Steve Langasek | 30 May 2002 22:39

Re: Stabilising the winbind interface for squid's NTLM code

On Thu, May 30, 2002 at 07:38:00AM +1000, Andrew Bartlett wrote:

> > An oft-requested feature for FreeTDS (an LGPL client library for MS SQL
> > and Sybase servers) is domain login support.  It would be nice to be
> > able to leverage the Samba team's work in the NTLMSSP department, rather
> > than reimplementing it from the ground-up.  Is there any chance that
> > this (or a) standalone binary might be useful for the client side of
> > NTLMSSP authentication?

> I'm not currently proposing the creation of a client-side, but doing it
> in samba would not pose a particular problem.  Of course it is one thing
> to propose, quite another to actually implement...  But I do think that
> this work (particularly the server end, but also the client) should live
> in the samba tree.

I can think of plenty of areas where this would be useful on the client
side as well as on the server side -- Unix web /browsers/ being yet
another example.  I'll probably wait until you've got something cooking
in CVS for the server side, and then try to look at a client-side
implementation.

Steve Langasek
postmodern programmer
Giorgos Keramidas | 30 May 2002 23:18

Re: Microsoft's Dfs - GPL LICENSE ISSUE

On 2002-05-30 07:27 -0500, David W. Chapman Jr. wrote:
> > > > It is GPL code. I don't think it can be used in the FreeBSD kernel
> > > > (correct me if I'm wrong Steve).
> > >
> > > I don't think this will be a problem.  We currently have a GPL math
> > > emulator in our kernel, just not enabled by default
> > >
> > > options         GPL_MATH_EMULATE        #Support for x87 emulation via
> > >                                         #new math emulator
> > >
> > > If it can be loaded as a kernel module it will be even less of a
> > > problem, but I don't know the specifics about the program in question.
> >
> > Uhmm that's not entirely true.
> > There is a problem. When you distribute a kernel in which that module
> > has been linked (statically or dynamically) you have to release the
> > whole kernel under the GPL terms if you distribute it in binary form
>
> Even if it has been dynamically linked after the fact and the kernel
> was not originally distributed with this module?

Pardon my somewhat flamebait-like style, but "bullfeathers".

Greg Lehey has researched this exact topic a bit more, and his views,
backed up with some statements by Richard Stallman, can be found in an
old article of daemonnews.  It makes things pretty clear, and you can
find it at:

http://ezine.daemonnews.org/200202/dadvocate.html


Jeremy Allison | 30 May 2002 23:32

Re: Thanks for fixing oplock.c for Linux 2.0 in 2_2 CVS

On Thu, May 30, 2002 at 09:35:38AM +0200, Volker Lendecke wrote:
> On Wed, May 29, 2002 at 04:55:20PM -0700, Jeremy Allison wrote:
> > On Wed, May 29, 2002 at 04:48:27PM -0700, abartlet <at> samba.org wrote:
> > > 
> > > And are you saying that Win2k will never 'idle' a client connection?  I'm
> > > sure I've seen smbfs being 'idled' by NT before...
> > 
> > I don't think it ever drops the TCP connection on purpose.
> 
> I'm quite positive it does. I have seen sites with 'security = server' fail
> miserably after having changed to W2k on the DC due to disconnects from the DC.

No, I mean that the Win2k server service won't drop a client
connection on purpose if there's no traffic on it (it doesn't
idle connections).

Jeremy.

Juergen Hasch | 30 May 2002 23:40

Warning in trans2.c under AIX

When compiling Samba 2_2 CVS under AIX 4.3.3 using gcc or xlc_r, I get the following warnings:

smbd/trans2.c: In function `get_lanman2_dir_entry':
smbd/trans2.c:759: warning: right shift count >= width of type
smbd/trans2.c:759: warning: right shift count >= width of type
smbd/trans2.c:759: warning: right shift count >= width of type
smbd/trans2.c:759: warning: right shift count >= width of type
smbd/trans2.c: In function `call_trans2qfilepathinfo':
smbd/trans2.c:2025: warning: right shift count >= width of type
smbd/trans2.c:2025: warning: right shift count >= width of type
smbd/trans2.c:2025: warning: right shift count >= width of type
smbd/trans2.c:2025: warning: right shift count >= width of type

The first offending line in smbd/trans2.c is:
	SOFF_T(p,0,sbuf.st_blocks*STAT_ST_BLOCKSIZE); /* Number of bytes used on disk - 64 Bit */

sbuf.st_blocks is of type blksize_t which is defined as int with only 32 bits and STAT_ST_BLOCKSIZE=512.

The SOFF_T macro is defined as:
#define SOFF_T(p, ofs, v) (SIVAL(p,ofs,(v)&0xFFFFFFFF), SIVAL(p,(ofs)+4,(v)>>32))

The value passed to SOFF_T needs to be a 64-bit value; attached is a patch I use to silence the compiler.

...Juergen

Attachment (trans2.c.patch): text/x-diff, 989 bytes
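
The width problem reported in the message above, as an added example (not Samba's code and not the attached patch): `put_le32`, `put_le64`, `get_le64` and the `disk_bytes_*` functions are hypothetical stand-ins for SIVAL/SOFF_T and the trans2.c call site, and `uint32_t` models the 32-bit `st_blocks`. It shows that a product formed in 32 bits loses the high half before it is ever stored, while widening the operand first keeps it.

```c
#include <stdint.h>
#include <stdio.h>
#define STAT_ST_BLOCKSIZE 512   /* value given in the message above */

/* Hypothetical stand-in for SIVAL: store 32 bits little-endian. */
void put_le32(unsigned char *p, int ofs, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[ofs + i] = (unsigned char)(v >> (8 * i));
}

/* Hypothetical function form of SOFF_T: the uint64_t parameter widens
 * the argument before the >> 32, so the shift is always well defined. */
void put_le64(unsigned char *p, int ofs, uint64_t v)
{
    put_le32(p, ofs, (uint32_t)(v & 0xFFFFFFFFu));
    put_le32(p, ofs + 4, (uint32_t)(v >> 32));
}

uint64_t get_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Product formed in 32 bits, as with a 32-bit st_blocks: wraps mod 2^32
 * (unsigned here so the wrap is defined; signed overflow is undefined). */
uint64_t disk_bytes_narrow(uint32_t st_blocks)
{
    uint32_t product = st_blocks * (uint32_t)STAT_ST_BLOCKSIZE;
    unsigned char buf[8];
    put_le64(buf, 0, product);
    return get_le64(buf);
}

/* Operand cast to 64 bits before multiplying: the full size is kept. */
uint64_t disk_bytes_wide(uint32_t st_blocks)
{
    unsigned char buf[8];
    put_le64(buf, 0, (uint64_t)st_blocks * STAT_ST_BLOCKSIZE);
    return get_le64(buf);
}

int main(void)
{
    uint32_t blocks = 1u << 24;   /* constructed input: 2^24 blocks = 8 GiB */
    printf("narrow=%llu wide=%llu\n", (unsigned long long)disk_bytes_narrow(blocks),
           (unsigned long long)disk_bytes_wide(blocks));
    return 0;
}
```
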
Tim Potter | 30 May 2002 09:13

taking back the 'restrict anonymous' parameter

I'm thinking about taking back the restrict anonymous parameter and
using it to do Good Things.  Previously in HEAD and currently in 2.2 it
stops people connecting to shares anonymously but I think Mr Bartlett 
removed it because it was either buggy or didn't do anything useful.

I propose that this parameter act like the RestrictAnonymous registry
setting, i.e. it prevents anonymous access to the SAMR pipe and anonymous
access to the NetShareEnum RPC when set to 1.  When set to 2, it
disallows anonymous access to all RPC pipes.

Any objections?  There's still some more testing and coding to be done.
This may be a good opportunity to implement security descriptors on
pipes.

Tim.

Jeremy Allison | 31 May 2002 01:37

Re: taking back the 'restrict anonymous' parameter

On Thu, May 30, 2002 at 05:13:20PM +1000, Tim Potter wrote:
> I'm thinking about taking back the restrict anonymous parameter and
> using it to do Good Things.  Previously in HEAD and currently in 2.2 it
> stops people connecting to shares anonymously but I think Mr Bartlett 
> removed it because it was either buggy or didn't do anything useful.
> 
> I propose that this parameter act like the RestrictAnonymous registry
> setting, i.e. it prevents anonymous access to the SAMR pipe and anonymous
> access to the NetShareEnum RPC when set to 1.  When set to 2, it
> disallows anonymous access to all RPC pipes.
> 
> Any objections?  There's still some more testing and coding to be done.
> This may be a good opportunity to implement security descriptors on
> pipes.

Hurrah for Tim ! Good idea :-).

Jeremy.

Richard Bollinger | 31 May 2002 01:36

Re: Thanks for fixing oplock.c for Linux 2.0 in 2_2 CVS

Please see:  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297684

Which says in part...
SYMPTOMS
When you perform drive mapping from a Windows 2000-based client computer to either a Microsoft
Windows NT or Windows 2000 network share, the drive mapping may be disconnected after 15 minutes
of inactivity and Windows Explorer may display a red "X" on the icon of the mapped drive.
However, if you attempt to access or browse the mapped drive, it reconnects quickly.

CAUSE
This behavior can occur because both Windows NT Server version 4.0 and Windows 2000 Server can
drop idle connections after a specified time-out period, which by default is 15 minutes, so that
server resources are not wasted on unused sessions. The connection can be re-established very
quickly at a later time, if required.

RESOLUTION
To resolve this behavior, use a command to change the default time-out period on the Windows NT
Server 4.0 or Windows 2000 Server: At a command prompt, type: net config server
/autodisconnect:30 .

The valid value range to configure this setting from a command line is from -1 through 65,535
minutes. To disable Autodisconnect, set it to -1 .

Rich Bollinger

----- Original Message -----
From: "Jeremy Allison" <jra <at> samba.org>
To: "Volker Lendecke" <Volker.Lendecke <at> SerNet.DE>
Cc: "Jeremy Allison" <jra <at> samba.org>; <abartlet <at> samba.org>; "Andrew Bartlett"
<abartlet <at> pcug.org.au>; "Richard Bollinger" <rabollinger <at> attbi.com>; "Samba Technical"

Nathaniel N. Petersen | 31 May 2002 01:26

Profile creation

SAMBA VERSION: 2.2.4
ERROR(S): Profile Creation

I have recently been assigned to create a Samba PDC.  Earlier in the 
week, I thought I was successful.  I was able to log in, load (or create) 
the test user's .ntprofile, etc.  Went home that night, happy as could be.
Came back the next day - and nothing was working correctly.  The systems 
could not find the domain.  The domain was not reporting any errors in the 
logs (including, and most importantly, log.nmbd and log.smbd).  

I reported this to my supervisor, and he asked what version of Samba I
was using.  I told him version 2.2.3a.  Well, he says that I shouldn't
use an "alpha" version of Samba.  So I nuke samba off the system (after
making backups of smb.conf and other vital files).  So I download and
compile from the source.  I included the needed "--with" options in
Configure.  Came back after a cup of coffee to test the install.

Here is where things get bad.  I set up my smb.conf file, recreate my
smbpasswd, etc.  I start to add computers using the "blind" method.  All
things seem good (was able to add all the computers I wanted).  I was
able to log on using my test account, and my profile was loaded properly
for WinNT4, Win2K, and WinXP.  (Note: this .ntprofile/ was saved back
when things worked fine.)

So as a final test, I back up my .ntprofile/ and then delete it to
simulate the creation for a new user.  I go to log on with the WinNT4
system, and get the error:

"A domain controller for your domain could not be contacted. You have
been logged on using cached account information.  Changes to your

Dennis Lattka | 31 May 2002 01:50

oplock error

I'm getting file corruption due to oplock errors. Running Linux RH 7.2, 
samba-2.2.4 and Win2k SP2 clients. Have tried turning oplocks off but 
that was a disaster. Mainly MSoffice 2k  and DB files get corrupted. 
This is creating serious problems.
Error message :

[2002/05/30 14:30:10, 0] smbd/oplock.c:oplock_break(761)
  oplock_break: receive_smb timed out after 30 seconds.
  oplock_break failed for file user/dnitzahn/Expense reports/More May 
travel 3.xls (dev = 7441, inode = 18166407, file_id = 64).
[2002/05/30 14:30:10, 0] smbd/oplock.c:oplock_break(833)
  oplock_break: client failure in oplock break in file 
user/dnitzahn/Expense reports/More May travel 3.xls
  reply_lockingX: Error : oplock break from client for fnum = 13268 and 
no oplock granted on this file (user/dnitzahn/Expense reports/More May 
travel 3.xls).

Jeremy Allison | 31 May 2002 02:30
Picon
Favicon

Re: Thanks for fixing oplock.c for Linux 2.0 in 2_2 CVS

On Thu, May 30, 2002 at 07:36:21PM -0400, Richard Bollinger wrote:
> Please see:  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q297684

Ah - this is very interesting, thanks for pointing this out.

Using the registry setting here :

\System\CurrentControlSet\Services\LanmanServer\Parameters

autodisconnect

and setting it to 1 (meaning 1 minute) I have perfectly
reproduced this client problem with Win98 client, W2K
server.

I thought they might have some heuristics to avoid running
into this bug themselves when talking to a Win98 client 
but no - it's just that their timeout on autodisconnect
is much longer......

This means we're completely the same as a W2K server in
this respect - we probably need to add a big warning message
to the timeout parameter on the man page, but I don't think
any code changes would help.

Jeremy.

