acls and smb passwd file
COLLOT Jean-Yves
jean-yves.collot at cofiroute.fr
Fri Jul 25 14:51:26 GMT 2003
The problem here is that, for performance reasons, some kernel locks are
used by the SMBD process, and those locks are created when calling stat().
Unfortunately, stat() is called by other Samba components (such as
smbpasswd), and it takes (or tries to take) the same kernel locks, even if
there are no performance issues.
The result is that most, if not all, components of Samba/VMS do not work
properly if the user does not have the CMKRNL privilege (and probably a
couple of other ones, such as SYSLCK).
I am going to work on this, in order for the locks to be taken only by the
SMBD processes.
JY Collot
-----Original Message-----
From: system manager [mailto:system at niuhep.physics.niu.edu]
Sent: Friday 25 July 2003 07:34
To: samba-vms at lists.samba.org
Subject: acls and smb passwd file
Hello,
If I try to run samba_root:[bin]smbpasswd as a non-priv.ed user I get :
Error Lock Volume F11B$vUSER1 : insufficient privilege or object
protection violation
repeated ten times and then
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the session setup. Error
was
: Call returned zero bytes (EOF)
.
Failed to change password for MORPHIS
where it doesn't matter what I put in for the passwords, except that
if the two new passwords don't match it rejects me for that.
USER1 is the label of the disk that happens to be my default and of course
MORPHIS is my username.
This appears to occur in [.SOURCE.VMS]VMS_SUPPORT.C
in
char *getpass(char *prompt)
[big snip]
    new_cache->label[volnamsize] = 0;
    strcpy (new_cache->resname,"F11B$v");
    strcat (new_cache->resname,new_cache->label);
    for (i=0;i<18;i++) {
        if (new_cache->resname[i] == 0)
            new_cache->resname[i] = ' ';
    }
    /* Put this new cache in the list */
    if (first_cache == NULL)
        first_cache = new_cache;
    else
    {
        cur_cache = first_cache;
        while (cur_cache->next != NULL)
            cur_cache = cur_cache -> next;
        cur_cache->next = new_cache;
    }
    /* Get infos about the RSB of the volume lock */
    cur_cache = new_cache;
}
sts = sys$cmkrnl (update_lock,0);
if ((sts & 1) != 1)
    DEBUG(0,(" Error Lock Volume %s : %s\n",cur_cache->resname,
             str_cache->resname, strerror(EVMSERR,sts)));
OTOH if I set proc/priv=nocmkrnl I get the same error messages
but the password successfully changes.
Changing permissions on the directory and the file with passwords
doesn't seem to do any good.
Why is it trying to lock a volume?
Why is it trying to create cache based on where the user is sitting?
---------
when I run testparm I get:
WARNING: lock directory /samba_root/var/locks should have permissions 0755
for browsing to work
SAMBA_ROOT:[VAR]LOCKS.DIR;1 (RWE,RWE,RE,RW)
I tried changing it to w:re but no change.
---------
Perhaps this is entirely unrelated but if I do
$ mcr authorize sho system/all
system has the following identifier
SAMBA_ROOT %X80010017
which I saw during the install process.
When I do
$ dir/secu samba_root:[000000...]*.dir
I see something like the following (much edited)
Directory SAMBA_ROOT:[000000]
BIN.DIR;1 [SYSTEM] (RWE,RWE,RE,RE)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RE)
LIB.DIR;1 [SYSTEM] (RWE,RWE,RE,RE)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RE)
PRIVATE.DIR;1 [SYSTEM] (RWE,RWE,RE,RW)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RW)
SWAT.DIR;1 [SYSTEM] (RWE,RWE,RWE,)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RE)
TMP.DIR;1 [SYSTEM] (RWE,RWE,RE,RW)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RW)
VAR.DIR;1 [SYSTEM] (RWE,RWE,RE,RW)
(IDENTIFIER=*,OPTIONS=DEFAULT,ACCESS=READ+WRITE+CONTROL)
(DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:RW,WORLD:RW)
The files in [var] have the same identifier. The files in [swat]
look like:
SAM.AA01_GIF;1 [SYSTEM] (RWED,RWED,RE,)
(IDENTIFIER=%X80010031,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
If I do
UAF> sho /id/value=(id:%X10031)
%UAF-E-SHOWERR, unable to complete SHOW command
-SYSTEM-F-NOSUCHID, unknown rights identifier
------------------------------------
smb.conf
[global]
workgroup = PHYSICS
dead time = 10
map archive = no
printing = bsd
printcap name = /samba_root/lib/dummyprintcap.dat
load printers = yes
print command = print %f/queue=%p/delete/passall/name="""""%s"""""
lprm command = delete/entry=%j
security = user
smb passwd file = /samba_root/private/smbpasswd.dat
encrypt passwords = yes
default service = default
create mode = 0777
guest account = PCFS$ACCOUNT
log file = /samba_log/log.%m
socket options = TCP_NODELAY
lock directory = /samba_root/var/locks
share modes = yes
[homes]
comment = Home Directories
browseable = yes
read only = no
create mode = 0750
; path = /user1/%U/
[shr5]
comment = Disk
browseable = yes
read only = no
create mode = 0750
path = /shr5/%U/
[scr3]
comment = Disk
browseable = yes
read only = no
create mode = 0750
path = /scr3/%U
[printers]
comment = All Printers
browseable = no
printable = yes
public = yes
writable = no
create mode = 0700