samba-technical Digest, Vol 111, Issue 5
Kums@Arise
kumss03 at gmail.com
Mon Mar 5 20:41:04 MST 2012
hi dude's i need to now about full samba config for redhat 5.3 server.plz
attch ...
2012/3/6 <samba-technical-request at lists.samba.org>
> Send samba-technical mailing list submissions to
> samba-technical at lists.samba.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.samba.org/mailman/listinfo/samba-technical
> or, via email, send a message with subject or body 'help' to
> samba-technical-request at lists.samba.org
>
> You can reach the person managing the list at
> samba-technical-owner at lists.samba.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of samba-technical digest..."
>
> Today's Topics:
>
> 1. Re: [Samba] V4 - New Install - Missing Zone File (JDFire)
> 2. Re: [Samba] V4 - New Install - Missing Zone File (Amitay Isaacs)
> 3. The meaning of a DENY ACE for BUILTIN\Administrators against
> WRITE_DAC | READ_CONTROL (Richard Sharpe)
> 4. Re: The meaning of a DENY ACE for BUILTIN\Administrators
> against WRITE_DAC | READ_CONTROL (Richard Sharpe)
> 5. [PATCH] handle endpoint registration and rpc_<service>_init()
> in the correct process (Andrew Bartlett)
> 6. Re: The meaning of a DENY ACE for BUILTIN\Administrators
> against WRITE_DAC | READ_CONTROL (Jeremy Allison)
> 7. Re: The meaning of a DENY ACE for BUILTIN\Administrators
> against WRITE_DAC | READ_CONTROL (Richard Sharpe)
> 8. Improving the speed of make test (Andrew Bartlett)
> 9. Re: Improving the speed of make test (Volker Lendecke)
> 10. Re: Enhance VFS rename op to rename AppleDouble file (Frank Lahm)
> 11. Error with "samba-tool domain join"ERROR(runtime): uncaught
> exception - (-1073741790, 'Access denied') (Manuel Alguacil Pay?n)
> 12. Re: [PATCH] smb2 FSCTL_SRV_COPYCHUNK support (David Disseldorp)
> 13. repost - how to debug samba4 not becoming DC (Greg Dickie)
> 14. Re: Improving the speed of make test (Jelmer Vernooij)
> 15. Re: Enhance VFS rename op to rename AppleDouble file
> (Jeremy Allison)
>
>
> ---------- Forwarded message ----------
> From: JDFire <jdfire at cox.net>
> To: Amitay Isaacs <amitay at gmail.com>
> Cc: "samba-technical at lists.samba.org" <samba-technical at lists.samba.org>
> Date: Sun, 4 Mar 2012 17:15:10 -0700
> Subject: Re: [Samba] V4 - New Install - Missing Zone File
> Amitay,
>
> On Mar 3, 2012, at 8:03 AM, Amitay Isaacs <amitay at gmail.com> wrote:
>
> > related to having wrong keytab for dns. Can you try a fresh provision
> > with the latest git tree and check if it works?
> >
> >
>
> Is there any way you could provide the steps for this? I want to make sure
> I follow directions to make sure I do it right.
>
> Regards,
> Jeremy
>
>
> ---------- Forwarded message ----------
> From: Amitay Isaacs <amitay at gmail.com>
> To: JDFire <jdfire at cox.net>
> Cc: "samba-technical at lists.samba.org" <samba-technical at lists.samba.org>
> Date: Mon, 5 Mar 2012 11:25:07 +1100
> Subject: Re: [Samba] V4 - New Install - Missing Zone File
> On Mon, Mar 5, 2012 at 11:15 AM, JDFire <jdfire at cox.net> wrote:
> > Amitay,
> >
> > On Mar 3, 2012, at 8:03 AM, Amitay Isaacs <amitay at gmail.com> wrote:
> >
> >> related to having wrong keytab for dns. Can you try a fresh provision
> >> with the latest git tree and check if it works?
> >>
> >>
> >
> > Is there any way you could provide the steps for this? I want to make
> sure I follow directions to make sure I do it right.
> >
> > Regards,
> > Jeremy
>
> Hi Jeremy,
>
> These are the same steps from Samba4 HOWTO.
>
> Assuming you have pulled the latest git and did make install with
> prefix /usr/local/samba,
>
> 1. Do a new provision
>
> # /usr/local/samba/sbin/provision \
> --realm=<realm> \
> --domain=<domain> \
> --adminpass=<password> \
> --server-role="domain controller"
>
> 2. Add following line to the "options" statement of named.conf
>
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> 3. Add following line to named.conf
>
> include "/usr/local/samba/private/named.conf";
>
> 4. (Re)Start named and make sure /etc/resolv.conf uses local nameserver.
>
> 5. Start samba
>
> You can test if secure dynamic updates are working or not, by executing
>
> # /usr/local/samba/sbin/samba_dnsupdate --verbose
>
> If that works, then your DNS is set up correctly.
>
> Amitay.
>
>
>
> ---------- Forwarded message ----------
> From: Richard Sharpe <realrichardsharpe at gmail.com>
> To: samba-technical <samba-technical at lists.samba.org>
> Cc:
> Date: Sun, 4 Mar 2012 16:30:50 -0800
> Subject: The meaning of a DENY ACE for BUILTIN\Administrators against
> WRITE_DAC | READ_CONTROL
> Hi,
>
> What would it mean if there was a deny ACE in an ACL on a file that
> denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>
> That is, what does Windows do?
>
> The next question is: Is the code that handles DENY entries in
> se_access_check in the Samba master branch correct? It does:
>
> bits_remaining |= explicitly_denied_bits;
>
> done:
> if (bits_remaining != 0) {
> *access_granted = bits_remaining;
> return NT_STATUS_ACCESS_DENIED;
> }
>
> This code would seem to override privileges, and I am not sure that
> that is the intent, especially given that Microsoft introduced Owner
> Rights in Server 2008.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
>
>
> ---------- Forwarded message ----------
> From: Richard Sharpe <realrichardsharpe at gmail.com>
> To: samba-technical <samba-technical at lists.samba.org>
> Cc:
> Date: Sun, 4 Mar 2012 16:38:38 -0800
> Subject: Re: The meaning of a DENY ACE for BUILTIN\Administrators against
> WRITE_DAC | READ_CONTROL
> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> > Hi,
> >
> > What would it mean if there was a deny ACE in an ACL on a file that
> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
>
> Hmmm, what I really meant was DENY WRITE OWNER ...
>
> > That is, what does Windows do?
> >
> > The next question is: Is the code that handles DENY entries in
> > se_access_check in the Samba master branch correct? It does:
> >
> > bits_remaining |= explicitly_denied_bits;
> >
> > done:
> > if (bits_remaining != 0) {
> > *access_granted = bits_remaining;
> > return NT_STATUS_ACCESS_DENIED;
> > }
> >
> > This code would seem to override privileges, and I am not sure that
> > that is the intent, especially given that Microsoft introduced Owner
> > Rights in Server 2008.
> >
> > --
> > Regards,
> > Richard Sharpe
> > (何以解憂?唯有杜康。--曹操)
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
>
>
> ---------- Forwarded message ----------
> From: Andrew Bartlett <abartlet at samba.org>
> To: Andreas Schneider <asn at cryptomilk.org>
> Cc: samba-technical at samba.org
> Date: Mon, 05 Mar 2012 12:58:30 +1100
> Subject: [PATCH] handle endpoint registration and rpc_<service>_init() in
> the correct process
> Andreas,
>
> The attached patches are the relevant parts of my s3fs-wip tree, which
> shows by passing make test that we do not need to register or initialise
> 'external' rpc services in dcesrv_ep_setup().
>
> Those services which are in the spoolssd and lsasd children are already
> initialised and registered to the endpoint mapper there, and when these
> services are handled externally to smbd (ie, in Samba4 for
> plugin_s4_dc), no initialisation of the s3 service implementation is
> desired or required.
>
> Similarly, it makes no sense to initialise the endpoint mapper except in
> the endpoint mapper's own forked child process, so I have removed this
> code (presumably left over from early development).
>
> Please let me know what you think,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
> ---------- Forwarded message ----------
> From: Jeremy Allison <jra at samba.org>
> To: Richard Sharpe <realrichardsharpe at gmail.com>
> Cc: samba-technical <samba-technical at lists.samba.org>
> Date: Sun, 4 Mar 2012 18:25:14 -0800
> Subject: Re: The meaning of a DENY ACE for BUILTIN\Administrators against
> WRITE_DAC | READ_CONTROL
> On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
> > 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> > > Hi,
> > >
> > > What would it mean if there was a deny ACE in an ACL on a file that
> > > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
> >
> > Hmmm, what I really meant was DENY WRITE OWNER ...
> >
> > > That is, what does Windows do?
> > >
> > > The next question is: Is the code that handles DENY entries in
> > > se_access_check in the Samba master branch correct? It does:
> > >
> > > bits_remaining |= explicitly_denied_bits;
> > >
> > > done:
> > > if (bits_remaining != 0) {
> > > *access_granted = bits_remaining;
> > > return NT_STATUS_ACCESS_DENIED;
> > > }
> > >
> > > This code would seem to override privileges, and I am not sure that
> > > that is the intent, especially given that Microsoft introduced Owner
> > > Rights in Server 2008.
>
> Let's test it against Windows before we change any Samba code...
>
> Jeremy.
>
>
>
> ---------- Forwarded message ----------
> From: Richard Sharpe <realrichardsharpe at gmail.com>
> To: Jeremy Allison <jra at samba.org>
> Cc: samba-technical <samba-technical at lists.samba.org>
> Date: Sun, 4 Mar 2012 18:27:46 -0800
> Subject: Re: The meaning of a DENY ACE for BUILTIN\Administrators against
> WRITE_DAC | READ_CONTROL
> On Sun, Mar 4, 2012 at 6:25 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Sun, Mar 04, 2012 at 04:38:38PM -0800, Richard Sharpe wrote:
> >> 2012/3/4 Richard Sharpe <realrichardsharpe at gmail.com>:
> >> > Hi,
> >> >
> >> > What would it mean if there was a deny ACE in an ACL on a file that
> >> > denies BUILTIN\Administrators WRITE_DAC | READ_CONTROL?
> >>
> >> Hmmm, what I really meant was DENY WRITE OWNER ...
> >>
> >> > That is, what does Windows do?
> >> >
> >> > The next question is: Is the code that handles DENY entries in
> >> > se_access_check in the Samba master branch correct? It does:
> >> >
> >> > bits_remaining |= explicitly_denied_bits;
> >> >
> >> > done:
> >> > if (bits_remaining != 0) {
> >> > *access_granted = bits_remaining;
> >> > return NT_STATUS_ACCESS_DENIED;
> >> > }
> >> >
> >> > This code would seem to override privileges, and I am not sure that
> >> > that is the intent, especially given that Microsoft introduced Owner
> >> > Rights in Server 2008.
> >
> > Let's test it against Windows before we change any Samba code...
>
> I agree with that, that is for sure. I am just raising the issue at
> this stage. Will test some time this week.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
>
>
> ---------- Forwarded message ----------
> From: Andrew Bartlett <abartlet at samba.org>
> To: samba-technical at samba.org
> Cc: jelmer at samba.org
> Date: Mon, 05 Mar 2012 18:36:57 +1100
> Subject: Improving the speed of make test
> Jelmer and others interested in selftest:
>
> A while back, I started doing some profiling to determine where the time
> is spent in 'make test', using 'perf'.
>
> I was surprised to find that 15% of our time is spent in routines
> associated with SHA1, due to adding users and kinit. Both of these run
> a *lot* of SHA1, because salting the password for the AES-based kerberos
> keys uses multiple thousands of rounds of SHA1, to make brute forcing
> the password hash harder.
>
> The fix is simple:
> - change acl.py and similar tests not to create a user for each unit
> test, but re-use one for the whole testsuite
> - kinit once at the start of make test, for all connections that should
> be made as administrator. Use that credential cache for all connections
> instead of $USERNAME and $PASSWORD
> - create another user if we ever need to modify the groups of the
> administrator (the cached PAC won't update).
>
> I've not got around to doing this yet, but as the python selftest
> rewrite is under way, I wanted to ensure this was catered for in the
> design.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
>
>
> ---------- Forwarded message ----------
> From: Volker Lendecke <Volker.Lendecke at SerNet.DE>
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: samba-technical at samba.org
> Date: Mon, 5 Mar 2012 09:23:54 +0100
> Subject: Re: Improving the speed of make test
> On Mon, Mar 05, 2012 at 06:36:57PM +1100, Andrew Bartlett wrote:
> > Jelmer and others interested in selftest:
> >
> > A while back, I started doing some profiling to determine where the time
> > is spent in 'make test', using 'perf'.
> >
> > I was surprised to find that 15% of our time is spent in routines
>
> Is that total time or CPU time? Quite some of the tests in
> the file server area look at or depend on timeout behaviour.
> The tests for share modes for example come to mind. With
> some care (independent file names), they could probably very
> well run in parallel and gain quite a bit of total time.
>
> With best regards,
>
> Volker
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
>
>
>
> ---------- Forwarded message ----------
> From: Frank Lahm <franklahm at googlemail.com>
> To: Jeremy Allison <jra at samba.org>
> Cc: samba-technical at lists.samba.org
> Date: Mon, 5 Mar 2012 11:43:28 +0100
> Subject: Re: Enhance VFS rename op to rename AppleDouble file
> Am 1. November 2011 19:47 schrieb Frank Lahm <franklahm at googlemail.com>:
> > 2011/10/17 Jeremy Allison <jra at samba.org>:
> >> On Mon, Oct 17, 2011 at 12:39:31PM +0200, Frank Lahm wrote:
> >>> Hi,
> >>>
> >>> 2011/10/8 Frank Lahm <franklahm at googlemail.com>:
> >>> > 2011/9/22 Frank Lahm <franklahm at googlemail.com>:
> >>> >> 2011/9/21 Volker Lendecke <Volker.Lendecke at sernet.de>:
> >>> >>> On Wed, Sep 21, 2011 at 09:48:54AM +0200, Frank Lahm wrote:
> >>> >>>> 2011/8/24 Frank Lahm <franklahm at googlemail.com>:
> >>> >>>> > wanted to bring this to your attention:
> >>> >>>> > <https://bugzilla.samba.org/show_bug.cgi?id=8398>
> >>> >>>>
> >>> >>>> any additional comments here ? Anything preventing a commit ?
> Thanks!
> >>> >>>
> >>> >>> Well, the become_root() as far as I can see is still in.
> >>> >>
> >>> >> Ok, as I'm not receiving direct response to my reasoning in the bug
> >>> >> report, I've modified the patch to call rename without becoming
> root.
> >>> >>
> >>> >>> This might be a reason not to put this patch in.
> >>> >>
> >>> >> Thanks for taking time.
> >>> >
> >>> > *ping*
> >>> >
> >>> > Thanks!
> >>>
> >>> please review and possibly commit. I can't really continue my work on
> >>> the Netatalk VFS module without this being committed first.
> >>
> >> Still working on this.. Should get committed this week.
> >
> > *ping*
>
> *ping*
>
> Thanks!
> -f
>
>
>
> ---------- Forwarded message ----------
> From: "Manuel Alguacil Payán" <malguacil at gmail.com>
> To: samba-technical at lists.samba.org
> Cc:
> Date: Mon, 5 Mar 2012 13:35:35 +0100
> Subject: Error with "samba-tool domain join"ERROR(runtime): uncaught
> exception - (-1073741790, 'Access denied')
> When I execute the following command:
>
> root# ./samba-tool domain join my.domain DC -Uadministrator
> --realm=my.realm
>
>
> I get the following error:
>
> DC -Uadministrator --realm=my.realm
> Finding a writeable DC for domain 'my.domain'
> Found DC myDC.my.domain
> Password for [my.domain\administrator]:
> Password for [my.domain\administrator]:
> workgroup is MYWRKGRP
> realm is my.realm
> checking sAMAccountName
> Adding CN=MYMACHINE,OU=Domain Controllers,DC=my.domain
> Adding
> CN=MYMACHINE,CN=Servers,CN=xxx,CN=Sites,CN=Configuration,DC=my.domain
> Adding CN=NTDS
>
> Settings,CN=MYMACHINE,CN=Servers,CN=xxx,CN=Sites,CN=Configuration,DC=my.domain*Join
> failed* - cleaning up
> checking sAMAccountName
> Deleted CN=MYMACHINE,OU=Domain Controllers,DC=my.domain
> Deleted
> CN=MYMACHINE,CN=Servers,CN=xxx,CN=Sites,CN=Configuration,DC=my.domain
> ERROR(runtime): uncaught exception - (-1073741790, '*Access denied*')
> File
>
> "*/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/*__init__.py",
> line 162, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 180, in run
> machinepass=machinepass)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 966, in join_DC
> ctx.do_join()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 871, in do_join
> ctx.join_add_objects()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 467, in join_add_objects
> ctx.join_add_ntdsdsa()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 416, in join_add_ntdsdsa
> ctx.DsAddEntry([rec])
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 326, in DsAddEntry
> ctx.drsuapi_connect()
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line
> 305, in drsuapi_connect
> (ctx.drsuapi_handle, ctx.bind_supported_extensions) =
> drs_utils.drs_DsBind(ctx.drsuapi)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py",
> line 144, in drs_DsBind
> (info, handle) = drs.DsBind(misc.GUID(drsuapi.DRSUAPI_DS_BIND_GUID),
> bind_info)
>
>
> In earlier versions of SAMBA4alpha18 this worked fine, but since two weeks
> ago, I cannot join any SAMBA to the domain.
>
> I got SAMBA from the GIT repository.
>
> --
> *
> **"Debo confesar que nací a una edad muy temprana."*
> * Julius Henry Marx (1890-1977)*
>
>
>
> ---------- Forwarded message ----------
> From: David Disseldorp <ddiss at suse.de>
> To: samba-technical <samba-technical at lists.samba.org>
> Cc:
> Date: Mon, 5 Mar 2012 15:44:47 +0100
> Subject: Re: [PATCH] smb2 FSCTL_SRV_COPYCHUNK support
> Hi,
>
> On Wed, 15 Feb 2012 09:29:32 -0800
> Jeremy Allison <jra at samba.org> wrote:
>
> > On Wed, Feb 15, 2012 at 04:05:39PM +0100, Volker Lendecke wrote:
> ...
> > > The _send/_recv
> > > model makes it possible to keep the main engine
> > > single-threaded but opens up the possibility to do a
> > > threaded implementation in the VFS. See for example the
> > > vfs_aio_pthread module that Jeremy added lately. It still
> > > uses the posix AIO based VFS calls, but I think those should
> > > be converted to pread_send/recv and pwrite_send/recv, hiding
> > > the ugliness of the Posix API in some default module.
> >
> > +1 for that. If we had pread[write]_send() and pread[write]_recv()
> > this code could become a lot simpler (and possibly on by default)
> > in smbd.
>
> Thanks for the feedback so far. I've push a new round of changes which
> add copy chunk _send and _recv VFS hooks, allowing for simplified async
> implementations. The existing vfs_default and vfs_btrfs copy chunk
> back-ends remain synchronous.
>
> A few other changes have been made since the previous push:
> - rebased to master
> - changed chunk limits to match Windows Server 2k8
> - squashed a number of commits
>
> Any further feedback, particularly regarding the async architecture,
> would be much appreciated.
>
> Cheers, David
>
>
> http://git.samba.org/?p=ddiss/samba.git;a=shortlog;h=refs/heads/smb2_copychunk_async_rb5
>
> The following changes since commit
> 14d31376aab703dbb14d1cd786baeaf84361cd96:
>
> s3-lsasd: Fix debug messages on registration failure (2012-03-05 09:50:17
> +0100)
>
> are available in the git repository at:
> git://git.samba.org/ddiss/samba.git smb2_copychunk_async_rb5
>
> David Disseldorp (9):
> s3-smb2: split ioctl handlers into separate functions
> s3-smb2: split ioctl handler code on device type
> s3-ioctl: fix smb2 named pipe ioctl handler
> s3-server: add smb2 FSCTL_SRV_REQUEST_RESUME_KEY support
> s3-vfs: add copy_chunk vfs hook
> s3-server: add support for smb2 FSCTL_SRV_COPYCHUNK
> s3-vfs: add vfs_btrfs module
> s3-server: remove smb2 ioctl error response assumption
> s4-torture: skip FSCTL_SRV_ENUM_SNAPS test when not supported
>
> examples/VFS/skel_opaque.c | 21 ++
> examples/VFS/skel_transparent.c | 22 ++
> libcli/smb/smb_constants.h | 2 +
> selftest/skip | 1 -
> source3/Makefile.in | 11 +
> source3/configure.in | 13 +
> source3/include/vfs.h | 25 ++-
> source3/include/vfs_macros.h | 10 +
> source3/modules/vfs_btrfs.c | 142 +++++++++++
> source3/modules/vfs_default.c | 65 +++++
> source3/modules/vfs_full_audit.c | 34 +++
> source3/modules/wscript_build | 9 +
> source3/selftest/tests.py | 2 +-
> source3/smbd/smb2_ioctl.c | 425
> ++++++---------------------------
> source3/smbd/smb2_ioctl_dfs.c | 119 ++++++++++
> source3/smbd/smb2_ioctl_filesys.c | 49 ++++
> source3/smbd/smb2_ioctl_named_pipe.c | 164 +++++++++++++
> source3/smbd/smb2_ioctl_network_fs.c | 433
> ++++++++++++++++++++++++++++++++++
> source3/smbd/smb2_ioctl_private.h | 54 +++++
> source3/smbd/vfs.c | 26 ++-
> source3/wscript | 11 +
> source3/wscript_build | 5 +
> source4/libcli/smb2/ioctl.c | 29 ++-
> source4/torture/smb2/ioctl.c | 68 +++++-
> 24 files changed, 1383 insertions(+), 357 deletions(-)
> create mode 100644 source3/modules/vfs_btrfs.c
> create mode 100644 source3/smbd/smb2_ioctl_dfs.c
> create mode 100644 source3/smbd/smb2_ioctl_filesys.c
> create mode 100644 source3/smbd/smb2_ioctl_named_pipe.c
> create mode 100644 source3/smbd/smb2_ioctl_network_fs.c
> create mode 100644 source3/smbd/smb2_ioctl_private.h
>
>
>
>
> ---------- Forwarded message ----------
> From: Greg Dickie <greg at justaguy.ca>
> To: samba-technical <samba-technical at lists.samba.org>
> Cc:
> Date: Mon, 05 Mar 2012 09:02:14 -0500
> Subject: repost - how to debug samba4 not becoming DC
>
> Hi,
>
> No response to my other posts. I'm just looking for a pointer of where
> I can look for the cause of my samba-tool domain join failing. Level 10
> debug seems to give ACCESS DENIED on rpc. Nothing interesting I can see
> in the event viewer on the DC.
>
> Any clues?
>
> Thanks,
> Greg
>
> --
> Greg Dickie
> just a guy
> 514-983-5400
>
>
>
>
> ---------- Forwarded message ----------
> From: Jelmer Vernooij <jelmer at samba.org>
> To: samba-technical at lists.samba.org
> Cc:
> Date: Mon, 05 Mar 2012 17:44:35 +0100
> Subject: Re: Improving the speed of make test
> On 03/05/2012 08:36 AM, Andrew Bartlett wrote:
>
>> Jelmer and others interested in selftest:
>>
>> A while back, I started doing some profiling to determine where the time
>> is spent in 'make test', using 'perf'.
>>
>> I was surprised to find that 15% of our time is spent in routines
>> associated with SHA1, due to adding users and kinit. Both of these run
>> a *lot* of SHA1, because salting the password for the AES-based kerberos
>> keys uses multiple thousands of rounds of SHA1, to make brute forcing
>> the password hash harder.
>>
>> The fix is simple:
>> - change acl.py and similar tests not to create a user for each unit
>> test, but re-use one for the whole testsuite
>> - kinit once at the start of make test, for all connections that should
>> be made as administrator. Use that credential cache for all connections
>> instead of $USERNAME and $PASSWORD
>> - create another user if we ever need to modify the groups of the
>> administrator (the cached PAC won't update).
>>
>> I've not got around to doing this yet, but as the python selftest
>> rewrite is under way, I wanted to ensure this was catered for in the
>> design.
>>
> Thanks.
>
> I think one of the other issues with selftest is also that we're running
> too much high level (functional) tests rather than unit tests. We can't
> possibly run all tests with all possible permutations of Samba
> configuration options.
>
> For example, is it useful to run all RPC tests against our own servers
> with and without the bigendian option? I can see the bigendian option being
> really useful when running tests against Windows, but our client and server
> code is generated from the same IDL - we won't find errors in the IDL this
> way. If we're trying to catch pidl bugs, I think just running rpc-echo with
> and without 'bigendian' should be sufficient, and more low-level tests for
> pidl.
>
> Cheers,
>
> Jelmer
>
>
>
> ---------- Forwarded message ----------
> From: Jeremy Allison <jra at samba.org>
> To: Frank Lahm <franklahm at googlemail.com>
> Cc: samba-technical at lists.samba.org, Jeremy Allison <jra at samba.org>
> Date: Mon, 5 Mar 2012 10:25:04 -0800
> Subject: Re: Enhance VFS rename op to rename AppleDouble file
> On Mon, Mar 05, 2012 at 11:43:28AM +0100, Frank Lahm wrote:
> > Am 1. November 2011 19:47 schrieb Frank Lahm <franklahm at googlemail.com>:
> > > 2011/10/17 Jeremy Allison <jra at samba.org>:
> > >> On Mon, Oct 17, 2011 at 12:39:31PM +0200, Frank Lahm wrote:
> > >>> Hi,
> > >>>
> > >>> 2011/10/8 Frank Lahm <franklahm at googlemail.com>:
> > >>> > 2011/9/22 Frank Lahm <franklahm at googlemail.com>:
> > >>> >> 2011/9/21 Volker Lendecke <Volker.Lendecke at sernet.de>:
> > >>> >>> On Wed, Sep 21, 2011 at 09:48:54AM +0200, Frank Lahm wrote:
> > >>> >>>> 2011/8/24 Frank Lahm <franklahm at googlemail.com>:
> > >>> >>>> > wanted to bring this to your attention:
> > >>> >>>> > <https://bugzilla.samba.org/show_bug.cgi?id=8398>
> > >>> >>>>
> > >>> >>>> any additional comments here ? Anything preventing a commit ?
> Thanks!
> > >>> >>>
> > >>> >>> Well, the become_root() as far as I can see is still in.
> > >>> >>
> > >>> >> Ok, as I'm not receiving direct response to my reasoning in the
> bug
> > >>> >> report, I've modified the patch to call rename without becoming
> root.
> > >>> >>
> > >>> >>> This might be a reason not to put this patch in.
> > >>> >>
> > >>> >> Thanks for taking time.
> > >>> >
> > >>> > *ping*
> > >>> >
> > >>> > Thanks!
> > >>>
> > >>> please review and possibly commit. I can't really continue my work on
> > >>> the Netatalk VFS module without this being committed first.
> > >>
> > >> Still working on this.. Should get committed this week.
> > >
> > > *ping*
> >
> > *ping*
>
> Thanks - completely forgot about this, sorry :-(.
>
> Keep pinging me until you see it in the git trees...
>
>
> _______________________________________________
> samba-technical mailing list
> samba-technical at lists.samba.org
> https://lists.samba.org/mailman/listinfo/samba-technical
>
>
More information about the samba-technical
mailing list