Gerald (Jerry) Carter | 1 Nov 2004 02:39

Mike as Tron [was Re: Samba 4 Status Question]


Michael B Allen wrote:
|>><shameless-plug-mode>
|>
|>On the subject of shameless plugs,
|
|
| I look great in my tron costume:
|
|   http://www.ioplex.com/~miallen/tron.jpg

Hey Mike!  You made it on fark.com :-)

http://forums.fark.com/cgi/fark/comments.pl?IDLink=1065431
(6th picture from the top)

Congrats!

cheers, jerry
Gerald (Jerry) Carter | 1 Nov 2004 02:53

Re: Mike as Tron [was Re: Samba 4 Status Question]


Gerald (Jerry) Carter wrote:
| Michael B Allen wrote:
| |>><shameless-plug-mode>
| |>
| |>On the subject of shameless plugs,
| |
| |
| | I look great in my tron costume:
| |
| |   http://www.ioplex.com/~miallen/tron.jpg
|
| Hey Mike!  You made it on fark.com :-)
|
| http://forums.fark.com/cgi/fark/comments.pl?IDLink=1065431
| (6th picture from the top)
|
| Congrats!

Gahh!!!!  How embarrassing!  I should get out more.
Mike scammed me!  I feel dirty!  Gaaaahhh!!!!!

http://www.ibiblio.org/jmaynard/TRONcostume/

One day I will find the 6 fingered man and .....
Christopher R. Hertel | 1 Nov 2004 03:26

Re: Mike as Tron [was Re: Samba 4 Status Question]

Hah!

I met this guy.  He was showing off his (brand new) costume at Penguicon
last year.  I did a Samba presentation.  Kewl.

Chris -)-----

On Sun, Oct 31, 2004 at 07:53:35PM -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Gerald (Jerry) Carter wrote:
> | Michael B Allen wrote:
> | |>><shameless-plug-mode>
> | |>
> | |>On the subject of shameless plugs,
> | |
> | |
> | | I look great in my tron costume:
> | |
> | |   http://www.ioplex.com/~miallen/tron.jpg
> |
> | Hey Mike!  You made it on fark.com :-)
> |
> | http://forums.fark.com/cgi/fark/comments.pl?IDLink=1065431
> | (6th picture from the top)
> |
> | Congrats!
> 
> Gahh!!!!  How embarrassing!  I should get out more.

Michael B Allen | 1 Nov 2004 06:18

Re: Mike as Tron [was Re: Samba 4 Status Question]

On Sun, 31 Oct 2004 19:53:35 -0600
"Gerald (Jerry) Carter" <jerry <at> samba.org> wrote:
> | Michael B Allen wrote:
> | |>><shameless-plug-mode>
> | |>
> | |>On the subject of shameless plugs,
> | |
> | |
> | | I look great in my tron costume:
> | |
> | |   http://www.ioplex.com/~miallen/tron.jpg
> |
> | Hey Mike!  You made it on fark.com :-)
> |
> | http://forums.fark.com/cgi/fark/comments.pl?IDLink=1065431
> | (6th picture from the top)
> |
> | Congrats!
> 
> Gahh!!!!  How embarrassing!  I should get out more.
> Mike scammed me!  I feel dirty!  Gaaaahhh!!!!!
> 
> http://www.ibiblio.org/jmaynard/TRONcostume/

Bwhaahahahahahah! ;-)

-- 
Greedo shoots first? Not in my Star Wars.


rpv_muma | 1 Nov 2004 05:59

winbindd privileged dir permissions


I have built a samba+openldap PDC and wanted to set up NTLM auth on my
squid proxy. My system is FreeBSD 5.1 and the samba version is 3.0.7.

In this setup ntlm_auth runs as the squid user and needs
to open $LOCKDIR/winbindd_privileged/pipe.
As documented in the winbindd man page, "only users in the 'root' group will get this
access", but the group permissions are r-x by default. When started,
winbindd checks ownership and permissions and it is impossible to
change it to my needs. It looks like a problem %)

I propose to change the default permissions from 0750 to 0770 in

winbindd_util.c/open_winbindd_priv_socket(void)
{
        if (_winbindd_priv_socket == -1) {
                _winbindd_priv_socket = create_pipe_sock(
--                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
++                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0770);
                DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
                           _winbindd_priv_socket));
...
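Review bot: the `0750` -> `0770` change grants the directory's group write permission on winbindd_privileged, which lets every member of that group unlink or rename the `pipe` socket (and so remove or replace it), not merely connect to it; reaching the socket only needs search (`x`) access on the directory, which 0750 already gives the group. The symptom described (ntlm_auth running as the squid user cannot open the pipe) is addressed by changing the group owner of the directory to the squid group while keeping the 0750 mode, so the mode change in this hunk should be dropped. As a style point, the `--`/`++` markers are not unified-diff syntax, so the hunk cannot be applied with patch(1) as posted; a `diff -u` against source/nsswitch/winbindd_util.c would be easier to review.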

This "patch" makes it possible to change the ownership of
.../winbindd_privileged/ to root:squid and makes the system work.

I have also found an error in Samba-Guide.pdf, Example 7.3.3

add user script = .../smbldap-useradd.pl -a -m '%u'


John H Terpstra | 1 Nov 2004 06:23

Re: winbindd privileged dir permissions

On Sunday 31 October 2004 21:59, rpv_muma wrote:
> also I have found an error in Samba-Guide.pdf, Example 7.3.3
>
> add user script = .../smbldap-useradd.pl -a -m '%u'
>
> The -a key tells the script to add sambaSamAccount objectClass records into
> LDAP. After running "add user script", samba tries to add the Samba
> attributes too, and I get an error when adding users to the domain (but
> the user was added).
>
> Users add OK after the -a key is removed.

I fixed this in the source tree. Thanks for the heads up.

- John T.
-- 
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

Andrew Bartlett | 1 Nov 2004 06:41

Re: winbindd privileged dir permissions

On Mon, 2004-11-01 at 15:59, rpv_muma wrote:
> I have built a samba+openldap PDC and wanted to set up NTLM auth on my
> squid proxy. My system is FreeBSD 5.1 and the samba version is 3.0.7.
> 
> In this setup ntlm_auth runs as the squid user and needs
> to open $LOCKDIR/winbindd_privileged/pipe.
> As documented in the winbindd man page, "only users in the 'root' group will get this
> access", but the group permissions are r-x by default. When started,
> winbindd checks ownership and permissions and it is impossible to
> change it to my needs. It looks like a problem %)

I really don't see the problem.  You should only change the groupid,
usually to 'squid'.

> I propose to change the default permissions from 0750 to 0770 in
> 
> winbindd_util.c/open_winbindd_priv_socket(void)
> {
>         if (_winbindd_priv_socket == -1) {
>                 _winbindd_priv_socket = create_pipe_sock(
> --                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0750);
> ++                        get_winbind_priv_pipe_dir(), WINBINDD_SOCKET_NAME, 0770);
>                 DEBUG(10, ("open_winbindd_priv_socket: opened socket fd %d\n",
>                            _winbindd_priv_socket));

This change looks very dangerous to me.  Why is write permission
required?  Hundreds of sites have deployed Squid/ntlm_auth without this
change, and giving the 'privileged' group the right to delete the socket
would allow them more privileges than I certainly would prefer.
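A small permission audit for the privileged pipe directory, added here as an example and not part of the thread or of Samba's code. It reports the three states discussed above: the group-write bit that would let group members unlink the socket, any "other" bits, and a group that lacks the r-x needed to reach the socket at all. The directory path and the demo directories are constructed for the example; the owner check defaults to root (uid 0) but the demo relaxes it to the current uid because it cannot chown.

```python
import os
import stat
import tempfile

# winbindd creates winbindd_privileged as root, mode 0750; the group owner is
# the only knob meant to be changed (e.g. to the proxy's group).
ROOT_UID = 0


def check_priv_dir(path, expected_owner=ROOT_UID):
    """Return a list of findings for a winbindd_privileged-style directory.

    An empty list means: a directory, owned by expected_owner, no group-write
    bit, no 'other' bits, and group r-x present so that members of the
    directory's group can traverse it and connect to the socket inside.
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory (or a symlink): %s" % path]

    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_uid != expected_owner:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_owner))
    if mode & stat.S_IWGRP:
        # This is the 0770 case: group members could unlink/rename the socket.
        findings.append("group-writable: mode %04o lets group members remove "
                        "or replace the socket" % mode)
    if mode & stat.S_IRWXO:
        findings.append("world-accessible: mode %04o grants 'other' bits" % mode)
    if not (mode & stat.S_IRGRP and mode & stat.S_IXGRP):
        findings.append("group lacks r-x: mode %04o, group members cannot "
                        "reach the socket" % mode)
    return findings


def demo_findings(modes=(0o750, 0o770, 0o755, 0o700)):
    """Create throw-away directories with each mode and return their findings.

    Constructed demo: the directories live under a temporary base and the
    owner check is relaxed to the current uid, since the demo cannot chown.
    """
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for mode in modes:
            path = os.path.join(base, "winbindd_privileged_%04o" % mode)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod sets the bits exactly, ignoring umask
            results[mode] = check_priv_dir(path, expected_owner=os.getuid())
    return results


if __name__ == "__main__":
    for mode, findings in demo_findings().items():
        print("%04o: %s" % (mode, findings or "OK"))
```

Run against a live system as `check_priv_dir("/var/run/samba/winbindd_privileged")` (path is an assumption; use your build's $LOCKDIR). The expected clean result is an empty list with the directory's group set to the proxy's group; a "group-writable" finding is the 0770 state the reply above warns against.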


Andreas | 1 Nov 2004 13:44

Re: Ldap machine suffix

On Sun, Oct 31, 2004 at 10:08:39AM -0700, John H Terpstra wrote:
> It is well known that Samba-3 with LDAP requires the use of nss_ldap to 
> resolve UIDs and GIDs for machine accounts as well as for users and groups.
> There are two solutions to being able to resolve them correctly. The first is 
> to put all machine accounts in ou=Users (that is the simple and efficient 
> solution), the other is to set the search path for nss_base_passwd and 
> nss_base_shadow to point to the level of your directory from which both Users 
> and Machines can be found by recursively searching the directory. In this 
> case you must also use the "?sub" parameter in place of the "?one" parameter.

There is a third option: just supply two nss_base_passwd directives. Starting with
version 204, nss_ldap will search the first one and, if not found, the second one
(and so on).
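What the third option looks like in the nss_ldap configuration file, added here as an example rather than taken from the thread: two nss_base_passwd (and nss_base_shadow) lines, each with a "?one" scope, so users and machine accounts can stay in separate containers. The base DNs are placeholders.

```conf
# /etc/ldap.conf (nss_ldap 204 or later); base DNs are placeholders
base dc=example,dc=com

# Searched in order: first ou=Users, then ou=Computers if no match.
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_shadow ou=Computers,dc=example,dc=com?one
```

Confirm the second container is consulted with `getent passwd 'hostname$'` for a machine account; if it returns nothing while a user lookup works, the second directive (or the nss_ldap version) is the first thing to check.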

rpv_muma | 1 Nov 2004 15:02

deleting users from ldap

I have built a samba+openldap PDC and found the following error when deleting
users from the domain:

[2004/11/01 19:31:23, 3] rpc_server/srv_samr_nt.c:smb_delete_user(3631)
>  smb_delete_user: Running the command `/usr/local/etc/samba/smbldap-userdel.pl admin2' gave 0
[2004/11/01 19:31:23, 3] passdb/pdb_ldap.c:ldapsam_delete_sam_account(1516)
>  ldapsam_delete_sam_account: Deleting user admin2 from LDAP.
[2004/11/01 19:31:23, 5] lib/smbldap.c:smbldap_search(963)
>  smbldap_search: base => [dc=fsf,dc=tsu,dc=ru], filter =>
[(&(uid=admin2)(objectclass=sambaSamAccount))], scope => [2]
[2004/11/01 19:31:23, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
>  ldapsam_delete_entry: Entry must exist exactly once!
[2004/11/01 19:31:23, 5] rpc_server/srv_samr_nt.c:_samr_delete_dom_user(3678)
  _samr_delete_dom_user:Failed to delete entry for user admin2.
....
[2004/11/01 19:31:23, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
>>      0014 status: NT_STATUS_CANNOT_DELETE

The main code which deletes users is rpc_server/srv_samr_nt.c:smb_delete_user.
As we can see, the smb_delete_user call is executed first; it runs
smbldap-userdel.pl. This script deletes the full DN with the sambaSamAccount
and posixAccount fields from LDAP.
After this samba tries to delete the sambaSamAccount object fields using the backend
(pdb_delete_sam_account(sam_pass)), but no user is found in LDAP any more ))

The smb_delete_user call needs to be after pdb_delete_sam_account, I
think. I don't know how it works with backends other than LDAP, so it needs to be
checked by the samba team.

        /* delete the unix side */

rpv_muma | 1 Nov 2004 15:36

Re: deleting users from ldap

After swapping the order of deleting the unix and samba side LDAP records, as
I wrote above, we get the following errors:

rpc_server/srv_samr_nt.c:smb_delete_user

         /* and delete the samba side */
         if (!pdb_delete_sam_account(sam_pass)) {
                 DEBUG(5,("_samr_delete_dom_user:Failed to delete entry for user %s.\n", pdb_get_username(sam_pass)));
                 pdb_free_sam(&sam_pass);
                 return NT_STATUS_CANNOT_DELETE;
         }

         /* delete the unix side */
         smb_delete_user(pdb_get_username(sam_pass));

  ldapsam_delete_sam_account: Deleting user admin3 from LDAP.
[2004/11/01 20:01:56, 5] lib/smbldap.c:smbldap_search(963)
  smbldap_search: base => [dc=fsf,dc=tsu,dc=ru], filter =>
[(&(uid=admin3)(objectclass=sambaSamAccount))], scope => [2]
[2004/11/01 20:01:56, 10] passdb/pdb_ldap.c:ldapsam_delete_entry(305)
  ldapsam_delete_entry: deleting attribute modifyTimestamp
[2004/11/01 20:01:56, 5] lib/smbldap.c:smbldap_modify(1009)
  smbldap_modify: dn => [uid=admin3,ou=Users,dc=fsf,dc=tsu,dc=ru]
[2004/11/01 20:01:56, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(328)
  ldapsam_delete_entry: Could not delete attributes for uid=admin3,ou=Users,dc=fsf,dc=tsu,dc=ru,
error: Constraint violation (
modifyTimestamp: no user modification allowed)
[2004/11/01 20:01:56, 5] rpc_server/srv_samr_nt.c:_samr_delete_dom_user(3671)
  _samr_delete_dom_user:Failed to delete entry for user admin3.
...
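A toy model of the two deletion orders reported in these two posts, added here as an example; it is not Samba's code and uses a dict in place of the LDAP server. It reproduces the original symptom (the unix-side script removes the whole DN, so the samba side then sees "Entry must exist exactly once!") and the symptom after swapping the order (the samba side tries to delete the server-maintained modifyTimestamp and gets a constraint violation). The third scenario, which skips operational attributes before running the script, is an assumption about one way the swapped order could succeed, not the Samba team's fix. The sample entry, its SID and uid numbers are constructed.

```python
# Attributes the LDAP server maintains itself; a client DELETE on them is a
# constraint violation ("no user modification allowed"), as in the log above.
OPERATIONAL_ATTRS = {"modifyTimestamp", "createTimestamp",
                     "modifiersName", "creatorsName"}
# Attributes left in place when only the samba side of an account is removed.
POSIX_KEEP = {"uid", "objectClass", "cn", "uidNumber", "gidNumber",
              "homeDirectory", "loginShell"}


class ConstraintViolation(Exception):
    pass


class EntryNotFound(Exception):
    pass


def make_directory(username="admin2"):
    """Constructed sample entry shaped like the thread's user (values invented)."""
    dn = "uid=%s,ou=Users,dc=fsf,dc=tsu,dc=ru" % username
    return {dn: {
        "uid": [username],
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "cn": [username], "uidNumber": ["1002"], "gidNumber": ["513"],
        "homeDirectory": ["/home/%s" % username], "loginShell": ["/bin/sh"],
        "sambaSID": ["S-1-5-21-PLACEHOLDER-1004"],
        "sambaNTPassword": ["<hash placeholder>"],
        "modifyTimestamp": ["20041101193123Z"],   # server-maintained
    }}


def smbldap_userdel(directory, username):
    """Models smbldap-userdel.pl: removes the whole entry, posix and samba parts."""
    for dn in list(directory):
        if username in directory[dn]["uid"]:
            del directory[dn]


def ldapsam_delete_sam_account(directory, username, skip_operational=False):
    """Models ldapsam_delete_entry: strip sambaSamAccount data, keep posix data."""
    matches = [dn for dn, e in directory.items()
               if username in e["uid"] and "sambaSamAccount" in e["objectClass"]]
    if len(matches) != 1:
        raise EntryNotFound("Entry must exist exactly once!")
    entry = directory[matches[0]]
    for attr in list(entry):
        if attr in POSIX_KEEP:
            continue
        if attr in OPERATIONAL_ATTRS:
            if skip_operational:      # assumed workaround, not Samba's code
                continue
            raise ConstraintViolation("%s: no user modification allowed" % attr)
        del entry[attr]
    entry["objectClass"].remove("sambaSamAccount")


def samr_delete_dom_user(directory, username, script_first, skip_operational=False):
    """Return the NT status a caller would see for the chosen ordering."""
    try:
        if script_first:                       # order in the first post
            smbldap_userdel(directory, username)
            ldapsam_delete_sam_account(directory, username, skip_operational)
        else:                                  # swapped order from the reply
            ldapsam_delete_sam_account(directory, username, skip_operational)
            smbldap_userdel(directory, username)
    except (EntryNotFound, ConstraintViolation) as exc:
        return "NT_STATUS_CANNOT_DELETE: %s" % exc
    return "NT_STATUS_OK"


def run_scenarios(username="admin2"):
    """Run the three orderings on fresh copies of the constructed directory."""
    results = {
        "script_first": samr_delete_dom_user(make_directory(username), username, True),
        "samba_first": samr_delete_dom_user(make_directory(username), username, False),
    }
    d = make_directory(username)
    results["samba_first_skip_operational"] = samr_delete_dom_user(d, username, False, True)
    results["entry_remains"] = bool(d)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-30s %s" % (name, outcome))
```

The model makes the dependency explicit: whichever side runs first must leave exactly what the second side expects to find, and the samba side must not ask the server to delete attributes the server owns.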