out samba-tng-0.6, (tried 0.4 before, currently still
running 6 months ago samba head branch)
I have noticed the following 'problems', still keeping me from switching to
samba-tng;

-I have added an 'administrator' user in the samba domain, mapped a group it
 belonged to to 'BUILTIN\Administrators', and now I can't log into NT 4.0
 server or workstation with this 'administrator' domain account. (log.smb
 says 'password did not match') From win9x, this user can log in correctly,
 though.

-when I log in as 'root' (also in smbpasswd file, also member of the group
 mapped to 'BUILTIN\Administrators'), NT says that the machine account for
 the server is probably not there. Normal domain users work fine.

-I can't see groups in the usermanager for domains, in NT.

-can't use the usermanager for domains under win9x at all: "PDC for this
 domain can't be found" ?!

-when I grant a group access to a share (NT), members from that group can't
 access the share. It works when I manually add all users to the share.
 Probably related: when I rpcclient to an NT server, and query the members
 of that group, the group appears to be empty. When I do the same for the
 samba-pdc, the group contains all the users.

-when I do the same under win9x, members of groups only gain access when the
 group is recognized by windows ("Domain Users" for instance)
 Groups I don't map to a windows-builtin groupname, don't work.

-From NT, the local administrator can't even access win9x machines via the
 network. (Probably the same problem as the administrator account in the
 domain not being able to log in to NT).

This seems like a long list, but there is one huge improvement since version
0.4; win9x users can log in to the domain!
(Login takes much longer than with the old head smbd, somehow, but it works)

Conclusion: I can switch to samba-tng in only one of my network situations
(the one at my home): One samba server (PDC), and only win98 workstations.
The other situations have both NT and win9x, so I can't use TNG.

I hope that most of these problems will be solved one day, then I can
finally get rid of all NT servers!

Best regards,

Pieter

From GLeblanc at cu-portland.edu Sat Feb 26 21:39:41 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Tue Dec 2 02:28:48 2003
Subject: anybody else having trouble with tng cvs, configure, and locking?
Message-ID:

It's entirely possible that I've fouled something up on my machine when I
did a rebuild, but I've done two more re-installs of RH6.1 since then, and
can't figure it out. I did a checkout of samba tng this morning, and when I
run configure --prefix=/opt/samba, it zips (well, ponders) through a zillion
checks, but pukes on the check for locking. To be more specific

'checking configure summary
ERROR: No locking available. Running Samba would be unsafe
configure: error: summary failure. Aborting config'

Seems to me that I'm probably broken, but how? Thanks,
Greg

From patl at cag.lcs.mit.edu Sat Feb 26 22:02:51 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:48 2003
Subject: amazing tng-0.6
References:
Message-ID:

Vladimir Stavrinov writes:

> Luck, my congratulations! - tng got new "feature" (once more new):
> while login NT say me: "system unable to create profile
> \\samba-pdc\\profile.pds". Logon path always setting up to
> \\%L\%U\profile, but I first see this for a 2 years. It seems, like
> %U substitution not recognized when login start, but when login
> complete (with new local profile) share \\%L\%U exist.

We have the same problem.

See passdb/sampass.c, line 115. Although user->unix_name is filled
in, user->nt_name is the empty string. I do not know why.

The attached patch is a workaround; it uses the unix_name as if it
were the requested name (%U). This is not a correct fix (I am looking
into that now), but it does make my logon scripts and roving profiles
work again.

 - Pat

-------------- next part --------------
Index: source/passdb/sampass.c =================================================================== RCS file: /cvsroot/samba/source/passdb/Attic/sampass.c,v retrieving revision 1.5.2.8 diff -u -1 -0 -r1.5.2.8 sampass.c --- sampass.c 2000/02/22 03:28:13 1.5.2.8 +++ sampass.c 2000/02/26 21:53:02 @@ -105,21 +105,21 @@ /* * get all the other gubbins we need. substitute unix name for %U */ #if 0 vuser = get_valid_user_struct(get_sec_ctx()); #endif /* HACK to make %U work in substitutions below */ - fstrcpy(bogus_user_struct.requested_name, user->nt_name); + fstrcpy(bogus_user_struct.requested_name, user->unix_name); fstrcpy(bogus_user_struct.name , user->unix_name); pstrcpy(full_name , ""); pstrcpy(logon_script , lp_logon_script (&bogus_user_struct)); pstrcpy(profile_path , lp_logon_path (&bogus_user_struct)); pstrcpy(home_drive , lp_logon_drive (&bogus_user_struct)); pstrcpy(home_dir , lp_logon_home (&bogus_user_struct)); pstrcpy(acct_desc , ""); pstrcpy(workstations , "");

From patl at cag.lcs.mit.edu Sat Feb 26 22:27:09 2000
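Review bot: The replacement line `fstrcpy(bogus_user_struct.requested_name, user->unix_name);` drops user->nt_name unconditionally, so once nt_name is populated, or wherever the NT and unix names differ, %U in lp_logon_script, lp_logon_path, lp_logon_drive and lp_logon_home will expand to the unix name rather than the requested name. Copy user->unix_name only when user->nt_name is the empty string (test user->nt_name[0]) and keep user->nt_name otherwise. The existing "HACK to make %U work" comment should also say that this works around nt_name never being filled in, and that requested_name and name now intentionally carry the same value, so the workaround is easy to find and remove when the real fix lands.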
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:48 2003
Subject: amazing tng-0.6
In-Reply-To: Vladimir Stavrinov's message of "Sun, 27 Feb 2000 07:25:50 +1100"
References:
Message-ID:

Vladimir Stavrinov writes:

> Luck, my congratulations! - tng got new "feature" (once more new):
> while login NT say me: "system unable to create profile
> \\samba-pdc\\profile.pds". Logon path always setting up to
> \\%L\%U\profile, but I first see this for a 2 years. It seems, like
> %U substitution not recognized when login start, but when login
> complete (with new local profile) share \\%L\%U exist.

OK, the problem is that the "nt_name" field is never being filled in
at all in the sam_passwd structure used by getsamfile21pwent().

This structure is created by sampassdb.c:pwdb_smb_to_sam(), which
inherits the nt_name value from the same field in the smb_passwd
structure returned by smbpass.c:getsmbfilepwent().

Since "nt_name" is never explicitly assigned in any of these places,
it is not available for the %U substitution, so the empty string gets
substituted instead.

I think the right solution is to arrange for nt_name to be set
correctly, but I do not know the right way to do that. Luke?

 - Pat

From lajbi at lajli.gau.hu Sun Feb 27 06:16:18 2000
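The empty %U expansion diagnosed in Patrick LoPresti's message above, reproduced as a stand-alone added example; this is not Samba code and not part of the thread. The function names, result codes and the sample user names are hypothetical; the template and the server name "samba-pdc" are the ones quoted in the thread. It shows the collapsed path, a fallback to the unix name only when the NT name is empty, and a strict mode that refuses to emit a path with an empty component.

```c
#include <stdio.h>
#include <string.h>

/* Result codes (hypothetical names, not Samba's). */
enum { EXP_OK = 0, EXP_EMPTY_VALUE = -1, EXP_TOO_LONG = -2, EXP_BAD_MACRO = -3 };

/* Use the NT name when it is set; fall back to the unix name only when
 * nt_name is empty, so a populated nt_name is never overridden. */
const char *pick_user_name(const char *nt_name, const char *unix_name)
{
    if (nt_name != NULL && nt_name[0] != '\0')
        return nt_name;
    return unix_name != NULL ? unix_name : "";
}

/* Bounded append; out stays NUL-terminated and *pos < outlen holds. */
static int append(char *out, size_t outlen, size_t *pos, const char *s, size_t n)
{
    if (n >= outlen - *pos)
        return EXP_TOO_LONG;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return EXP_OK;
}

/* Expand %L (server) and %U (user) in tmpl into out.
 * strict != 0: an empty expansion is an error instead of silently
 * producing a path in which every user shares the same component. */
int expand_logon_path(const char *tmpl, const char *server, const char *user,
                      int strict, char *out, size_t outlen)
{
    size_t pos = 0;
    const char *p;

    if (out == NULL || outlen == 0)
        return EXP_TOO_LONG;
    out[0] = '\0';

    for (p = tmpl; *p != '\0'; p++) {
        const char *val = p;   /* literal character by default */
        size_t n = 1;
        int rc;

        if (*p == '%') {
            p++;
            if (*p == 'L')
                val = server;
            else if (*p == 'U')
                val = user;
            else
                return EXP_BAD_MACRO;   /* unknown macro or trailing '%' */
            if (val == NULL)
                val = "";
            n = strlen(val);
            if (n == 0 && strict)
                return EXP_EMPTY_VALUE;
        }
        rc = append(out, outlen, &pos, val, n);
        if (rc != EXP_OK)
            return rc;
    }
    return EXP_OK;
}

/* Expand the thread's logon path template for one user.
 * Returns a static buffer (not reentrant) or NULL on any error. */
const char *profile_path_for(const char *user, int strict)
{
    static char buf[128];
    int rc = expand_logon_path("\\\\%L\\%U\\profile", "samba-pdc", user,
                               strict, buf, sizeof buf);
    return rc == EXP_OK ? buf : NULL;
}

int main(void)
{
    const char *p;

    /* nt_name empty and no fallback: the path loses its user component. */
    p = profile_path_for("", 0);
    printf("empty %%U, lenient : %s\n", p ? p : "(refused)");

    /* Same input in strict mode: refused rather than collapsed. */
    p = profile_path_for("", 1);
    printf("empty %%U, strict  : %s\n", p ? p : "(refused)");

    /* Fallback to the unix name ("vs" is a constructed sample). */
    p = profile_path_for(pick_user_name("", "vs"), 1);
    printf("fallback to unix  : %s\n", p ? p : "(refused)");
    return 0;
}
```
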
From: lajbi at lajli.gau.hu (Lajber Zoltan)
Date: Tue Dec 2 02:28:48 2003
Subject: nt lock and print, cvs compile
In-Reply-To:
Message-ID:

Hi,

I'm using the cvs main since a while, and it works as PDC (debian
linux/slink, NT4sp3/sp5 clients). I want to use the server as print server
too, but the printer is still on a workstation. I made a suitable printcap,
so I can print from my linux on the remote printer just fine with lpr or
even with dvips. But other NT clients can't connect to the server's printer.
I recognized that the client can't get the status of the printer (one click
on printer browsing window). What is the solution? (i'm using lprng)

The other thing is: the file sharing (locking?) don't work well with NT.
If a win9x (just installed for this test) is open a file on the server,
the other win9x can open it as it need. In any combinations which contains
NT, the second attempt will die with some strange error (something like
"this is not a .doc file... etc).

The third problem is: I can't compile the today (well, here night) cvs with
debian/slink, (libc6), because the linking fail, missing some function in
lib/util_sec.o. This functions are setresuid and around this.

Thanks for your help.

Bye,
-=Lajbi=--------------------------------------------------------------------
LAJBER Zoltan lajbi@jht.gau.hu http://jht.gau.hu/~lajbi
GATE Jarmu- es Hotechnika Tanszek http://jht.gau.hu
A member of HuLUG http://mlf.linux.rulez.org/mlf

From s.striker at striker.nl Sun Feb 27 10:39:53 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:48 2003
Subject: TNG configure error
Message-ID:

Hi,

I just did a fresh cvs checkout this morning, but I get a configure error
that wasn't present before. A few days ago everything configured/compiled
fine. I didn't do any modifications to my system.

I'm running RH6.0, kernel 2.2.14.

Sander Striker

From s.striker at striker.nl Sun Feb 27 10:41:53 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:48 2003
Subject: FW: TNG configure error
Message-ID:

Oops, forgot to paste in the error:

checking configure summary
ERROR: No locking available. Running Samba would be unsafe
configure: error: summary failure. Aborting config

Hi,

I just did a fresh cvs checkout this morning, but I get a configure error
that wasn't present before. A few days ago everything configured/compiled
fine. I didn't do any modifications to my system.

I'm running RH6.0, kernel 2.2.14.

Sander Striker

From merkes at t-online.de Sun Feb 27 10:50:04 2000
From: merkes at t-online.de (markus stephany)
Date: Tue Dec 2 02:28:48 2003
Subject: amazing tng-0.6
In-Reply-To:
References:
Message-ID: <17493.000227@merkespages.de>

Hello Vladimir,

Saturday, February 26, 2000, 9:22:48 PM, you wrote:

VS> Luck, my congratulations! - tng got new "feature" (once more new): while
VS> login NT say me: "system unable to create profile
VS> \\samba-pdc\\profile.pds". Logon path always setting up to
VS> \\%L\%U\profile, but I first see this for a 2 years. It seems, like %U
VS> substitution not recognized when login start, but when login complete
VS> (with new local profile) share \\%L\%U exist.

VS> And more, I logon as local admin and try load hive
VS> \\%L\%U\profile\ntuser.dat to registry, but it say "path not exist", the
VS> same response in attempt to map drive, while browser itself can read it.
VS> True mystery.

VS> What to do? Wait for tng-0.7?

i have the same problem here with TNG newer than alpha-0.3. when setting
the debug level to 100, i get an error message in log.lsarpc
(cache->policy not found, Error getting policy state...). in log.netlogon
all %U are replaced by an empty string in net_io_r_sam_logon
(make_creds_key), that means the logon script is set to '.bat', and the
profile and home paths miss the user name.

--
rgds,
markus stephany
====================================
mailto:merkes@merkespages.de
http://www.merkespages.de

From p.mayers at ic.ac.uk Sun Feb 27 11:28:25 2000
From: p.mayers at ic.ac.uk (Mayers, P J)
Date: Tue Dec 2 02:28:48 2003
Subject: Linux as an NT CLIENT
Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F81344@icex1.cc.ic.ac.uk>

Do you mean at login: prompt time? In which case, if your system supports
pam, you can use pam_ntdom (hence luke's rather sparse reply).

If not, you might want to investigate smb-agent, which does the same thing
as ssh-agent - i.e. caches passwords. I don't know if pam_ntdom is
integrated with smb-agent (if it were, it would give you single signon) but
I doubt it. However, the code can't be the hardest thing in the world to
write.

But you need to be clear exactly what you mean, and how you're making Linux
an NT client. smbmount will allow you to mount smb shares, but there's a
program with Samba called smbsh, which uses a shell wrapper DSO to intercept
filesystem calls, and create the equivalent of a network neighbourhood.

Again, I don't know the state of integration between smb-agent, pam_ntdom
and smbsh. Luke?

Cheers,
Phil

-----Original Message-----
From: Jonathan Hutchins
To: Multiple recipients of list SAMBA-NTDOM
Sent: 2/26/00 8:11 PM
Subject: Re: Linux as an NT CLIENT

> On Sat, 19 Feb 2000, Jonathan Hutchins wrote:
>> What are the critical steps in getting a Samba machine to join the
>> domain and access shares?

And Luke Kenneth Casson Leighton rather sparsely replied:

> pam_ntdom.

Which might possibly be a compile-time option? Not currently doc'ed as a
configuration keyword.

From the looks of the list, there are some problems with the
authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland says
"I have several samba boxes joined and authenticating to NT PDC's".

There appears to be about 1/3 of a page of documentation on this. I'd gladly
write a HOWTO if someone could take the time to elaborate a bit more.

I've got most of the rest of the functionality of an NT Client working,
just need the authenticate-from-NT part.

From T.Nijenbrink at pink.nl Sat Feb 26 23:54:39 2000
From: T.Nijenbrink at pink.nl (Tim Nijenbrink)
Date: Tue Dec 2 02:28:48 2003
Subject: Can't join domain error code=12
Message-ID: <001101bf80b4$d9125870$0300a8c0@ps28>

I have been trying to have my nt5 machine join the samba domain (tng 0.6),
but failed.
I keep getting an error code = 12.
Does anyone know what this means?

-------------- next part --------------
HTML attachment scrubbed and removed

From lkcl at samba.org Sun Feb 27 16:46:38 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:48 2003
Subject: Samba in VMware (Was: Another GPL violation?)
In-Reply-To:
Message-ID:

thank you!

On Sun, 27 Feb 2000, Regis Duchesne wrote:

> Hi guys,
>
> I just wanted to let you know that your voices have been heard, and
> that the next release of VMware will do the following:
>
> 1) A file called SAMBA-LICENSE will be always installed in
> (/usr/doc/vmware by default) when VMware is installed.
>
> This file contains:
>
> a) A header from VMware explaining where (URL) to find VMware diffs to the
> Samba source version 2.0.6
>
> b) The full content of the file COPYING (GPL v 2) included in the
> Samba source version 2.0.6
>
> 2) At configuration time of VMware, if the user decides to use the
> Samba server binary modified by VMware, he will be pointed at the
> file described in 1)
>
> Again, sorry for the delay, but we are at least as busy as you guys
> are :)
>
> Have a nice day,
> --
> Regis "HPReg" Duchesne - Member of Technical Staff - VMWare, Inc.
> www http://www.VMware.com/
> (O o) I use Linux (1135 KB/s over 10Mb/s ethernet)
> --.oOO--(_)--OOo.----------------------------------------------------
> If cryptography is outlawed, only outlaws will have cryptography
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Sun Feb 27 16:54:20 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:48 2003
Subject: amazing tng-0.6
In-Reply-To:
Message-ID:

gimme chance to try it out, meself. this one's quite tricky. we done a
patch to "fake" this stuff as best as poss, it should actually work fine.

if you can attempt to run with high log levels and track this yourself,
the critical function that creates the goods (subst %L and %U) is
getsamfile21pwent().

okie?

luke

On Sun, 27 Feb 2000, Vladimir Stavrinov wrote:

>
> Luck, my congratulations! - tng got new "feature" (once more new): while
> login NT say me: "system unable to create profile
> \\samba-pdc\\profile.pds". Logon path always setting up to
> \\%L\%U\profile, but I first see this for a 2 years. It seems, like %U
> substitution not recognized when login start, but when login complete
> (with new local profile) share \\%L\%U exist.
>
> And more, I logon as local admin and try load hive
> \\%L\%U\profile\ntuser.dat to registry, but it say "path not exist", the
> same response in attempt to map drive, while browser itself can read it.
> True mystery.
>
> What to do? Wait for tng-0.7?
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Sun Feb 27 16:56:20 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:48 2003
Subject: samba-tng-0.6 problems
In-Reply-To:
Message-ID:

On Sun, 27 Feb 2000, Pieter Grimmerink wrote:

> Hello,
>
> I recently tried out samba-tng-0.6, (tried 0.4 before, currently still
> running 6 months ago samba head branch)
> I have noticed the following 'problems', still keeping me from switching to
> samba-tng;
>
> -I have added an 'administrator' user in the samba domain, mapped a group it
> belonged to to 'BUILTIN\Administrators', and now I can't log into NT 4.0
> server or workstation with this 'administrator' domain account. (log.smb
> says 'password did not match') From win9x, this user can log in correctly,
> though.

the BUILTIN domain is not correctly supported in any version of samba.
if it is "supported" it's "fake".

From lkcl at samba.org Sun Feb 27 16:56:57 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:48 2003
Subject: Status of changing passwords from NT ...
In-Reply-To:
Message-ID:

which version? it should be working fine.

On Sun, 27 Feb 2000, Anthony Brock wrote:

> We are seriously looking at using Samba in a small office, however we have
> not been able to change anyone's passwords from an NT workstation. Each
> time we try, we get a message:
>
> Unable to change the password on this account (C00000BE). Please consult
> your system administrator.
>
> This occurs regardless of whether we login as administrator or an
> individual user. Does anyone know when this will be working, or is this a
> unique problem to our configuration? We have been willing to use this
> product since January except for this one problem. Once fixed, we would
> be very anxious to deploy this for our network server.
>
> Thanks in advance,
>
> Tony
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lars at kneschke.de Sun Feb 27 18:55:20 2000
From: lars at kneschke.de (Lars Kneschke)
Date: Tue Dec 2 02:28:48 2003
Subject: bug in configure script
Message-ID: <38B97318.7326A817@kneschke.de>

Hello!

The samba tng configure script has a bug!

if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then
  echo $ac_n "(cached) $ac_c" 1>&6
else
  cat > conftest.$ac_ext < EOF
ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out"

ac_try is "$CPP $CPPFLAGS conftest.c >/dev/null 2>conftest.out".
But CPP and CPPFLAGS are empty ...

echo configure:1704: $ac_try 1>&5
{ (eval echo configure:1704: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }

... that's why this eval will fail. You can see this also in config.log.
You can't build a Makefile and compile samba tng.

Cu
--
Watch our projects at http://www.kneschke.de/projekte!
ggitv, KSamba, PXTools, Samba TNG FAQ, myWebalizer

From abrock at georgefox.edu Sun Feb 27 21:56:24 2000
From: abrock at georgefox.edu (Anthony Brock)
Date: Tue Dec 2 02:28:48 2003
Subject: Re(2): Status of changing passwords from NT ...
Message-ID:

This occurs with every version we have updated to since I started looking
at the SAMBA_TNG branch. The latest test was against CVS last Friday. I
am including my smb.conf file below for reference.

Just for confirmation, I will update against CVS again in a few minutes,
and see if it works. The command I use to update with is:

cvs update -r SAMBA_TNG -P -d

Let me know if you have any thoughts.

Tony

*** include smb.conf ***
# Samba config file created using SWAT
# from host1.scg.com (10.0.0.2)
# Date: 2000/02/25 19:15:30

# Global parameters
    workgroup = IT
    netbios name = WEB SERVER
    server string = Samba Server
    interfaces = 10.0.0.10/24
    encrypt passwords = Yes
    passwd chat = *ew*password* %n\n *ew*password* %n\n *updated*
    syslog = 0
    max log size = 50
    timestamp logs = Yes
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    domain group map = /opt/samba-tng/lib/domaingroup.map
    domain user map = /opt/samba-tng/lib/domainuser.map
    logon script = startup.bat
    logon drive = H:
    domain logons = Yes
    os level = 34
    preferred master = True
    domain master = True
    dns proxy = No
    wins support = Yes
    vfs option =

[homes]
    comment = Home Directories
    read only = No
    browseable = No
    vfs option =

[profiles]
    comment = Profile Share
    path = /export/shared/profiles
    read only = No
    create mask = 0700
    directory mask = 0700
    vfs option =

[netlogon]
    comment = Startup Scripts
    path = /export/shared/netlogon
    vfs option =
*** end smb.conf ***

lkcl@samba.org writes:
>which version? it should be working fine.
>
>On Sun, 27 Feb 2000, Anthony Brock wrote:
>
>> We are seriously looking at using Samba in a small office, however we have
>> not been able to change anyones passwords from an NT workstation. Each
>> time we try, we get a message:
>>
>> Unable to change the password on this account (C00000BE). Please consult
>> your system administrator.
>>
>> This occurs regardless of whether we login as administrator or an
>> individual user. Does anyone know when this will be working, or is this a
>> unique problem to our configuration? We have been willing to use this
>> product since January except for this one problem. Once fixed, we would
>> are very anxious to deploy this for our network server.
>

From abrock at georgefox.edu Sun Feb 27 22:20:35 2000
From: abrock at georgefox.edu (Anthony Brock)
Date: Tue Dec 2 02:28:48 2003
Subject: Fwd: Re(2): Status of changing passwords from NT ...
Message-ID:

Okay, I just tried it again, and received the following message:

The User name or old password is incorrect. Letters in passwords must be
typed using the correct case. Make sure that Caps Lock in not
accidentally on.

Hurrah! This is the first time I have received a different message in
several months. However, it is obviously still not functioning correctly.
This is against a CVS update around 1:59 pm PST today.

I am positive I am using the correct username (administrator, in this
case) since NT 4.0 fills this parameter in automatically, as well as the
domain. The password is the same I just used to log in to the domain
with, and it allowed me access. I have even logged in and out twice to be
sure I am using the correct password (and Caps Lock is off).

The workstation is an Intel NT 4.0 Workstation with Service Pack 6a
applied. I am attaching the log files from my RedHat 6.1 box in case they
are of any use.

Tony

>This occurs with every version we have updated to since I started looking
>at the SAMBA_TNG branch. The latest test was against CVS last Friday. I
>am including my smb.conf file below for reference.
>
>Just for confirmation, I will update against CVS again in a few minutes,
>and see if it works. The command I use to update with is:
>
>cvs update -r SAMBA_TNG -P -d
>
>Let me know if you have any thoughts.
>
>Tony
>
>*** include smb.conf ***
># Samba config file created using SWAT
># from host1.scg.com (10.0.0.2)
># Date: 2000/02/25 19:15:30
>
># Global parameters
>    workgroup = IT
>    netbios name = WEB SERVER
>    server string = Samba Server
>    interfaces = 10.0.0.10/24
>    encrypt passwords = Yes
>    passwd chat = *ew*password* %n\n *ew*password* %n\n *updated*
>    syslog = 0
>    max log size = 50
>    timestamp logs = Yes
>    time server = Yes
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    domain group map = /opt/samba-tng/lib/domaingroup.map
>    domain user map = /opt/samba-tng/lib/domainuser.map
>    logon script = startup.bat
>    logon drive = H:
>    domain logons = Yes
>    os level = 34
>    preferred master = True
>    domain master = True
>    dns proxy = No
>    wins support = Yes
>    vfs option =
>
>[homes]
>    comment = Home Directories
>    read only = No
>    browseable = No
>    vfs option =
>
>[profiles]
>    comment = Profile Share
>    path = /export/shared/profiles
>    read only = No
>    create mask = 0700
>    directory mask = 0700
>    vfs option =
>
>[netlogon]
>    comment = Startup Scripts
>    path = /export/shared/netlogon
>    vfs option =
>*** end smb.conf ***
>
>lkcl@samba.org writes:
>which version? it should be working fine.
>
>On Sun, 27 Feb 2000, Anthony Brock wrote:
>
>> We are seriously looking at using Samba in a small office, however we have
>> not been able to change anyones passwords from an NT workstation. Each
>> time we try, we get a message:
>>
>> Unable to change the password on this account (C00000BE). Please consult
>> your system administrator.
>>
>> This occurs regardless of whether we login as administrator or an
>> individual user. Does anyone know when this will be working, or is this a
>> unique problem to our configuration? We have been willing to use this
>> product since January except for this one problem. Once fixed, we would
>> are very anxious to deploy this for our network server.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.netlogon
Type: application/octet-stream
Size: 7482 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000227/4bec1763/log.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.samr
Type: application/octet-stream
Size: 2215 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000227/4bec1763/log-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.smb
Type: application/octet-stream
Size: 4497 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000227/4bec1763/log-0002.obj

From pkennedy at loudcloud.com Mon Feb 28 03:07:51 2000
From: pkennedy at loudcloud.com (Paul Kennedy)
Date: Tue Dec 2 02:28:48 2003
Subject: Problems joining a domain with a Samba-TNG PDC
Message-ID: <38B9E687.379AD63D@loudcloud.com>

I'm getting pretty frustrated trying to get a Samba PDC working with an
LDAP backend. Here's how I'm configuring my system.

I am running Samba, built --with-ldap and installed from the latest
Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST), on a host
running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
smbd, etc) required for PDC support.

[root@millstreet bin]# pdc-smb start
Starting smbd...
Starting nmbd...
Starting srvsvcd...
Starting wkssvcd...
Starting lsarpcd...
Starting samrd...
Starting netlogond...
Starting winregd...
[root@millstreet bin]#

For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
Linux host.

I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
I am trying to make a member of the domain. The Linux host (PDC ) and PC
(NT Server) are on different subnets. The Samba server's shares can be
successfully viewed from other hosts. The problems arise when I try to
add a new member to the domain.

I've followed all but the out-of-date instructions at
http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3.
In other words, I'm not using smbpasswd -m as directed there. Instead,
I'm adding workstation accounts to the /etc/passwd file on the Linux
system with /usr/sbin/useradd.

In summary:

Samba Domain name: AIRIUS
Samba PDC Hostname: MILLSTREET
NT Server: PAULPC

[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c "NT Workstation Trust Account Samba" "millstreet\$"
[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c "NT Workstation Trust Account Samba" "paulpc\$"
[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d /h/paul -c "User Account" nelson -p o9Huu26
[root@millstreet slapd-millstreet]# cat /etc/passwd | grep $:
millstreet$:x:10107:10107:NT Workstation Trust Account Samba:/home/millstreet$:/bin/false
paulpc$:x:10108:10108:NT Workstation Trust Account Samba:/home/paulpc$:/bin/false
[root@millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
nelson:x:10109:10109:User Account:/h/paul:/bin/false
[root@millstreet slapd-millstreet]#

[root@millstreet bin]# samedit -S . -U root
Added interface ip=192.168.100.62 bcast=192.168.100.255 nmask=255.255.255.0
Enter Password:
[root@.]$
[root@.]$
[root@.]$ createuser millstreet$ -j
createuser millstreet$ -j
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: millstreet$ ACB: [W ]
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
Join MILLSTREET to Domain AIRIUS
LSA_OPENSECRET: Set $MACHINE.ACC: OK
[root@.]$
[root@.]$
[root@.]$ createuser paulpc$
createuser paulpc$
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: paulpc$ ACB: [W ]
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
[root@.]$
[root@.]$
[root@.]$ createuser nelson -p o9Huu26
createuser nelson -p o9Huu26
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: nelson ACB: [U ]
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
[root@.]$

Normally the PC running NT Server is a member of a workgroup, but when I
make it a member of my AIRIUS domain, reboot and try to login to the
AIRIUS domain using the nelson credentials which I've added above, the
Linux host immediately ramps up to 100% cpu usage, and quickly reports
"too many files open" when I try to run any commands at any shell
prompt. Eventually, the NT Server logon attempt fails and a dialog is
raised containing the message "The system cannot log you on now because
the domain AIRIUS is not ".

Questions:

1) Is the above sequence of operations for joining a workstation/server
   to a domain correct ?
2) Has anyone experienced similar behaviour ?

I can post any fragments of logfiles. Here are some fragments which look
useful:

From log.lsarpc:

Changed root to /
msrpc_process: client_name: lsarpc my_name: millstreet
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENPOLICY2
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENSECRET
Doing \PIPE\lsarpc
api_rpc_command: LSA_CLOSE
policy(pnum=1 ): Closing
end of file from client
Error getting policy state
Error getting policy state
Error getting policy rid
policy(pnum=2 ): Closing
Closing connections
Server exit (normal exit)
Changed root to /
msrpc_process: client_name: lsarpc my_name: millstreet
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENPOLICY2

From log.nmb

process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13 token=ffff
process_logon_packet: Logon from 192.168.1.87: code = 7
process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87, reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff lm_20 token=ffff
wins_process_name_registration_request: Unique name registration for name AIRIUS<1d> IP 192.168.1.87
wins_process_name_registration_request: Ignoring request to register name AIRIUS<1d> from IP 192.168.1.87.
wins_process_name_registration_request: Group name registration for name __MSBROWSE__<01> IP 192.168.1.87
wins_process_name_registration_request: Adding IP 255.255.255.255 to group name __MSBROWSE__<01>.
wins_process_name_query: name query for name AIRIUS<1b> from IP 192.168.1.87
wins_process_name_query: name query for name AIRIUS<1b> returning first IP 192.168.100.62.
process_logon_packet: Logon from 192.168.1.87: code = 7
process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87, reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff lm_20 token=ffff
: Negative DNS answer for *SMBSERVER
add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP 0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
DNS calling send_wins_name_query_response
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name MILLSTREET<20> OK
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name MILLSTREET<20> OK
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name MILLSTREET<20> OK
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> from IP 192.168.100.62
wins_process_name_query: name query for name *SMBSERVER<20> returning DNS fail.
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name MILLSTREET<20> OK
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name MILLSTREET<20> OK
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> from IP 192.168.100.62
wins_process_name_query: name query for name *SMBSERVER<20> returning DNS fail.
process_name_query_request: Name query from 192.168.100.62 on subnet 192.168.100.62 for name *SMBSERVER<20>

Below is my smb.conf

[global]
    ldap suffix = "o=airius.com, o=loudcloud.com"
    ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
    ldap passwd file = /usr/local/etc/samba/private/ldappasswd
    ldap server = millstreet.loudcloud.com
    ldap port = 389
    workgroup = AIRIUS
    netbios name = MILLSTREET
    comment = Linux RedHat PDC Samba Server with LDAP backend
    security = user
    null passwords = yes
    encrypt passwords = yes
    password server = millstreet
    logon path = \\MERCURY\profiles\%G
    logon script = %U.bat
    logon drive = U:
    socket options = TCP_NODELAY
    keep alive = 60
    dead time = 30
    domain master = yes
    domain logons = yes
    wins support = yes
    name resolve order = wins lmhosts hosts bcast
    wins proxy = yes
    time server = yes
    name resolve order = wins lmhosts hosts bcast

[netlogon]
    path = /usr/local/etc/samba/netlogon
    locking = no
    writeable = yes
    comment = Net Logon share
    guest ok = no
    browseable = yes

[joffre]
    path = /tmp/samba
    locking = no
    writeable = yes
    comment = Joffre share
    guest ok = yes
    browseable = yes

From mgeddes at xavier.sa.edu.au Mon Feb 28 03:42:24 2000
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:48 2003 Subject: TNG = No local account? :) References: Message-ID: <38B9EE9F.BFC5B65F@xavier.sa.edu.au> "Scott." wrote: > > Would TNG allow me to authenticate users against a PDC even if they don't > have a local account on the samba server? the samba box is a print server > and i want anyone with an account on the PDC to be able to print. > > if not, what's the best way to do this? pam_smb/ntdom ? > > ====---- - - - - - - - - - ____ __ > Scott Fritzinger | \ | |/\ /\ > Computing Helpdesk Specialist | \| < O O > > Helpdesk: (775) 784.4320 | |\ | \o/ > Office: (775) 784.6500 x338 |__| \ ___|evada WolfPack You can have the Samba server act as a Member server. You will need a Unix account on the machine, but this can be disabled. Samba will pass all auth requests to the PDC you specify. To find out more, check out Lars Kneschke's Samba TNG FAQ (http://www.kneschke.de/projekte/samba_tng). Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From mgeddes at xavier.sa.edu.au Mon Feb 28 05:18:01 2000 From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:48 2003 Subject: TNG 0.7 and locking in configure script. Message-ID: <38BA0509.A265DAF7@xavier.sa.edu.au> Hi guys, tried compiling tng 0.7 and the configure script tells me that there is no locking available and because this is a bad thing it won't continue. It's on a RH 6.0 box that has successfully compiled every other prealpha tarball. Any ideas? Thanks, Matt P.S. I wasn't root the first time I ran the script, but when I tried again as root it did the same.... -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From yannick.thoumelin at cnes.fr Mon Feb 28 13:39:58 2000 
From: yannick.thoumelin at cnes.fr (Yannick Thoumelin - OSIATIS) Date: Tue Dec 2 02:28:48 2003 Subject: unsubscribe Message-ID: <38BA7AAE.BA3B1CBC@cnes.fr> unsubscribe -------------- next part -------------- A non-text attachment was scrubbed... Name: yannick.thoumelin.vcf Type: text/x-vcard Size: 296 bytes Desc: Card for Yannick Thoumelin - OSIATIS Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000228/a8ad148b/yannick.thoumelin.vcf From mca198 at ecs.soton.ac.uk Mon Feb 28 15:38:16 2000 From: mca198 at ecs.soton.ac.uk (Mark Cave-Ayland) Date: Tue Dec 2 02:28:48 2003 Subject: Multiple NT domains and Samba-TNG Message-ID: Hi guys, After a hard time fiddling with settings, I eventually got Samba-TNG to view as a server on the network. Huge credit to all you guys for being able to sort all this out. Now the problem is this: On the network we a have an NT server BG01 which is PDC for the BGDOMAIN domain. The Samba-TNG box is set up as ICTSERVER which is a PDC for the ICTDOMAIN domain. I can browse ICTSERVER from BG01 no problem (and vice-versa) - but I haven't had much luck with viewing user lists from ICTDOMAIN on BG01. When I use the NT User Manager and try and select ICTDOMAIN, ICTDOMAIN does not appear in the list. BUT if I type in ICTDOMAIN directly and hit OK then I get the message "Access is denied". Also, the eventlog command in rpcclient (when pointed at the NT box) doesn't seem to read back the NT event log and then typing enumusers results in a core dump. So it could be that I have set something up wrong here? Do I need to set up a domain trust relationship? I am using Samba-TNG CVSd about 2 days before the 0.6 pre-alpha release. Cheers, Mark. From wenk at s4d.ch Mon Feb 28 17:02:53 2000 
From: wenk at s4d.ch (Fabian Wenk) Date: Tue Dec 2 02:28:48 2003 Subject: Status of changing passwords from NT ... References: Message-ID: <38BAAA3D.FBB8FAC7@s4d.ch> Anthony Brock wrote: > > We are seriously looking at using Samba in a small office, however we have > not been able to change anyones passwords from an NT workstation. Each > time we try, we get a message: I have a installation of Samba 2.0.6 running as an Primary Domain Controller, and changing passwords just works fine, with WinNT and Win9x clients (change other, domain password). bye Fabian From schley at bauinf.tu-cottbus.de Tue Feb 29 01:20:41 2000 From: schley at bauinf.tu-cottbus.de (Peter Frank Schley) Date: Tue Dec 2 02:28:48 2003 Subject: subscribe Message-ID: <38BB1EE9.93DF83F0@bauinf.tu-cottbus.de> I want to subscribe to the mailing list samba-ntdom@samba.org From allan at carhart.com Mon Feb 28 19:58:41 2000 From: allan at carhart.com (Allan Carhart) Date: Tue Dec 2 02:28:48 2003 Subject: Linux as an NT CLIENT In-Reply-To: <004701bf7f19$e20b8920$39950c0a@uhc.com> Message-ID: I recently posted about this -- And I observed specifically an NT box refusing connection from the Samba box (connection at the 'join the domain' step). I also saw alerts on my NT side of illegal 'short' SMB messages. Anyone else have similar experiences? --Allan From jthomas2 at uiuc.edu Mon Feb 28 19:25:35 2000 
From: jthomas2 at uiuc.edu (Jay Thomas) Date: Tue Dec 2 02:28:48 2003 Subject: Linux as an NT CLIENT References: <004701bf7f19$e20b8920$39950c0a@uhc.com> Message-ID: <38BACBAF.632C981@uiuc.edu> Jonathan Hutchins wrote: > > On Sat, 19 Feb 2000, Jonathan Hutchins wrote: > > >> What are the critical steps in getting a Samba machine to join the > >> domain and access shares? > > And Luke Kenneth Casson Leighton rather sparsely replied: > > > pam_ntdom. > > Which migh possibly be a compile-time option? Not currently doc'ed as a > configuration keyword. > > >From the looks of the list, there are some problems with the > authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland says "I > have several samba boxes joined and authenticating to NT PDC's". > > There appears to about 1/3 of a page of documentation on this. I'd gladly > write a HOWTO if someone could take the time to elaborate a bit more. I've > got most of the rest of the functionality of an NT Client working, just need > the authenticate-from-NT part. Do you need to have a passwd file entry for each user when they authenticate of a NT-PDC? Anyone got this to work w/ HPUX 10.20 or 11? (they seem to have an older PAM version than is standard) From mbreuer at siac.com Mon Feb 28 19:53:58 2000 From: mbreuer at siac.com (Michael Breuer) Date: Tue Dec 2 02:28:48 2003 Subject: TNG 0.7 - can't join domain Message-ID: <38BAD256.47DD6EC4@siac.com> Same as 0.6 ... network password is never correct. I have log 100 & DEBUG_PASSWORD. The log claims 'null' credentials. The attempt to validate the password (smb) attempts to validate as 'root' (uid 0) from the 'null' data. Needless to say, the check fails. If anyone needs these logs (or pieces of them), let me know. From SC4211 at email.mot.com Mon Feb 28 20:12:22 2000 
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:48 2003 Subject: browser issue not solves from samba@samba.org References: <38B54C21.3D502F22@schernau.com> Message-ID: <38BAD6A6.B8B5077A@email.mot.com> Well, my issue is I have two domains also, same situation basicly. The difference is on most machines I can go "start, run, \\sambaserver" and it will pull up the sambaserver shares/printers. But on some machines if I say "start, run, \\sambaserver" it says something like "computer not found or inaccessable". But then on that same machine if MAP A network drive to "\\sambaserver\projects" or any other share, the drive will map and function correctly. It's just not able to BROWSE the shares???? Very strange.. I'm thinking it's a wins issue?? Edward Schernau wrote: > > apologies for posting here, but I've got a cross-domain > browsing problem that the reular samba list can't, so > I'm hoping you guys can help. > > I've got 2 domains, DOM1 and DOM2. DOM1 has a 3.51PDC > with a samba box running WINS. All clients point at > it. The PDC is the DMB. DOM1 has 2 subnets, linked by > the linux/samba box. All is cool in DOM1. > > DOM2 PCs and their PDC register with the samba (WINS) > server, but don't show up in network neighborhood. > "Find Computer" works. > > How do I get this combination of Samba 2.0.6 and NT > to show both domains in NN ? > > Thanks, > -- > Edward Schernau http://www.schernau.com > Network Architect mailto:ed@schernau.com > Rational Computing Providence, RI, USA -- Ryan Wyler SC4211@email.mot.com Voice: (480) 732-4318 Motorola ITSS Pager: ryan.page@monitor.sat.mot.com U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] From abrock at georgefox.edu Mon Feb 28 19:07:22 2000 
From: abrock at georgefox.edu (Anthony Brock)
Date: Tue Dec 2 02:28:48 2003
Subject: Status of changing passwords from NT ...
In-Reply-To:
Message-ID: <4.2.2.20000228130517.00a813b0@localhost>

But is this true if you're not trying to synchronize against the UNIX
passwd? If truth be told, I JUST need the password changed in the SMB
password file, NOT in /etc/passwd. However, if this is true, I will
attempt to find the correct configuration for this ... (and will try the
log 100 anyway).

Tony

At 07:50 AM 2/28/00 -0800, hulet@ittc.ukans.edu wrote:
>The problem usually lies in the passwd chat part. It took me a day to
>figure out Digital Unix 4.0D. Set your log level to 100 and try and
>change the password. The log will tell you what is going on in the chat.
>This is what ours turned out to be:
>
>passwd program = /usr/local/bin/passwd %u
>passwd chat debug = true
>passwd chat = Changing\spassword\sfor\s%u.\nNew\spassword:\s %n\n *(Checking*for*lousy*passwords...)*\n %n\n *Retype*new*passwd:*\n
>log level = 100
>
>
>Michael Hulet
>Network System Administrator
>ITTC, University of Kansas
>
>
>On Sun, 27 Feb 2000, Anthony Brock wrote:
>
> >> We are seriously looking at using Samba in a small office, however we have
> >> not been able to change anyones passwords from an NT workstation. Each
> >> time we try, we get a message:
> >>
> >> Unable to change the password on this account (C00000BE). Please consult
> >> your system administrator.
> >>
> >> This occurs regardless of whether we login as administrator or an
> >> individual user. Does anyone know when this will be working, or is this a
> >> unique problem to our configuration? We have been willing to use this
> >> product since January except for this one problem. Once fixed, we would
> >> are very anxious to deploy this for our network server.
> >>
> >> Thanks in advance,
> >>
> >> Tony
> >>

******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************

From s.striker at striker.nl Tue Feb 29 00:18:42 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:48 2003
Subject: anybody else having trouble with tng cvs, configure, and locking?
In-Reply-To:
Message-ID:

Hi,

Yep. I tracked down the problem (with some tips) to a single commit and
Luke will fix it. Try again later on.

Sander

>It's entirely possible that I've fouled something up on my machine when I
>did a rebuild, but I've done two more re-installs of RH6.1 since then, and
>can't figure it out. I did a checkout of samba tng this morning, and when I
>run configure --prefix=/opt/samba, it zips (well, ponders) through a zillion
>checks, but pukes on the check for locking. To be more specific
>'checking configure summary
>ERROR: No locking available. Running Samba would be unsafe
>configure: error: summary failure. Aborting config'
>
>Seems to me that I'm probably broken, but how? Thanks,
> Greg

From s.striker at striker.nl Tue Feb 29 00:33:05 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG configure error
In-Reply-To:
Message-ID:

Problem already solved. Damn, those slow lists are irritating...

Sander

From mgeddes at xavier.sa.edu.au Tue Feb 29 00:37:13 2000
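Added example, not part of any message in this archive: a small Python model of how a `passwd chat` value, such as the one in Anthony Brock's smb.conf earlier in this thread, is split into expect/send pairs and matched against the password program's output, which is what the log-level-100 debugging advice quoted above is meant to expose. The prompt transcripts, the user name and the passwords are constructed, and the matching rules (case-sensitive, `*` as the only wildcard, one chunk of program output per expect step) are simplifying assumptions, not smbd's own code.

```python
"""Simplified model of smb.conf 'passwd chat' handling (added example)."""
import re
from collections import namedtuple

# Escapes smb.conf documents for chat strings: \n, \r, \t and \s (space).
ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "s": " "}

# The chat value from the smb.conf posted in the thread.
THREAD_CHAT = r"*ew*password* %n\n *ew*password* %n\n *updated*"

# Constructed transcripts: what a passwd program might print before each read.
ROOT_RUN = [
    "Changing password for user alice.\nNew UNIX password: ",
    "Retype new UNIX password: ",
    "passwd: all authentication tokens updated successfully.\n",
]
NON_ROOT_RUN = [
    "Changing password for alice.\n(current) UNIX password: ",
    "New UNIX password: ",
    "Retype new UNIX password: ",
    "passwd: all authentication tokens updated successfully.\n",
]

# failed_step is the 1-based pair index (0 if none); trace never holds passwords.
ChatResult = namedtuple("ChatResult", "ok failed_step sent trace")


def parse_chat(chat):
    """Split a chat value into (expect, send) pairs of raw tokens.

    Tokens are whitespace-separated; double quotes group a token that
    contains spaces. A trailing expect with no send gets "." (send nothing).
    """
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in re.finditer(r'"([^"]*)"|(\S+)', chat)]
    if len(tokens) % 2:
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))


def expand(token, macros):
    """Apply backslash escapes, then substitute %u / %o / %n."""
    text = re.sub(r"\\([nrts])", lambda m: ESCAPES[m.group(1)], token)
    for name, value in macros.items():
        text = text.replace(name, value)
    return text


def wildcard_match(pattern, text):
    """Match text against a pattern in which '*' matches any run of characters.

    Assumption of this model: the match is case-sensitive and must cover
    the whole output read for this step.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.DOTALL) is not None


def simulate(chat, outputs, user="alice", old_pw="old-secret", new_pw="new-secret"):
    """Walk the chat against scripted program output and report where it stops."""
    macros = {"%u": user, "%o": old_pw, "%n": new_pw}
    sent, trace = [], []
    pending = iter(outputs)
    for step, (expect, send) in enumerate(parse_chat(chat), start=1):
        if expect != ".":                       # "." means expect nothing
            got = next(pending, None)
            if got is None or not wildcard_match(expand(expect, macros), got):
                trace.append(f"step {step}: expected {expect!r}, got {got!r}")
                return ChatResult(False, step, sent, trace)
            trace.append(f"step {step}: matched {expect!r}")
        if send != ".":                         # "." means send nothing
            sent.append(expand(send, macros))
            trace.append(f"step {step}: sent {send!r}")  # raw token, not the password
    return ChatResult(True, 0, sent, trace)


if __name__ == "__main__":
    for name, run in (("root", ROOT_RUN), ("non-root", NON_ROOT_RUN)):
        outcome = simulate(THREAD_CHAT, run)
        print(name, "ok" if outcome.ok else f"failed at step {outcome.failed_step}")
        print("\n".join("  " + line for line in outcome.trace))
```

The trace records the unexpanded `%n` token instead of the password; a real `passwd chat debug` log at level 100 contains the plain-text passwords, so it should be switched off and the log removed once the chat string is fixed.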
From: mgeddes at xavier.sa.edu.au (Matthew Geddes) Date: Tue Dec 2 02:28:49 2003 Subject: anybody else having trouble with tng cvs, configure, and locking? References: Message-ID: <38BB14B9.ACD142CF@xavier.sa.edu.au> Gregory Leblanc wrote: > > It's entirely possible that I've fouled something up on my machine when I > did a rebuild, but I've done two more re-installs of RH6.1 since then, and > can't figure it out. I did a checkout of samba tng this morning, and when I > run configure --prefix=/opt/samba, it zips (well, ponders) through a zillion > checks, but pukes on the check for locking. To be more specific > 'checking configure summary > ERROR: No locking available. Running Samba would be unsafe > configure: error: summary failure. Aborting config' > > Seems to me that I'm probably broken, but how? Thanks, > Greg Me three. Same problem on SuSE 6.2 and two seperate RH 6.0 boxes. I had a look further up on the reams of configure output and found that it barfs at the fcntl and 64-bit fcntl locking lines (well not really barf as such, more a line with a 'no' on the end). Matt -- "Our goal for the next release of Windows 2000 is to have zero bugs." - Lucovsky, Microsoft From vs at lasp.npi.msu.su Tue Feb 29 00:35:10 2000 From: vs at lasp.npi.msu.su (Vladimir Stavrinov) Date: Tue Dec 2 02:28:49 2003 Subject: TNG: none-stop news... In-Reply-To: Message-ID: samba-tng.0.7: checking configure summary ERROR: No locking available. Running Samba would be unsafe configure: error: summary failure. Aborting config Can't use thg for a month or more but always waiting next.. From t.nijenbrink at pink.nl Tue Feb 29 02:55:46 2000 
From: t.nijenbrink at pink.nl (Tim Nijenbrink) Date: Tue Dec 2 02:28:49 2003 Subject: amazing tng-0.6 References: Message-ID: <001201bf8260$7aa4b870$0300a8c0@ps28> I have been experiencing this problem to, and I substituted the NT username string %username% for %U. It seems to work for me. > Vladimir Stavrinov writes: > > > Luck, my congratulations! - tng got new "feature" (once more new): > > while login NT say me: "system unable to create profile > > \\samba-pdc\\profile.pds". Logon path always setting up to > > \\%L\%U\profile, but I first see this for a 2 years. It seems, like > > %U substitution not recognized when login start, but when login > > complete (with new local profile) share \\%L\%U exist. > > We have the same problem. See passdb/sampass.c, line 115. Although > user->unix_name is filled in, user->nt_name is the empty string. I do > not know why. > > The attached patch is a workaround; it uses the unix_name as if it > were the requested name (%U). This is not a correct fix (I am looking > into that now), but it does make my logon scripts and roving profiles > work again. > > - Pat > > From JasonJensen at home.com Tue Feb 29 03:41:05 2000 From: JasonJensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:49 2003 Subject: samedit connect errors Message-ID: <000801bf8266$cfe13060$0201a8c0@jason> When i run samedit i get connect errors to port 445 on ip 255.255.255.255 what is wrong? -------------- next part -------------- HTML attachment scrubbed and removed From JasonJensen at home.com Tue Feb 29 05:05:25 2000 
From: JasonJensen at home.com (Jason Jensen) Date: Tue Dec 2 02:28:49 2003 Subject: err broke Message-ID: <000a01bf8272$969df480$0201a8c0@trt.cx> ok.. using rpcclient i could not only add all the trust account and users.. but i could join the domain SAMBA with win2k.. but i can't access ANY file shares. NOT ONE.. not even share listing.. NOTHING.. seems like smb is broke.. can anyone conferm this? I also do NOT have administrator privleges on my workstation..?? i don't know why! my user temper is part of the "Domain Admins" group. -------------- next part -------------- HTML attachment scrubbed and removed From lkcl at samba.org Tue Feb 29 06:52:50 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: amazing tng-0.6
In-Reply-To:
Message-ID:

it means that the very broken, i wish i'd never WRITTEN the damn code,
lib/domain_namemap.c module, is not working.

fix or replace that, the problem goes away.

nt_name should never be blank.

On Tue, 29 Feb 2000, Patrick J. LoPresti wrote:

> Vladimir Stavrinov writes:
>
> > Luck, my congratulations! - tng got new "feature" (once more new):
> > while login NT say me: "system unable to create profile
> > \\samba-pdc\\profile.pds". Logon path always setting up to
> > \\%L\%U\profile, but I first see this for a 2 years. It seems, like
> > %U substitution not recognized when login start, but when login
> > complete (with new local profile) share \\%L\%U exist.
>
> We have the same problem. See passdb/sampass.c, line 115. Although
> user->unix_name is filled in, user->nt_name is the empty string. I do
> not know why.
>
> The attached patch is a workaround; it uses the unix_name as if it
> were the requested name (%U). This is not a correct fix (I am looking
> into that now), but it does make my logon scripts and roving profiles
> work again.
>
> - Pat
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 06:58:49 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: amazing tng-0.6
In-Reply-To:
Message-ID:

> OK, the problem is that the "nt_name" field is never being filled in
> at all in the sam_passwd structure used by getsamfile21pwent().
>
> This structure is created by sampassdb.c:pwdb_smb_to_sam(), which
> inherits the nt_name value from the same field in the smb_passwd
> structure returned by smbpass.c:getsmbfilepwent().
>
> Since "nt_name" is never explicitly assigned in any of these places,
> it is not available for the %U substitution, so the empty string gets
> substituted instead.
>
> I think the right solution is to arrange for nt_name to be set
> correctly, but I do not know the right way to do that. Luke?

lookupsmbpwnam() or lookupsmbpwuid() etc, in lib/domain_namemap.c, should be filling ALL the parameters, uid, gid, unix_name, nt_name, in correctly. that's their xxxxing job!!! that's their sole, stupid, expensive task in life, and i'm fed up with that damn code. it's responsible for order-n-cubed traversion of user lists, recursive black holes and infinite loops. i hate it.

and i don't really yet have a good enough handle on what to do to be confident about replacing it. and that's after two years thinking about this, on-and-off, and one previous unsuccessful idea (present in the first version, from which 2.0.x was cut, and not removed from the release, against my advice).

From lkcl at samba.org Tue Feb 29 07:02:58 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: Linux as an NT CLIENT
In-Reply-To: <0846B011B9A4D111A1EE006097DA4FCE02F81344@icex1.cc.ic.ac.uk>
Message-ID:

On Tue, 29 Feb 2000, Mayers, P J wrote:

> Do you mean at login: prompt time? In which case, if your system supports
> pam, you can use pam_ntdom (hence luke's rather sparse reply).
>
> If not, you might want to investigate smb-agent, which does the same thing
> as ssh-agent - i.e. caches passwords. I don't know if pam_ntdom is
> integrated with smb-agent (if it were, it would give you single signon) but

no it's not. actually, what smb-agent does is to cache _connections_ (smb connections) on a per-user basis. if the smb agent already has an SMB connection outstanding, it is reused. the agent deals with the multiplexing automatically.

> But you need to be clear exactly what you mean, and how you're making Linux
> an NT client.

yes.

> Again, I don't know the state of integration between smb-agent, pam_ntdom
> and smbsh. Luke?

all untested.

From lkcl at samba.org Tue Feb 29 07:05:05 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: Re(2): Status of changing passwords from NT ...
In-Reply-To:
Message-ID:

ok, yes: i found a few problems with password changing, and fixed them.

On Tue, 29 Feb 2000, Anthony Brock wrote:

> This occurs with every version we have updated to since I started looking
> at the SAMBA_TNG branch. The latest test was against CVS last Friday. I
> am including my smb.conf file below for reference.
>
> Just for confirmation, I will update against CVS again in a few minutes,
> and see if it works. The command I use to update with is:
>
> cvs update -r SAMBA_TNG -P -d
>
> Let me know if you have any thoughts.
>
> Tony
>
> *** include smb.conf ***
> # Samba config file created using SWAT
> # from host1.scg.com (10.0.0.2)
> # Date: 2000/02/25 19:15:30
>
> # Global parameters
> workgroup = IT
> netbios name = WEB SERVER
> server string = Samba Server
> interfaces = 10.0.0.10/24
> encrypt passwords = Yes
> passwd chat = *ew*password* %n\n *ew*password* %n\n *updated*
> syslog = 0
> max log size = 50
> timestamp logs = Yes
> time server = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain group map = /opt/samba-tng/lib/domaingroup.map
> domain user map = /opt/samba-tng/lib/domainuser.map
> logon script = startup.bat
> logon drive = H:
> domain logons = Yes
> os level = 34
> preferred master = True
> domain master = True
> dns proxy = No
> wins support = Yes
> vfs option =
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
> vfs option =
>
> [profiles]
> comment = Profile Share
> path = /export/shared/profiles
> read only = No
> create mask = 0700
> directory mask = 0700
> vfs option =
>
> [netlogon]
> comment = Startup Scripts
> path = /export/shared/netlogon
> vfs option =
> *** end smb.conf ***
>
> lkcl@samba.org writes:
> >which version? it should be working fine.
> >
> >On Sun, 27 Feb 2000, Anthony Brock wrote:
> >
> >> We are seriously looking at using Samba in a small office, however we
> >have
> >> not been able to change anyone's passwords from an NT workstation. Each
> >> time we try, we get a message:
> >>
> >> Unable to change the password on this account (C00000BE). Please consult
> >> your system administrator.
> >>
> >> This occurs regardless of whether we login as administrator or an
> >> individual user. Does anyone know when this will be working, or is
> >this a
> >> unique problem to our configuration? We have been willing to use this
> >> product since January except for this one problem. Once fixed, we would
> >> are very anxious to deploy this for our network server.
> >
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 07:06:40 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: Fwd: Re(2): Status of changing passwords from NT ...
In-Reply-To:
Message-ID:

ok, i lied: i tested it with rpcclient, which is not the same thing :)

i will try with 2.0.x rpcclient (next best thing) -- actually, i _can't_ do that because SAMBA_2_0 rpcclient is broken, it will have to be cvs main rpcclient.

On Tue, 29 Feb 2000, Anthony Brock wrote:

> Okay, I just tried it again, and received the following message:
>
> The User name or old password is incorrect. Letters in passwords must be
> typed using the correct case. Make sure that Caps Lock is not
> accidentally on.
>
> Hurrah! This is the first time I have received a different message in
> several months. However, it is obviously still not functioning correctly.
> This is against a CVS update around 1:59 pm PST today.
>
> I am positive I am using the correct username (administrator, in this
> case) since NT 4.0 fills this parameter in automatically, as well as the
> domain. The password is the same I just used to log in to the domain
> with, and it allowed me access. I have even logged in and out twice to be
> sure I am using the correct password (and Caps Lock is off).
>
> The workstation is an Intel NT 4.0 Workstation with Service Pack 6a
> applied.
>
> I am attaching the log files from my RedHat 6.1 box in case they are of any
> use.
>
> Tony
>
> >This occurs with every version we have updated to since I started looking
> >at the SAMBA_TNG branch. The latest test was against CVS last Friday. I
> >am including my smb.conf file below for reference.
> >
> >Just for confirmation, I will update against CVS again in a few minutes,
> >and see if it works. The command I use to update with is:
> >
> >cvs update -r SAMBA_TNG -P -d
> >
> >Let me know if you have any thoughts.
> >
> >Tony
> >
> >*** include smb.conf ***
> ># Samba config file created using SWAT
> ># from host1.scg.com (10.0.0.2)
> ># Date: 2000/02/25 19:15:30
> >
> ># Global parameters
> > workgroup = IT
> > netbios name = WEB SERVER
> > server string = Samba Server
> > interfaces = 10.0.0.10/24
> > encrypt passwords = Yes
> > passwd chat = *ew*password* %n\n *ew*password* %n\n *updated*
> > syslog = 0
> > max log size = 50
> > timestamp logs = Yes
> > time server = Yes
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > domain group map = /opt/samba-tng/lib/domaingroup.map
> > domain user map = /opt/samba-tng/lib/domainuser.map
> > logon script = startup.bat
> > logon drive = H:
> > domain logons = Yes
> > os level = 34
> > preferred master = True
> > domain master = True
> > dns proxy = No
> > wins support = Yes
> > vfs option =
> >
> >[homes]
> > comment = Home Directories
> > read only = No
> > browseable = No
> > vfs option =
> >
> >[profiles]
> > comment = Profile Share
> > path = /export/shared/profiles
> > read only = No
> > create mask = 0700
> > directory mask = 0700
> > vfs option =
> >
> >[netlogon]
> > comment = Startup Scripts
> > path = /export/shared/netlogon
> > vfs option =
> >*** end smb.conf ***
> >
> >lkcl@samba.org writes:
> >which version? it should be working fine.
> >
> >On Sun, 27 Feb 2000, Anthony Brock wrote:
> >
> >> We are seriously looking at using Samba in a small office, however we
> >have
> >> not been able to change anyone's passwords from an NT workstation. Each
> >> time we try, we get a message:
> >>
> >> Unable to change the password on this account (C00000BE). Please consult
> >> your system administrator.
> >>
> >> This occurs regardless of whether we login as administrator or an
> >> individual user. Does anyone know when this will be working, or is
> >this a
> >> unique problem to our configuration? We have been willing to use this
> >> product since January except for this one problem. Once fixed, we would
> >> are very anxious to deploy this for our network server.
> >
> >

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 07:09:23 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: Problems joining a domain with a Samba-TNG PDC
In-Reply-To: <38B9E687.379AD63D@loudcloud.com>
Message-ID:

paul,

the passdb/ code is probably going recursive / infinite loop black hole because of lib/domain_namemap.c

check that there are no duplicate names in users and groups that could cause domain_namemap to go recursive. either rename, remove or remap them ("domain group/alias/user/builtin map").

On Tue, 29 Feb 2000, Paul Kennedy wrote:

> I'm getting pretty frustrated trying to get a Samba PDC working with an
> LDAP backend. Here's how I'm configuring my system.
>
> I am running Samba, built --with-ldap and installed from the latest
> Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST) , on a host
> running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
> millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
> smbd, etc) required for PDC support.
>
> [root@millstreet bin]# pdc-smb start
> Starting smbd...
> Starting nmbd...
> Starting srvsvcd...
> Starting wkssvcd...
> Starting lsarpcd...
> Starting samrd...
> Starting netlogond...
> Starting winregd...
> [root@millstreet bin]#
>
> For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
> Linux host.
>
> I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
> I am trying to make a member of the domain.
>
> The Linux host (PDC ) and PC (NT Server) are on different subnets.
>
> The Samba server's shares can be successfully viewed from other hosts.
> The problems arise when I try to add a new member to the domain.
>
> I've followed all but the out-of-date instructions at
> http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3. In
> other words, I'm not using smbpasswd -m as directed there. Instead, I'm
> adding workstation accounts to the /etc/passwd file on the Linux system
> with /usr/sbin/useradd.
>
> In summary:
> Samba Domain name: AIRIUS
> Samba PDC Hostname: MILLSTREET
> NT Server: PAULPC
>
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> "NT Workstation Trust Account Samba" "millstreet\$"
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> "NT Workstation Trust Account Samba" "paulpc\$"
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d
> /h/paul -c "User Account" nelson -p o9Huu26
> [root@millstreet slapd-millstreet]# cat /etc/passwd | grep $:
> millstreet$:x:10107:10107:NT Workstation Trust Account
> Samba:/home/millstreet$:/bin/false
> paulpc$:x:10108:10108:NT Workstation Trust Account
> Samba:/home/paulpc$:/bin/false
> [root@millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
> nelson:x:10109:10109:User Account:/h/paul:/bin/false
> [root@millstreet slapd-millstreet]#
>
>
> [root@millstreet bin]# samedit -S . -U root
> Added interface ip=192.168.100.62 bcast=192.168.100.255
> nmask=255.255.255.0
> Enter Password:
> [root@.]$
> [root@.]$
> [root@.]$ createuser millstreet$ -j
> createuser millstreet$ -j
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: millstreet$ ACB: [W ]
> socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> Join MILLSTREET to Domain AIRIUS
> LSA_OPENSECRET:
> Set $MACHINE.ACC: OK
> [root@.]$
> [root@.]$
> [root@.]$ createuser paulpc$
> createuser paulpc$
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: paulpc$ ACB: [W ]
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> [root@.]$
> [root@.]$
> [root@.]$ createuser nelson -p o9Huu26
> createuser nelson -p o9Huu26
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: nelson ACB: [U ]
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> [root@.]$
>
> Normally the PC running NT Server is a member of a workgroup, but when I
> make it a member of my AIRIUS domain, reboot and try to login to the
> AIRIUS domain using the nelson credentials which I've added above, the
> Linux host immediately ramps up to 100% cpu usage, and quickly reports
> "too many files open" when I try to run any commands at any shell
> prompt. Eventually, the NT Server logon attempt fails and a dialog is
> raised containing the message "The system cannot log you on now because
> the domain AIRIUS is not ".
>
> Questions:
>
> 1) Is the above sequence of operations for joining a workstation/server
> to a domain correct ?
>
> 2) Has anyone experienced similar behaviour ?
>
> I can post any fragments of logfiles. Here are some fragments which look
> useful:
>
> From log.lsarpc:
>
> Changed root to /
> msrpc_process: client_name: lsarpc my_name: millstreet
> api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENPOLICY2
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENSECRET
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_CLOSE
> policy(pnum=1 ): Closing
> end of file from client
> Error getting policy state
> Error getting policy state
> Error getting policy rid
> policy(pnum=2 ): Closing
> Closing connections
> Server exit (normal exit)
> Changed root to /
> msrpc_process: client_name: lsarpc my_name: millstreet
> api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENPOLICY2
>
>
> From log.nmb
>
> process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
> PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
> token=ffff
> process_logon_packet: Logon from 192.168.1.87: code = 7
> process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> lm_20 token=ffff
> wins_process_name_registration_request: Unique name registration for
> name AIRIUS<1d> IP 192.168.1.87
> wins_process_name_registration_request: Ignoring request to register
> name AIRIUS<1d> from IP
> 192.168.1.87.wins_process_name_registration_request: Group name
> registration for name __MSBROWSE__<01> IP 192.168.1.87
> wins_process_name_registration_request: Adding IP 255.255.255.255 to
> group name __MSBROWSE__<01>.
> wins_process_name_query: name query for name AIRIUS<1b> from IP
> 192.168.1.87
> wins_process_name_query: name query for name AIRIUS<1b> returning first
> IP 192.168.100.62.
> process_logon_packet: Logon from 192.168.1.87: code = 7
> process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> lm_20 token=ffff
>
> : Negative DNS answer for *SMBSERVER
> add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP
> 0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
> DNS calling send_wins_name_query_response
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
> wins_process_name_query: name query for name *SMBSERVER<20> from IP
> 192.168.100.62
> wins_process_name_query: name query for name *SMBSERVER<20> returning
> DNS fail.
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
> wins_process_name_query: name query for name *SMBSERVER<20> from IP
> 192.168.100.62
> wins_process_name_query: name query for name *SMBSERVER<20> returning
> DNS fail.
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
>
>
>
> Below is my smb.conf
>
> [global]
> ldap suffix = "o=airius.com, o=loudcloud.com"
> ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement,
> o=NetscapeRoot"
> ldap passwd file = /usr/local/etc/samba/private/ldappasswd
> ldap server = millstreet.loudcloud.com
> ldap port = 389
>
> workgroup = AIRIUS
> netbios name = MILLSTREET
> comment = Linux RedHat PDC Samba Server with LDAP backend
> security = user
> null passwords = yes
> encrypt passwords = yes
> password server = millstreet
>
> logon path = \\MERCURY\profiles\%G
> logon script = %U.bat
> logon drive = U:
>
> socket options = TCP_NODELAY
> keep alive = 60
> dead time = 30
>
> domain master = yes
> domain logons = yes
>
> wins support = yes
> name resolve order = wins lmhosts hosts bcast
> wins proxy = yes
>
> time server = yes
>
> name resolve order = wins lmhosts hosts bcast
>
> [netlogon]
> path = /usr/local/etc/samba/netlogon
> locking = no
> writeable = yes
> comment = Net Logon share
> guest ok = no
> browseable = yes
>
> [joffre]
> path = /tmp/samba
> locking = no
> writeable = yes
> comment = Joffre share
> guest ok = yes
> browseable = yes
>
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 07:19:11 2000
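The reply above advises checking for names that are used by both a user and a group. One way to run that check over passwd- and group-format files, as an added example (not code from the thread or from Samba-TNG). The sample files are constructed and modelled on the accounts in Paul's post; the same-named groups and the mixed-case `Admin` account are assumptions, and names are compared case-insensitively because NT account names are.

```shell
#!/bin/sh
# Added example: report account names that occur more than once across a
# passwd-format file and a group-format file. Names are folded to lower
# case before comparison because NT account names are case-insensitive.

# find_name_collisions PASSWD_FILE GROUP_FILE
# Prints one line per colliding name: "<folded name><TAB><kind:name,...>"
find_name_collisions() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        $1 ~ /^[+-]/   { next }      # skip NIS compat entries
        {
            kind  = (FILENAME == ARGV[1]) ? "user" : "group"
            key   = tolower($1)
            entry = kind ":" $1
            if (count[key]++)
                seen[key] = seen[key] "," entry
            else
                seen[key] = entry
        }
        END {
            for (k in count)
                if (count[k] > 1)
                    print k "\t" seen[k]
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# write_sample_files DIR
# Constructed sample data. The passwd lines follow the accounts quoted in
# the post; the group file is an assumption (same-named private groups).
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
millstreet$:x:10107:10107:NT Workstation Trust Account Samba:/home/millstreet$:/bin/false
paulpc$:x:10108:10108:NT Workstation Trust Account Samba:/home/paulpc$:/bin/false
nelson:x:10109:10109:User Account:/h/paul:/bin/false
Admin:x:10110:100:Constructed mixed-case account:/home/admin:/bin/false
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
users:x:100:
millstreet$:x:10107:
paulpc$:x:10108:
nelson:x:10109:
admin:x:10111:
EOF
}

# Stand-alone demonstration on the constructed files.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
find_name_collisions "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

Pointed at the real passwd and group files on the PDC, every line it prints is a candidate for the rename, remove or remap step.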
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: Multiple NT domains and Samba-TNG
In-Reply-To:
Message-ID:

1) cvs update -- always. a report for something that is out-of-date by more than about... four hours is almost always _also_ out-of-date.

2) do a net use \\thesambaserver\ipc$ /user:THESAMBASERVERSDOMAIN\anadminaccountonthesamadomain

this will allow running usrmgr from another domain to succeed.

3) no, trust relationships aren't exactly working properly (due to the use of a SURS algorithm that doesn't support anything more than its own domain) try it, you might get lucky...

On Tue, 29 Feb 2000, Mark Cave-Ayland wrote:

> Hi guys,
>
> After a hard time fiddling with settings, I eventually got Samba-TNG to
> view as a server on the network. Huge credit to all you guys for being
> able to sort all this out.
>
> Now the problem is this: On the network we a have an NT server BG01 which
> is PDC for the BGDOMAIN domain. The Samba-TNG box is set up as ICTSERVER
> which is a PDC for the ICTDOMAIN domain.
>
> I can browse ICTSERVER from BG01 no problem (and vice-versa) - but I
> haven't had much luck with viewing user lists from ICTDOMAIN on BG01. When
> I use the NT User Manager and try and select ICTDOMAIN, ICTDOMAIN does not
> appear in the list. BUT if I type in ICTDOMAIN directly and hit OK then I
> get the message "Access is denied". Also, the eventlog
> command in rpcclient (when pointed at the NT box) doesn't seem to read
> back the NT event log and then typing enumusers results in a core dump. So
> it could be that I have set something up wrong here? Do I need to set up a
> domain trust relationship?
>
> I am using Samba-TNG CVSd about 2 days before the 0.6 pre-alpha release.
>
> Cheers,
>
> Mark.
>
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lk at netuse.de Tue Feb 29 07:22:26 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 and locking in configure script.
References: <38BA0509.A265DAF7@xavier.sa.edu.au>
Message-ID: <38BB73B2.904F9EC6@netuse.de>

Matthew Geddes wrote:
>
> Hi guys,
>
> tried compiling tng 0.7 and the configure script tells me that there is
> no locking available and because this is a bad thing it won't continue.
> It's on a RH 6.0 box that has successfully compiled every other prealpha
> tarball.

Watch my email about the bug in configure, that's also your problem!

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lkcl at samba.org Tue Feb 29 07:28:32 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: <38BAD256.47DD6EC4@siac.com>
Message-ID:

you don't explain the exact procedure you are using.

null

On Tue, 29 Feb 2000, Michael Breuer wrote:

> Same as 0.6 ... network password is never correct. I have log 100 &
> DEBUG_PASSWORD. The log claims 'null' credentials. The attempt to
> validate the password (smb) attempts to validate as 'root' (uid 0)
> from the 'null' data. Needless to say, the check fails. If anyone
> needs these logs (or pieces of them), let me know.

1) do you have a "root" account in the smbpasswd file?

2) are you using it in the network control panel?

explain the exact procedure (i.e a series of steps you use to join the domain) otherwise there's nothing anyone can do to help you, we can only save or delete your message.

please, people, be more specific. time and time and time and time again, i have to repeat and repeat and repeat this: if your report doesn't contain specific instructions and information, it's completely useless.

"i can't join the domain".

well, which domain?

how does it not join?

how are you _attempting_ to join?

did you type the username / password in the network control panel dialog?

did you know that you should do this?

does the trust account already exist?

does the unix account (myworkstation$) exist?

are you using ldap, smbpasswd or samtdb or mysql or nt5ldap as the password back-end?

these are just a _few_ of the issues i can think of when someone says, "i can't join the domain", and i'm really sorry, michael, it's nothing personal, but it's really exasperating to be repeating this quite so many times [a day]. after three years, i'd have thought people would get it by now.

never mind, please don't take this personally: i'm a little bit... hmmm... stressed isn't quite the word. transitional phase coming up, reduced tolerance levels.

sorry ppl.

luke

From lk at netuse.de Tue Feb 29 09:30:35 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:49 2003
Subject: FW: TNG configure error
References:
Message-ID: <38BB91BB.64D6D31B@netuse.de>

Sander Striker wrote:
>
> Oops, forgot to paste in the error:
>
> checking configure summary
> ERROR: No locking available. Running Samba would be unsafe
> configure: error: summary failure. Aborting config
>
> Hi,
>
> I just did a fresh cvs checkout this morning, but I get a configure error
> that wasn't present before. A few days ago everything configured/compiled
> fine. I didn't do any modifications to my system.
> I'm running RH6.0, kernel 2.2.14.

Hello Sander!

currently i checkout old samba tng versions, to see where the error was first seen. It was between 25. and 27 february. I think i'll find the bug soon.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From isyn at isi.wat.waw.pl Tue Feb 29 11:31:47 2000
From: isyn at isi.wat.waw.pl (isyn@isi.wat.waw.pl)
Date: Tue Dec 2 02:28:49 2003
Subject: Browser problems...?
Message-ID:

Does Windows NT running in my net can make any browser problems.
I have Linux Samba server and stations with Win95 and WIN NT, and of course I have problems:)

--
ROBERT MAGIER

From p.mayers at ic.ac.uk Tue Feb 29 12:15:38 2000
From: p.mayers at ic.ac.uk (Mayers, P J)
Date: Tue Dec 2 02:28:49 2003
Subject: Linux as an NT CLIENT
Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F8134B@icex1.cc.ic.ac.uk>

Yes, still need a passwd/NIS entry. IIRC there was something under development called winbind, which is the equivalent for ypbind for an NT domain, rather than NIS. Very nice. But it was dependent on SURS, and hence probably TNG. Again, I don't know the progress. Luke?

Cheers,
Phil

-----Original Message-----
From: Jay Thomas
To: Multiple recipients of list SAMBA-NTDOM
Sent: 2/29/00 1:01 AM
Subject: Re: Linux as an NT CLIENT

Jonathan Hutchins wrote:
>
> On Sat, 19 Feb 2000, Jonathan Hutchins wrote:
>
> >> What are the critical steps in getting a Samba machine to join the
> >> domain and access shares?
>
> And Luke Kenneth Casson Leighton rather sparsely replied:
>
> > pam_ntdom.
>
> Which might possibly be a compile-time option? Not currently doc'ed as a
> configuration keyword.
>
> From the looks of the list, there are some problems with the
> authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland says "I
> have several samba boxes joined and authenticating to NT PDC's".
>
> There appears to be about 1/3 of a page of documentation on this. I'd gladly
> write a HOWTO if someone could take the time to elaborate a bit more. I've
> got most of the rest of the functionality of an NT Client working, just need
> the authenticate-from-NT part.

Do you need to have a passwd file entry for each user when they authenticate of a NT-PDC? Anyone got this to work w/ HPUX 10.20 or 11? (they seem to have an older PAM version than is standard)

From p.mayers at ic.ac.uk Tue Feb 29 12:18:48 2000
From: p.mayers at ic.ac.uk (Mayers, P J)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG = No local account? :)
Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F8134C@icex1.cc.ic.ac.uk>

No, you still need local user account (in NIS, or /etc/passwd), unless you use the "create user" script command (or something like that - can't remember the exact name). This will get samba to call a particular script to dynamically create users on the unix machine. Kind-of neat.

Cheers,
Phil

-----Original Message-----
From: Matthew Geddes
To: Multiple recipients of list SAMBA-NTDOM
Sent: 2/29/00 12:46 AM
Subject: Re: TNG = No local account? :)

"Scott." wrote:
>
> Would TNG allow me to authenticate users against a PDC even if they don't
> have a local account on the samba server? the samba box is a print server
> and i want anyone with an account on the PDC to be able to print.
>
> if not, what's the best way to do this? pam_smb/ntdom ?
>
> ====---- - - - - - - - - - ____ __
> Scott Fritzinger | \ | |/\ /\
> Computing Helpdesk Specialist | \| < O O >
> Helpdesk: (775) 784.4320 | |\ | \o/
> Office: (775) 784.6500 x338 |__| \ ___|evada WolfPack

You can have the Samba server act as a Member server. You will need a Unix account on the machine, but this can be disabled. Samba will pass all auth requests to the PDC you specify. To find out more, check out Lars Kneschke's Samba TNG FAQ (http://www.kneschke.de/projekte/samba_tng).

Matt

--
"Our goal for the next release of Windows 2000 is to have zero bugs."
- Lucovsky, Microsoft

From joachim at additive-net.de Tue Feb 29 12:34:23 2000
From: joachim at additive-net.de (Joachim Gabbert)
Date: Tue Dec 2 02:28:49 2003
Subject: subscribe
Message-ID: <4.2.2.20000229133233.00aac5a0@atlas.rz.additive-net.de>

subscribe

------------------------------------------------------
ADDITIVE GmbH Tel: +49-6172-5905-25
Rohrwiesenstrasse 2 Fax: +49-6172-77613
61381 Friedrichsdorf v.d.H http://www.additive-net.de
------------------------------------------------------

From lk at netuse.de Tue Feb 29 14:10:03 2000
From: lk at netuse.de (Lars Kneschke)
Date: Tue Dec 2 02:28:49 2003
Subject: anybody else having trouble with tng cvs, configure, and locking?
References: <38BB14B9.ACD142CF@xavier.sa.edu.au>
Message-ID: <38BBD33B.789D15E7@netuse.de>

Matthew Geddes wrote:
>
> Gregory Leblanc wrote:
> >
> > It's entirely possible that I've fouled something up on my machine when I
> > did a rebuild, but I've done two more re-installs of RH6.1 since then, and
> > can't figure it out. I did a checkout of samba tng this morning, and when I
> > run configure --prefix=/opt/samba, it zips (well, ponders) through a zillion
> > checks, but pukes on the check for locking. To be more specific
> > 'checking configure summary
> > ERROR: No locking available. Running Samba would be unsafe
> > configure: error: summary failure. Aborting config'
> >
> > Seems to me that I'm probably broken, but how? Thanks,
> > Greg
>
> Me three. Same problem on SuSE 6.2 and two separate RH 6.0 boxes. I had
> a look further up on the reams of configure output and found that it
> barfs at the fcntl and 64-bit fcntl locking lines (well not really barf
> as such, more a line with a 'no' on the end).

There was a bug in the configure script. The configure script wants to evaluate "$CPP $CPPFLAGS test.c". But $CPP and $CPPFLAGS were empty. And shells can't execute test.c. That's why the test had failed.

Cu
--
Lars Kneschke
NetUSE Kommunikationstechnologie GmbH
Siemenswall, D-24107 Kiel, Germany
Fon: +49 431 386435 00 -- Fax: +49 431 386435 99

From lauffer at ph-freiburg.de Tue Feb 29 14:25:33 2000
From: lauffer at ph-freiburg.de (Stephan Lauffer)
Date: Tue Dec 2 02:28:49 2003
Subject: Browser problems...?
In-Reply-To:
Message-ID:

Hi Robert!

> Does Windows NT running in my net can make any browser problems.
> I have Linux Samba server and stations with Win95 an WIN NT, and of course
> I have problems:)

I need a little bit more infos. Indeed, there could be problems. It's always a good idea if you'll add the global section of samba to your mail and describe the network config.

In special cases the logfiles from nmbd were needed.

Liebe Gruesse, Stephan Lauffer

[ Paedagogische Hochschule Freiburg - Systemtechnik - Germany ]
[ Abteilung ZIK: WWW ]
[ Tel.: 0761 - 682 447 Mobil: 0172 - 7145 197 ]

From mbreuer at siac.com Tue Feb 29 14:48:20 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
References:
Message-ID: <38BBDC34.13082BB2@siac.com>

Ok... sorry. First, let me note that with the same machines & configuration I was able to join the domain in 0.5. That said...

I installed 0.7 and selected "network identity" on a W2K workstation. I entered the name of the samba domain and hit "OK." When prompted for the userid/password of a user authorized to join the machine to the domain, I entered the samba administrator id and password (Administrator). According to the logs, the "credentials" were 'null' and the ID mapped to root (uid=0). I tried a different account (also with administrator access to both the ws and samba --- and with same passwords). Same message. For fun, I added "root" to smbpasswd (with samedit) and set the password to match the root password of the unix system. Also no luck.

Luke Kenneth Casson Leighton wrote:

> you don't explain the exact procedure you are using. null
>
> On Tue, 29 Feb 2000, Michael Breuer wrote:
>
> > Same as 0.6 ... network password is never correct. I have log 100 &
> > DEBUG_PASSWORD. The log claims 'null' credentials. The attempt to
> > validate the password (smb) attempts to validate as 'root' (uid 0)
> > from the 'null' data. Needless to say, the check fails. If anyone
> > needs these logs (or pieces of them), let me know.
>
> 1) do you have a "root" account in the smbpasswd file?
>
> 2) are you using it in the network control panel?
>
> explain the exact procedure (i.e a series of steps you use to join the
> domain) otherwise there's nothing anyone can do to help you, we can only
> save or delete your message.
>
> please, people, be more specific. time and time and time and time again,
> i have to repeat and repeat and repeat this: if your report doesn't
> contain specific instructions and information, it's completely useless.
>
> "i can't join the domain".
>
> well, which domain?
>
> how does it not join?
>
> how are you _attempting_ to join?
>
> did you type the username / password in the network control panel dialog?
>
> did you know that you should do this?
>
> does the trust account already exist?
>
> does the unix account (myworkstation$) exist?
>
> are you using ldap, smbpasswd or samtdb or mysql or nt5ldap as the
> password back-end?
>
> these are just a _few_ of the issues i can think of when someone says, "i
> can't join the domain", and i'm really sorry, michael, it's nothing
> personal, but it's really exasperating to be repeating this quite so many
> times [a day]. after three years, i'd have thought people would get it by
> now.
>
> never mind, please don't take this personally: i'm a little bit... hmmm...
> stressed isn't quite the word. transitional phase coming up, reduced
> tolerance levels.
>
> sorry ppl.
>
> luke

From mca198 at ecs.soton.ac.uk Tue Feb 29 15:03:34 2000
From: mca198 at ecs.soton.ac.uk (Mark Cave-Ayland) Date: Tue Dec 2 02:28:49 2003 Subject: Multiple NT domains and Samba-TNG In-Reply-To: Message-ID: On Wed, 1 Mar 2000, Luke Kenneth Casson Leighton wrote: > 1) cvs update -- always. a report for something that is out-of-date by > more than about... four hours is almost always _also_ out-of-date. Have just done that..... > 2) do a net use \\thesambaserver\ipc$ > /user:THESAMBASERVERSDOMAIN\anadminaccountonthesamadomain Before the CVS update, this returned "The command completed succesfully" but I still got the "Access Denied" message in User Manager. After the CVS update: NT returns "System Error 240 occured. The request was cancelled" In fact, now I can't browse the domain at all.... typing in \\ictserver into the run box prompts me with a dialog box saying "Unknown username or incorrect password". Typing in my SMB username and password does nothing and keeps bringing the dialog box up. Going back to the Samba-TNG box: smbclient //ictserver/test -U mca gives the error "session request setup failed". I think I've done something very wrong here.... > 3) no, trust relationships aren't exactly working properly (due to the use > of a SURS algorithm that doesn't support anything more than its own > domain) try it, you might get lucky... Haven't looked into this yet. Cheers, Mark. From lkcl at samba.org Tue Feb 29 16:51:13 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:49 2003 Subject: err broke In-Reply-To: <000a01bf8272$969df480$0201a8c0@trt.cx> Message-ID: On Wed, 1 Mar 2000, Jason Jensen wrote: > ok.. using rpcclient i could not only add all the trust account and > users.. but i could join the domain SAMBA with win2k.. but i can't > access ANY file shares. NOT ONE.. not even share listing.. NOTHING.. > seems like smb is broke.. can anyone conferm this? I also do NOT have > administrator privleges on my workstation..?? i don't know why! my > user temper is part of the "Domain Admins" group. uhhh.... hmmm... ok, i have a root problem. i.e if the user logging in isn't root, you can't log in. oops! From lkcl at samba.org Tue Feb 29 16:56:25 2000 From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:49 2003 Subject: Linux as an NT CLIENT In-Reply-To: <0846B011B9A4D111A1EE006097DA4FCE02F8134B@icex1.cc.ic.ac.uk> Message-ID: On Wed, 1 Mar 2000, Mayers, P J wrote: > Yes, still need a passwd/NIS entry. IIRC there was something under > development called winbind, which is the equivalent for ypbind for an NT > domain, rather than NIS. Very nice. But it was dependent on SURS, and hence > probably TNG. Again, I don't know the progress. yeah, tim's working on it. actually, absolutely _Everything_ is dependent on a decent SURS implementation, and we don't have one. and no, dammit, the current one _isn't_ good enough. however, as i was explaining to tim (it took a couple of days, and his code got a _lot_ simpler when he got it), it's not the responsibility of samba, pam_ntdom, pam_smb, winbind, pam_smbpass, or anything BUT surs itself to solve the problem of mapping uids/gids and sids. luke > > -----Original Message----- 
> From: Jay Thomas > To: Multiple recipients of list SAMBA-NTDOM > Sent: 2/29/00 1:01 AM > Subject: Re: Linux as an NT CLIENT > > Jonathan Hutchins wrote: > > > > On Sat, 19 Feb 2000, Jonathan Hutchins wrote: > > > > >> What are the critical steps in getting a Samba machine to join the > > >> domain and access shares? > > > > And Luke Kenneth Casson Leighton rather sparsely > replied: > > > > > pam_ntdom. > > > > Which migh possibly be a compile-time option? Not currently doc'ed as > a > > configuration keyword. > > > > >From the looks of the list, there are some problems with the > > authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland > says "I > > have several samba boxes joined and authenticating to NT PDC's". > > > > There appears to about 1/3 of a page of documentation on this. I'd > gladly > > write a HOWTO if someone could take the time to elaborate a bit more. > I've > > got most of the rest of the functionality of an NT Client working, > just need > > the authenticate-from-NT part. > > Do you need to have a passwd file entry for each user when they > authenticate of > a NT-PDC? > > Anyone got this to work w/ HPUX 10.20 or 11? (they seem to have an older > PAM version than is standard) > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From muchos at ip6seguridad.com Tue Feb 29 17:33:10 2000 
From: muchos at ip6seguridad.com (muchos) Date: Tue Dec 2 02:28:49 2003 Subject: i need to know a few things about Sama TNg 0.6 + Netscape LDAP 4.1 + PDC Message-ID: <20000229173310.A8389@ip6seguridad.com> I'm not configure LDAP, but i know that netscape directory have a parameter or something that is called "ntuser", someone knows if it is enought for samba authentification? I read Samba-PDC LDAP TNG howto made by Ignacio Coupeau at University of Navarra, but i find it a bit confuse or may be not clear for me. Well, i want to know if i must use smbpasswd if all the accounts are in the ldap server now, and i must add a machines account in the smbpasswd or in ldap directory? I think that my smb.conf is ok (i pasted below), but i don't know the requirements of LDAP (Netscape server) I'm using the Netscape LDAP with that parameter and Samba TNG 0.6 as a PDC --------------------------------------------------------------------------------------- [global] # LDAP ldap suffix = "o=Root_Ldap" ldap bind as = "uid=root, o=Root_Ldap" ldap passwd file = /usr/local/samba/private/ldappasswd ldap server = localhost ldap port = 389 # DOMAIN SERVER domain groups = ROOT_NT workgroup = ROOT_NT server string = Servidor Primario de Dominios domain master = yes domain logons = yes preferred master = yes comment = Linux sever Samba 2.1 # PRINTERS GLOBAL SETUP load printers = yes printcap name = /etc/printcap # LOG SETUP log file = /var/log/samba/log.%m max log size = 500 # PASSWORD SETUP security = user encrypt passwords = yes smb passwd file = /etc/smbpasswd unix password sync = yes passwd program = /bin/passwd %u password level = 0 # OPTIONS socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # Netbios Setup logon script = %U.bat logon path = \\%L\profiles\%U netbios name = diablo logon path = \\diablo\profiles\%U # Options map to guest = never null passwords = no os level = 34 wins support = yes dead time = 0 debug level = 20 admin users = smbadmin # SHARES PARA EL PDC [homes] 
comment = Directorios Personales browseable = no writeable = yes public = no only user = no path = /home/samba/profiles/ create mode = 0600 directory mode = 070 [netlogon] comment = Servicio Autentificacion path = /home/samba/netlogon guest ok = yes writable = no share modes = no browsable = no [profiles] comment = Perfil de Usuario path = /home/samba/profiles create mode = 0600 directory mode = 0700 writable = yes browsable = no # SHARED OPCIONALES -- ========================================================================= Gabriel D?iaz L?opez de la Llave Ip6 Seguridad S.L gabidiaz@ip6seguridad.com c: Zurbaran 28 tlf : 91 700 01 84 ext 165 28010 Madrid fax : 91 700 01 73 http://www.ip6seguridad.com ========================================================================= From lkcl at samba.org Tue Feb 29 17:04:58 2000 
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: <38BBDC34.13082BB2@siac.com>
Message-ID:

On Tue, 29 Feb 2000, Michael Breuer wrote:

> Ok... sorry.

no problem.

> First, let me note that with the same machines & configuration I was
> able to join the domain in 0.5. That said... I installed 0.7 and
> selected "network identity" on a W2K workstation. I entered the name
> of the samba domain and hit "OK." When prompted for the
> userid/password of a user authorized to join the machine to the
> domain, I entered the samba administrator id and password
> (Administrator). According to the logs, the "credentials" were 'null'
> and the ID mapped to root (uid=0). I tried a different account (also
> with administrator access to both the ws and samba --- and with same
> passwords). Same message. For fun, I added "root" to smbpasswd (with
> samedit) and set the password to match the root password of the unix
> system. Also no luck.

hmm.... ok, 'cos i'm doing exactly that, and it works. hmm: can you take
a look in the logs, at level 100, for "status: C000" or maybe
"status:c0000"?

this last error code will say what's failing. then let me know what you
think it might be, from the info proceeding the error-status-code.

thx.

From lkcl at samba.org Tue Feb 29 17:07:09 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton) Date: Tue Dec 2 02:28:49 2003 Subject: Multiple NT domains and Samba-TNG In-Reply-To: Message-ID: ok, delete the following: /usr/local/samba/var/locks/* On Tue, 29 Feb 2000, Mark Cave-Ayland wrote: > On Wed, 1 Mar 2000, Luke Kenneth Casson Leighton wrote: > > > 1) cvs update -- always. a report for something that is out-of-date by > > more than about... four hours is almost always _also_ out-of-date. > > Have just done that..... > > > 2) do a net use \\thesambaserver\ipc$ > > /user:THESAMBASERVERSDOMAIN\anadminaccountonthesamadomain > > Before the CVS update, this returned "The command completed succesfully" > but I still got the "Access Denied" message in User Manager. > > After the CVS update: NT returns "System Error 240 occured. The request > was cancelled" > > In fact, now I can't browse the domain at all.... typing in \\ictserver > into the run box prompts me with a dialog box saying "Unknown username or > incorrect password". Typing in my SMB username and password does nothing > and keeps bringing the dialog box up. > > Going back to the Samba-TNG box: smbclient //ictserver/test -U mca gives > the error "session request setup failed". > > I think I've done something very wrong here.... > > > 3) no, trust relationships aren't exactly working properly (due to the use > > of a SURS algorithm that doesn't support anything more than its own > > domain) try it, you might get lucky... > > Haven't looked into this yet. > > > Cheers, > > Mark. > > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From mbreuer at siac.com Tue Feb 29 17:38:25 2000 
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
References:
Message-ID: <38BC0411.C07475E0@siac.com>

Looks like 0018 status : c0000017 (both smb and netlogon)

The smb log also contains ERROR: unbecome root depth is 0 (from lib/set_uid.c:354).

Luke Kenneth Casson Leighton wrote:

> On Tue, 29 Feb 2000, Michael Breuer wrote:
>
> > Ok... sorry.
>
> no problem.
>
> > First, let me note that with the same machines & configuration I was
> > able to join the domain in 0.5. That said... I installed 0.7 and
> > selected "network identity" on a W2K workstation. I entered the name
> > of the samba domain and hit "OK." When prompted for the
> > userid/password of a user authorized to join the machine to the
> > domain, I entered the samba administrator id and password
> > (Administrator). According to the logs, the "credentials" were 'null'
> > and the ID mapped to root (uid=0). I tried a different account (also
> > with administrator access to both the ws and samba --- and with same
> > passwords). Same message. For fun, I added "root" to smbpasswd (with
> > samedit) and set the password to match the root password of the unix
> > system. Also no luck.
>
> hmm.... ok, 'cos i'm doing exactly that, and it works. hmm: can you take
> a look in the logs, at level 100, for "status: C000" or maybe
> "status:c0000"?
>
> this last error code will say what's failing. then let me know what you
> think it might be, from the info proceeding the error-status-code.
>
> thx.

From lkcl at samba.org Tue Feb 29 17:50:26 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: <38BC0411.C07475E0@siac.com>
Message-ID:

damn, damn - ok, i bet the two are related.

ok.

become_root()
...
become_root()
...
unbecome_root() - really does unbecome root
...
samr_drect_query_userinfo() - fails because it's not root
...
unbecome_root() - fails because we're already non-root.

dammit.

i'm not certain as to how to eliminate this, because according to some
people we should _only_ be running as root, which is a security risk if we
do it at the moment because there is no checking otherwise on file access
inside the msrpc code.

i could "fix" this by doing an increment on become_root() instead of
root_depth = 1 do root_depth++...

> Looks like 0018 status : c0000017 (both smb and netlogon)
>
> The smb log also contains ERROR: unbecome root depth is 0 (from lib/set_uid.c:354).
>
> Luke Kenneth Casson Leighton wrote:
>
> > On Tue, 29 Feb 2000, Michael Breuer wrote:
> >
> > > Ok... sorry.
> >
> > no problem.
> >
> > > First, let me note that with the same machines & configuration I was
> > > able to join the domain in 0.5. That said... I installed 0.7 and
> > > selected "network identity" on a W2K workstation. I entered the name
> > > of the samba domain and hit "OK." When prompted for the
> > > userid/password of a user authorized to join the machine to the
> > > domain, I entered the samba administrator id and password
> > > (Administrator). According to the logs, the "credentials" were 'null'
> > > and the ID mapped to root (uid=0). I tried a different account (also
> > > with administrator access to both the ws and samba --- and with same
> > > passwords). Same message. For fun, I added "root" to smbpasswd (with
> > > samedit) and set the password to match the root password of the unix
> > > system. Also no luck.
> >
> > hmm.... ok, 'cos i'm doing exactly that, and it works. hmm: can you take
> > a look in the logs, at level 100, for "status: C000" or maybe
> > "status:c0000"?
> >
> > this last error code will say what's failing. then let me know what you
> > think it might be, from the info proceeding the error-status-code.
> >
> > thx.
>

Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From holm at informatik.umu.se Tue Feb 29 17:51:28 2000
From: holm at informatik.umu.se (Åke Holmlund)
Date: Tue Dec 2 02:28:49 2003
Subject: err broke
Message-ID: <200002291751.SAA13113@jupiter.informatik.umu.se>

> On Wed, 1 Mar 2000, Jason Jensen wrote:
>
> > ok.. using rpcclient i could not only add all the trust account and
> > users.. but i could join the domain SAMBA with win2k.. but i can't
> > access ANY file shares. NOT ONE.. not even share listing.. NOTHING..
> > seems like smb is broke.. can anyone confirm this? I also do NOT have
> > administrator privileges on my workstation..?? i don't know why! my
> > user temper is part of the "Domain Admins" group.
>
> uhhh.... hmmm...
>
> ok, i have a root problem.
>
> i.e if the user logging in isn't root, you can't log in.
>
> oops!

Maybe this, in some way, is related to my problem.

Setup: Samba-tng cvs:ed running on Solaris 7, sparc using ldap. Samba running as PDC, NT 4 sp5 NOT member of the domain.

When I try to map a network drive, from \\pdc\username, the ONLY accesses made to the ldap-server are searches for nobody (objectclass sambaAccount, sambaGroup and sambaAlias). nobody does NOT exist in the ldap database. These searches occur before the username/password dialog pops up. No matter what username/password I try, no connection seems to be made to the ldap server from samba. All I get is "SMB LM/NT Password did not match!" messages in the log.smb file.

If I add nobody (with samedit) to ldap, samba still ONLY searches for nobody and nobody's rid in ldap.

For me these problems started som after the lsarpcd crashes were fixed last week.

-----------------------------------------------------------------------------
Åke Holmlund          Tel: +46 - 90 786 57 16
Umeå University       Fax: +46 - 90 786 65 50
Dept of informatics   Email: holm@informatik.umu.se
SE-901 87 Umeå
Sweden

From ssamalin at ionet.net Tue Feb 29 18:04:11 2000
From: ssamalin at ionet.net (ssamalin@ionet.net)
Date: Tue Dec 2 02:28:49 2003
Subject: NT printer share not found
Message-ID: <200002291804.MAA21580@ionet.net>

If I do an "smbclient -L winhost" no winhost shares are listed. How can I debug this? I'm trying to print from linux to an nt printer.

From s.striker at striker.nl Tue Feb 29 18:23:20 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To:
Message-ID:

>damn, damn - ok, i bet the two are related.
>
>ok.
>
>become_root()
>...
>become_root()
>...
>unbecome_root() - really does unbecome root
>...
>samr_drect_query_userinfo() - fails because it's not root
>...
>unbecome_root() - fails because we're already non-root.
>
>dammit.
>
>i'm not certain as to how to eliminate this, because according to some
>people we should _only_ be running as root, which is a security risk if we
>do it at the moment because there is no checking otherwise on file access
>inside the msrpc code.

I guess people are suggesting running as root and when doing file access checking something like:

    become_user(); check_access(file); unbecome_user();

>i could "fix" this by doing an increment on become_root() instead of
>root_depth = 1 do root_depth++...

For now, and for me personally, this is a good fix. Make sure to keep it all symmetric though. It's very easy to forget an unbecome_root() :-)

Sander

From ssamalin at ionet.net Tue Feb 29 18:17:35 2000
From: ssamalin at ionet.net (ssamalin@ionet.net)
Date: Tue Dec 2 02:28:49 2003
Subject: netshareenum failed
Message-ID: <200002291817.MAA12230@ionet.net>

I just did an smbclient and the debug said netshareenum failed. Any idea why? How can I debug that? I'm trying to print on an nt printer from linux.

From timothy_d_cole at md.northgrum.com Tue Feb 29 18:21:53 2000
From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563223@xcgmd008.md.essd.northgrum.com>

> -----Original Message-----
> From: Luke Kenneth Casson Leighton [SMTP:lkcl@samba.org]
> Sent: Tuesday, February 29, 2000 12:51
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: Re: TNG 0.7 - can't join domain
>
> i'm not certain as to how to eliminate this, because according to some
> people we should _only_ be running as root, which is a security risk if we
> do it at the moment because there is no checking otherwise on file access
> inside the msrpc code.
>
> i could "fix" this by doing an increment on become_root() instead of
> root_depth = 1 do root_depth++...
>

You'll have to be _real_ careful doing that, though -- it's entirely possible that some code, somewhere, expects that it can always safely do non-rooty things after it's called unbecome_root()... if that's been getting called from code that itself becomes root...

From lkcl at samba.org Tue Feb 29 18:24:34 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:49 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To:
Message-ID:

On Tue, 29 Feb 2000, Sander Striker wrote:

> >damn, damn - ok, i bet the two are related.
> >
> >ok.
> >
> >become_root()
> >...
> >become_root()
> >...
> >unbecome_root() - really does unbecome root
> >...
> >samr_drect_query_userinfo() - fails because it's not root
> >...
> >unbecome_root() - fails because we're already non-root.
> >
> >dammit.
> >
> >i'm not certain as to how to eliminate this, because according to some
> >people we should _only_ be running as root, which is a security risk if we
> >do it at the moment because there is no checking otherwise on file access
> >inside the msrpc code.
>
> I guess people are suggesting running as root and when doing file access
> checking something like:
> become_user(); check_access(file); unbecome_user();
>
> >i could "fix" this by doing an increment on become_root() instead of
> >root_depth = 1 do root_depth++...
>
> For now, and for me personally, this is a good fix. Make sure to keep
> it all symmetric though. It's very easy to forget an unbecome_root() :-)

it always is. i get nervous when i see more than one function call wrapped with a become_root(), unbecome_root().

From SC4211 at email.mot.com Tue Feb 29 18:35:25 2000
From: SC4211 at email.mot.com (Ryan Wyler) Date: Tue Dec 2 02:28:50 2003 Subject: automount, samba, desktop.ini issues Message-ID: <38BC116D.EDCCF7A2@email.mot.com> Program: update_links.pl Author: Ryan Wyler Problem this program solves: Windows machines taking a LONG time to browse shares of automount points which include directories that are inaccessable to the samba server. Explanation: We have our samba shares setup to mount the unix automount directories. The problem is there are MANY automount directories that the sambaserver does not have access to automount because it is sensitive data and only shared out to specific netgroups/servers. When a Windows machine tries to browse the folders in the automount point windows attempts to go into EVERY SINGLE directory and pull out a desktop.ini file. This is a problem because there are several directories that the client will stall on because the server does not have access to the directories. So windows will request the desktop.ini file several times, and the server will attempt to mount the directory several times per each request. This results in a windows machine pulling up the directory in around 15 or 20 minutes! Solution: I came up with an idea. I made a directory called '/samba_links'. I wrote this script to go through ALL the automaps and create directories and links back to the correct location for all the directories that the server can mount. This way if a client will never request a desktop.ini file from a folder that is unmountable to the samba server. Instalation: This has ONLY been tested with NIS, not NIS+. This has been written for Solaris on a Solaris 2.6 machine. For linux it may need some tweeks but it possiably will work as is. Just throw this script in cron to run once a night or whenever you feel it should run. 
Example Setup: Crontab looks like (runs every morning at 1:00am): 0 1 * * * /opt/samba/bin/update_links.pl > /dev/null 2>&1 auto.master would look like: /projects auto.projects -rw,retry=3,nobrowse auto.projects would look like (server names accessable / unaccessable): project1 accessable:/export/project1 project2 accessable:/export/project2 project3 unaccessable:/export/project1 The directories that this script would create in that case would be: /samba_links /samba_links/projects Because the server 'unaccessable' is "unaccessable" the ONLY links that would be created in this case would be: /samba_links/projects/project1 -> /projects/project1 /samba_links/projects/project2 -> /projects/project2 Example smb.conf share: [projects] comment = Project Areas browseable = yes path = /samba_links/projects writable = yes Note: When you edit this, don't forget to use VI .. =) ALWAYS do the ':set ts=2' to change the tabspaces over to two spaces instead of 8 spaces. -- Ryan Wyler - ryan@nhorizon.net TekSystems U N I X [ Unix is very Friendly ... ... just pickier about who it makes friends with. ] -------------- next part -------------- A non-text attachment was scrubbed... Name: update_links.pl Type: application/x-perl Size: 6455 bytes Desc: not available Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000229/e594ab83/update_links.bin From p.mayers at ic.ac.uk Tue Feb 29 18:54:38 2000 From: p.mayers at ic.ac.uk (Mayers, P J) Date: Tue Dec 2 02:28:50 2003 Subject: Linux as an NT CLIENT Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F81357@icex1.cc.ic.ac.uk> I'm well aware of the need for s SURS implementation. In fact, if/when the API settles down, pulling the SID->uid/gid mapping out of an LDAP directory is something I'd like to look at. Cheers, Phil -----Original Message----- 
From: Luke Kenneth Casson Leighton To: Multiple recipients of list SAMBA-NTDOM Sent: 29/02/00 16:58 Subject: RE: Linux as an NT CLIENT On Wed, 1 Mar 2000, Mayers, P J wrote: > Yes, still need a passwd/NIS entry. IIRC there was something under > development called winbind, which is the equivalent for ypbind for an NT > domain, rather than NIS. Very nice. But it was dependent on SURS, and hence > probably TNG. Again, I don't know the progress. yeah, tim's working on it. actually, absolutely _Everything_ is dependent on a decent SURS implementation, and we don't have one. and no, dammit, the current one _isn't_ good enough. however, as i was explaining to tim (it took a couple of days, and his code got a _lot_ simpler when he got it), it's not the responsibility of samba, pam_ntdom, pam_smb, winbind, pam_smbpass, or anything BUT surs itself to solve the problem of mapping uids/gids and sids. luke > > -----Original Message----- 
> From: Jay Thomas > To: Multiple recipients of list SAMBA-NTDOM > Sent: 2/29/00 1:01 AM > Subject: Re: Linux as an NT CLIENT > > Jonathan Hutchins wrote: > > > > On Sat, 19 Feb 2000, Jonathan Hutchins wrote: > > > > >> What are the critical steps in getting a Samba machine to join the > > >> domain and access shares? > > > > And Luke Kenneth Casson Leighton rather sparsely > replied: > > > > > pam_ntdom. > > > > Which migh possibly be a compile-time option? Not currently doc'ed as > a > > configuration keyword. > > > > >From the looks of the list, there are some problems with the > > authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland > says "I > > have several samba boxes joined and authenticating to NT PDC's". > > > > There appears to about 1/3 of a page of documentation on this. I'd > gladly > > write a HOWTO if someone could take the time to elaborate a bit more. > I've > > got most of the rest of the functionality of an NT Client working, > just need > > the authenticate-from-NT part. > > Do you need to have a passwd file entry for each user when they > authenticate of > a NT-PDC? > > Anyone got this to work w/ HPUX 10.20 or 11? (they seem to have an older > PAM version than is standard) > Luke Kenneth Casson Leighton Samba and Network Development Samba Web site Internet Security Systems, Inc. Macmillan Technical Publishing ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals From timothy_d_cole at md.northgrum.com Tue Feb 29 18:56:14 2000 From: timothy_d_cole at md.northgrum.com (Cole, Timothy D.) Date: Tue Dec 2 02:28:50 2003 Subject: TNG 0.7 - can't join domain Message-ID: <51FBD4A8EFD9D111BA7300A0C927DADB563224@xcgmd008.md.essd.northgrum.com> > -----Original Message----- 
> From: Sander Striker [SMTP:s.striker@striker.nl]
> Sent: Tuesday, February 29, 2000 13:17
> To: Multiple recipients of list SAMBA-NTDOM
> Subject: RE: TNG 0.7 - can't join domain
>
> I guess people are suggesting running as root and when doing file access
> checking something like:
> become_user(); check_access(file); unbecome_user();
>

*cough* race conditions *cough*

[ btw ... access(2) does NOT necessarily reflect the actual access you will get under all circumstances anyway ]

Anyway, if you take the root-unless-doing-file-access route, you really should do:

    become_user(); do_stuff_to_file_here_and_now(); unbecome_user();

Honestly, though, in a daemon that very rarely actually does anything on behalf of a particular user, it might make more sense to just run as some no-access user most of the time (still have to start as root, though), and treat root as just another user to become (externally).

internally, it'd be something like (pseudocode):

    void push_security_context(uid_t uid) {
        do_push_security_context(); /* saves old uid, groups, etc */
        setuid(0); /* switch back to root */
        do_init_security_context(uid); /* initgroups, setuid(), etc */
    }

    void pop_security_context() {
        setuid(0); /* switch back to root */
        do_pop_security_context(); /* restores old uid, groups, etc */
    }

From p.mayers at ic.ac.uk Tue Feb 29 18:59:06 2000
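[Added example, not part of any message in this archive and not Samba-TNG code: the nested become_root()/unbecome_root() failure Luke describes, the root_depth++ counter he proposes, and the push/pop security context from Timothy Cole's pseudocode, run side by side. The effective uid is simulated with a variable (sim_euid) so the program runs unprivileged; the function bodies, CALLER_UID and the helper names are assumptions made for illustration.]

```c
/* Added example: privilege state is simulated so this runs without root.
 * Function names follow the thread; the bodies are assumptions. */
#include <stdio.h>

#define CALLER_UID 1000            /* constructed non-root user */
#define MAX_CTX 8

static int sim_euid = CALLER_UID;  /* stands in for the process euid */
static int saved_uid, root_depth, errors;
static int ctx_stack[MAX_CTX], ctx_top;

static void reset_state(void) {
    sim_euid = CALLER_UID; root_depth = 0; errors = 0; ctx_top = 0;
}

/* Scheme A: depth used as a flag (root_depth = 1), the failing behaviour. */
static void become_root_flag(void) {
    if (root_depth == 0) saved_uid = sim_euid;
    root_depth = 1;
    sim_euid = 0;
}
static void unbecome_root_flag(void) {
    if (root_depth == 0) { errors++; return; } /* "unbecome root depth is 0" */
    root_depth = 0;
    sim_euid = saved_uid;
}

/* Scheme B: counted depth (root_depth++), the fix proposed in the thread. */
static void become_root_counted(void) {
    if (root_depth++ == 0) { saved_uid = sim_euid; sim_euid = 0; }
}
static void unbecome_root_counted(void) {
    if (root_depth == 0) { errors++; return; }
    if (--root_depth == 0) sim_euid = saved_uid;
}

typedef struct { void (*become)(void); void (*unbecome)(void); } priv_ops;
static const priv_ops FLAG = { become_root_flag, unbecome_root_flag };
static const priv_ops COUNTED = { become_root_counted, unbecome_root_counted };

/* Stand-in for the SAM query that only works as root; 1 means success. */
static int privileged_query(void) { return sim_euid == 0; }

typedef struct { int query_ok; int errors; int final_euid; } result;

/* The call sequence from the thread: outer become, a helper that wraps its
 * own become/unbecome, the privileged query, then the outer unbecome. */
static result run_join(const priv_ops *p) {
    result r;
    reset_state();
    p->become();
    p->become(); p->unbecome();     /* nested helper, unaware of its caller */
    r.query_ok = privileged_query();
    p->unbecome();
    r.errors = errors;
    r.final_euid = sim_euid;
    return r;
}

/* The caveat raised in the thread: code that calls unbecome and then assumes
 * it is unprivileged. Returns the euid it really has at that point when its
 * caller already holds root. */
static int euid_after_inner_unbecome(const priv_ops *p) {
    int seen;
    reset_state();
    p->become();                    /* caller holds root */
    p->become();
    p->unbecome();                  /* inner code believes root is dropped */
    seen = sim_euid;
    p->unbecome();
    return seen;
}

/* Scheme C: explicit context stack; every push names the uid it wants. */
static int push_security_context(int uid) {
    if (ctx_top == MAX_CTX) return -1;
    ctx_stack[ctx_top++] = sim_euid;
    sim_euid = uid;
    return 0;
}
static int pop_security_context(void) {
    if (ctx_top == 0) return -1;
    sim_euid = ctx_stack[--ctx_top];
    return 0;
}

/* File access as the user from inside a root section. Returns the euid seen
 * during the access, or -1 if the surrounding contexts were not restored. */
static int euid_for_file_access_with_stack(void) {
    int seen;
    reset_state();
    push_security_context(0);
    push_security_context(CALLER_UID);
    seen = sim_euid;                /* the file operation would happen here */
    pop_security_context();
    if (sim_euid != 0) return -1;   /* outer root section must still be root */
    pop_security_context();
    return sim_euid == CALLER_UID ? seen : -1;
}

int main(void) {
    result a = run_join(&FLAG), b = run_join(&COUNTED);
    printf("flag:    query_ok=%d errors=%d\n", a.query_ok, a.errors);
    printf("counted: query_ok=%d errors=%d\n", b.query_ok, b.errors);
    printf("euid after inner unbecome: flag=%d counted=%d stack=%d\n",
           euid_after_inner_unbecome(&FLAG),
           euid_after_inner_unbecome(&COUNTED),
           euid_for_file_access_with_stack());
    return 0;
}
```

[With the counter, the join sequence works, but code that relies on being unprivileged after unbecome_root() stays root when its caller holds root; the context stack avoids that because each push states the uid it needs.]
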
From: p.mayers at ic.ac.uk (Mayers, P J) Date: Tue Dec 2 02:28:50 2003 Subject: i need to know a few things about Sama TNg 0.6 + Netscape LDA P 4.1 + PDC Message-ID: <0846B011B9A4D111A1EE006097DA4FCE02F81358@icex1.cc.ic.ac.uk> The LDAP account entries must have a particular format - namely the sambaAccount / sambaGroup objectclass entries in Ignacio's FAQ. Re-read the FAQ. Then modify the account entries to have that objectclass and all required properties You'll need to add: objectclass: sambaAccount uid: ntuid: rid: uidNumber: Amongst others. Also, the users will still need to be in the local (Unix) system password database - presumably using nss_ldap (ftp://ftp.padl.com/pub) or NIS or something. Cheers, Phil -----Original Message----- 
From: muchos
To: Multiple recipients of list SAMBA-NTDOM
Sent: 29/02/00 17:13
Subject: i need to know a few things about Sama TNg 0.6 + Netscape LDAP 4.1 + PDC

I'm not configure LDAP, but i know that netscape directory have a parameter or
something that is called "ntuser", someone knows if it is enough for samba
authentication?

I read Samba-PDC LDAP TNG howto made by Ignacio Coupeau at University of
Navarra, but i find it a bit confusing or maybe not clear for me.

Well, i want to know if i must use smbpasswd if all the accounts are in the ldap
server now, and i must add a machines account in the smbpasswd or in ldap
directory?

I think that my smb.conf is ok (i pasted below), but i don't know the
requirements of LDAP (Netscape server)

I'm using the Netscape LDAP with that parameter and Samba TNG 0.6 as a PDC

---------------------------------------------------------------------------------------
[global]

# LDAP
ldap suffix = "o=Root_Ldap"
ldap bind as = "uid=root, o=Root_Ldap"
ldap passwd file = /usr/local/samba/private/ldappasswd
ldap server = localhost
ldap port = 389

# DOMAIN SERVER
domain groups = ROOT_NT
workgroup = ROOT_NT
server string = Servidor Primario de Dominios
domain master = yes
domain logons = yes
preferred master = yes
comment = Linux sever Samba 2.1

# PRINTERS GLOBAL SETUP
load printers = yes
printcap name = /etc/printcap

# LOG SETUP
log file = /var/log/samba/log.%m
max log size = 500

# PASSWORD SETUP
security = user
encrypt passwords = yes
smb passwd file = /etc/smbpasswd
unix password sync = yes
passwd program = /bin/passwd %u
password level = 0
# OPTIONS
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Netbios Setup
logon script = %U.bat
logon path = \\%L\profiles\%U
netbios name = diablo
logon path = \\diablo\profiles\%U
# Options
map to guest = never
null passwords = no
os level = 34
wins support = yes
dead time = 0
debug level = 20
admin users = smbadmin

# SHARES FOR THE PDC

[homes]
comment = Directorios Personales
browseable = no
writeable = yes
public = no
only user = no
path = /home/samba/profiles/
create mode = 0600
directory mode = 070

[netlogon]
comment = Servicio Autentificacion
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
browsable = no
[profiles]
comment = Perfil de Usuario
path = /home/samba/profiles
create mode = 0600
directory mode = 0700
writable = yes
browsable = no

# OPTIONAL SHARES

--
=========================================================================
Gabriel Díaz López de la Llave
Ip6 Seguridad S.L          gabidiaz@ip6seguridad.com
c: Zurbaran 28             tlf : 91 700 01 84 ext 165
28010 Madrid               fax : 91 700 01 73
http://www.ip6seguridad.com
=========================================================================

From mbreuer at siac.com Tue Feb 29 19:19:23 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
References:
Message-ID: <38BC1BBB.CA4D2675@siac.com>

Update... I have managed to join the domain... here's how:

1) I deleted the workstation entry from smbpasswd.
2) I recreated the workstation account (rpcclient).
3) I deleted and recreated the workstation account for the NT PDC where the
workstation was currently joined.
4) On the NT PDC, I "reset" the computer account in active directory for the
samba computer
[Note: There is no current working trust relationship between the systems...
I've just mounted shares and played with settings]
5) I deleted and re-created the "root" account for the samba server.
6) I reset the system root password (/etc/passwd) to match the samba password
7) I joined the domain using the "root" account. Note that I could not join
using any other account.

Note: I'm not sure if *all* of these steps were necessary. I had failed
attempts to join after steps 2, 3, 4 and 6.

Luke Kenneth Casson Leighton wrote:

> damn, damn - ok, i bet the two are related.
>
> ok.
>
> become_root()
> ...
> become_root()
> ...
> unbecome_root() - really does unbecome root
> ...
> samr_drect_query_userinfo() - fails because it's not root
> ...
> unbecome_root() - fails because we're already non-root.
>
> dammit.
>
> i'm not certain as to how to eliminate this, because according to some
> people we should _only_ be running as root, which is a security risk if we
> do it at the moment because there is no checking otherwise on file access
> inside the msrpc code.
>
> i could "fix" this by doing an increment on become_root() instead of
> root_depth = 1 do root_depth++...
>
> > Looks like 0018 status : c0000017 (both smb and netlogon)
> >
> > The smb log also contains ERROR: unbecome root depth is 0 (from lib/set_uid.c:354).
> >
> > Luke Kenneth Casson Leighton wrote:
> >
> > > On Tue, 29 Feb 2000, Michael Breuer wrote:
> > >
> > > > Ok... sorry.
> > >
> > > no problem.
> > >
> > > > First, let me note that with the same machines & configuration I was
> > > > able to join the domain in 0.5. That said... I installed 0.7 and
> > > > selected "network identity" on a W2K workstation. I entered the name
> > > > of the samba domain and hit "OK." When prompted for the
> > > > userid/password of a user authorized to join the machine to the
> > > > domain, I entered the samba administrator id and password
> > > > (Administrator). According to the logs, the "credentials" were 'null'
> > > > and the ID mapped to root (uid=0). I tried a different account (also
> > > > with administrator access to both the ws and samba --- and with same
> > > > passwords). Same message. For fun, I added "root" to smbpasswd (with
> > > > samedit) and set the password to match the root password of the unix
> > > > system. Also no luck.
> > >
> > > hmm.... ok, 'cos i'm doing exactly that, and it works. hmm: can you take
> > > a look in the logs, at level 100, for "status: C000" or maybe
> > > "status:c0000"?
> > >
> > > this last error code will say what's failing. then let me know what you
> > > think it might be, from the info proceeding the error-status-code.
> > >
> > > thx.
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mbreuer at siac.com Tue Feb 29 19:26:55 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG: nmblib.c loops
Message-ID: <38BC1D7F.14124FD@siac.com>

Using rpcclient and attempting to log in to a W2K server, nmblib.c loops
at line 1008 (according to the log output of rpcclient).

Scenario:

I was experimenting with making samba a BDC to a W2K PDC. I set up my
smb.conf file as-per the FAQ. When I ran rpcclient to connect to the
PDC, rpcclient hung. With log level 100, I see many many messages of:

[2000/02/29 14:19:47, 100] libsmb/nmblib.c:(1008)
receive_packet: 4 0

(approx 14/second).

Interspersed occasionally (about every 2 seconds) are:
[2000/02/29 14:19:46, 4] libsmb/nmblib.c:(109)
nmb packet from (137) header: id=2862
opcode=Query(0) response=No
header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No

header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
question: q_name=<20> q_type=32 q_class=1

[2000/02/29 14:19:46, 5] libsmb/nmblib.c:(752)
Sending a packet of len 50 to (162.69.72.47) on port 137

From pkennedy at loudcloud.com Tue Feb 29 19:45:39 2000
From: pkennedy at loudcloud.com (Paul Kennedy)
Date: Tue Dec 2 02:28:50 2003
Subject: i need to know a few things about Sama TNg 0.6 + Netscape LDAP 4.1 + PDC
References: <20000229173310.A8389@ip6seguridad.com>
Message-ID: <38BC21E3.506544C5@loudcloud.com>

muchos wrote:

> I'm not configure LDAP, but i know that netscape directory have a parameter or
> something that is called "ntuser", someone knows if it is enough for samba
> authentication?

The Netscape Directory Server defines different schema from Samba for NT
user attributes. Netscape's schema is used by the Netscape NT Directory
Synchronization Service, to propagate NT users and groups to the LDAP
server and from then on keep the SAM and LDAP directory synchronized.

In order to use Samba with the Netscape Directory Server 4.0 or later,
you'll need to add the following schema to the file
NSHOME/slapd-'your-serverid-here'/slapd.user_oc.conf

objectclass sambaAccount
    requires
        ObjectClass, uid, uidNumber, ntuid, rid
    allows
        gidNumber, grouprid, nickname, userpassword, ou, description,
        lmPassword, ntPassword, pwdLastSet, smbHome, homeDrive, script,
        profile, workstations, acctFlags, pwdCanChange, pwdMustChange,
        logonTime, logoffTime, kickoffTime, cn

objectclass sambaGroup
    requires
        cn, rid
    allows
        ntuid, member, description

objectclass sambaBuiltin
    requires
        cn, sid
    allows
        ntuid, rid, member, description

objectclass sambaConfig
    requires
        id
    allows
        nextrid

and add these attribute definitions to the file
NSHOME/slapd-'your-serverid-here'/slapd.user_at.conf

attribute uidNumber cis
attribute ntUid cis
attribute rid cis
attribute nextRid cis
attribute grouprid cis
attribute nickname cis
attribute lmpassword cis
attribute ntpassword cis
attribute pwdLastSet cis
attribute smbHome cis
attribute homeDrive cis
attribute script cis
attribute profile cis
attribute workstations cis
attribute acctFlags cis
attribute pwdCanChange cis
attribute pwdMustChange cis
attribute sid cis
attribute id cis
attribute logonTime cis
attribute logoffTime cis
attribute kickoffTime cis

Then restart the server, these config files are read once only, at
server startup.

Then you should re-read Ignacio Coupeau's very helpful note.

Pk.

>
>
> I read Samba-PDC LDAP TNG howto made by Ignacio Coupeau at University of
> Navarra, but i find it a bit confusing or maybe not clear for me.
>
> Well, i want to know if i must use smbpasswd if all the accounts are in the ldap
> server now, and i must add a machines account in the smbpasswd or in ldap
> directory?
>
> I think that my smb.conf is ok (i pasted below), but i don't know the
> requirements of LDAP (Netscape server)
>
> I'm using the Netscape LDAP with that parameter and Samba TNG 0.6 as a PDC
>
> ---------------------------------------------------------------------------------------
> [global]
>
> # LDAP
> ldap suffix = "o=Root_Ldap"
> ldap bind as = "uid=root, o=Root_Ldap"
> ldap passwd file = /usr/local/samba/private/ldappasswd
> ldap server = localhost
> ldap port = 389
>
> # DOMAIN SERVER
> domain groups = ROOT_NT
> workgroup = ROOT_NT
> server string = Servidor Primario de Dominios
> domain master = yes
> domain logons = yes
> preferred master = yes
> comment = Linux sever Samba 2.1
>
> # PRINTERS GLOBAL SETUP
> load printers = yes
> printcap name = /etc/printcap
>
> # LOG SETUP
> log file = /var/log/samba/log.%m
> max log size = 500
>
> # PASSWORD SETUP
> security = user
> encrypt passwords = yes
> smb passwd file = /etc/smbpasswd
> unix password sync = yes
> passwd program = /bin/passwd %u
> password level = 0
> # OPTIONS
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Netbios Setup
> logon script = %U.bat
> logon path = \\%L\profiles\%U
> netbios name = diablo
> logon path = \\diablo\profiles\%U
> # Options
> map to guest = never
> null passwords = no
> os level = 34
> wins support = yes
> dead time = 0
> debug level = 20
> admin users = smbadmin
>
> # SHARES FOR THE PDC
>
> [homes]
> comment = Directorios Personales
> browseable = no
> writeable = yes
> public = no
> only user = no
> path = /home/samba/profiles/
> create mode = 0600
> directory mode = 070
>
> [netlogon]
> comment = Servicio Autentificacion
> path = /home/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
> browsable = no
> [profiles]
> comment = Perfil de Usuario
> path = /home/samba/profiles
> create mode = 0600
> directory mode = 0700
> writable = yes
> browsable = no
>
> # OPTIONAL SHARES
>
> --
> =========================================================================
> Gabriel Díaz López de la Llave
> Ip6 Seguridad S.L          gabidiaz@ip6seguridad.com
> c: Zurbaran 28             tlf : 91 700 01 84 ext 165
> 28010 Madrid               fax : 91 700 01 73
> http://www.ip6seguridad.com
> =========================================================================

From ctooley at joslyn.org Tue Feb 29 19:50:18 2000
From: ctooley at joslyn.org (Chris Tooley)
Date: Tue Dec 2 02:28:50 2003
Subject: Printing with 2.0.6
Message-ID: <000401bf82ee$353423a0$1900a8c0@joslyn.org>

I have a Samba 2.0.6 (from the RPM for RedHat 6.1) setup as a login server.
This machine shares out several printers (2 HP LaserJet 4V's and a Lexmark
Optra K 1220) that are used throughout the building. Lately when I added the
second HP LaserJet I am having a lot of trouble. The 2nd LJ doesn't work at
all, as it shows up continually in offline mode, and the original LJ shows up
as paused. Some machines can print to it (all the clients are 95 or 98 and
range from 95 original version to 98 SE) and some can't print in paused mode.
Now the Lexmark is showing up as paused and no one can print to it. I can
print using the lpr command to all the printers and can ftp files to them and
watch the printer spit them out. The connection works and the printer works,
so I think it may be Samba. Any ideas?

Enclosed is a copy of my smb.conf, printcap, and "ls -al -R /usr/spool/lpd".
If any more information is needed please let me know.

Chris Tooley
Software Specialist
Joslyn Art Museum
2200 Dodge St
Omaha, NE 68102
(402)342-3300 ext 247
(402)342-0091 fax

-------------- next part --------------
A non-text attachment was scrubbed...
Name: printcap.dat
Type: application/octet-stream
Size: 914 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000229/4364bec7/printcap.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: lsoflpd.dir
Type: application/x-director
Size: 1834 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000229/4364bec7/lsoflpd.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 2245 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-ntdom/attachments/20000229/4364bec7/smb.obj

From patl at cag.lcs.mit.edu Tue Feb 29 19:49:58 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
References: <38BAD256.47DD6EC4@siac.com>
Message-ID:

I am having similar problems...

Luke Kenneth Casson Leighton writes:

> 1) do you have a "root" account in the smbpasswd file?

Yes.

> 2) are you using it in the network control panel?

Yes.

> please, people, be more specific. time and time and time and time
> again, i have to repeat and repeat and repeat this: if your report
> doesn't contain specific instructions and information, it's
> completely useless.

It would help if someone would document the correct procedure. Lars
Knesche's FAQ still says to use "smbpasswd -m" which is wrong, and the
only other documentation is loosely spread across the hundreds of
messages each week to this mailing list.

I am still not sure what I am supposed to be doing, so all of my efforts
are attempts to make the thing work at all, not to locate problems. (I
can't tell what is a problem if I do not know what is supposed to
work.)

> well, which domain?

I named it "TEST".

> how does it not join?

When I try to join the domain from the Network Control panel dialog,
it says that the account I am using does not have permission or that
the password is wrong or somesuch. I did not write it down because I
had no idea that this was supposed to work in the first place; I went
right on to try something else.

> did you type the username / password in the network control panel
> dialog?

Yes. "root" plus password.

> did you know that you should do this?

No, I was shooting in the dark.

> does the trust account already exist?

Yes. I created it using the rpcclient "adduser" command. (Which
itself took a good half hour to figure out.) Was that wrong?

> does the unix account (myworkstation$) exist?

Yes.

> are you using ldap, smbpasswd or samtdb or mysql or nt5ldap as the
> password back-end?

smbpasswd

> these are just a _few_ of the issues i can think of when someone
> says, "i can't join the domain", and i'm really sorry, michael, it's
> nothing personal, but it's really exasperating to be repeating this
> quite so many times [a day]. after three years, i'd have thought
> people would get it by now.

Could someone please document *once*, in one place, the precise set of
steps we are supposed to be using? And actually try it yourself in
the process? As near as I can tell, the procedure goes something like
this:

  1) Make sure root account exists in smbpasswd (use "smbpasswd -a" if
     not)

  2) Make sure machine account (MACHINE$) exists in /etc/passwd

  3) (Is this step even right??) Use rpcclient to create the machine
     account in smbpasswd. (rpcclient with what args, exactly? What
     does the % in "rpcclient -S . -U root%" mean, anyway?)

  4) Use the network control panel to join the workstation to the
     domain, using the root login and password.

  5) (Optional, for better security) Use rpcclient blah blah to
     randomize the trust account password

I had a ton of trouble getting this to work, but I did not carefully
record all of the problems because I did not know what I was supposed
to be doing in the first place... In the end, I edited smbpasswd by
hand, joined the domain *without* creating the machine account from
Network Properties, and used rpcclient to reset the trust account
password. Not exactly a streamlined process.

 - Pat

From lkcl at samba.org Tue Feb 29 19:55:36 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: Linux as an NT CLIENT
In-Reply-To: <0846B011B9A4D111A1EE006097DA4FCE02F81357@icex1.cc.ic.ac.uk>
Message-ID:

luke howard has already written a sursldap, it's incredibly simple: it's a
switch statement around two function calls.

so it's been done.

luke

On Wed, 1 Mar 2000, Mayers, P J wrote:

> I'm well aware of the need for a SURS implementation. In fact, if/when the
> API settles down, pulling the SID->uid/gid mapping out of an LDAP directory
> is something I'd like to look at.
>
> Cheers,
> Phil
>
> -----Original Message-----
> From: Luke Kenneth Casson Leighton
> To: Multiple recipients of list SAMBA-NTDOM
> Sent: 29/02/00 16:58
> Subject: RE: Linux as an NT CLIENT
>
> On Wed, 1 Mar 2000, Mayers, P J wrote:
>
> > Yes, still need a passwd/NIS entry. IIRC there was something under
> > development called winbind, which is the equivalent for ypbind for an NT
> > domain, rather than NIS. Very nice. But it was dependent on SURS, and hence
> > probably TNG. Again, I don't know the progress.
>
> yeah, tim's working on it.
>
> actually, absolutely _Everything_ is dependent on a decent SURS
> implementation, and we don't have one.
>
> and no, dammit, the current one _isn't_ good enough. however, as i was
> explaining to tim (it took a couple of days, and his code got a _lot_
> simpler when he got it), it's not the responsibility of samba, pam_ntdom,
> pam_smb, winbind, pam_smbpass, or anything BUT surs itself to solve the
> problem of mapping uids/gids and sids.
>
> luke
>
> >
> > -----Original Message-----
> > From: Jay Thomas
> > To: Multiple recipients of list SAMBA-NTDOM
> > Sent: 2/29/00 1:01 AM
> > Subject: Re: Linux as an NT CLIENT
> >
> > Jonathan Hutchins wrote:
> > >
> > > On Sat, 19 Feb 2000, Jonathan Hutchins wrote:
> > >
> > > >> What are the critical steps in getting a Samba machine to join the
> > > >> domain and access shares?
> > >
> > > And Luke Kenneth Casson Leighton rather sparsely replied:
> > >
> > > > pam_ntdom.
> > >
> > > Which might possibly be a compile-time option? Not currently doc'ed as a
> > > configuration keyword.
> > >
> > > From the looks of the list, there are some problems with the
> > > authenticate-the-linux-user-from-the-NT-PDC code, yet Jason Holland says "I
> > > have several samba boxes joined and authenticating to NT PDC's".
> > >
> > > There appears to be about 1/3 of a page of documentation on this. I'd gladly
> > > write a HOWTO if someone could take the time to elaborate a bit more. I've
> > > got most of the rest of the functionality of an NT Client working, just need
> > > the authenticate-from-NT part.
> >
> > Do you need to have a passwd file entry for each user when they authenticate of
> > a NT-PDC?
> >
> > Anyone got this to work w/ HPUX 10.20 or 11? (they seem to have an older
> > PAM version than is standard)
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 20:09:24 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: <38BC1BBB.CA4D2675@siac.com>
Message-ID:

ok, fantastic: thx 4 help on this, michael.

On Tue, 29 Feb 2000, Michael Breuer wrote:

> Update... I have managed to join the domain... here's how:
>
> 1) I deleted the workstation entry from smbpasswd.
> 2) I recreated the workstation account (rpcclient).
> 3) I deleted and recreated the workstation account for the NT PDC where the workstation
> was currently joined.
> 4) On the NT PDC, I "reset" the computer account in active directory for the samba
> computer
> [Note: There is no current working trust relationship between the systems... I've just
> mounted shares and played with settings]
> 5) I deleted and re-created the "root" account for the samba server.
> 6) I reset the system root password (/etc/passwd) to match the samba password
> 7) I joined the domain using the "root" account. Note that I could not join using any
> other account.
>
> Note: I'm not sure if *all* of these steps were necessary. I had failed attempts to
> join after steps 2, 3, 4 and 6.
>
> Luke Kenneth Casson Leighton wrote:
>
> > damn, damn - ok, i bet the two are related.
> >
> > ok.
> >
> > become_root()
> > ...
> > become_root()
> > ...
> > unbecome_root() - really does unbecome root
> > ...
> > samr_drect_query_userinfo() - fails because it's not root
> > ...
> > unbecome_root() - fails because we're already non-root.
> >
> > dammit.
> >
> > i'm not certain as to how to eliminate this, because according to some
> > people we should _only_ be running as root, which is a security risk if we
> > do it at the moment because there is no checking otherwise on file access
> > inside the msrpc code.
> >
> > i could "fix" this by doing an increment on become_root() instead of
> > root_depth = 1 do root_depth++...
> >
> > > Looks like 0018 status : c0000017 (both smb and netlogon)
> > >
> > > The smb log also contains ERROR: unbecome root depth is 0 (from lib/set_uid.c:354).
> > >
> > > Luke Kenneth Casson Leighton wrote:
> > >
> > > > On Tue, 29 Feb 2000, Michael Breuer wrote:
> > > >
> > > > > Ok... sorry.
> > > >
> > > > no problem.
> > > >
> > > > > First, let me note that with the same machines & configuration I was
> > > > > able to join the domain in 0.5. That said... I installed 0.7 and
> > > > > selected "network identity" on a W2K workstation. I entered the name
> > > > > of the samba domain and hit "OK." When prompted for the
> > > > > userid/password of a user authorized to join the machine to the
> > > > > domain, I entered the samba administrator id and password
> > > > > (Administrator). According to the logs, the "credentials" were 'null'
> > > > > and the ID mapped to root (uid=0). I tried a different account (also
> > > > > with administrator access to both the ws and samba --- and with same
> > > > > passwords). Same message. For fun, I added "root" to smbpasswd (with
> > > > > samedit) and set the password to match the root password of the unix
> > > > > system. Also no luck.
> > > >
> > > > hmm.... ok, 'cos i'm doing exactly that, and it works. hmm: can you take
> > > > a look in the logs, at level 100, for "status: C000" or maybe
> > > > "status:c0000"?
> > > >
> > > > this last error code will say what's failing. then let me know what you
> > > > think it might be, from the info proceeding the error-status-code.
> > > >
> > > > thx.
> > >
> >
> > Luke Kenneth Casson Leighton
> > Samba and Network Development
> > Samba Web site
> > Internet Security Systems, Inc.
> > Macmillan Technical Publishing
> >
> > ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From patl at cag.lcs.mit.edu Tue Feb 29 20:15:42 2000
From: patl at cag.lcs.mit.edu (Patrick J. LoPresti)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: "Sander Striker"'s message of "Wed, 1 Mar 2000 05:17:56 +1100"
References:
Message-ID:

"Sander Striker" writes:

> For now, and for me personally, this is a good fix. Make sure to
> keep it all symmetric though. It's very easy to forget an
> unbecome_root() :-)

How about making an "AS_ROOT" macro which you could use like this:

  AS_ROOT {
    stuff ();
  }

I am envisioning something like this:

  #define AS_ROOT for (int _i = 1 ; become_root(_i) ; _i = 0)

(Where become_root() takes an argument for whether to "become" or
"unbecome", and it returns its argument.)

The only problem with this macro is that it uses a C++-ism. If you
need straight C, you could define two macros which you would use like
this:

  BECOME_ROOT
    stuff();
  UNBECOME_ROOT

  #define BECOME_ROOT { become_root();
  #define UNBECOME_ROOT unbecome_root(); }

This is no easier to use than the current scheme, but it will give a
compile-time error (unbalanced curlies) if you screw up.

Just a thought.

 - Pat

From lkcl at samba.org Tue Feb 29 20:18:54 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To:
Message-ID:

> Yes. I created it using the rpcclient "adduser" command. (Which
> itself took a good half hour to figure out.) Was that wrong?

no, it's not wrong.

> Could someone please document *once*, in one place, the precise set of
> steps we are supposed to be using? And actually try it yourself in
> the process? As near as I can tell, the procedure goes something like
> this:
>
> 1) Make sure root account exists in smbpasswd (use "smbpasswd -a" if
> not)

yep. do a touch private/smbpasswd if it doesn't exist, that's a
long-standing bug, sorry.

> 2) Make sure machine account (MACHINE$) exists in /etc/passwd
>
> 3) (Is this step even right??) Use rpcclient to create the machine
> account in smbpasswd. (rpcclient with what args, exactly? What
> does the % in "rpcclient -S . -U root%" mean, anyway?)

equivalent to -U root -N (no password). sort-of. strictly speaking it
shouldn't be done, it's a security risk.

> 4) Use the network control panel to join the workstation to the
> domain, using the root login and password.
>
> 5) (Optional, for better security) Use rpcclient blah blah to
> randomize the trust account password

at this stage, that's a complication and it only works on nt4.

> hand, joined the domain *without* creating the machine account from
> Network Properties, and used rpcclient to reset the trust account
> password. Not exactly a streamlined process.

*sigh*...

From s.striker at striker.nl Tue Feb 29 20:37:09 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG 0.7 - can't join domain
In-Reply-To: <51FBD4A8EFD9D111BA7300A0C927DADB563224@xcgmd008.md.essd.northgrum.com>
Message-ID:

Hi,

>> I guess people are suggesting running as root and when doing file access
>> checking something like:
>> become_user(); check_access(file); unbecome_user();
>>
> *cough* race conditions *cough* heh heh
> [ btw ... access(2) does NOT necessarily reflect the actual access
>you will get under all circumstances anyway ]
>
> Anyway, if you take the root-unless-doing-file-access route, you
>really should do:
>
> become_user(); do_stuff_to_file_here_and_now(); unbecome_user();
>
> Honestly, though, in a daemon that very rarely actually does
>anything on behalf of a particular user, it might make more sense to just
>run as some no-access user most of the time (still have to start as root,
>though), and treat root as just another user to become (externally).
>internally, it'd be something like (pseudocode):
>
> void push_security_context(uid_t uid) {
>     do_push_security_context();     /* saves old uid, groups, etc */
>     setuid(0);                      /* switch back to root */
>     do_init_security_context(uid);  /* initgroups, setuid(), etc */
> }
>
> void pop_security_context() {
>     setuid(0);                      /* switch back to root */
>     do_pop_security_context();      /* restores old uid, groups, etc */
> }

Hey, I agree with you. It's only that the discussion on how Luke's daemons
should be run, is going on like for ages now... I'm just summarizing what
the majority has said in my opinion.

Sander

From SC4211 at email.mot.com Tue Feb 29 20:46:08 2000
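Added example, not code from Samba-TNG or from any poster in this thread: a small C model of the nested become_root()/unbecome_root() failure described earlier in the thread, next to the root_depth++ variant, using bracketing macros in the shape Pat suggests. The simulated uid in struct ctx, privileged_query(), inner_helper() and the macro argument are assumptions made so the model runs unprivileged; real code would switch the process credentials at those points.

```c
#include <stdio.h>

#define USER_UID 1000            /* constructed unprivileged uid */

/* Simulated process state (assumption: no real seteuid() calls). */
struct ctx {
    int euid;        /* simulated effective uid                        */
    int root_depth;  /* how many become_root() calls are outstanding   */
    int errors;      /* unbecome_root() calls made at depth 0          */
    int counted;     /* 0: root_depth = 1 style, 1: root_depth++ style */
};

static void become_root(struct ctx *c)
{
    if (c->counted)
        c->root_depth++;         /* nested calls are remembered */
    else
        c->root_depth = 1;       /* nested calls collapse into one */
    c->euid = 0;
}

static void unbecome_root(struct ctx *c)
{
    if (c->root_depth == 0) {    /* the "unbecome root depth is 0" case */
        c->errors++;
        return;
    }
    if (--c->root_depth == 0)
        c->euid = USER_UID;      /* only the outermost call drops root */
}

/* Bracketing macros: a missing partner leaves the braces unbalanced and
 * the file does not compile. A return between the two still skips the
 * unbecome, so the depth check above remains necessary. */
#define BECOME_ROOT(c)   { become_root(c);
#define UNBECOME_ROOT(c) unbecome_root(c); }

/* Stand-in for an operation that only succeeds as root. */
static int privileged_query(const struct ctx *c)
{
    return c->euid == 0 ? 0 : -1;
}

/* A helper that brackets its own work, as library code tends to do. */
static void inner_helper(struct ctx *c)
{
    BECOME_ROOT(c)
    UNBECOME_ROOT(c)
}

struct result {
    int query_rc;    /* 0 if the privileged call ran as root */
    int errors;      /* unbalanced unbecome_root() calls     */
    int final_euid;  /* identity after the outer bracket     */
};

/* become, nested become/unbecome, privileged call, unbecome */
static struct result run_nested(int counted)
{
    struct ctx c = { USER_UID, 0, 0, counted };
    struct result r;

    BECOME_ROOT(&c)
        inner_helper(&c);
        r.query_rc = privileged_query(&c);
    UNBECOME_ROOT(&c)

    r.errors = c.errors;
    r.final_euid = c.euid;
    return r;
}

int main(void)
{
    struct result single = run_nested(0);
    struct result nested = run_nested(1);

    printf("root_depth = 1: query=%d errors=%d euid=%d\n",
           single.query_rc, single.errors, single.final_euid);
    printf("root_depth++  : query=%d errors=%d euid=%d\n",
           nested.query_rc, nested.errors, nested.final_euid);
    return 0;
}
```

With the counter, the helper's unbecome only lowers the depth, so the privileged call still runs as root and the outer unbecome is the one that drops it.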
From: SC4211 at email.mot.com (Ryan Wyler)
Date: Tue Dec 2 02:28:50 2003
Subject: swat, security=domain
Message-ID: <38BC3010.98335F54@email.mot.com>

I have security=domain. For swat configuring, is there a way to specify
who can and can't login?? So far everything I've looked at seems that
you have to login with root to do swat configurations. On this machine
I want other people able to do swat configurations, but do not want to
give them the root (actually I can't give them the root).. Are there
ways around this?? I haven't found anything documented.

Thanks.

--
Ryan Wyler       SC4211@email.mot.com
Voice: (480) 732-4318
Motorola ITSS    Pager: ryan.page@monitor.sat.mot.com
U N I X
[ Unix is very Friendly ...
  ... just pickier about who it makes friends with. ]

From mbreuer at siac.com Tue Feb 29 20:55:57 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG: nmblib.c loops
References: <38BC1D7F.14124FD@siac.com>
Message-ID: <38BC325D.5099535E@siac.com>

Update: this problem is limited to rpcclient when one specifies a FQDN. I'm
guessing that there is a buffer overrun somewhere... looks like the name is
truncated. Rpcclient worked (and did not loop) when I specified the host name
without the dns suffix.

Michael Breuer wrote:

> Using rpcclient and attempting to log in to a W2K server, nmblib.c loops
> at line 1008 (according to the log output of rpcclient).
>
> Scenario:
>
> I was experimenting with making samba a BDC to a W2K PDC. I set up my
> smb.conf file as-per the FAQ. When I ran rpcclient to connect to the
> PDC, rpcclient hung. With log level 100, I see many many messages of:
>
> [2000/02/29 14:19:47, 100] libsmb/nmblib.c:(1008)
> receive_packet: 4 0
>
> (approx 14/second).
>
> Interspersed occasionally (about every 2 seconds) are:
> [2000/02/29 14:19:46, 4] libsmb/nmblib.c:(109)
> nmb packet from (137) header: id=2862
> opcode=Query(0) response=No
> header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
>
> header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
> question: q_name=<20> q_type=32 q_class=1
>
> [2000/02/29 14:19:46, 5] libsmb/nmblib.c:(752)
> Sending a packet of len 50 to (162.69.72.47) on port 137

From lkcl at samba.org Tue Feb 29 21:16:15 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: moving on.
Message-ID:

hi,

i'm no longer working for iss, as of... about 2 hours. i have a new job to
go to, more on that another time.

i am therefore incommunicado, effectively, for at least a week. i am
borrowing a portable, however it's very slow and i don't have a modem, and
it's also the only computer i have access to, right now.

so, i am taking an enforced break from samba development and email for a
short while.

lots of love,

luke

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From lkcl at samba.org Tue Feb 29 21:23:37 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG: nmblib.c loops
In-Reply-To: <38BC325D.5099535E@siac.com>
Message-ID:

never specified rpcclient with a fqdn. it _should_ truncate at the dot.

however.... it _should_... detect a dns name and try to use it as a dns
name and do a connection either to port 445 or to use *SMBSERVER.

oops, thx for reminding me of this.

On Wed, 1 Mar 2000, Michael Breuer wrote:

> Update: this problem is limited to rpcclient when one specifies a FQDN. I'm guessing that there is a buffer overrun somewhere...
> looks like the name is truncated. Rpcclient worked (and did not loop) when I specified the host name without the dns suffix.
>
> Michael Breuer wrote:
>
> > Using rpcclient and attempting to log in to a W2K server, nmblib.c loops
> > at line 1008 (according to the log output of rpcclient).
> >
> > Scenario:
> >
> > I was experimenting with making samba a BDC to a W2K PDC. I set up my
> > smb.conf file as-per the FAQ. When I ran rpcclient to connect to the
> > PDC, rpcclient hung. With log level 100, I see many many messages of:
> >
> > [2000/02/29 14:19:47, 100] libsmb/nmblib.c:(1008)
> > receive_packet: 4 0
> >
> > (approx 14/second).
> >
> > Interspersed occasionally (about every 2 seconds) are:
> > [2000/02/29 14:19:46, 4] libsmb/nmblib.c:(109)
> > nmb packet from (137) header: id=2862
> > opcode=Query(0) response=No
> > header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
> >
> > header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
> > question: q_name=<20> q_type=32 q_class=1
> >
> > [2000/02/29 14:19:46, 5] libsmb/nmblib.c:(752)
> > Sending a packet of len 50 to (162.69.72.47) on port 137
>

Luke Kenneth Casson Leighton
Samba and Network Development
Samba Web site
Internet Security Systems, Inc.
Macmillan Technical Publishing

ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From mbreuer at siac.com Tue Feb 29 21:23:46 2000
From: mbreuer at siac.com (Michael Breuer)
Date: Tue Dec 2 02:28:50 2003
Subject: TNG: 0.7 need ".rhosts" ???
Message-ID: <38BC38E2.7A130716@siac.com>

When attempting to mount a share from a W2K workstation connection to a different domain than that controlled by the samba server, I can only connect if the user's home directory contains a ".rhosts" entry for the W2K workstation.

In 2.x, no entry was necessary. In TNG 0.5, hosts.equiv worked. Now, only .rhosts.

I'd be happy to provide additional info, but I'm not sure what is needed.

From holm at informatik.umu.se Tue Feb 29 21:24:52 2000
From: holm at informatik.umu.se (holm@informatik.umu.se)
Date: Tue Dec 2 02:28:50 2003
Subject: i need to know a few things about Sama TNg 0.6 + Netscape LDAP 4.1 + PDC (fwd)
Message-ID:

Sorry Gabriel, I meant to send this to the list, not to you personally.

> I'm not configure LDAP, but i know that netscape directory have a parameter or
> something that is called "ntuser", someone knows if it is enough for samba
> authentication?
>
> I read Samba-PDC LDAP TNG howto made by Ignacio Coupeau at University of
> Navarra, but i find it a bit confuse or may be not clear for me.
>
> Well, i want to know if i must use smbpasswd if all the accounts are in the ldap
> server now, and i must add a machines account in the smbpasswd or in ldap
> directory?

Aaa, this raises an interesting question! If you have a user defined in ldap with uid=joe, how do you add a sambaAccount to this user? Both samedit and smbpasswd -a fail because uid joe already exists! I think samedit/smbpasswd needs to be a little smarter here. Perhaps something like this:

If the uid doesn't exist, no problem. If it exists, just add a sambaAccount object to the existing user. But what if the user already has a sambaAccount? Just add another one or what?

By the way, does anybody know the status of the new (nt5ldap) schema?

--------------------------------------------------------------------------
Åke Holmlund            Tel: +46 - 90 786 57 16
Umeå University         Fax: +46 - 90 786 65 50
Dept of informatics     Email: holm@informatik.umu.se
SE-901 87 Umeå
Sweden

From dpe at clark.net Tue Feb 29 22:11:16 2000
From: dpe at clark.net (David Edwards)
Date: Tue Dec 2 02:28:50 2003
Subject: moving on.
In-Reply-To:
Message-ID:

On Wed, 1 Mar 2000, Luke Kenneth Casson Leighton wrote:

> hi, i'm no longer working for iss, as of... about 2 hours. i have a new
> job to go to, more on that another time.
>
> i am therefore incommunicado, effectively, for at least a week. i am
> borrowing a portable, however it's very slow and i don't have a modem, and
> it's also the only computer i have access to, right now.
>
> so, i am taking an enforced break from samba development and email for a
> short while.

Good luck, enjoy your time away, and rest your wrists. :)

From pkennedy at loudcloud.com Tue Feb 29 22:43:24 2000
From: pkennedy at loudcloud.com (Paul Kennedy)
Date: Tue Dec 2 02:28:50 2003
Subject: Problems joining a domain with a Samba-TNG PDC
References:
Message-ID: <38BC4B8C.AED8B497@loudcloud.com>

Luke Kenneth Casson Leighton wrote:

> paul,
>
> the passdb/ code is probably going recursive / infinite loop black hole
> because of lib/domain_namemap.c
>
> check that there are no duplicate names in users and groups that could
> cause domain_namemap to go recursive.
>
> either rename, remove or remap them ("domain group/alias/user/builtin map").

Ok, so I think this was caused by this line in smb.conf

> password server = millstreet
>

After removing this entry from the file, the Samba server is no longer consuming 100% cpu.

Then I renamed my PC host from "paulpc" to "other" and made it join a workgroup named "workgroup".

I then ran samedit and recreated the paulpc$ machine account

samedit -S . -U root
createuser paulpc$

This operation caused modification of the paulpc$ entry's lmpassword and ntpassword attribute values in LDAP.

After a reboot, I changed the PC name back to paulpc, and made it rejoin the domain. I got a "Welcome to domain Airius" dialog. But in log.netlogon, (with debug level = 100) I see this, repeated 14 times:

PANIC: internal error

After rebooting paulpc, I try to logon to the domain Airius and fail. The message dialog which pops up says "The system cannot log you on to this domain because the systems computer account in it's primary domain is missing or the password on that account is incorrect".

I see from log.netlogon that Samba is searching the LDAP server using a search filter containing "ntuid=nobody", another containing "cn=nobody*" and a third containing "cn=nobody". Now, I haven't created an entry in LDAP for this UNIX account, using samedit or smbpasswd, making an entry corresponding to the UNIX /etc/passwd entry. Should I have ? If I need to create this LDAP entry, what should the password be ?

Other logfiles, log.lsarpc, log.smb, log.srvsvc, log.wkssvc also have entries indicating access by "nobody".

Pk.

>
>
> On Tue, 29 Feb 2000, Paul Kennedy wrote:
>
> > I'm getting pretty frustrated trying to get a Samba PDC working with an
> > LDAP backend. Here's how I'm configuring my system.
> >
> > I am running Samba, built --with-ldap and installed from the latest
> > Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST) , on a host
> > running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
> > millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
> > smbd, etc) required for PDC support.
> >
> > [root@millstreet bin]# pdc-smb start
> > Starting smbd...
> > Starting nmbd...
> > Starting srvsvcd...
> > Starting wkssvcd...
> > Starting lsarpcd...
> > Starting samrd...
> > Starting netlogond...
> > Starting winregd...
> > [root@millstreet bin]#
> >
> > For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
> > Linux host.
> >
> > I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
> > I am trying to make a member of the domain.
> >
> > The Linux host (PDC ) and PC (NT Server) are on different subnets.
> >
> > The Samba server's shares can be successfully viewed from other hosts.
> > The problems arise when I try to add a new member to the domain.
> >
> > I've followed all but the out-of-date instructions at
> > http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3. In
> > other words, I'm not using smbpasswd -m as directed there. Instead, I'm
> > adding workstation accounts to the /etc/passwd file on the Linux system
> > with /usr/sbin/useradd.
> >
> > In summary:
> > Samba Domain name: AIRIUS
> > Samba PDC Hostname: MILLSTREET
> > NT Server: PAULPC
> >
> > [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> > "NT Workstation Trust Account Samba" "millstreet\$"
> > [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> > "NT Workstation Trust Account Samba" "paulpc\$"
> > [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d
> > /h/paul -c "User Account" nelson -p o9Huu26
> > [root@millstreet slapd-millstreet]# cat /etc/passwd | grep $:
> > millstreet$:x:10107:10107:NT Workstation Trust Account
> > Samba:/home/millstreet$:/bin/false
> > paulpc$:x:10108:10108:NT Workstation Trust Account
> > Samba:/home/paulpc$:/bin/false
> > [root@millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
> > nelson:x:10109:10109:User Account:/h/paul:/bin/false
> > [root@millstreet slapd-millstreet]#
> >
> >
> > [root@millstreet bin]# samedit -S . -U root
> > Added interface ip=192.168.100.62 bcast=192.168.100.255
> > nmask=255.255.255.0
> > Enter Password:
> > [root@.]$
> > [root@.]$
> > [root@.]$ createuser millstreet$ -j
> > createuser millstreet$ -j
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: millstreet$ ACB: [W ]
> > socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > Join MILLSTREET to Domain AIRIUS
> > LSA_OPENSECRET:
> > Set $MACHINE.ACC: OK
> > [root@.]$
> > [root@.]$
> > [root@.]$ createuser paulpc$
> > createuser paulpc$
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: paulpc$ ACB: [W ]
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > [root@.]$
> > [root@.]$
> > [root@.]$ createuser nelson -p o9Huu26
> > createuser nelson -p o9Huu26
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: nelson ACB: [U ]
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > [root@.]$
> >
> > Normally the PC running NT Server is a member of a workgroup, but when I
> > make it a member of my AIRIUS domain, reboot and try to login to the
> > AIRIUS domain using the nelson credentials which I've added above, the
> > Linux host immediately ramps up to 100% cpu usage, and quickly reports
> > "too many files open" when I try to run any commands at any shell
> > prompt. Eventually, the NT Server logon attempt fails and a dialog is
> > raised containing the message "The system cannot log you on now because
> > the domain AIRIUS is not ".
> >
> > Questions:
> >
> > 1) Is the above sequence of operations for joining a workstation/server
> > to a domain correct ?
> >
> > 2) Has anyone experienced similar behaviour ?
> >
> > I can post any fragments of logfiles. Here are some fragments which look
> > useful:
> >
> > From log.lsarpc:
> >
> > Changed root to /
> > msrpc_process: client_name: lsarpc my_name: millstreet
> > api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENPOLICY2
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENSECRET
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_CLOSE
> > policy(pnum=1 ): Closing
> > end of file from client
> > Error getting policy state
> > Error getting policy state
> > Error getting policy rid
> > policy(pnum=2 ): Closing
> > Closing connections
> > Server exit (normal exit)
> > Changed root to /
> > msrpc_process: client_name: lsarpc my_name: millstreet
> > api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENPOLICY2
> >
> >
> > From log.nmb
> >
> > process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
> > PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
> > token=ffff
> > process_logon_packet: Logon from 192.168.1.87: code = 7
> > process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> > reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> > lm_20 token=ffff
> > wins_process_name_registration_request: Unique name registration for
> > name AIRIUS<1d> IP 192.168.1.87
> > wins_process_name_registration_request: Ignoring request to register
> > name AIRIUS<1d> from IP
> > 192.168.1.87.wins_process_name_registration_request: Group name
> > registration for name __MSBROWSE__<01> IP 192.168.1.87
> > wins_process_name_registration_request: Adding IP 255.255.255.255 to
> > group name __MSBROWSE__<01>.
> > wins_process_name_query: name query for name AIRIUS<1b> from IP
> > 192.168.1.87
> > wins_process_name_query: name query for name AIRIUS<1b> returning first
> > IP 192.168.100.62.
> > process_logon_packet: Logon from 192.168.1.87: code = 7
> > process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> > reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> > lm_20 token=ffff
> >
> > : Negative DNS answer for *SMBSERVER
> > add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP
> > 0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
> > DNS calling send_wins_name_query_response
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> > wins_process_name_query: name query for name *SMBSERVER<20> from IP
> > 192.168.100.62
> > wins_process_name_query: name query for name *SMBSERVER<20> returning
> > DNS fail.
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> > wins_process_name_query: name query for name *SMBSERVER<20> from IP
> > 192.168.100.62
> > wins_process_name_query: name query for name *SMBSERVER<20> returning
> > DNS fail.
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> >
> >
> >
> > Below is my smb.conf
> >
> > [global]
> > ldap suffix = "o=airius.com, o=loudcloud.com"
> > ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement,
> > o=NetscapeRoot"
> > ldap passwd file = /usr/local/etc/samba/private/ldappasswd
> > ldap server = millstreet.loudcloud.com
> > ldap port = 389
> >
> > workgroup = AIRIUS
> > netbios name = MILLSTREET
> > comment = Linux RedHat PDC Samba Server with LDAP backend
> > security = user
> > null passwords = yes
> > encrypt passwords = yes
> > password server = millstreet
> >
> > logon path = \\MERCURY\profiles\%G
> > logon script = %U.bat
> > logon drive = U:
> >
> > socket options = TCP_NODELAY
> > keep alive = 60
> > dead time = 30
> >
> > domain master = yes
> > domain logons = yes
> >
> > wins support = yes
> > name resolve order = wins lmhosts hosts bcast
> > wins proxy = yes
> >
> > time server = yes
> >
> > name resolve order = wins lmhosts hosts bcast
> >
> > [netlogon]
> > path = /usr/local/etc/samba/netlogon
> > locking = no
> > writeable = yes
> > comment = Net Logon share
> > guest ok = no
> > browseable = yes
> >
> > [joffre]
> > path = /tmp/samba
> > locking = no
> > writeable = yes
> > comment = Joffre share
> > guest ok = yes
> > browseable = yes
> >
> >
> >
> >
>
> Luke Kenneth Casson Leighton
> Samba and Network Development
> Samba Web site
> Internet Security Systems, Inc.
> Macmillan Technical Publishing
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals

From s.striker at striker.nl Tue Feb 29 22:56:16 2000
From: s.striker at striker.nl (Sander Striker)
Date: Tue Dec 2 02:28:50 2003
Subject: moving on.
Message-ID:

Hi Luke,

>hi, i'm no longer working for iss, as of... about 2 hours. i have a new
>job to go to, more on that another time.
>
>i am therefore incommunicado, effectively, for at least a week. i am
>borrowing a portable, however it's very slow and i don't have a modem, and
>it's also the only computer i have access to, right now.

Hmmm, guess someone should offer you some hardware. No, sorry, I'm not offering, I'm still in a buildup phase of my own. :-)

>so, i am taking an enforced break from samba development and email for a
>short while.
>
>lots of love,
>
>luke

Good luck on your new job. Enjoy your week(s) during this development break. I guess you can post the "Hey guys, here's the code freeze" message now :-)

Sander

From JasonJensen at home.com Tue Feb 29 17:08:32 2000
From: JasonJensen at home.com (Jason Jensen)
Date: Tue Dec 2 02:28:50 2003
Subject: problems
Message-ID: <000c01bf82d7$9b458fb0$0201a8c0@trt.cx>

Ok.. first.. i have NO idea how to setup a printer in the new printer setup.. i see a printers printr.. but i can't connect to it in win2k.. and i see a printers folder.. but the add new printer fails every time..

Also profiles are SO messed up.. i won't download a profile nor will it upload one.. i don't know what this is all about.. i compiled smb with the "configure --with-profiles" so?

From lkcl at samba.org Tue Feb 29 23:18:12 2000
From: lkcl at samba.org (Luke Kenneth Casson Leighton)
Date: Tue Dec 2 02:28:50 2003
Subject: Problems joining a domain with a Samba-TNG PDC
In-Reply-To: <38BC4B8C.AED8B497@loudcloud.com>
Message-ID:

On Tue, 29 Feb 2000, Paul Kennedy wrote:

>
>
> Luke Kenneth Casson Leighton wrote:
>
> > paul,
> >
> > the passdb/ code is probably going recursive / infinite loop black hole
> > because of lib/domain_namemap.c
> >
> > check that there are no duplicate names in users and groups that could
> > cause domain_namemap to go recursive.
> >
> > either rename, remove or remap them ("domain group/alias/user/builtin map").
>
> Ok, so I think this was caused by this line in smb.conf
>
> > password server = millstreet
> >

yepp!! that'll do it, that'll make tng a bdc. not very well, either :)

a) i still need a surs impl.

b) i've not tested that config, all sorts of horrible things could happen.

the problem with a) is that the tng server as a bdc is neither authoritative for the unix uid/gid database NOR the sid-rid space, so the algorithm approach just falls arse-over-tit, so to speak.

never mind, we'll get there. but not this week, sorry.

> I then ran samedit and recreated the paulpc$ machine account
>
> samedit -S . -U root
> createuser paulpc$
>
> This operation caused modification of the paulpc$ entry's lmpassword and
> ntpassword attribute values in LDAP.

that's good!

> After a reboot, I changed the PC name back to paulpc, and made it rejoin the
> domain. I got a "Welcome to domain Airius" dialog. But in log.netlogon,
> (with debug level = 100) I see this, repeated 14 times:
>
> PANIC: internal error

oops, follow the FAQ instructions, do a gdb (recompile first etc) if there's a coredump.

ppl who've done this b4, pls advise. thx.

From jamied at meatball.net Fri Feb 18 02:58:40 2000
From: jamied at meatball.net (Jamie Dahl)
Date: Tue Dec 2 02:33:23 2003
Subject: Windows NT Domain login on OpenBSD
Message-ID:

Following the instructions in the O'Reilly book, I am unable to create a dummy user account (Computer Trust Account); OpenBSD doesn't like $'s in the username. Anyone here have a workaround to this?

Jamie Dahl

"Thousands of tired, nerve-shaken, over-civilized people are beginning to find out that going to the mountains is going home; that wilderness is a necessity; and that mountain parks and reservations are useful not only as fountains of timber and irrigating rivers, but as fountains of life." --John Muir
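
In the "Problems joining a domain with a Samba-TNG PDC" thread above, the 100% CPU loop stopped once the `password server` line was removed from the smb.conf of the host that was also serving domain logons, and the posted file repeats `name resolve order`. The Python check below is an added example, not part of any message in this archive or of Samba-TNG; the function names and the trimmed sample configuration are constructed for illustration, and flagging the combination is a review heuristic drawn from the thread, not a rule Samba enforces.

```python
# Constructed sample, trimmed from the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
   workgroup = AIRIUS
   netbios name = MILLSTREET
   security = user
   encrypt passwords = yes
   password server = millstreet
   domain master = yes
   domain logons = yes
   wins support = yes
   name resolve order = wins lmhosts hosts bcast
   time server = yes
   name resolve order = wins lmhosts hosts bcast

[netlogon]
   path = /usr/local/etc/samba/netlogon
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: [(param, value, line_no), ...]}, keeping duplicates."""
    sections, current = {}, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Compare names case-insensitively with runs of spaces collapsed.
            sections[current].append((" ".join(key.lower().split()), value.strip(), line_no))
    return sections


def check_global(sections):
    """Return sorted (line_no, message) findings for the [global] section."""
    entries = sections.get("global", [])
    last = {param: (value, line_no) for param, value, line_no in entries}
    findings, first_seen = [], {}
    for param, _value, line_no in entries:
        if param in first_seen:
            findings.append((line_no, f"'{param}' repeated (first on line {first_seen[param]})"))
        first_seen.setdefault(param, line_no)
    # Heuristic from the thread: a host serving domain logons that also has
    # 'password server' set; removing that line ended the 100% CPU loop.
    is_dc = any(last.get(p, ("no", 0))[0].lower() in TRUE_VALUES
                for p in ("domain logons", "domain master"))
    if is_dc and "password server" in last:
        value, line_no = last["password server"]
        own_name = last.get("netbios name", ("", 0))[0].lower()
        targets = [s.lower() for s in value.replace(",", " ").split()]
        detail = "names this host" if own_name in targets else "is set"
        findings.append((line_no, f"'password server' {detail} while domain logons/master is enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, message in check_global(parse_smb_conf(SAMPLE_CONF)):
        print(f"line {line_no}: {message}")
```

Line numbers in the findings refer to the constructed sample, not to the file as posted in the thread.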