some weird bugs

Luke Kenneth Casson Leighton lkcl at samba.org
Sun Jan 16 16:26:38 GMT 2000


jens, i didn't realise how long this message was, i just kept going, and
going...

thanks very much!


On Mon, 17 Jan 2000, Jens Skripczynski wrote:

> Hi,
> 
> i think I ran over some strange bugs.
> Setup:
> SAMBA 3.0 with TNG.
> PDC: SHADOWLAND
> Domain: PRIVAT
> Client: TirNaOrg (NT4 SP4 German)
> 
> 1)
> I can connect to my Printer on shadowland by using \\shadowland\lp.
> But I did not configure a share named "lp" ?! Is this a bug or a feature ?

if you have a [printers] section, this is auto-generated from your
/etc/printcap file.

it's a feature, i hope it's a correct feature, i never use samba for
printing!
 
> 2)
> Most of the RPC to shadowland from TirNaOrg fail, some only when logged in as
> Domain User:
> \\PRIVAT\Jens: the IPC connect fails. I cannot open "network
> nei..."->"shadowland" =. The error "Auf \\shadowland kann nicht zugegriffen
> werden. \n Beim abgesetzten Proceduraufruf (RPC) ist ein Protokollfehler
> aufgetreten" Meaning something like "Cannot access \\shadowland. \n With the
> Procedure Call (RPC) a protocol Error occurred".

damn.  ok, can you send me all your configuration files, then?  i need to
repro your setup.

> But connecting as \\TIRNAORG\administrator:
> Everything works fine.

really????  interesting.

> I see the anonymous shares the Printers directory and
> my (configured) Printer "hp4p". 
> 
> -- Where can I trace this error ?
> 
> 2) The Usermanager fail to work:
> (Tried to translate) "With the Procedure Call (RPC) a protocol Error occurred.
> Do you want to select another Domain to administer".
> 
> 3) netlogond:
> The Logfile tells me the following:
> file_changed: Unable to stat file /usr/local/etc/samba/private/domaingroup.map. 
> Error was Permission denied

you need to store domaingroup.map in lib/ and make it world-readable and
definitely not writable by anyone other than root.

alternatively, store it in /etc, this seems to be becoming quite common...



> ">sudo ls -la /usr/local/etc/samba/private/"
> total 9
> drwx------   3 root     root         1024 Jan 14 22:57 .
> drwxr-xr-x   5 root     root         1024 Jan 13 22:37 ..
> -rw-------   1 root     root           46 Jan 13 22:37 PRIVAT.SHADOWLAND.mac

good.

> -rw-r--r--   1 root     root           42 Jan 13 22:33 PRIVAT.SID

good.  err, i think.  what is this file doing readable by all?

> -rw-r--r--   1 root     root           20 Jan 14 22:40 domaingroup.map
> -rw-r--r--   1 root     root           19 Jan 14 22:57 domainuser.map
> -rw-r--r--   1 root     root           29 Jan 13 20:40 localgroup.map

not good, these need to be in a world-readable location.   this probably
explains why you can access things as root (administrator) but not as any
of your ordinary users.


> drwxr-xr-x   2 root     root         1024 Dec 17 16:57 old
> -rw-------   1 root     root          638 Jan 15 17:49 smbpasswd
> 
> As I run samba as root netlogon should find the file and access it...
> 
> Also after starting netlogond in the logfile the following line give me a
> headache:
> Added interface ip=192.168.0.254 bcast=192.168.0.255 nmask=255.255.255.0
> Added interface ip=10.0.0.254 bcast=10.0.0.255 nmask=255.255.255.0
> standard input is not a socket, assuming -D option
> create_pipe_socket: /var/lock/samba/.msrpc perms=448
> /var/lock/samba/.msrpc/NETLOGON perms=448
> *** Please someone examine create_pipe_socket and fix it ***
> *** if used other than for exclusive root access ***
> *** (see perms, which should be 0700 and 0600) ***
> *** there is a race condition to be exploited. ***
> --> remove on /var/lock/samba/.msrpc/NETLOGON failed <--
> waiting for a connection
> 
> 
> Why does he want to remove his own pipe/socket ? Even he does not fail to
> operate. What shall this logmessage tell me ?

it's telling me that someone needs to examine and fix this code.

the requirements are:

- to be able to kill off a daemon (e.g. kill -9 netlogond) and restart it
from command-line (bin/netlogond) and have it reopen the unix socket
.../.msrpc/NETLOGON

i hacked up what i could understand, which ain't much.
 
> 3)
> Here is a log of smbd:
> ftp is my anonymous user.
> Jens is myself.
> LP is my Printer !
> 
> lib/access.c:check_access(258) Allowed connection from TirNaOrg.sc (10.0.0.3)
> smbd/password.c:pass_check_smb(504) Couldn't find user 'ftp' in smb_passwd file.
> smbd/password.c:pass_check_smb(504) Couldn't find user 'ftp' in smb_passwd file.
> smbd/password.c:pass_check_smb(532) pass_check_smb failed - invalid password for user [claudia]
> smbd/password.c:pass_check_smb(532) pass_check_smb failed - invalid password for user [jens]
> smbd/password.c:pass_check_smb(504) Couldn't find user 'lp' in smb_passwd file.
> rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(140) user session key not available (yet).
> rpc_server/srv_pipe_hnd.c:open_rpc_pipe_p(141) password-change operations may fail.
> 
> a) As user ftp is my anonymous user, why does samba complain about not being in
> the smbpasswd file ? 

is the anonymous user in the smbpasswd file?  if not, that's the reason
for your error!!!!  

you will need to use "guest ok = yes".

actually, what i _should_ do is set up the samba "Guest Account"
functionality as NT.

> b) I _did_ use the correct password ! Why does samba tell
> an invalid password ? Is this a wrong log message ?
> c) Why does samba suddenly look up a share name as a user ?
> 
> 4) All the socket daemons give the following error :
> *** Please someone examine create_pipe_socket and fix it ***
> *** if used other than for exclusive root access ***
> *** (see perms, which should be 0700 and 0600) ***
> *** there is a race condition to be exploited. ***
> 
> Isn't there a way to implement something similar to fetchmail or sshd
> who check at the start for the correct file perms ? 
> as dirmode 0700 root.root and 0600 root.root filemode shouldn't be possibly
> exploited. 

this code is also used by smb-agent.  smb-agent can be run _as_ an
ordinary user for the exclusive use _by_ an ordinary user.  its purpose
is similar to "net use \\server\share /user:" whereby it caches user/pass
for that connection, on your behalf.

i started out with ssh-agent's code, originally.

> 5) The changing of file permissions on samba shares does not work either.
> Again some RPC error...

there's no means to change file permissions in SAMBA_TNG.  that's about
1000 lines of code added by jeremy to 2.0.x.
 
> 6) When i configure the Profiles directory with a sticky bit (mode 1777)
> The TNG tree automatically makes a Profile directory under the Profile share
> when the user first logs in. The 3.0/tng combination fails.

????! !!!!  i don't get it.

> 7) How good are 3.0 and tng connected together. I mean after what amount of
> time are changes in the tng subtree available in the 3.0 ? Is it instantly
> because this pipe/socket stuff ? Or are there certain changes in the 3.0 tree
> to be done  for new features to work ?

the domain username map code i disabled in TNG in smbd, as it pulled in
far too much other code that i didn't want hanging around in smbd.  i
still haven't come up with a solution to this.

it _does_ mean, however, that using 3.0 and TNG for file sharing will be
more consistent, as 3.0 doesn't have domain username map _either_! :)

> Luke can you (if you have some spare time) maybe make a check list of things 
> working at tng, someone who is responsible for the head branch also.
> So one could check what works at the combination.

i'm going to ask if someone else could volunteer to maintain this, so that
even i can use it to tick things off!

basically, i'm relying heavily on you people to tell me what's working and
what isn't, while i continue to do tests myself.
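
Added example, not part of the original message and not Samba TNG source: one way to do the sshd-style startup check asked about in point 4 while still meeting the "kill -9 and restart" requirement. The socket directory must be a real directory owned by the running user with mode exactly 0700 (the perms=448 in the log), and the socket is created 0600. The function names check_private_dir and open_private_socket are hypothetical.

```c
/* Added example, not Samba TNG source. Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 0 only if dir is a real directory (lstat: a symlink fails), owned by
 * the effective uid, with mode exactly 0700. */
int check_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != geteuid()) return -1;
    return (st.st_mode & 07777) == 0700 ? 0 : -1;
}

/* Bind a listening socket dir/name with mode 0600; returns fd or -1. */
int open_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa;
    struct stat st;
    mode_t old;
    int fd, n, ok;

    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    if (check_private_dir(dir) != 0) return -1;  /* refuse to start */

    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    n = snprintf(sa.sun_path, sizeof sa.sun_path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof sa.sun_path) return -1;

    /* Leftover from a killed daemon: remove it, but only if it is a
     * socket; in a verified 0700 directory no other unprivileged user
     * can replace it between the check and the unlink. */
    if (lstat(sa.sun_path, &st) == 0 &&
        (!S_ISSOCK(st.st_mode) || unlink(sa.sun_path) != 0)) return -1;

    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    old = umask(0177);  /* socket is born 0600, no chmod-after-bind gap */
    ok = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 5) == 0;
    umask(old);
    if (!ok) { close(fd); return -1; }
    return fd;
}
```

Because ownership is compared with the effective uid rather than with root, the same check covers the smb-agent case of a socket private to an ordinary user.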


