Nabble - Samba

Samba + Vscan

2009-12-20T09:34:48Z

Hi

I am trying install Samba-Vscan. When run *make* show this message

[root@LinuxDefault samba-vscan]# make --debug
GNU Make 3.81
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

*This program built for i686-redhat-linux-gnu*
*Reading makefiles...*
*Updating goal targets....*
* File `default' does not exist.*
* File `all' does not exist.*
* File `oav' does not exist.*
* File `vscan-oav.so' does not exist.*
* File `global/vscan-message.po' does not exist.*
* Must remake target `global/vscan-message.po'.*
*Compiling global/vscan-message.c with -fPIC*
*global/vscan-message.c: In function âvscan_send_warning_messageâ:*
*global/vscan-message.c:82: error: too many arguments to function
âcli_initialiseâ*
*global/vscan-message.c:82: error: wrong type argument to unary exclamation
mark*
*make: *** [global/vscan-message.po] Error 1*

*Somebody know about this message error ? How I can resolve this problem ? *

*Plus information *

The process *configure * run without any problems

./configure --with-samba-souce=/opt/source/samba-3.0.34/source/
--with-samba-version=/opt/source/samba-3.0.34/source/include/version.h
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking for library containing strerror... none required
checking whether gcc and cc understand -c and -o together... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking config.cache system type... same
checking how to run the C preprocessor... gcc -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for inet_aton... yes
checking ability to build shared libraries... true
checking linker flags for shared libraries... -shared
checking compiler flags for position-independent code... -fPIC
checking for suffix of position-independent code... po
checking whether building shared libraries actually works... yes
checking for Samba Version... "3.0.34"
configure: WARNING: you specified
--with-samba-version="/opt/source/samba-3.0.34/source/include/version.h"
configure: WARNING: this will have no effect because the used
configure: WARNING: SAMBA Version "3.0.34" already
configure: WARNING: includes the SAMBA_VERSION_{MAJOR,MINOR,RELEASE}
define's
checking whether to use libclamav... no
checking whether use libmksd as builtin... auto
checking libmksd.h usability... no
checking libmksd.h presence... no
checking for libmksd.h... no
checking for mksd_connect in -lmksd... no
checking whether to use libmksd as builtin or system... builtin
checking whether use libkavdc as builtin... auto
checking kavclient.h usability... no
checking kavclient.h presence... no
checking for kavclient.h... no
checking for KAVConnect in -lkavdc... no
checking for KAVConnect in /usr/lib/kavdclib.so... no
checking whether to use libkavdc as builtin or system... builtin
checking whether to build Symantec module... no
checking whether to build only libmksd and libkavdc as shared libs... no
checking for filetype support... auto
checking magic.h usability... yes
checking magic.h presence... yes
checking for magic.h... yes
checking for magic_load in -lmagic... yes
checking whether to use filetype support... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating include/vscan-config.h

** Configuration summary for samba-vscan 0.3.6 :

Compile samba-vscan for Samba : "3.0.34"
Compile samba-vscan with sources in: ../../../source
Compile samba-vscan backends : oav sophos fprotd fsav trend icap mksd
kavp clamav nai antivir
Use GLOBAL_LIBS : -lmagic
Use libmksd as : builtin
Use libkavdc as : builtin

Now type "make" to build all mentioned backends.
Or "make <backend> {<backend>}" to build only specific backend(s).
On *BSD systems please use GNU make (gmake) instead of BSD make (make).

Thanks for all .

--
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx

P Antes de imprimir pense em sua responsabilidade e comprometimento com o
Meio Ambiente. Before printing this message, think about your ecologic
responsability and environment commitment.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: of SupportedEncTypes and msDS-SupportedEncryptionTypes

2009-12-20T09:23:08Z

Hi Matthieu,

Thanks for the follow-up questions regarding the supported encryption types blog entry from September. One of the Open Specification Documentation support team will be in touch with you shortly.

Best regards,
Tom Jebo
Microsoft Open Specification Documentation Support

-----Original Message-----
From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
Sent: Sunday, December 20, 2009 7:01 AM
To: cifs-protocol@...; Interoperability Documentation Help; pfif@...
Subject: of SupportedEncTypes and msDS-SupportedEncryptionTypes

Hello,

Back in august and september we discuss in case SRX090808600017 about supportedEncTypes and I was quite happy with your answer.

I'm coming back on this subject for two details:

* this blog entry (of msdn)
http://blogs.msdn.com/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx
says :" Although this attribute is present in all the computer objects of the domain regardless of the version of the OS the physical machines have installed, not all of them are aware of its existence hence, older versions (2003 and earlier) do not populate it at any time." It means that when I join a w2k8 domain with a XP workstation that the DC will create a computer object for this XP workstation and set the msDS-SupportedEncryptionTypes attribute ? if so to which value ? On my tests when I join a w2k3 server to a w2k8 domain the attribute SupportedEncryptionTypes is not set. Can this point be clarified and if possible written in a formal document

This entry also state: "

When the KDC checks the attribute to decide what encryption algorithm to use in order to encrypt the ticket, it could find basically two scenarios:

1) The attribute is populated

2) The attribute is empty

If the attribute is populated, then the deal is done since the KDC can determine the best common algorithm to encrypt the ticket with the value present.

However, if the attribute is empty then the KDC will have to work harder being the next step to check another attribute. This attribute is defined in MS-ADA3 (section 2.341) and described in MS-ADTS (section
2.2.15) and it's called userAccountControl. This attribute is also a 4 byte Bit Mask that defines many aspects of the account but the only one the KDC is interested in is the DK (ADS_UF_USE_DES_KEY_ONLY ) bit.

This bit defines what legacy encryption method will be used:

1) If the bit is set, then only DES will be used

2) If the bit is NOT set, then DES and RC4 can be used

This check is especially relevant in domains that have Win7 and Windows Server 2008 R2 machines joined because those two newer OSs disable their bit by default so older DES is not an option for them."

* What is the exact meaning of ADS_UF_USE_DES_KEY_ONLY ? if a w2k8 server acting as a domain member within a w2k8 domain has this DK bit set, will the DC not use AES but only DES with it ?

* "This check is especially relevant in domains that have Win7 and Windows Server 2008 R2 machines joined because those two newer OSs disable their bit by default so older DES is not an option for them.", well it seems that a w2k3 server member of w2k8 domain do not have this bit set also (userAccountControl=4096 => only WT flag set).

* Also neither MS-LSAD nor MS-NRPC talk about the link between the attribute msDS-SupportedEncryptionTypes stored in the AD and the fact that it's returned as SupportedEncTypes in NETLOGON_DOMAIN_INFO call.
I can understand that it can be called "secret" of implementation but when after a workstation tries to update this attribute to let the DC know what are the supported encoding it's better to clarify the link.

Thank you for help with clarifying those points.

Matthieu.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

Re: Patch for supported encoding

2009-12-20T04:03:04Z

On 19/12/2009 04:13, Andrew Bartlett wrote:

> On Sat, 2009-12-19 at 01:05 +0300, Matthieu Patou wrote:
>
>> On 19/12/2009 00:05, Andrew Bartlett wrote:
>>
>>> On Sat, 2009-12-05 at 18:04 +0300, Matthieu Patou wrote:
>>>
>>>
>>>> Hello,
>>>>
>>>> Please find attach a patch that try to reintroduced a good default value
>>>> for default encoding (my change was overwritten by tridge in september).
>>>>
>>>>
>>> Can you give the commit it was overwritten by?
>>>
>>> The next step is to honour this stuff in the KDC
>>>
>>> Andrew Bartlett
>>>
>>>
>>>
>> commit c94e3ff0
>>
> Given that, the only way to get your change back in is to have a torture
> test that passes against Windows 2008R2, and to work with tridge to
> determine the situation he originally needed this for. The test should
> handle the case before we set the supported encryption types, then
> setting it and checking it changes from that value.
>
> These changes were made to get the bidirectional vampire code working,
> so we should not revert things lightly.

Well after talking to tridge it's like this that w2k8(r1/r2) answer so
we should stick to it. I'll ask a written confirmation from Microsoft as
the documentation is not very clear (well this point is missing) and I
made a different interpretation. Sorry for the noise.

Matthieu.

From forum: Samba - samba-technical

of SupportedEncTypes and msDS-SupportedEncryptionTypes

2009-12-20T04:01:26Z

Hello,

Back in august and september we discuss in case SRX090808600017 about
supportedEncTypes and I was quite happy with your answer.

I'm coming back on this subject for two details:

* this blog entry (of msdn)
http://blogs.msdn.com/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx
says :" Although this attribute is present in all the computer objects
of the domain regardless of the version of the OS the physical machines
have installed, not all of them are aware of its existence hence, older
versions (2003 and earlier) do not populate it at any time." It means
that when I join a w2k8 domain with a XP workstation that the DC will
create a computer object for this XP workstation and set the
msDS-SupportedEncryptionTypes attribute ? if so to which value ? On my
tests when I join a w2k3 server to a w2k8 domain the attribute
SupportedEncryptionTypes is not set. Can this point be clarified and if
possible written in a formal document

This entry also state: "

When the KDC checks the attribute to decide what encryption algorithm to
use in order to encrypt the ticket, it could find basically two scenarios:

1) The attribute is populated

2) The attribute is empty

If the attribute is populated, then the deal is done since the KDC can
determine the best common algorithm to encrypt the ticket with the value
present.

However, if the attribute is empty then the KDC will have to work harder
being the next step to check another attribute. This attribute is
defined in MS-ADA3 (section 2.341) and described in MS-ADTS (section
2.2.15) and it’s called userAccountControl. This attribute is also a 4
byte Bit Mask that defines many aspects of the account but the only one
the KDC is interested in is the DK (ADS_UF_USE_DES_KEY_ONLY ) bit.

This bit defines what legacy encryption method will be used:

1) If the bit is set, then only DES will be used

2) If the bit is NOT set, then DES and RC4 can be used

This check is especially relevant in domains that have Win7 and Windows
Server 2008 R2 machines joined because those two newer OSs disable their
bit by default so older DES is not an option for them."

* What is the exact meaning of ADS_UF_USE_DES_KEY_ONLY ? if a w2k8
server acting as a domain member within a w2k8 domain has this DK bit
set, will the DC not use AES but only DES with it ?

* "This check is especially relevant in domains that have Win7 and
Windows Server 2008 R2 machines joined because those two newer OSs
disable their bit by default so older DES is not an option for them.",
well it seems that a w2k3 server member of w2k8 domain do not have this
bit set also (userAccountControl=4096 => only WT flag set).

* Also neither MS-LSAD nor MS-NRPC talk about the link between the
attribute msDS-SupportedEncryptionTypes stored in the AD and the fact
that it's returned as SupportedEncTypes in NETLOGON_DOMAIN_INFO call.
I can understand that it can be called "secret" of implementation but
when after a workstation tries to update this attribute to let the DC
know what are the supported encoding it's better to clarify the link.

Thank you for help with clarifying those points.

Matthieu.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

Re: Samba + Cups 2200 Laserjet printer

2009-12-20T02:00:50Z

Well, i think its time for me to go back to server 08.

Just got another issue with my backup batch script. It cant seem to check if
the files have changed it just copies them all across on each boot.

Cheers for the help though, much appreciated.

On Sun, Dec 20, 2009 at 10:23 PM, Scott Marshall <s.dwag.nz@...>wrote:

> When i go to http://192.168.1.1:631/ i get a 403. Any idea's?
>
> Ive changed the localhost to the ip of the server (.1 as above).
>
>
> On Sun, Dec 20, 2009 at 10:03 PM, Scott Marshall <s.dwag.nz@...>wrote:
>
>> Sorry about that, used gmal's reply without thinking.
>>
>>
>> On Sun, Dec 20, 2009 at 8:42 PM, Jack Downes <jax@...> wrote:
>>
>>> First off, please reply to the list.
>>>
>>> Okay, so you'll need to make sure that your cups.conf is setup to not
>>> listen only to localhost. you'll several sections on making cups listen
>>> to what port and which IP... you'll see "Listen localhost:631" near the
>>> top of your cups.conf file which is in /etc/cups (on several distros
>>> anyway), edit that to match your IP. Cups.org has tons of info how to
>>> do this.
>>>
>>> As to the groups and such that I'm talking about...
>>> Here's what i have setup for our outfit:
>>> [printers]
>>> comment = Cupsys based printer
>>> path = /var/spool/samba
>>> create mask = 0700
>>> guest ok = Yes
>>> printable = Yes
>>> browseable = No
>>>
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/KRH_drivers
>>> valid users = @wheel, jax, admincis
>>> force user = nobody
>>> force group = nogroup
>>> read only = No
>>>
>>> So, as you can see, I've got it set so that anyone can print, but that
>>> only admins and myself can update/change drivers. Makes it easy and
>>> keeps the general users away from the drivers.
>>>
>>> I'd suggest you put a valid users = scott in your [printers] section and
>>> make sure that your windows username/password matches the
>>> username/password in your linux setup. Make sure that you create the
>>> same user with smbpasswd as well. you can sync those together pretty
>>> easily. I'm pretty sure you can also limit by IP if you like:
>>> hosts deny = 10.17.1.0/24, 10.6.27.5
>>>
>>> or whatever ... Hopefully this helps.
>>>
>>> Jack
>>>
>>> Scott Marshall wrote:
>>> > I tried the address you stated (editing it where needed). It didnt
>>> > seem to work for me.
>>> >
>>> > Is there some thing i should be doing to activate/get this address to
>>> > work?
>>> >
>>> > As for samba, the printer is under the right group and i have
>>> > installed the drivers manually on the machines yet i still cannot
>>> print.
>>> >
>>> >
>>> > Cheers for the help
>>> > Scott
>>> >
>>> > On Sun, Dec 20, 2009 at 7:23 AM, Jack Downes <jax@...
>>> > <mailto:jax@...>> wrote:
>>> >
>>> > So, unless you are using windows 2k or older, is there really a
>>> > point to
>>> > installing the printer via //server/hplj2200 ?
>>> >
>>> > Just use the windows[XP|Vista|7] printer wizard dialog and add a
>>> > network
>>> > printer. At that point you can use the url which if the name is
>>> the
>>> > same, would be http://server:631/printers/hplj2200. If you are
>>> > the only
>>> > one doing this, then it'll be fine. You'll need to have the
>>> drivers
>>> > handy though. And you can lock CUPS down via client IP, or client
>>> > username, or it can depend on SAMBA auth as well.
>>> >
>>> > If you still want to use SAMBA for printing, take a look at
>>> > groups. As
>>> > I recall you can specify which users & which groups can
>>> > read/write/see/whatever the printer much the same as you can for
>>> > regular
>>> > shares. I think there's a PrinterAdmins group that you'll need to
>>> > setup
>>> > if you want to push a driver to the printer.
>>> >
>>> > Good luck!
>>> > Jack
>>> >
>>> > Scott Marshall wrote:
>>> > > Hi all,
>>> > >
>>> > > Hoping some one can help me out here.
>>> > >
>>> > > I have a 2200dn laser printer working on a centos 5 server
>>> > (using webmin for
>>> > > configuration).
>>> > >
>>> > > I have added it via webmin as a samba printer share with
>>> > permissions to my
>>> > > account.
>>> > >
>>> > > Security is set to "user level" not "share level" (the default).
>>> > >
>>> > > I can access my samba shares fine, download and upload to them.
>>> > >
>>> > > I can also see the printer, but what i cannot do is print.
>>> > >
>>> > > When i try and add the printer via my general PCL5 drivers it
>>> > asks me for a
>>> > > username and password. I am currently logged into the computer
>>> > so i would of
>>> > > thought it didn't need it and i cannot enter in the username or
>>> > password
>>> > > because i am already logged in.
>>> > >
>>> > > I cannot figure out if it is possible to have the samba server
>>> > share my
>>> > > printer by default to everyone with any security level yet not
>>> > open up my
>>> > > shares to everyone.
>>> > >
>>> > >
>>> > > Cheers
>>> > > Scott
>>> > >
>>> >
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions: https://lists.samba.org/mailman/options/samba
>>> >
>>> >
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: Samba + Cups 2200 Laserjet printer

2009-12-20T01:23:09Z

When i go to http://192.168.1.1:631/ i get a 403. Any idea's?

Ive changed the localhost to the ip of the server (.1 as above).

On Sun, Dec 20, 2009 at 10:03 PM, Scott Marshall <s.dwag.nz@...>wrote:

> Sorry about that, used gmal's reply without thinking.
>
>
> On Sun, Dec 20, 2009 at 8:42 PM, Jack Downes <jax@...> wrote:
>
>> First off, please reply to the list.
>>
>> Okay, so you'll need to make sure that your cups.conf is setup to not
>> listen only to localhost. you'll several sections on making cups listen
>> to what port and which IP... you'll see "Listen localhost:631" near the
>> top of your cups.conf file which is in /etc/cups (on several distros
>> anyway), edit that to match your IP. Cups.org has tons of info how to
>> do this.
>>
>> As to the groups and such that I'm talking about...
>> Here's what i have setup for our outfit:
>> [printers]
>> comment = Cupsys based printer
>> path = /var/spool/samba
>> create mask = 0700
>> guest ok = Yes
>> printable = Yes
>> browseable = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/KRH_drivers
>> valid users = @wheel, jax, admincis
>> force user = nobody
>> force group = nogroup
>> read only = No
>>
>> So, as you can see, I've got it set so that anyone can print, but that
>> only admins and myself can update/change drivers. Makes it easy and
>> keeps the general users away from the drivers.
>>
>> I'd suggest you put a valid users = scott in your [printers] section and
>> make sure that your windows username/password matches the
>> username/password in your linux setup. Make sure that you create the
>> same user with smbpasswd as well. you can sync those together pretty
>> easily. I'm pretty sure you can also limit by IP if you like:
>> hosts deny = 10.17.1.0/24, 10.6.27.5
>>
>> or whatever ... Hopefully this helps.
>>
>> Jack
>>
>> Scott Marshall wrote:
>> > I tried the address you stated (editing it where needed). It didnt
>> > seem to work for me.
>> >
>> > Is there some thing i should be doing to activate/get this address to
>> > work?
>> >
>> > As for samba, the printer is under the right group and i have
>> > installed the drivers manually on the machines yet i still cannot print.
>> >
>> >
>> > Cheers for the help
>> > Scott
>> >
>> > On Sun, Dec 20, 2009 at 7:23 AM, Jack Downes <jax@...
>> > <mailto:jax@...>> wrote:
>> >
>> > So, unless you are using windows 2k or older, is there really a
>> > point to
>> > installing the printer via //server/hplj2200 ?
>> >
>> > Just use the windows[XP|Vista|7] printer wizard dialog and add a
>> > network
>> > printer. At that point you can use the url which if the name is the
>> > same, would be http://server:631/printers/hplj2200. If you are
>> > the only
>> > one doing this, then it'll be fine. You'll need to have the drivers
>> > handy though. And you can lock CUPS down via client IP, or client
>> > username, or it can depend on SAMBA auth as well.
>> >
>> > If you still want to use SAMBA for printing, take a look at
>> > groups. As
>> > I recall you can specify which users & which groups can
>> > read/write/see/whatever the printer much the same as you can for
>> > regular
>> > shares. I think there's a PrinterAdmins group that you'll need to
>> > setup
>> > if you want to push a driver to the printer.
>> >
>> > Good luck!
>> > Jack
>> >
>> > Scott Marshall wrote:
>> > > Hi all,
>> > >
>> > > Hoping some one can help me out here.
>> > >
>> > > I have a 2200dn laser printer working on a centos 5 server
>> > (using webmin for
>> > > configuration).
>> > >
>> > > I have added it via webmin as a samba printer share with
>> > permissions to my
>> > > account.
>> > >
>> > > Security is set to "user level" not "share level" (the default).
>> > >
>> > > I can access my samba shares fine, download and upload to them.
>> > >
>> > > I can also see the printer, but what i cannot do is print.
>> > >
>> > > When i try and add the printer via my general PCL5 drivers it
>> > asks me for a
>> > > username and password. I am currently logged into the computer
>> > so i would of
>> > > thought it didn't need it and i cannot enter in the username or
>> > password
>> > > because i am already logged in.
>> > >
>> > > I cannot figure out if it is possible to have the samba server
>> > share my
>> > > printer by default to everyone with any security level yet not
>> > open up my
>> > > shares to everyone.
>> > >
>> > >
>> > > Cheers
>> > > Scott
>> > >
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: Samba + Cups 2200 Laserjet printer

2009-12-19T23:42:17Z

First off, please reply to the list.

Okay, so you'll need to make sure that your cups.conf is setup to not
listen only to localhost. you'll several sections on making cups listen
to what port and which IP... you'll see "Listen localhost:631" near the
top of your cups.conf file which is in /etc/cups (on several distros
anyway), edit that to match your IP. Cups.org has tons of info how to
do this.

As to the groups and such that I'm talking about...
Here's what i have setup for our outfit:
[printers]
comment = Cupsys based printer
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/KRH_drivers
valid users = @wheel, jax, admincis
force user = nobody
force group = nogroup
read only = No

So, as you can see, I've got it set so that anyone can print, but that
only admins and myself can update/change drivers. Makes it easy and
keeps the general users away from the drivers.

I'd suggest you put a valid users = scott in your [printers] section and
make sure that your windows username/password matches the
username/password in your linux setup. Make sure that you create the
same user with smbpasswd as well. you can sync those together pretty
easily. I'm pretty sure you can also limit by IP if you like:
hosts deny = 10.17.1.0/24, 10.6.27.5

or whatever ... Hopefully this helps.

Jack

Scott Marshall wrote:

> I tried the address you stated (editing it where needed). It didnt
> seem to work for me.
>
> Is there some thing i should be doing to activate/get this address to
> work?
>
> As for samba, the printer is under the right group and i have
> installed the drivers manually on the machines yet i still cannot print.
>
>
> Cheers for the help
> Scott
>
> On Sun, Dec 20, 2009 at 7:23 AM, Jack Downes <jax@...
> <mailto:jax@...>> wrote:
>
> So, unless you are using windows 2k or older, is there really a
> point to
> installing the printer via //server/hplj2200 ?
>
> Just use the windows[XP|Vista|7] printer wizard dialog and add a
> network
> printer. At that point you can use the url which if the name is the
> same, would be http://server:631/printers/hplj2200. If you are
> the only
> one doing this, then it'll be fine. You'll need to have the drivers
> handy though. And you can lock CUPS down via client IP, or client
> username, or it can depend on SAMBA auth as well.
>
> If you still want to use SAMBA for printing, take a look at
> groups. As
> I recall you can specify which users & which groups can
> read/write/see/whatever the printer much the same as you can for
> regular
> shares. I think there's a PrinterAdmins group that you'll need to
> setup
> if you want to push a driver to the printer.
>
> Good luck!
> Jack
>
> Scott Marshall wrote:
> > Hi all,
> >
> > Hoping some one can help me out here.
> >
> > I have a 2200dn laser printer working on a centos 5 server
> (using webmin for
> > configuration).
> >
> > I have added it via webmin as a samba printer share with
> permissions to my
> > account.
> >
> > Security is set to "user level" not "share level" (the default).
> >
> > I can access my samba shares fine, download and upload to them.
> >
> > I can also see the printer, but what i cannot do is print.
> >
> > When i try and add the printer via my general PCL5 drivers it
> asks me for a
> > username and password. I am currently logged into the computer
> so i would of
> > thought it didn't need it and i cannot enter in the username or
> password
> > because i am already logged in.
> >
> > I cannot figure out if it is possible to have the samba server
> share my
> > printer by default to everyone with any security level yet not
> open up my
> > shares to everyone.
> >
> >
> > Cheers
> > Scott
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

RE: rsync hangs on big transfer Debian 5.0.3 pulling from WinXP SP3/Cygwin 1.5.25

2009-12-19T22:42:51Z

rsync:

I received three copies of my message from each of three lists. If
everyone else receives three copies, I apologize for the extraneous
copies. :-(

Does anybody know why, and how to prevent such?

TIA,

David

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

From forum: Samba - rsync

RE: rsync hangs on big transfer Debian 5.0.3 pulling from WinXP SP3/ Cygwin 1.5.25

2009-12-19T21:37:22Z

Debian Users, Cygwin, & Rsync:

I'm having trouble with rsync invoked on Debian 5.0.3 pulling files from
Windows XP SP3/ Cygwin 1.5.25. I posted to the Debian User and Cygwin
mailing lists [1] and thought I was done two days ago, but I wasn't --
after several hours of use of the Windows machine, rsync would again
hang on Debian.

To summarize, rsync pulls in perhaps 1,000 files from C:\Documents and
Settings, and then hangs indefinitely.

Adding the --timeout parameter seemed to fix the problem last night, but
it's back again tonight.

I've tried adding ten levels of verboseness to rsync (-vvvvvvvvvv), but
no additional information is produced beyond three (-vvv). I don't see
any clues in /var/log on either machine. Are there any other means for
giving visibility to what's going on, other than compiling a debugging
version, running rsync in a debugger, etc.?

A new cygcheck.txt and console session are attached.

Any suggestions?

TIA,

David

Ref:

[1] http://lists.debian.org/debian-user/2009/12/msg00991.html

2009-12-19 20:52:19 dpchrist@a64x2deb ~/a64x2deb/tigerbackup/daily
$ /usr/bin/rsync -rt -vvv --stats --timeout=300 --delete --backup --backup-dir='/mnt/q/backup-old/holgerdanske.com/p43400e/cygdrive/c/documents_and_settings/' --delete-excluded --exclude='My Documents/accounts/' --exclude-from='/usr/local/share/perl/5.10.0/Dpchrist/Tigerbackup/winxp_Documents-and-Settings.exclude' 'Administrator@...:/cygdrive/c/documents_and_settings/' '/mnt/q/backup/holgerdanske.com/p43400e/cygdrive/c/documents_and_settings/' >rsync.out
io timeout after 300 seconds -- exiting
rsync error: timeout in data send/receive (code 30) at io.c(239) [receiver=3.0.3]
rsync: connection unexpectedly closed (137 bytes received so far) [generator]
rsync error: error in rsync protocol data stream (code 12) at io.c(635) [generator=3.0.3]

2009-12-19 21:03:02 dpchrist@a64x2deb ~/a64x2deb/tigerbackup/daily
$ tail -n 20 rsync.out
recv_generator(dpchrist/My Documents/home/.cvsignore,17101)
dpchrist/My Documents/home/.cvsignore is uptodate
recv_generator(dpchrist/My Documents/home/.signature-dc2008.txt,17102)
dpchrist/My Documents/home/.signature-dc2008.txt is uptodate
recv_generator(dpchrist/My Documents/home/.signature-pe.txt,17103)
dpchrist/My Documents/home/.signature-pe.txt is uptodate
recv_generator(dpchrist/My Documents/home/.signature.txt,17104)
dpchrist/My Documents/home/.signature.txt is uptodate
recv_generator(dpchrist/My Documents/home/.vimrc,17105)
dpchrist/My Documents/home/.vimrc is uptodate
recv_generator(dpchrist/My Documents/home/Makefile,17106)
dpchrist/My Documents/home/Makefile is uptodate
recv_generator(dpchrist/My Documents/home/home-unix.tar.gz,17107)
dpchrist/My Documents/home/home-unix.tar.gz is uptodate
recv_generator(dpchrist/My Documents/home/home-win32.tar.gz,17108)
dpchrist/My Documents/home/home-win32.tar.gz is uptodate
recv_generator(dpchrist/My Documents/home/CVS,17109)
recv_generator(dpchrist/My Documents/home/home.tmp,17110)
_exit_cleanup(code=30, file=io.c, line=239): about to call exit(30)
_exit_cleanup(code=12, file=io.c, line=635): about to call exit(12)

Cygwin Configuration Diagnostics
Current System Time: Sun Dec 20 05:13:08 2009

Windows XP Professional Ver 5.1 Build 2600 Service Pack 3

Path: C:\cygwin\usr\local\bin
C:\cygwin\bin
C:\cygwin\bin
C:\cygwin\usr\X11R6\bin
c:\WINDOWS\system32
c:\WINDOWS
c:\WINDOWS\System32\Wbem
C:\cygwin\bin
C:\cygwin\usr\sbin

Output from C:\cygwin\bin\id.exe (nontsec)
UID: 500(Administrator) GID: 513(None)
0(root) 513(None) 544(Administrators)
545(Users) 1006(Debugger Users)

Output from C:\cygwin\bin\id.exe (ntsec)
UID: 500(Administrator) GID: 513(None)
0(root) 513(None) 544(Administrators)
545(Users) 1006(Debugger Users)

SysDir: C:\WINDOWS\system32
WinDir: C:\WINDOWS

USER = 'Administrator'
PWD = '/home/Administrator'
CYGWIN = 'ntsec'
HOME = '/home/Administrator'
MAKE_MODE = 'unix'

HOMEPATH = '\Documents and Settings\Administrator\My Documents'
CPAN_AUTHORID = 'DPCHRIST'
MANPATH = ':/home/Administrator/local/man'
HOSTNAME = 'p43400e'
RELEASE_ROOT = '/mnt/z/data/released'
TERM = 'cygwin'
SHELL = '/bin/bash'
PROCESSOR_IDENTIFIER = 'x86 Family 15 Model 4 Stepping 1, GenuineIntel'
WINDIR = 'C:\WINDOWS'
SSH_CLIENT = '127.0.0.1 1163 22'
CVSROOT = 'dpchrist@...:/cvs/dpchrist'
OLDPWD = '/home/Administrator'
USERDOMAIN = 'P43400E'
SSH_TTY = '/dev/tty0'
OS = 'Windows_NT'
ALLUSERSPROFILE = 'C:\Documents and Settings\All Users'
TEMP = '/cygdrive/c/WINDOWS/TEMP'
COMMONPROGRAMFILES = 'C:\Program Files\Common Files'
PAGER = '/usr/bin/less'
PROCESSOR_LEVEL = '15'
FTP_PASSIVE = '1'
MAIL = '/var/spool/mail/Administrator'
SYSTEMDRIVE = 'C:'
EDITOR = 'vim'
LANG = 'C'
USERPROFILE = 'C:\Documents and Settings\Administrator'
TZ = 'America/Los_Angeles'
PS1 = '\D{%Y-%m-%d %H:%M:%S} \u@\h \w\n\$ '
LOGONSERVER = '\\P43400E'
PROCESSOR_ARCHITECTURE = 'x86'
HISTCONTROL = 'ignoredups'
SHLVL = '1'
OSTYPE = 'cygwin'
PATHEXT = '.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH'
HOMEDRIVE = 'c:'
COMSPEC = 'C:\WINDOWS\system32\cmd.exe'
LESS = '-R'
LOGNAME = 'Administrator'
TMP = '/cygdrive/c/WINDOWS/TEMP'
SYSTEMROOT = 'C:\WINDOWS'
PRINTER = 'HP LaserJet P2050 Series PCL6'
CVS_RSH = 'ssh'
PROCESSOR_REVISION = '0401'
SSH_CONNECTION = '127.0.0.1 1163 127.0.0.1 22'
INFOPATH = '/usr/local/info:/usr/share/info:/usr/info:'
PROGRAMFILES = 'C:\Program Files'
NUMBER_OF_PROCESSORS = '2'
COMPUTERNAME = 'P43400E'
_ = '/usr/bin/cygcheck'

HKEY_CURRENT_USER\Software\Cygnus Solutions
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\mounts v2
HKEY_CURRENT_USER\Software\Cygnus Solutions\Cygwin\Program Options
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2
(default) = '/cygdrive'
cygdrive flags = 0x00000022
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/
(default) = 'C:\cygwin'
flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/bin
(default) = 'C:\cygwin/bin'
flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/usr/lib
(default) = 'C:\cygwin/lib'
flags = 0x0000000a
HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\Program Options

a: fd N/A N/A
c: hd NTFS 76316Mb 31% CP CS UN PA FC p43400e
d: cd N/A N/A

C:\cygwin / system binmode
C:\cygwin/bin /usr/bin system binmode
C:\cygwin/lib /usr/lib system binmode
. /cygdrive system binmode,cygdrive

Found: C:\cygwin\bin\awk.exe
Found: C:\cygwin\bin\bash.exe
Found: C:\cygwin\bin\cat.exe
Found: C:\cygwin\bin\cp.exe
Not Found: cpp (good!)
Not Found: crontab
Found: C:\cygwin\bin\find.exe
Not Found: gcc
Not Found: gdb
Found: C:\cygwin\bin\grep.exe
Found: C:\cygwin\bin\kill.exe
Not Found: ld
Found: C:\cygwin\bin\ls.exe
Found: C:\cygwin\bin\make.exe
Found: C:\cygwin\bin\mv.exe
Not Found: patch
Found: C:\cygwin\bin\perl.exe
Found: C:\cygwin\bin\rm.exe
Found: C:\cygwin\bin\sed.exe
Found: C:\cygwin\bin\ssh.exe
Found: C:\cygwin\bin\sh.exe
Found: C:\cygwin\bin\tar.exe
Found: C:\cygwin\bin\test.exe
Not Found: vi
Found: C:\cygwin\bin\vim.exe

61k 2009/03/02 C:\cygwin\bin\cygbz2-1.dll - os=4.0 img=1.0 sys=4.0
"cygbz2-1.dll" v0.0 ts=2009/3/2 2:52
7k 2003/10/19 C:\cygwin\bin\cygcrypt-0.dll - os=4.0 img=1.0 sys=4.0
"cygcrypt-0.dll" v0.0 ts=2003/10/19 8:57
1075k 2009/11/05 C:\cygwin\bin\cygcrypto-0.9.8.dll - os=4.0 img=1.0 sys=4.0
"cygcrypto-0.9.8.dll" v0.0 ts=2009/11/5 17:46
943k 2007/12/17 C:\cygwin\bin\cygdb-4.5.dll - os=4.0 img=1.0 sys=4.0
"cygdb-4.5.dll" v0.0 ts=2007/12/17 13:12
1296k 2007/12/17 C:\cygwin\bin\cygdb_cxx-4.5.dll - os=4.0 img=1.0 sys=4.0
"cygdb_cxx-4.5.dll" v0.0 ts=2007/12/17 13:12
118k 2008/05/09 C:\cygwin\bin\cygexpat-1.dll - os=4.0 img=1.0 sys=4.0
"cygexpat-1.dll" v0.0 ts=2008/5/9 5:03
40k 2009/03/01 C:\cygwin\bin\cygform-8.dll - os=4.0 img=1.0 sys=4.0
"cygform-8.dll" v0.0 ts=2009/3/1 2:40
42k 2009/11/21 C:\cygwin\bin\cygform-9.dll - os=4.0 img=1.0 sys=4.0
"cygform-9.dll" v0.0 ts=2009/11/21 5:34
42k 2009/03/12 C:\cygwin\bin\cyggcc_s-1.dll - os=4.0 img=1.0 sys=4.0
"cyggcc_s-1.dll" v0.0 ts=2009/3/6 11:54
19k 2009/02/26 C:\cygwin\bin\cyggdbm-4.dll - os=4.0 img=1.0 sys=4.0
"cyggdbm-4.dll" v0.0 ts=2009/2/26 7:55
8k 2009/02/26 C:\cygwin\bin\cyggdbm_compat-4.dll - os=4.0 img=1.0 sys=4.0
"cyggdbm_compat-4.dll" v0.0 ts=2009/2/26 7:56
24k 2009/06/23 C:\cygwin\bin\cyghistory6.dll - os=4.0 img=1.0 sys=4.0
"cyghistory6.dll" v0.0 ts=2009/6/23 13:20
270k 2009/04/23 C:\cygwin\bin\cygicons-0.dll - os=4.0 img=1.0 sys=4.0
"cygicons-0.dll" v0.0 ts=2009/4/23 3:25
982k 2009/05/30 C:\cygwin\bin\cygiconv-2.dll - os=4.0 img=1.0 sys=4.0
"cygiconv-2.dll" v0.0 ts=2009/5/30 19:38
190k 2009/09/15 C:\cygwin\bin\cygidn-11.dll - os=4.0 img=1.0 sys=4.0
"cygidn-11.dll" v0.0 ts=2009/9/8 12:17
37k 2003/08/10 C:\cygwin\bin\cygintl-2.dll - os=4.0 img=1.0 sys=4.0
"cygintl-2.dll" v0.0 ts=2003/8/10 22:50
31k 2005/11/20 C:\cygwin\bin\cygintl-3.dll - os=4.0 img=1.0 sys=4.0
"cygintl-3.dll" v0.0 ts=2005/11/20 2:04
31k 2009/06/07 C:\cygwin\bin\cygintl-8.dll - os=4.0 img=1.0 sys=4.0
"cygintl-8.dll" v0.0 ts=2009/6/7 22:42
83k 2007/06/06 C:\cygwin\bin\cygmagic-1.dll - os=4.0 img=1.0 sys=4.0
"cygmagic-1.dll" v0.0 ts=2007/6/6 11:41
21k 2009/03/01 C:\cygwin\bin\cygmenu-8.dll - os=4.0 img=1.0 sys=4.0
"cygmenu-8.dll" v0.0 ts=2009/3/1 2:38
21k 2009/11/21 C:\cygwin\bin\cygmenu-9.dll - os=4.0 img=1.0 sys=4.0
"cygmenu-9.dll" v0.0 ts=2009/11/21 5:33
24k 2008/10/30 C:\cygwin\bin\cygminires.dll - os=4.0 img=1.2 sys=4.0
"cygminires.dll" v0.0 ts=2008/10/31 0:53
66k 2009/03/01 C:\cygwin\bin\cygncurses++-8.dll - os=4.0 img=1.0 sys=4.0
"cygncurses++-8.dll" v0.0 ts=2009/3/1 2:50
335k 2009/11/21 C:\cygwin\bin\cygncurses++-9.dll - os=4.0 img=1.0 sys=4.0
"cygncurses++-9.dll" v0.0 ts=2009/11/21 5:44
237k 2009/03/01 C:\cygwin\bin\cygncurses-8.dll - os=4.0 img=1.0 sys=4.0
"cygncurses-8.dll" v0.0 ts=2009/3/1 2:36
190k 2009/11/21 C:\cygwin\bin\cygncurses-9.dll - os=4.0 img=1.0 sys=4.0
"cygncurses-9.dll" v0.0 ts=2009/11/21 5:31
11k 2009/03/01 C:\cygwin\bin\cygpanel-8.dll - os=4.0 img=1.0 sys=4.0
"cygpanel-8.dll" v0.0 ts=2009/3/1 2:38
11k 2009/11/21 C:\cygwin\bin\cygpanel-9.dll - os=4.0 img=1.0 sys=4.0
"cygpanel-9.dll" v0.0 ts=2009/11/21 5:32
181k 2008/09/07 C:\cygwin\bin\cygpcre-0.dll - os=4.0 img=1.0 sys=4.0
"cygpcre-0.dll" v0.0 ts=2008/9/7 4:36
302k 2008/09/07 C:\cygwin\bin\cygpcrecpp-0.dll - os=4.0 img=1.0 sys=4.0
"cygpcrecpp-0.dll" v0.0 ts=2008/9/7 4:36
7k 2008/09/07 C:\cygwin\bin\cygpcreposix-0.dll - os=4.0 img=1.0 sys=4.0
"cygpcreposix-0.dll" v0.0 ts=2008/9/7 4:36
1543k 2008/07/03 C:\cygwin\bin\cygperl5_10.dll - os=4.0 img=1.0 sys=4.0
"cygperl5_10.dll" v0.0 ts=2008/6/30 17:06
22k 2002/06/09 C:\cygwin\bin\cygpopt-0.dll - os=4.0 img=1.0 sys=4.0
"cygpopt-0.dll" v0.0 ts=2002/6/9 6:45
155k 2009/06/23 C:\cygwin\bin\cygreadline6.dll - os=4.0 img=1.0 sys=4.0
"cygreadline6.dll" v0.0 ts=2009/6/23 13:20
232k 2009/11/05 C:\cygwin\bin\cygssl-0.9.8.dll - os=4.0 img=1.0 sys=4.0
"cygssl-0.9.8.dll" v0.0 ts=2009/11/5 17:46
46k 2009/11/21 C:\cygwin\bin\cygtic-9.dll - os=4.0 img=1.0 sys=4.0
"cygtic-9.dll" v0.0 ts=2009/11/21 5:31
22k 2009/03/29 C:\cygwin\bin\cygwrap-0.dll - os=4.0 img=1.0 sys=4.0
"cygwrap-0.dll" v0.0 ts=2009/3/29 7:09
65k 2009/03/02 C:\cygwin\bin\cygz.dll - os=4.0 img=1.0 sys=4.0
"cygz.dll" v0.0 ts=2009/3/2 1:19
1829k 2008/06/12 C:\cygwin\bin\cygwin1.dll - os=4.0 img=1.0 sys=4.0
"cygwin1.dll" v0.0 ts=2008/6/12 18:35
Cygwin DLL version info:
DLL version: 1.5.25
DLL epoch: 19
DLL bad signal mask: 19005
DLL old termios: 5
DLL malloc env: 28
API major: 0
API minor: 156
Shared data: 4
DLL identifier: cygwin1
Mount registry: 2
Cygnus registry name: Cygnus Solutions
Cygwin registry name: Cygwin
Program options name: Program Options
Cygwin mount registry name: mounts v2
Cygdrive flags: cygdrive flags
Cygdrive prefix: cygdrive prefix
Cygdrive default prefix:
Build date: Thu Jun 12 19:34:46 CEST 2008
CVS tag: cr-0x5f1
Shared id: cygwin1S4

Service : exim
Display name : Exim
Description : Mail Transfer Agent
Current State : Stopped
Command : /usr/bin/exim -bdf -q15m
stdin path : /dev/null
stdout path : /var/log/exim/cygrunsrv_out.log
stderr path : /var/log/exim/cygrunsrv_err.log
Environment : CYGWIN="ntsec notraverse"
Process Type : Own Process
Startup : Automatic
Dependencies : Tcpip
Account : LocalSystem

Service : sshd
Display name : CYGWIN sshd
Current State : Running
Controls Accepted : Stop
Command : /usr/sbin/sshd -D
stdin path : /dev/null
stdout path : /var/log/sshd.log
stderr path : /var/log/sshd.log
Environment : CYGWIN="ntsec"
Process Type : Own Process
Startup : Automatic
Dependencies : tcpip
Account : LocalSystem

Cygwin Package Information
Last downloaded files to: C:\cygwin\setup
Last downloaded files from: ftp://mirrors.kernel.org/sourceware/cygwin/

Package Version
_update-info-dir 00834-1
alternatives 1.3.30c-3
ash 20040127-4
base-files 3.7-1
base-passwd 2.2-1
bash 3.2.49-22
bzip2 1.0.5-3
coreutils 6.10-2
crypt 1.1-1
csih 0.2.0-1
cvs 1.12.13-1
cygrunsrv 1.34-1
cygutils 1.3.4-1
cygwin 1.5.25-15
cygwin-doc 1.4-4
diffutils 2.8.7-1
editrights 1.01-2
expat 2.0.1-1
file 4.21-1
findutils 4.4.0-3
gawk 3.1.6-1
gettext 0.17-4
grep 2.5.3-1
groff 1.19.2-2
gzip 1.3.12-2
less 382-1
libbz2_1 1.0.5-3
libdb4.5 4.5.20.2-2
libexpat1 2.0.1-1
libexpat1-devel 2.0.1-1
libgcc1 4.3.2-2
libgdbm4 1.8.3-9
libiconv2 1.13-1
libidn11 1.15-1
libintl2 0.12.1-3
libintl3 0.14.5-1
libintl8 0.17-4
libncurses8 5.5-4
libncurses9 5.7-6
libpcre0 7.8-1
libpopt0 1.6.4-4
libreadline6 5.2.14-12
libwrap0 7.6-6
login 1.10-1
make 3.81-2
man 1.6e-1
minires 1.02-1
ncurses 5.7-6
openssh 5.1p1-10
openssl 0.9.8l-1
perl 5.10.0-5
perl_manpages 5.10.0-5
rebase 3.0-2
rsync 3.0.4-1
run 1.1.12-2
sed 4.1.5-2
tar 1.21-1
termcap 5.7_20091114-4
terminfo 5.7_20091114-4
terminfo0 5.5_20061104-3
texinfo 4.13-3
time 1.7-2
tzcode 2009k-1
unzip 5.52-3
vim 7.2-3
wget 1.11.4-3
which 2.20-1
whois 4.7.32-1
zip 3.0-2
zlib 1.2.3-3
zlib-devel 1.2.3-3
zlib0 1.2.3-3
Use -h to see help about each section

--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

From forum: Samba - rsync

Access Denied w/LDAP backend

2009-12-19T20:53:58Z

When I connect to a Samba Member Server in my home network, I am
prompted for credentials and am able establish a session(I have not
yet joined the client machines to the domain). I see a list of shares
and am able to browse down into them as I expect, based on the
appropriate permissions. I can read the contents of files as well. If
I attempt to make any changes (file creation, deletion, renaming,
etc), I'm told that 'access is denied'.

I suspect that the issue has to do with mapping the domain user to the
posix user.

This is a small home network with a Samba PDC and a ldap sam. There
are two member servers and both posix and domain logons work with the
same password as expected. I started with a NT4 PDC configured as I
wanted it and vampired it into Samba+ldap. I made additional changes
once the ldap schema was established and may have broken something.

I have turned up the log level, but nothing obviously wrong is
apparent to me. There is an administrator account in the directory,
but the root user is a local posix account. That part of the config is
not finalized - I'm not sure that's relevant. I'm attaching a
sanitized dump of the ldap structure.

Where should I be looking next? I'm stumped so far.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: mythtv : WriteAudio: buffer underrun

2009-12-19T20:14:24Z

Thanks,
I'm stumped I was monitoring the CPU (AMD 3200+) and its sitting around 5-20% so no
probs there, memory ok too (I have 2Gb RAM ), MythTV is running with Realtime priority
So it beats me why just CD-Audio is a problem, normal MP3 playback is fine.

Note I ran Gnome Mplayer and it runs without any issue, so just a MythTV problem

Paul

On 20/12/2009 12:26 PM, steve jenkin wrote:

> Paul wrote on 20/12/09 8:04 AM:
>> Hi,
>> Looking for some advise on how to verify my audio setup on MythTV is
>> 100% ok.
>> Note I've been running a Mythbox for at least 3 years on various
>> versions of Fedora , currently F10.
>>
>> I've been struck with these alot this past few months.
>> but now I tried to play an audio CD using MythTV which I don't normally
>> do, but none-the-less it still works but the audio start pausing
>> outputing these msgs
>>
>> WriteAudio: buffer underrun
>>
>> what the heck does this mean, and how do I fix it?
>
> Paul,
>
> I've no idea about Myth and playing audio through linux :-(
>
> But I know in other contexts with a buffer 'underrun' is:
> - the buffer source (reader process) wasn't able to keep up
> with the output. The buffer was emptied.
>
> This means your box was busy doing other stuff, or if not, doesn't have
> the grunt to play audio (unlikely).
>
> This could be due, in my naivety not knowledge, to:
> a) not enough CPU cycles
> b) not enough RAM
> c) CPU prioritising other tasks higher than audio
>
> How to distinguish these?
> Sorry, don't know :-(
>
> Usual approaches are rebooting (to untangle memory pools), increasing
> debug levels and looking in logs, stopping/pausing other tasks.
>
> First step in any process is being able to reliably reproduce it...
>
> HTH
> s
>
>>
>> any clues anyone?
>> Or can anyone run this test and get playback ok?
>>
>> thanks
>> Paul
>
>

--
linux mailing list
linux@...
https://lists.samba.org/mailman/listinfo/linux

From forum: Samba - linux

Re: OpenOffice

2009-12-19T13:41:46Z

2009/12/19 keith sayers <keiths@...>:
> Would anyone here be familiar with Open Office - in particular Base and Calc? I am
> having an interesting time figuring out how they work and would much appreciate swapping
> notes with someone more learned.

I have some experience with Calc and Writer, not so much with Base.
Every time I've tried to use Base I got the impression that it wasn't
quite ready for primetime.

Was there anything in particular you wanted to ask about?

Cheers,
BJ
--
linux mailing list
linux@...
https://lists.samba.org/mailman/listinfo/linux

From forum: Samba - linux

mythtv : WriteAudio: buffer underrun

2009-12-19T13:04:02Z

Hi,
Looking for some advise on how to verify my audio setup on MythTV
is 100% ok.
Note I've been running a Mythbox for at least 3 years on various
versions of Fedora , currently F10.

I've been struck with these alot this past few months.
but now I tried to play an audio CD using MythTV which I don't normally
do, but none-the-less it still works but the audio start pausing
outputing these msgs

WriteAudio: buffer underrun

what the heck does this mean, and how do I fix it?

any clues anyone?
Or can anyone run this test and get playback ok?

thanks
Paul
--
linux mailing list
linux@...
https://lists.samba.org/mailman/listinfo/linux

From forum: Samba - linux

Re: --timeout not honoured

2009-12-19T11:47:37Z

On Fri, Dec 18, 2009 at 4:29 AM, Fabian Cenedese <Cenedese@...> wrote:
> 13:18:52 write(4, "\367\344\356\325UUM3\273*<17\7\256D\255\225x0\345^{\203"..., 4092) = 4092
> 13:18:52 time(NULL) = 1261138732
> 13:18:52 select(5, NULL, [4], [4], {60, 0}) = 0 (Timeout)
> 13:19:52 time(NULL) = 1261138792
> 13:19:52 write(2, "io timeout after 9720 seconds --"..., 40) = 40

That looks like it's the sending side. It appears that the sender
writes out a bunch of data to the socket (fd 4), does a select
attempting to write more data, and when that times out after 30
seconds, the lack of any reads since the start of the rsync process
causes rsync to time (this is because rsync currently bases its
timeout on last reception of data).

Sadly, the I/O code in 3.0.x (and 2.x) does not have the sender
attempt to read data from the generator while it is trying to output a
bunch of data, so even if the generator sent a keep-alive message to
the sender, the sender was not even trying to read it. Thus, if the
NAS is so slow that the sending side ever pauses for 30 seconds
waiting to output more data, it may timeout inappropriately. This
situation will be fixed in the (future) 3.1.0 release, which has a
much-improved I/O setup.

In the meantime, you might try using --bwlimit, but if that doesn't
help (or is undesirable), you may need to either stop specifying
--timeout, or switch the client side to using the latest git (or
nightly) 3.1.0dev release.

The 3.1.0dev release should avoid the timeout issue even when it is
sending to an older rsync, since its sender will (#1) pay attention to
the generator, and (#2) assume that any I/O over the socket is good
I/O, and not timeout if I/O is succeeding. The 3.1.0dev code is
looking good so far, but may yet contain some errors that need to be
shaken out. Care should be taken when using it. I will also see
about a simple fix for the upcoming 3.0.7 release, which may be a
better choice for you in the near term.

..wayne..
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html

From forum: Samba - rsync

Re: [PATCH] Output %p as unsigned in snprintf replacement.

2009-12-19T10:46:34Z

On Thu, Dec 03, 2009 at 11:25:22PM +0100, Peter Rosin wrote:
> Attached is a patch to output %p as an unsigned variable.
>
> Please CC me if there are questions, I'm not subscribed...

Thanks, pushed. Will be in 3.5ff.

Volker

attachment0 (196 bytes) Download Attachment

From forum: Samba - samba-technical

Re: Samba + Cups 2200 Laserjet printer

2009-12-19T10:23:29Z

So, unless you are using windows 2k or older, is there really a point to
installing the printer via //server/hplj2200 ?

Just use the windows[XP|Vista|7] printer wizard dialog and add a network
printer. At that point you can use the url which if the name is the
same, would be http://server:631/printers/hplj2200. If you are the only
one doing this, then it'll be fine. You'll need to have the drivers
handy though. And you can lock CUPS down via client IP, or client
username, or it can depend on SAMBA auth as well.

If you still want to use SAMBA for printing, take a look at groups. As
I recall you can specify which users & which groups can
read/write/see/whatever the printer much the same as you can for regular
shares. I think there's a PrinterAdmins group that you'll need to setup
if you want to push a driver to the printer.

Good luck!
Jack

Scott Marshall wrote:

> Hi all,
>
> Hoping some one can help me out here.
>
> I have a 2200dn laser printer working on a centos 5 server (using webmin for
> configuration).
>
> I have added it via webmin as a samba printer share with permissions to my
> account.
>
> Security is set to "user level" not "share level" (the default).
>
> I can access my samba shares fine, download and upload to them.
>
> I can also see the printer, but what i cannot do is print.
>
> When i try and add the printer via my general PCL5 drivers it asks me for a
> username and password. I am currently logged into the computer so i would of
> thought it didn't need it and i cannot enter in the username or password
> because i am already logged in.
>
> I cannot figure out if it is possible to have the samba server share my
> printer by default to everyone with any security level yet not open up my
> shares to everyone.
>
>
> Cheers
> Scott
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Samba + Cups 2200 Laserjet printer

2009-12-19T07:58:45Z

Hi all,

Hoping some one can help me out here.

I have a 2200dn laser printer working on a centos 5 server (using webmin for
configuration).

I have added it via webmin as a samba printer share with permissions to my
account.

Security is set to "user level" not "share level" (the default).

I can access my samba shares fine, download and upload to them.

I can also see the printer, but what i cannot do is print.

When i try and add the printer via my general PCL5 drivers it asks me for a
username and password. I am currently logged into the computer so i would of
thought it didn't need it and i cannot enter in the username or password
because i am already logged in.

I cannot figure out if it is possible to have the samba server share my
printer by default to everyone with any security level yet not open up my
shares to everyone.

Cheers
Scott
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-19T05:17:40Z

I have similar problem. I can join to domain but can't log in to user
account.

Samba 3.4.3
Windows 7 Professional x64

From WinXP workstation everything works great.

> Last time I saw something like this, it was because the client (Win XP)
> did not have a WINS server set, and couldn’t find the domain. Can you
> ping the server from the problem client - by IP address and by name? Is
> its firewall blocking any SMB ports?

ping [serwerip] - works OK.
ping [serverhostname] - works OK.

"ipconfig /all" on workstation displays [domainname] on DNS suffix search
list.
I've modified local DNS server configuration (new zone, new A record) to
handle "[serverhostname].[domainname]" requests.

ping [serverhostname].[domainname] - works OK.

Still - I can't log in to user account.

--
Maciej Czub
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: [PATCH] Proposed merge of some NTLMSSP crypto

2009-12-19T02:32:46Z

On Friday 11 December 2009 11:32:38 Andrew Bartlett wrote:

> To be clear, while I understand your suggestion, the next patch I do
> won't follow the steps you propose, but I'll mention here when it's
> done, and it can be accepted, rejected or reworked (Kai has offered to
> help on that) on it's merits at that time.

Ok, so after a solid 7 hours of watching code compile or fixing it if it
doesn't compile,

http://gitweb.samba.org/?p=kai/samba/wip.git;a=shortlog;h=refs/heads/ntlmssp-
compile

(or the ntlmssp-compile branch in git://git.samba.org/kai/samba/wip.git) Has a
patchset that at least compiles at every step. I'm not sure if the code
actually works (as in passes make test), as that would have taken even longer.

Just as a comparison, I'd like to take the final version these patches arrive
at and try to reach the same stage using the steps metze proposed. That should
allow us to compare which method generates the more readable patches in what
time-scale. I'll drop an email to samba-technical once I'm done with that.

Cheers,
Kai

--
Kai Blin
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/
--
Will code for cotton.

signature.asc (204 bytes) Download Attachment

From forum: Samba - samba-technical

Re: LDAP_SERVER_SD_FLAGS_OID control and search request

2009-12-19T01:42:46Z

Hi Sebastian,
> Hi Matthieu,
>
> If I have understood your question correctly, the answer for it can be found in section 3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID of MS-ADTS.
>
> The version online, already has this information on the section (http://msdn.microsoft.com/en-us/library/cc223323(PROT.10).aspx ).
>
> Please let me know if this addresses your question or if I have misunderstood your request.
>
>
I read this page, maybe it's implicit that if this control is specified
then the nTSecurityDescriptor must be returned with requested parts
(accordingly to what has been requested) even if the this attribute has
not been requested explicitly in the attribute list.
If so can you state it clearly, because as far as I understand (and see)
nTSecurityDescriptor is not returned by default if you do not explicitly
request it.

Matthieu.

> Thanks and regards,
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> "Las Colinas - LC2"
> Tel: +1 469 775 7849
> e-mail: sebastc@...
>
>
> -----Original Message-----
> From: Sebastian Canevari
> Sent: Friday, December 18, 2009 1:55 PM
> To: Matthieu Patou; cifs-protocol@...; Interoperability Documentation Help; pfif@...
> Subject: RE: LDAP_SERVER_SD_FLAGS_OID control and search request
>
> Hi Matthieu,
>
> I'll be helping you with this issue.
>
> Thanks and regards,
>
>
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
> Tel: +1 469 775 7849
> e-mail: sebastc@...
>
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
> Sent: Friday, December 18, 2009 10:36 AM
> To: cifs-protocol@...; Interoperability Documentation Help; pfif@...
> Subject: LDAP_SERVER_SD_FLAGS_OID control and search request
>
> Hello,
>
> While testing ADUC I found that this tool is using the control LDAP_SERVER_SD_FLAGS_OID when requesting object with no attributes (ie.
> CN=Users,DC=home,DC=matws,DC=net) and expect to receive the nTSecurityDescriptor.
> Of course if you do not provide this control the nTSecurityDescriptor is not returned.
>
> I tested this behavior with w2k3r2 and it is how this server behave.
>
> Can you confirm that it's the expected behavior for this control and if possible can you document it if it's not already done.
>
> Regards.
>
> Matthieu.
>
>
>

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

OpenOffice

2009-12-19T01:39:33Z

Would anyone here be familiar with Open Office - in particular Base and Calc? I am
having an interesting time figuring out how they work and would much appreciate swapping
notes with someone more learned.

__________________________________________________________________
Keith Sayers keiths@...
6 Clambe Place
CHARNWOOD, ACT 2615 http://www.apex.net.au/~keiths
__________________________________________________________________
--
linux mailing list
linux@...
https://lists.samba.org/mailman/listinfo/linux

From forum: Samba - linux

Re: Cannot see server in win Neighborhood (again)

2009-12-18T18:59:19Z

Are you listening on port 139, or only on port 445?

Microsoft had a great idea when they implemented SMB over TCP on port 445 and eliminated the ancient and inefficient NETBIOS over TCP, or NetBT (on port 139). Unfortunately, they didn't think it all the way through - you still need NETBIOS to populate the network neighborhood, so if your Samba server only listens on port 445, you won't get happy in your network neighborhood.

In Vista and Windows 7, this problem is fixed: they now use UPnP (renamed to Network Discovery) to populate the network neighborhood (and do a lot of other neat stuff). Samba does not yet support UPnP, though.

Bottom line: even though Samba supports turning off NetBT, DON'T.

This problem is exacerbated if you are using an IPv6 network, because Microsoft no longer even supports NETBIOS at all.

> -----Original Message-----
> From: samba-bounces@... [mailto:samba-
> bounces@...] On Behalf Of Matias Morawicki
> Sent: Friday, December 18, 2009 7:16 AM
> To: samba@...
> Subject: [Samba] Cannot see server in win Neighborhood (again)
>
> Hello u all, sorry to bring this issue back again, but I´ve been
> searching and trying all the advices suggested in previous posts and I
> still can´t see the samba server in the win network neighborhood.
>
> I can see the samba shares from win via net view \\servername
>
> but if I issue a plain "net view" samba won´t show up. only the win
> machines, the same i can see on the Neighborhood...
>
> I´ve tried stopping iptables, different smb.conf from the simple
> examples of t first chapters of samba by example, to plenty of
> options... that´s why I´m not including my smb.conf, because I´ve
> tried many variations, always with the same results. I even tried a
> working smb.conf from another linux box which was showing in win
> Neighborhood...
>
> and when I select local master = no Samba would stay without master!
> I issue smbclient -L servername -U% and the master section remains
> empty.
>
> It´s like samba is not being able to "talk" to the rest of the
> workgroup. (of course they are all in the same workgroup)
>
> Btw, the server is a Centos 5.3, with samba 3.2.15 (it also happened
> with the default samba, so I´ve upgraded just in case...)
>
> I hope someone can point me some directions...
>
> thanks in advance!!
>
> Matias
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: Patch for supported encoding

2009-12-18T17:13:50Z

On Sat, 2009-12-19 at 01:05 +0300, Matthieu Patou wrote:

> On 19/12/2009 00:05, Andrew Bartlett wrote:
> > On Sat, 2009-12-05 at 18:04 +0300, Matthieu Patou wrote:
> >
> >> Hello,
> >>
> >> Please find attach a patch that try to reintroduced a good default value
> >> for default encoding (my change was overwritten by tridge in september).
> >>
> > Can you give the commit it was overwritten by?
> >
> > The next step is to honour this stuff in the KDC
> >
> > Andrew Bartlett
> >
> >
> commit c94e3ff0

Given that, the only way to get your change back in is to have a torture
test that passes against Windows 2008R2, and to work with tridge to
determine the situation he originally needed this for. The test should
handle the case before we set the supported encryption types, then
setting it and checking it changes from that value.

These changes were made to get the bidirectional vampire code working,
so we should not revert things lightly.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

signature.asc (196 bytes) Download Attachment

From forum: Samba - samba-technical

srvtools -- are these really useful?

2009-12-18T15:46:43Z

I have installed 3.4.3 on a CentOS 5.4 box as a PDC with tdbsam
for a backend. All seems to be working as expected in the
Samba world.

With the intention of getting ordinary maintenance off of
my back, I downloaded and installed usrmgr and srvmgr in
/root/bin.

When I launch either of them from a WinXP workstation member
while logged into the domain as root, the domain is not found.
I can find the domain from the menu and look at various settings,
but cannot do much of anything that can be made permanent.

Question: Have I omitted some critical setting to make these
tools useful? Should I not be able to add users to
groups, for example?

What follows is some output that shows thing to be configured
correctly. I think.

root@foobar {~} net rpc group MEMBERS "Domain Admins"
Enter root's password:
PS2\root
PS2\b0fh

root@foobar {~} net groupmap list
... cut several local groups from this list ...
Domain Users (S-1-5-21-2487701501-27877076-1099799052-513) -> staff
Domain Guests (S-1-5-21-2487701501-27877076-1099799052-514) -> nobody
Domain Admins (S-1-5-21-2487701501-27877076-1099799052-512) -> wheel
Administrators (S-1-5-32-544) -> 10000
Users (S-1-5-32-545) -> 10001

Note: I'm not sure what the groups Administrators and Users are about.

root@foobar {~} net rpc rights list
Enter root's password:
SeMachineAccountPrivilege Add machines to domain
SeTakeOwnershipPrivilege Take ownership of files or other objects
SeBackupPrivilege Back up files and directories
SeRestorePrivilege Restore files and directories
SeRemoteShutdownPrivilege Force shutdown from a remote system
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeDiskOperatorPrivilege Manage disk shares

Note: I see no priv to add users to an existing group?

Thank you for your time,
Ray

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

[PATCH] DsReplGetInfo() - infoType == DS_REPL_INFO_NEIGHBORS

2009-12-18T15:46:36Z

Hi!

This is the patch for the implementation of the DsGetReplInfo()
MS-DRSR 4.1.13) for the case infoType == DS_REPL_INFO_NEIGHBORS
(request information about the repsFrom neighbors of the target DC).
There is also a torture test for this call.

On the tests I made using smbtorture (with RPC-DSGETINFO test) it
looks like the values on the fields of the reply message are consistent
with what Windows 2008 fill in those fields.

I'm planning to send one patch for each of the infoTypes. I can't
implement some of them now, because the information needed is
not available yet on drs. The next patch will be for infoType
DS_REPL_INFO_REPSTO.

Best Regards,

Erick Nogueira do Nascimento
Institute of Computing
Campinas State University

0001-s4-drs-DsGetReplInfo-for-infoType-DS_REPL_INFO.patch (42K) Download Attachment

From forum: Samba - samba-technical

Re: LDAP_SERVER_SD_FLAGS_OID control and search request

2009-12-18T14:26:20Z

Hi Matthieu,

If I have understood your question correctly, the answer for it can be found in section 3.1.1.3.4.1.11 LDAP_SERVER_SD_FLAGS_OID of MS-ADTS.

The version online, already has this information on the section (http://msdn.microsoft.com/en-us/library/cc223323(PROT.10).aspx ).

Please let me know if this addresses your question or if I have misunderstood your request.

Thanks and regards,

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc@...

-----Original Message-----
From: Sebastian Canevari
Sent: Friday, December 18, 2009 1:55 PM
To: Matthieu Patou; cifs-protocol@...; Interoperability Documentation Help; pfif@...
Subject: RE: LDAP_SERVER_SD_FLAGS_OID control and search request

Hi Matthieu,

I'll be helping you with this issue.

Thanks and regards,

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc@...

-----Original Message-----
From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
Sent: Friday, December 18, 2009 10:36 AM
To: cifs-protocol@...; Interoperability Documentation Help; pfif@...
Subject: LDAP_SERVER_SD_FLAGS_OID control and search request

Hello,

While testing ADUC I found that this tool is using the control LDAP_SERVER_SD_FLAGS_OID when requesting object with no attributes (ie.
CN=Users,DC=home,DC=matws,DC=net) and expect to receive the nTSecurityDescriptor.
Of course if you do not provide this control the nTSecurityDescriptor is not returned.

I tested this behavior with w2k3r2 and it is how this server behave.

Can you confirm that it's the expected behavior for this control and if possible can you document it if it's not already done.

Regards.

Matthieu.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

Re: Patch for supported encoding

2009-12-18T14:05:07Z

On 19/12/2009 00:05, Andrew Bartlett wrote:

> On Sat, 2009-12-05 at 18:04 +0300, Matthieu Patou wrote:
>
>> Hello,
>>
>> Please find attach a patch that try to reintroduced a good default value
>> for default encoding (my change was overwritten by tridge in september).
>>
> Can you give the commit it was overwritten by?
>
> The next step is to honour this stuff in the KDC
>
> Andrew Bartlett
>
>

commit c94e3ff0

@@ -1124,8 +1133,7 @@ static NTSTATUS
dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
struct netr_DomainInformation *domain_info;
struct netr_LsaPolicyInformation *lsa_policy_info;
struct netr_OsVersionInfoEx *os_version;
- uint32_t default_supported_enc_types =
- ENC_CRC32|ENC_RSA_MD5|ENC_RC4_HMAC_MD5;
+ uint32_t default_supported_enc_types = 0xFFFFFFFF;
int ret1, ret2, i;
NTSTATUS status;

Matthieu.

From forum: Samba - samba-technical

Re: FW: Group Policy questions

2009-12-18T14:01:19Z

Hello Sebastian and Hongwei,

Sorry for being silent on this.

So if I try to sum up we agreed that:

* in order to allow modification of ACL on files sdeffectiverights must
have the flag DACL_SECURITY_INFORMATION set, and the ACL must have the
SE_DACL_PROTECTED set in the control flags.
* in order to avoid a warning message ACL of Policy object must be
synchronized with ACL in the files following this logic for the translation:

The specific rights in access mask for Active Directory object
are defined in 5.1.3.2 of MS-ADTS as follows.

#define RIGHT_DS_CREATE_CHILD 0x00000001
#define RIGHT_DS_DELETE_CHILD 0x00000002
#define RIGHT_DS_LIST_CONTENTS 0x00000004
#define ACTRL_DS_SELF 0x00000008
#define RIGHT_DS_READ_PROPERTY 0x00000010
#define RIGHT_DS_WRITE_PROPERTY 0x00000020
#define RIGHT_DS_DELETE_TREE 0x00000040
#define RIGHT_DS_LIST_OBJECT 0x00000080
#define RIGHT_DS_CONTROL_ACCESS 0x00000100

The specific rights in access mask for a file or directory object
are defined as
(http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )

#define FILE_READ_DATA ( 0x0001 )
#define FILE_LIST_DIRECTORY ( 0x0001 )
#define FILE_WRITE_DATA ( 0x0002 )
#define FILE_ADD_FILE ( 0x0002 )
#define FILE_APPEND_DATA ( 0x0004 )
#define FILE_ADD_SUBDIRECTORY ( 0x0004 )
#define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
#define FILE_READ_EA ( 0x0008 )
#define FILE_WRITE_EA ( 0x0010 )
#define FILE_EXECUTE ( 0x0020 )
#define FILE_TRAVERSE ( 0x0020 )
#define FILE_DELETE_CHILD ( 0x0040 )
#define FILE_READ_ATTRIBUTES ( 0x0080 )
#define FILE_WRITE_ATTRIBUTES ( 0x0100 )

The generic access rights that are common to all objects are

#define DELETE (0x00010000L)
#define READ_CONTROL (0x00020000L)
#define WRITE_DAC (0x00040000L)
#define WRITE_OWNER (0x00080000L)
#define SYNCHRONIZE (0x00100000L)
#define STANDARD_RIGHTS_ALL (0x001F0000L)

The following logic is used by GPMC to convert a access mask for
DS object to a access mask for SYSVOL.

DSAccessMask as Input;
SYSVOLAccessMask as Output;
SYSVOLAccessMask = DSAccessMask;
SYSVOLAccessMask&= STANDARD_RIGHTS_ALL ;

if ((DSAccessMask& RIGHT_DS_READ_PROPERTY) AND
(DSAccessMask& RIGHT_DS_LIST_CONTENTS))
SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
FILE_READ_ATTRIBUTES | FILE_READ_EA |
FILE_READ_DATA | FILE_EXECUTE);

if (DSAccessMask& RIGHT_DS_WRITE_PROPERTY)
SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
FILE_APPEND_DATA | FILE_WRITE_EA |
FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
FILE_ADD_SUBDIRECTORY);

if (DSAccessMask& RIGHT_DS_CREATE_CHILD)
SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY |
FILE_ADD_FILE);

if (DSAccessMask& RIGHT_DS_DELETE_CHILD)
SYSVOLAccessMask |= FILE_DELETE_CHILD;

* All ACE for allowed object are wipped out when "translating" AD ACL to
File ACL
* For the following ACE OI and CI flags are always set in the resulting
file ACE:

ACCESS_ALLOWED_ACE_TYPE
ACCESS_DENIED_ACE_TYPE
SYSTEM_AUDIT_ACE_TYPE

Am I right ?

For the part that are "hardcoded" like this will it change any time soon
? Also do you plan to document this in any kind of document ? if so
which and when ?

Regards.
Matthieu.

On 12/12/2009 01:00, Sebastian Canevari wrote:

> Hi Matthieu,
>
> With regards to ACCESS_ALLOWED_OBJECT_ACE, we do wipe it in the process. That's hardcoded.
>
> With regards to the RU...
>
> I need further clarification on what you are actually seeing.
>
> It is my understanding and that since prew2k clients will not download policies, the ACEs will be cleared if they contain that well known SID.
>
> We are still investigating but please let me know if that explains what you are seeing.
>
>
> Thanks!
>
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 7100 N Hwy 161, Irving, TX - 75039
> "Las Colinas - LC2"
> Tel: +1 469 775 7849
> e-mail: sebastc@...
>
>
> -----Original Message-----
> From: Sebastian Canevari
> Sent: Thursday, December 10, 2009 2:19 PM
> To: 'Matthieu Patou'
> Cc: Hongwei Sun; cifs-protocol@...; pfif@...
> Subject: RE: FW: [cifs-protocol] Group Policy questions
>
> Hi Matthieu,
>
> With regards of the OI and CI flags, we always set those flags on if the ACE type is any of the following 3 types:
>
> ACCESS_ALLOWED_ACE_TYPE
> ACCESS_DENIED_ACE_TYPE
> SYSTEM_AUDIT_ACE_TYPE
>
> This is hardcoded.
>
> I'll provide you with the answer to your other question soon.
>
> Thanks and regards,
>
> Sebastian
>
>
> Sebastian Canevari
> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
> Tel: +1 469 775 7849
> e-mail: sebastc@...
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
> Sent: Friday, December 04, 2009 3:32 PM
> To: Sebastian Canevari
> Cc: Hongwei Sun; cifs-protocol@...; pfif@...
> Subject: Re: FW: [cifs-protocol] Group Policy questions
>
> On 04/12/2009 23:00, Sebastian Canevari wrote:
>
>> Hi Matthieu,
>>
>> Just a clarification to ask you for:
>>
>> We are discussing with Hongwei and the PGs if it is that you are seeing GPMC "expect" the inheritance to happen OR if it is that you are dumping the ACLs and "seeing" the flags always.
>>
>>
>>
> What I see if when I dump the SD of the files modified by GPMC after it realize that there was a mismatch between the SD in AD and the SD in the Policy folder.
> Note: it was with XP sp2 as a client.
>
> Matthieu.
>
>> Please clarify because we were under the impression that we had to look into the client tool, but if the latter is what your question means, then we need to look into AD.
>>
>> Thanks and regards,
>>
>>
>>
>> Sebastian Canevari
>> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N
>> Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
>> Tel: +1 469 775 7849
>> e-mail: sebastc@...
>>
>>
>> -----Original Message-----
>> From: Sebastian Canevari
>> Sent: Thursday, December 03, 2009 4:18 PM
>> To: 'Matthieu Patou'; cifs-protocol@...; Interoperability
>> Documentation Help; pfif@...
>> Subject: RE: FW: [cifs-protocol] Group Policy questions
>>
>> Hi Matthieu,
>>
>> We are still actively working on this and I do have the PG engaged.
>>
>> Please accept my apologies if we are delaying a little longer than expected. I guess we can say that the holidays affected the timing a little without trying to use that as an excuse.
>>
>> I'll keep you posted as soon as I have news.
>>
>> Thanks and regards,
>>
>> Sebastian
>>
>>
>> Sebastian Canevari
>> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
>> Tel: +1 469 775 7849
>> e-mail: sebastc@...
>>
>>
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
>> Sent: Thursday, December 03, 2009 4:05 PM
>> To: Sebastian Canevari; cifs-protocol@...; Interoperability
>> Documentation Help; pfif@...
>> Subject: Re: FW: [cifs-protocol] Group Policy questions
>>
>> Hello sebastian
>>
>>
>>
>>> And last but not least question, it seems that GPMC whats to have OI and CI flags on every ACL entries is it due to the presence of the "SDDL_AUTO_INHERITED">control in the SDDL ?
>>>
>>>
>> Any news on this ?
>> More exactly my question is why this flag appear on each ACE ?
>>
>> Also do you plan to document this in a WSPP document ?
>>
>> Regards.
>> Matthieu.
>> On 13/11/2009 02:40, Sebastian Canevari wrote:
>>
>>
>>> Hi Matthieu,
>>>
>>>
>>> I'll be working with you on these questions.
>>>
>>> I will keep you updated.
>>>
>>> Thanks!
>>>
>>> Sebastian
>>>
>>>
>>>
>>> Sebastian Canevari
>>> Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N
>>> Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
>>> Tel: +1 469 775 7849
>>> e-mail: sebastc@...
>>>
>>>
>>> -----Original Message-----
>>> From: Hongwei Sun
>>> Sent: Wednesday, November 11, 2009 9:35 PM
>>> To: Matthieu Patou
>>> Cc: cifs-protocol@...; pfif@...; Sebastian Canevari
>>> Subject: RE: FW: [cifs-protocol] Group Policy questions
>>>
>>> Matthieu,
>>>
>>> I double checked the logic and your assumption is right. The return value for SYSVOL access mask should be assigned to the input value first. For your other questions, since I am out of office , Sebastian will work on them and let you know.
>>>
>>> Thanks!
>>>
>>> Hongwei
>>>
>>> -----Original Message-----
>>> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
>>> Sent: Wednesday, November 11, 2009 12:22 AM
>>> To: Hongwei Sun
>>> Cc: cifs-protocol@...; pfif@...
>>> Subject: Re: FW: [cifs-protocol] Group Policy questions
>>>
>>> Hello Hongwei,
>>>
>>> I've been working on the translation function, I am getting quite similar ACL right now but I have some remarks and questions.
>>>
>>> The pseudo code contains this:
>>>
>>> DSAccessMask as Input;
>>> SYSVOLAccessMask as Output;
>>>
>>> SYSVOLAccessMask&= STANDARD_RIGHTS_ALL ;
>>>
>>> I have impression that it should be
>>>
>>> DSAccessMask as Input;
>>> SYSVOLAccessMask as Output;
>>>
>>> SYSVOLAccessMask = DSAccessMask;
>>> SYSVOLAccessMask&= STANDARD_RIGHTS_ALL ;
>>>
>>>
>>> Maybe the third line is implied in this kind of pseudo code.
>>>
>>> Also it seems to me that GPMC is discarding any ACL of type ACCESS_ALLOWED_OBJECT_ACE (OA) and also everything related to SID SID_BUILTIN_PREW2K (RU).
>>>
>>> And last but not least question, it seems that GPMC whats to have OI and CI flags on every ACL entries is it due to the presence of the "SDDL_AUTO_INHERITED" control in the SDDL ?
>>>
>>> Thanks for your answers.
>>>
>>> Matthieu.
>>>
>>> On 29/10/2009 05:31, Hongwei Sun wrote:
>>>
>>>
>>>
>>>> Matthieu,
>>>>
>>>> I keep receiving the message from our e-mail server about the undeliverable e-mail to one of the address(cifs-protocol@...), which is in your original e-mail. In order to make sure you receive the email, I just forward it again.
>>>>
>>>> If you already received it, please let me know if it resolved your issue.
>>>>
>>>> Thanks!
>>>>
>>>> Hongwei
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Hongwei Sun
>>>> Sent: Monday, October 26, 2009 6:14 PM
>>>> To: Matthieu Patou; cifs-protocol@...; pfif@...
>>>> Subject: RE: [cifs-protocol] Group Policy questions
>>>>
>>>> Matthieu,
>>>>
>>>> Matthieu,
>>>>
>>>> The attached GPMC log shows the problem of inconsistency
>>>> between ACLs of the policy object and that of SYSVOL folders. The
>>>> log shows that
>>>>
>>>> [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE]
>>>> CGPMGPO::IsAclConsistent():Checking Aces for SID
>>>> S-1-5-21-2212615479-2695158682-2101375467-512
>>>> [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE]
>>>> GetSysvolPermissionsFromDSPermissions: DS access mask is 0xf00ff ......
>>>> [6bc.678] 10/25/2009 00:55:47:359 [VERBOSE]
>>>> CGPMGPO::IsAclConsistent(): ACLs not consistent for
>>>> SID<S-1-5-21-2212615479-2695158682-2101375467-512>. Mask: Expected
>>>> 0x1f01ff, Found 0xf00ff
>>>>
>>>> The access mask for the ace of Active Directory policy object is 0xf00ff. When the GPMO converts the access mask to a corresponding file system access mask, it expects 0x1f01ff. For SYSVOL, you set the access mask to 0xf00ff. They don't match and that is why inconsistency is declared. In the SYSVOL access mask you set, you missed 0x100000(SYNCHRONIZE) and 0x100(FILE_WRITE_ATTRIBUTES).
>>>>
>>>> Since AD objects and SYSVOL file/folder objects are different objects, their specific rights in access mask are not one-to-one matched. The following are the definitions of bits for both objects.
>>>>
>>>> The specific rights in access mask for Active Directory object are defined in 5.1.3.2 of MS-ADTS as follows.
>>>>
>>>> #define RIGHT_DS_CREATE_CHILD 0x00000001
>>>> #define RIGHT_DS_DELETE_CHILD 0x00000002
>>>> #define RIGHT_DS_LIST_CONTENTS 0x00000004
>>>> #define ACTRL_DS_SELF 0x00000008
>>>> #define RIGHT_DS_READ_PROPERTY 0x00000010
>>>> #define RIGHT_DS_WRITE_PROPERTY 0x00000020
>>>> #define RIGHT_DS_DELETE_TREE 0x00000040
>>>> #define RIGHT_DS_LIST_OBJECT 0x00000080
>>>> #define RIGHT_DS_CONTROL_ACCESS 0x00000100
>>>>
>>>> The specific rights in access mask for a file or directory
>>>> object are defined as
>>>> (http://msdn.microsoft.com/en-us/library/aa364399(VS.85).aspx )
>>>>
>>>> #define FILE_READ_DATA ( 0x0001 )
>>>> #define FILE_LIST_DIRECTORY ( 0x0001 )
>>>> #define FILE_WRITE_DATA ( 0x0002 )
>>>> #define FILE_ADD_FILE ( 0x0002 )
>>>> #define FILE_APPEND_DATA ( 0x0004 )
>>>> #define FILE_ADD_SUBDIRECTORY ( 0x0004 )
>>>> #define FILE_CREATE_PIPE_INSTANCE ( 0x0004 )
>>>> #define FILE_READ_EA ( 0x0008 )
>>>> #define FILE_WRITE_EA ( 0x0010 )
>>>> #define FILE_EXECUTE ( 0x0020 )
>>>> #define FILE_TRAVERSE ( 0x0020 )
>>>> #define FILE_DELETE_CHILD ( 0x0040 )
>>>> #define FILE_READ_ATTRIBUTES ( 0x0080 )
>>>> #define FILE_WRITE_ATTRIBUTES ( 0x0100 )
>>>>
>>>> The generic access rights that are common to all objects are
>>>>
>>>> #define DELETE (0x00010000L)
>>>> #define READ_CONTROL (0x00020000L)
>>>> #define WRITE_DAC (0x00040000L)
>>>> #define WRITE_OWNER (0x00080000L)
>>>> #define SYNCHRONIZE (0x00100000L)
>>>> #define STANDARD_RIGHTS_ALL (0x001F0000L)
>>>>
>>>>
>>>> The following logic is used by GPMC to convert a access mask for DS object to a access mask for SYSVOL.
>>>>
>>>> DSAccessMask as Input;
>>>> SYSVOLAccessMask as Output;
>>>>
>>>> SYSVOLAccessMask&= STANDARD_RIGHTS_ALL ;
>>>>
>>>> if ((DSAccessMask& RIGHT_DS_READ_PROPERTY) AND
>>>> (DSAccessMask& RIGHT_DS_LIST_CONTENTS))
>>>> SYSVOLAccessMask |= (SYNCHRONIZE | FILE_LIST_DIRECTORY |
>>>> FILE_READ_ATTRIBUTES | FILE_READ_EA |
>>>> FILE_READ_DATA | FILE_EXECUTE);
>>>>
>>>> if (DSAccessMask& RIGHT_DS_WRITE_PROPERTY)
>>>> SYSVOLAccessMask |= (SYNCHRONIZE | FILE_WRITE_DATA |
>>>> FILE_APPEND_DATA | FILE_WRITE_EA |
>>>> FILE_WRITE_ATTRIBUTES | FILE_ADD_FILE |
>>>> FILE_ADD_SUBDIRECTORY);
>>>>
>>>>
>>>> if (DSAccessMask& RIGHT_DS_CREATE_CHILD)
>>>> SYSVOLAccessMask |= (FILE_ADD_SUBDIRECTORY |
>>>> FILE_ADD_FILE);
>>>>
>>>>
>>>> if (DSAccessMask& RIGHT_DS_DELETE_CHILD)
>>>> SYSVOLAccessMask |= FILE_DELETE_CHILD;
>>>>
>>>>
>>>> Please let me know if this solves your problem. I will file a request to update the document accordingly.
>>>>
>>>> Thanks!
>>>>
>>>> Hongwei
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
>>>> Sent: Sunday, October 25, 2009 5:48 AM
>>>> To: cifs-protocol@...; Hongwei Sun; Interoperability
>>>> Documentation Help; pfif@...
>>>> Subject: Re: [cifs-protocol] Group Policy questions
>>>>
>>>> Hello hongwei,
>>>>
>>>> On 10/20/2009 01:05 PM, Matthieu Patou wrote:
>>>>
>>>>
>>>>
>>>>
>>>>> Hi Hongwei,
>>>>> For the moment it's quite clear why we fail as we do not set any
>>>>> ACL by default on the sysvol volume.
>>>>> I will already fix this + the sDRightsEffective attribute and I'll
>>>>> see if it do the job.
>>>>>
>>>>>
>>>>>
>>>>>
>>>> I worked a little bit on the ACL and still face "unsynchronized" ACL despite the fact that now our Policy folder are created with the same ACL as in AD.
>>>>
>>>> Let's take the following
>>>> policy:{7557D70F-14C9-4EA5-8369-10AE7C2C31D3}
>>>>
>>>> I face the message that the ACL is unconsitent with the one stored
>>>> in the AD, after clicking on yes GPMC changed the ACL for
>>>>
>>>> O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479
>>>> -
>>>> 2
>>>> 695158682-2101375467-512D:PAI(A;OICI;0x001f01ff;;;S-1-5-21-221261547
>>>> 9
>>>> -
>>>> 2695158682-2101375467-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2
>>>> 6
>>>> 9
>>>> 5158682-2101375467-519)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695
>>>> 1
>>>> 5
>>>> 8682-2101375467-512)(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158
>>>> 6
>>>> 8
>>>> 2-2101375467-512)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(
>>>> A
>>>> ;
>>>> OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01bf;;;BA
>>>> )
>>>> (
>>>> A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-519)S:
>>>> A
>>>> I
>>>> (OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d
>>>> 0
>>>> -
>>>> a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f8036
>>>> 7
>>>> c
>>>> 1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>
>>>> Before it was:
>>>> O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479
>>>> -
>>>> 2
>>>> 695158682-2101375467-512D:PAI(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21
>>>> -
>>>> 2
>>>> 212615479-2695158682-2101375467-512)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S
>>>> -
>>>> 1
>>>> -5-21-2212615479-2695158682-2101375467-519)(A;;RPWPCCDCLCLORCWOWDSDD
>>>> T
>>>> S
>>>> W;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;RPWPCCDCLCLORC
>>>> W
>>>> O
>>>> WDSDDTSW;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;CIIO;RPW
>>>> P
>>>> C
>>>> CDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCL
>>>> O
>>>> R
>>>> C;;;AU)(OA;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;RPLCLORC
>>>> ;
>>>> ;
>>>> ;ED)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)(A;CIID;RPWPCRCCDCLCLORCWOWD
>>>> S
>>>> D
>>>> DTSW;;;S-1-5-21-2212615479-2695158682-2101375467-519)(A;CIID;LC;;;RU
>>>> )
>>>> S
>>>> :AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-
>>>> 1
>>>> 1
>>>> d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f8
>>>> 0
>>>> 3
>>>> 67c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>
>>>>
>>>> And if I request the nTSecurityDescriptor for this object in the AD I get:
>>>> {7557D70F-14C9-4EA5-8369-10AE7C2C31D3}
>>>> O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479
>>>> -
>>>> 2
>>>> 695158682-2101375467-512D:PAI(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21
>>>> -
>>>> 2
>>>> 212615479-2695158682-2101375467-512)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S
>>>> -
>>>> 1
>>>> -5-21-2212615479-2695158682-2101375467-519)(A;;RPWPCCDCLCLORCWOWDSDD
>>>> T
>>>> S
>>>> W;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;;RPWPCCDCLCLORC
>>>> W
>>>> O
>>>> WDSDDTSW;;;S-1-5-21-2212615479-2695158682-2101375467-512)(A;CIIO;RPW
>>>> P
>>>> C
>>>> CDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCL
>>>> O
>>>> R
>>>> C;;;AU)(OA;;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;RPLCLORC
>>>> ;
>>>> ;
>>>> ;ED)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)(A;CIID;RPWPCRCCDCLCLORCWOWD
>>>> S
>>>> D
>>>> DTSW;;;S-1-5-21-2212615479-2695158682-2101375467-519)(A;CIID;LC;;;RU
>>>> )
>>>> S
>>>> :AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-
>>>> 1
>>>> 1
>>>> d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f8
>>>> 0
>>>> 3
>>>> 67c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>
>>>>
>>>> Which looks like the ACL that were present for the file.
>>>> I also made a tcpdump capture (attached to this mail) and it's clear that the nTSecurityDescriptor is like the one just above. (packet 927).
>>>>
>>>> So what's going on, with an ACL that is the same when stored in the AD, transmitted through LDAP and stored in the file we have at the end GPMC that change the value but it's hard to understand how it construct this ACL.
>>>>
>>>> I attached also the GPMC log when I clicked on "OK" so that the ACL in AD and ACL for the file are synchronized (well from GPMC point of view).
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> I will try to use also the same SSDL as in w2k3 to see if I have
>>>>> the same resulting delagation or not.
>>>>>
>>>>> For the moment I have some tests to do before going back to you.
>>>>>
>>>>> Regards.
>>>>> Matthieu.
>>>>> On 10/20/2009 03:11 AM, Hongwei Sun wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Matthieu,
>>>>>>
>>>>>> For Problem #1, only the SE_DACL_PROTECTED(0x1000) has to be set
>>>>>> for ControlFlag in Security Descriptor in order to pass the step 2
>>>>>> in consistency testing. This is translated to "P" flag in SDDL.
>>>>>> With this said, it is normal to have D:PAI since this will
>>>>>> indicate that the SE_DACL_PROTECTED bit is set. It seems that your
>>>>>> Security Descriptor is right in this regard. We have to get more
>>>>>> information to see why the consistency checking fails. Could you
>>>>>> enable GPMC logging as described in my previous mail? Please
>>>>>> enable VERBOSE for Gpmgmttracelevel.
>>>>>>
>>>>>> Just for your reference, you can also use ldp.exe to display the
>>>>>> security descriptor of a policy object in SSDL string format and
>>>>>> parsed display format.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Hongwei
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
>>>>>> Sent: Saturday, October 17, 2009 11:33 AM
>>>>>> To: Hongwei Sun
>>>>>> Cc: pfif@...; cifs-protocol@...
>>>>>> Subject: Re: Group Policy questions
>>>>>>
>>>>>> Hello Hongwei,Matthieu,
>>>>>> Thank you for the answers. I have a few more questions:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> After testing, I think that I have some information to help you
>>>>>>> resolve all the problems.
>>>>>>>
>>>>>>> Problem #1:
>>>>>>>
>>>>>>> As described in the following link
>>>>>>> (http://support.microsoft.com/default.aspx?scid=kb;en-us;828760 )
>>>>>>> , GPMO will check the consistency between ACLs in GPO in Active
>>>>>>> Directory and ACLs of policy folders in SYSVOL when a GPO object
>>>>>>> is clicked in GPMC. The logic is something like the following:
>>>>>>>
>>>>>>> 1. Get the security descriptor (SD) for GOP in AD and folders in
>>>>>>> SYSVOL
>>>>>>>
>>>>>>> 2. Check both security descriptors to make sure they are DACL
>>>>>>> protected (PD bit in Control flag is set). If not, ACL
>>>>>>> consistency check will fail.
>>>>>>>
>>>>>>> 3. For every permission in AD DACL, there should be the same
>>>>>>> permission in SYSVOL DACL. If all permissions have be checked
>>>>>>> through in AD ACL and there is still extra permission in SYSVOL
>>>>>>> ACL, ACLs are not consistent.
>>>>>>>
>>>>>>> Looking at the your attached SSDL of the new policy, it doesn't
>>>>>>> have PD bit set. (D:PAI means DI bit is set, which is not DACL protected).
>>>>>>> This will fail the second step of consistency checking.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> I did an extraction of a W2K3 policy and got the following SDDL:
>>>>>>
>>>>>> O:S-1-5-21-3208502064-746857408-2662927446-512G:S-1-5-21-320850206
>>>>>> 4
>>>>>> -
>>>>>> 746857408-2662927446-512
>>>>>>
>>>>>> D:PAI
>>>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-266
>>>>>> 2
>>>>>> 9
>>>>>> 27446-512)
>>>>>>
>>>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-266
>>>>>> 2
>>>>>> 9
>>>>>> 27446-519)
>>>>>>
>>>>>> (A;;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3208502064-746857408-26629
>>>>>> 2
>>>>>> 7
>>>>>> 446-512)
>>>>>>
>>>>>> (A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
>>>>>> (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
>>>>>> (A;CI;RPLCLORC;;;AU)
>>>>>> (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
>>>>>> (A;CI;RPLCLORC;;;ED)
>>>>>> S:AI
>>>>>> (OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6
>>>>>> -
>>>>>> 1
>>>>>> 1d0-a285-00aa003049e2;WD)
>>>>>>
>>>>>> (OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6
>>>>>> -
>>>>>> 1
>>>>>> 1d0-a285-00aa003049e2;WD)
>>>>>>
>>>>>> (OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)
>>>>>>
>>>>>> And you say that we should not have AI flag (because it's related
>>>>>> to SE_DACL_AUTO_INHERITED aka DI bit) just the P flag (because
>>>>>> it's related to DE_DACL_PROTECTED aka PD bit) right ?
>>>>>> But the above SDDL seems to show the opposite, I can't exclude the
>>>>>> fact that we have bugs when reading ACL and/or when converting
>>>>>> them into SDDL but before to trying to check this I would like to
>>>>>> be sure of which flag we should see.
>>>>>>
>>>>>> I even tweaked XCACLS.vbs (attached to this email) from
>>>>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;828760 to
>>>>>> make it show the value of the control and it appear that the ACL
>>>>>> for the c:\windows\sysvol has both PD and DI bit sets
>>>>>>
>>>>>> ie.
>>>>>> Directory: C:\WINDOWS\SYSVOL
>>>>>>
>>>>>> ControlFlags: 37892
>>>>>>
>>>>>> Do gpmc pass some controls while making its LDAP request because I
>>>>>> had a look at the delegated permission through GPMC and through
>>>>>> dsa.msc they are really different (a lot of inherited from parents objects).
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Problem #2:
>>>>>>>
>>>>>>> In GPMO, if the attribute sDRightsEffective of selected GPO
>>>>>>> object has DACL_SECURITY_INFORMATION bit (0x04) set, users will
>>>>>>> be prompted for ACL correction if ACLs inconsistency between AD
>>>>>>> GPO and SYSVOL is detected when a GPO node is selected. You
>>>>>>> should check the attribute for the GOP object in AD.
>>>>>>>
>>>>>>> Problem #3:
>>>>>>>
>>>>>>> This is basically the same logic as in (2). The "Add" and "Remove"
>>>>>>> buttons in Delegation dialog are enabled only when the attribute
>>>>>>> sDRightsEffective of selected GPO object has
>>>>>>> DACL_SECURITY_INFORMATION (0x04) bit set. You should check the
>>>>>>> attribute for the GOP object in AD.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Yeah for this it seems that the obvious problem is the lack of
>>>>>> sDRightsEffective in SAMBA 4.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Debugging Information:
>>>>>>>
>>>>>>> By the way, you can follow the instruction in this link
>>>>>>> (http://technet.microsoft.com/en-us/library/cc737379(WS.10).aspx
>>>>>>> ) to enable GPMC logging, if you want to troubleshoot the issues
>>>>>>> related to operations in GPMC. For example, the logging will show
>>>>>>> you in which step the consistency checking fails.
>>>>>>> You can look for the text "CGPMGPO::IsAclConsistent()" in the
>>>>>>> logs generated.
>>>>>>>
>>>>>>> If you need more information, please let us know.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> Matthieu.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>> _______________________________________________
>>>>> cifs-protocol mailing list
>>>>> cifs-protocol@...
>>>>> https://lists.samba.org/mailman/listinfo/cifs-protocol
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

Re: [s4] Passwords work

2009-12-18T13:20:51Z

On Fri, 2009-12-18 at 10:38 +0100, Matthias Dieter Wallnöfer wrote:

> I would like to inform you (s4 developers) that my password work has
> been finished. The "samdb_set_password" call is cleaned up (only the
> essential instructions) and all the other checks moved to the
> "password_hash" LDB module.
> The reason for this is that AD supports the password handling not only
> over the RPCs or KERBEROS ("samdb_set_password" in our case) but also
> directly by LDAP attribute manipulation. With my patchset we should
> always be safe now regarding the policies (since previously we weren't
> on direct LDAP changes).
> To be interoperable with the "real AD" I implemented the behaviour
> according to MS-ADTS 3.1.1.3.1.5. In addition to the specification which
> seems to allow password changes only by the "unicodePwd" and
> "userPassword" attribute, my patch supports them also through
> "clearTextPassword" and "dBCSPwd" (if LANMAN auth is enabled). I added
> this for completeness and it didn't make a lot of difference to
> implement also this.
> The tree is located at
> http://repo.or.cz/w/Samba/mdw.git/shortlog/refs/heads/passwords and
> passes "make test".

Thankyou so much for your persistence with this work. This looks really
good, and I look forward to merging it!

The things I would suggest need to be done before we merge:
- Tests: - we need tests of the LDAP password set and change behaviour
- unicodePwd - we need to get rid of the 'autodetection' between
"password" and 16 byte hash value. This I think should be replaced with
a control indicating 'hash values being set' (which scripts such as the
upgradeprovision and parts of the SAMR password change code could then
set).

I also just need to look over the patch more carefully, with a
particular eye to security holes.

Thanks!

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

signature.asc (196 bytes) Download Attachment

From forum: Samba - samba-technical

Re: Patch for supported encoding

2009-12-18T13:05:13Z

On Sat, 2009-12-05 at 18:04 +0300, Matthieu Patou wrote:
> Hello,
>
> Please find attach a patch that try to reintroduced a good default value
> for default encoding (my change was overwritten by tridge in september).

Can you give the commit it was overwritten by?

The next step is to honour this stuff in the KDC

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.

signature.asc (196 bytes) Download Attachment

From forum: Samba - samba-technical

Disabling Roaming Profile Support Removes Logon (Home) Drive

2009-12-18T12:47:21Z

This is my first attempt at setting up a PDC (Ubuntu Server 9.10 + Samba 3.4.3). I'm keeping it simple - no AD support or LDAP just a basic NT4 domain.

I have everything configured and working well - I can join Windows clients to the domain and access shares etc. However I realized that roaming profiles were enabled, which I don't want, so I modifed the config to set logon home = and logon path = . As expected, it stopped the roaming profiles but it also removed the logon (home) drive which had worked previously.

Is there any way to disable roaming profiles but keep the logon drive?

logon script = logon.cmd
logon path =
logon drive = H:
logon home =

Thanks.

From forum: Samba - samba-technical

Re: new user can't log

2009-12-18T12:36:58Z

The database from ldap was a copy from another domain, that existed in
another network. i've done a slapcat in the old domain and did a slapadd
in this new one (both domain have the same name). But this happened
about 2 years ago. After a samba and ldap upgrade via apt-get, the
duplicated domains message start to pop (abouth 3 months ago). Just now
i've solved, but now, this =S.

I'll try some of the stuff you guys sugested me.

tks and sorry for my poor english.

*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarneiro@... <mailto:lscarneiro@...>
http://www.veltrac.com.br <http://www.veltrac.com.br/>
/Fone Com.: (43)2105-5601/
/Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/

David Whitney escreveu:

> Unless I've blown my memory on Windows internals, each user's SID is
> comprised of the domain's SID, then a "self-refential" RID portion. That
> means a user from the domain DOMINIOS should NOT have what amounts to a
> "prefix" that looks as though it came from a different domain. But unless
> I'm mistaken, your logs are telling you exactly that - the domain portion of
> the group and user SID's indicate different domains, and that indicates a
> problem.
>
> One theory is that perhaps your domain was created, groups and users were
> created, but then for some reason your domain SID changed, and perhaps that
> led to your described duplicate domain entry (?) problem.
>
> Anyway, I'd take a look at the SIDS of other users and groups and see if
> this problem exists for other users or groups on your domain.
>
> -David
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

new user can't log

2009-12-18T12:16:31Z

Unless I've blown my memory on Windows internals, each user's SID is
comprised of the domain's SID, then a "self-refential" RID portion. That
means a user from the domain DOMINIOS should NOT have what amounts to a
"prefix" that looks as though it came from a different domain. But unless
I'm mistaken, your logs are telling you exactly that - the domain portion of
the group and user SID's indicate different domains, and that indicates a
problem.

One theory is that perhaps your domain was created, groups and users were
created, but then for some reason your domain SID changed, and perhaps that
led to your described duplicate domain entry (?) problem.

Anyway, I'd take a look at the SIDS of other users and groups and see if
this problem exists for other users or groups on your domain.

-David
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From forum: Samba - General

Re: LDAP_SERVER_SD_FLAGS_OID control and search request

2009-12-18T11:55:28Z

Hi Matthieu,

I'll be helping you with this issue.

Thanks and regards,

Sebastian Canevari
Senior Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc@...

-----Original Message-----
From: Matthieu Patou [mailto:mat+Informatique.Samba@...]
Sent: Friday, December 18, 2009 10:36 AM
To: cifs-protocol@...; Interoperability Documentation Help; pfif@...
Subject: LDAP_SERVER_SD_FLAGS_OID control and search request

Hello,

While testing ADUC I found that this tool is using the control LDAP_SERVER_SD_FLAGS_OID when requesting object with no attributes (ie.
CN=Users,DC=home,DC=matws,DC=net) and expect to receive the nTSecurityDescriptor.
Of course if you do not provide this control the nTSecurityDescriptor is not returned.

I tested this behavior with w2k3r2 and it is how this server behave.

Can you confirm that it's the expected behavior for this control and if possible can you document it if it's not already done.

Regards.

Matthieu.

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol

Re: [Pfif] SMB1 Trans2SetPathInfo() FileEndOfFileInformation is not enforcing share modes

2009-12-18T11:22:01Z

My pleasure - this was - and is - a very interesting topic!

By the way, I will be continuing my study of SMB_INFO_PASSTHROUGH and the Nt*Info calls. I expect to post a blog entry on the 'Microsoft Open Specification Support Team Blog' (http://blogs.msdn.com/OpenSpecification/) sometime in January.

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: +1(980) 776-8200
CELL: +1(704) 661-5438
FAX: +1(704) 665-9606

-----Original Message-----
From: Tim Prouty [mailto:tim.prouty@...]
Sent: Friday, December 18, 2009 2:07 PM
To: Bill Wesse
Cc: Zachary Loafman; pfif@...; cifs-protocol@...
Subject: Re: [Pfif] SMB1 Trans2SetPathInfo() FileEndOfFileInformation is not enforcing share modes

Bill, Thank you for diving into this issue and bringing clarity to how
others should be implementing this. I sincerely appreciate your
dilligence!

-Tim

On Dec 18, 2009, at 5:38 AM, Bill Wesse wrote:

> Good morning Tim - development has responded to the TDI - thank you
> very much for finding and reporting this - as well as for the
> opportunity for us to improve our implementation and documentation!
> Please let me know if this answers your question satisfactorily; if
> so, I will consider your question resolved.
>
> ==========
>
> The behavior exhibited on SMB1 regarding not receiving a sharing
> violation when doing a set of FileEndOfFileInformation when write
> sharing is disallowed is a bug in our server implementation.
>
> This is something we will pursue fixing, and the behavior does not
> exist for the FID-based set info in SMB1 or the set-info command in
> SMB2. We are investigating the best path to fix the issue and then
> update the documentation accordingly. It seems to exist inside the
> Path-based SetInfo path.
>
> ==========
>
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL: +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX: +1(704) 665-9606
>
> -----Original Message-----
> From: Bill Wesse
> Sent: Wednesday, December 16, 2009 2:05 PM
> To: 'Tim Prouty'
> Cc: pfif@...; cifs-protocol@...
> Subject: RE: [Pfif] SMB1 Trans2SetPathInfo()
> FileEndOfFileInformation is not enforcing share modes
>
> Indeed it is possible; NtQueryInformationFile with standard
> information levels does translate into passthrough levels on the
> wire (for SMB).
>
> But, as I mentioned, I am still working on the test code, and
> haven't invoked NtSetInformationFile or other functions yet; I am
> iterating on test cases to gather error return information (which is
> a subject always dear to everyone's heart!). Of course, named pipes,
> directories and the various flavors of junction points do complicate
> this somewhat...
>
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> TEL: +1(980) 776-8200
> CELL: +1(704) 661-5438
> FAX: +1(704) 665-9606
>
>
> -----Original Message-----
> From: Tim Prouty [mailto:tim.prouty@...]
> Sent: Wednesday, December 16, 2009 1:59 PM
> To: Bill Wesse
> Cc: pfif@...; cifs-protocol@...
> Subject: Re: [Pfif] SMB1 Trans2SetPathInfo()
> FileEndOfFileInformation is not enforcing share modes
>
> Thank you for the update! So if I understand what you're saying, it
> is possible for a windows app to cause the the smb client to send the
> passthrough levels over the wire using NtQueryInformationFile?
>
> -Tim
>
> On Dec 16, 2009, at 10:55 AM, Bill Wesse wrote:
>
>> Good day Tim. I have just filed a Technical Documentation Issue
>> (TDI) against the share mode issue requesting document update /
>> guidance concerning SMB_INFO_PASSTHROUGH.
>>
>> My examination of our implementation indicates this situation should
>> exist for all SET_PATH_INFORMATION information levels with
>> SMB_INFO_PASSTHROUGH. I have not examined
>> TRANS2_SET_FILE_INFORMATION or TRANS2_SET_FS_INFORMATION.
>>
>> [MS-SMB] and [MS-FSCC] provide no guidance concerning share
>> circumvention for this or any other SMB_COM_TRANSACTION2
>> subcommand / information level with SMB_INFO_PASSTHROUGH, other than
>> to say 'the client is requesting a native Windows NT operating
>> system information level' ([MS-SMB] 6 Appendix A: Product Behavior,
>> note <155>).
>>
>> Also, I have nearly completed a test app (C++) to exercise these as
>> much as possible - NtQueryInformationFile indeed uses
>> SMB_INFO_PASSTHROUGH values. I intend to profile Windows behavior
>> against the information levels, and will provide all of that to you
>> as soon as I can.
>>
>> Regards,
>> Bill Wesse
>> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
>> 8055 Microsoft Way
>> Charlotte, NC 28273
>> TEL: +1(980) 776-8200
>> CELL: +1(704) 661-5438
>> FAX: +1(704) 665-9606
>>
>> -----Original Message-----
>> From: Bill Wesse
>> Sent: Wednesday, December 09, 2009 10:56 AM
>> To: 'Tim Prouty'
>> Cc: pfif@...; cifs-protocol@...
>> Subject: RE: [Pfif] SMB1 Trans2SetPathInfo()
>> FileEndOfFileInformation is not enforcing share modes
>>
>> Tim, - thanks for the updated smbtorture. I have reproduced the
>> truncated SMB error response - see frames 132 & 133 in the attached
>> capture. I will create a new case for this, and begin debugging
>> today (after verifying whether or not this happens against older
>> Windows versions).
>>
>> Frame: Number = 133, Captured Frame Length = 102, MediaType =
>> ETHERNET
>> + Ethernet: Etype = Internet IP
>> + (IPv4),DestinationAddress:[00-15-5D-04-7B-03],SourceAddress:
>> [00-15-5D-
>> + 04-7B-09]
>> + Ipv4: Src = 192.168.0.10, Dest = 192.168.0.21, Next Protocol = TCP,
>> + Packet ID = 1552, Total IP Length = 88
>> + Tcp: Flags=...AP..., SrcPort=Microsoft-DS(445), DstPort=47152,
>> + PayloadLen=36, Seq=3281756320 - 3281756356, Ack=267797329, Win=510
>> + (scale factor 0x8) = 130560
>> + SMBOverTCP: Length = 32
>> - Smb: R - DOS OS Error, (124) INVALID_LEVEL
>> Protocol: SMB
>> Command: Transact2 50(0x32)
>> + DOSError: DOS OS Error - (124) INVALID_LEVEL
>> - SMBHeader: Response, TID: 0x0800, PID: 0x77C9, UID: 0x0800, MID:
>> 0x0008
>> + Flags: 136 (0x88)
>> + Flags2: 34819 (0x8803)
>> PIDHigh: 0 (0x0)
>> SecuritySignature: 0x0
>> Unused: 0 (0x0)
>> TreeID: 2048 (0x800)
>> ProcessID: 30665 (0x77C9)
>> UserID: 2048 (0x800)
>> MultiplexID: 8 (0x8)
>>
>> Regards,
>> Bill Wesse
>> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
>> 8055 Microsoft Way
>> Charlotte, NC 28273
>> TEL: +1(980) 776-8200
>> CELL: +1(704) 661-5438
>> FAX: +1(704) 665-9606
>>
>>
>> -----Original Message-----
>> From: Tim Prouty [mailto:tim.prouty@...]
>> Sent: Tuesday, December 08, 2009 12:55 PM
>> To: Bill Wesse
>> Cc: pfif@...; cifs-protocol@...
>> Subject: Re: [Pfif] SMB1 Trans2SetPathInfo()
>> FileEndOfFileInformation is not enforcing share modes
>>
>> Thank you for your diligence on this Bill and the answers you have
>> provided. I have some responses inline below.
>>
>> On Dec 8, 2009, at 6:07 AM, Bill Wesse wrote:
>>
>>> Is #3 actually correct behavior that other servers should implement?
>>> If so, can the cases where share modes are not enforced be
>>> enumerated
>>> in the documentation?
>>>
>>> Response:
>>>
>>> #3 is correct behavior. Sending an SMB_COM_TRANSACTION2 request for
>>> SET_PATH_INFORMATION with SMB_INFO_PASSTHROUGH +
>>> FileEndOfFileInformation is functionally equivalent to a remote call
>>> to NtSetInformationFile.
>>>
>>> NtSetInformationFile sends an IRP_MJ_SET_INFORMATION request to the
>>> file system driver in question; this does not involve the usual I/O
>>> Manager ShareMode checks.
>>
>>
>> I share the same sentiment as Zach on this behavior, but it is
>> definitely useful to know how windows handles this. Are there plans
>> for this to be documented anywhere or does it receive documentation
>> exemption since this is passthrough-speceific?
>>
>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>> Question:
>>>
>>> If a client can send a particular info level and windows implements
>>> it, then we have a compatibility problem if we choose not to support
>>> it. What I would really like to know is if other SMB
>>> implementations
>>> need to circumvent share-mode checks for this pass through level
>>> (and
>>> maybe others?).
>>>
>>> Response:
>>>
>>> This should be the case for all supported SMB_INFO_PASSTHROUGH
>>> levels,
>>> as they run through the same essential logic.
>>>
>>> However, I have additional testing to perform before I can
>>> completely
>>> confirm this.
>>
>>
>> I am interested to know the results of your testing. I believe
>> there are some tests in RAW-OPLOCKS that use the rename passthrough
>> level to test oplocks, but implicitly rely on share modes not being
>> enforced for the rename passthrough. RAW-OPLOCK-BATCH19, 20 and 21
>> are good ones to look at.
>>
>>
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> =
>>> ====================================================================
>>> Question:
>>>
>>> 1. Packet 40 appears to have the WordCount and ByteCount truncated,
>>> making the packet smaller than normal minimum size of 35? Is this
>>> intended behavior that other servers should implement?
>>>
>>> Additionally a DOS Error is returned instead of a standard NT_STATUS
>>> error. MS-CIFS does say that a DOS error or an NT_STATUS error may
>>> be
>>> returned, but I don't see any indication in the documentation of
>>> when
>>> a DOS error should be returned instead of an NT_STATUS error. Is it
>>> possible to make this explicit in the docs or is this a case where
>>> it's purposefully left ambiguous?
>>>
>>> Response:
>>>
>>> The WordCount/ByteCount truncation against the Dos INVALID_LEVEL
>>> error
>>> problem
>>> (trans2setpathinfo_against_win7_2.pcap) you saw did not reproduce
>>> with
>>> my clients (who succeeded against the call).
>>>
>>> I have attached a zip file with your trace
>>> (trans2setpathinfo_against_win7_2.pcap), and my equivalent trace
>>> (test_trans2setpathinfo_Win7.pcap). Mine does not have that second
>>> Set
>>> EOF call. Do I need a newer build of smbtorture (my current one from
>>> you is samba.2009.12.01.tar.gz)?
>>
>>
>> In comparing the pcaps, it does indeed appear that the version of
>> smbtorture you're running doesn't include the most recent version of
>> RAW-SFILEIFNO-END-OF-FILE. Packet 54 in your trace corresponds to
>> packet 33 in my trace which is sending the SNIA CIFS EOF level
>> rather than the passthrough. Packet 39 in my trace is the
>> setpathinfo EOF passthrough level that is actually getting the
>> strange error, and there is no corresponding packet in your trace.
>>
>> I'll get you the most recent code drop in a private channel.
>>
>> -Tim
>>
>

_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

From forum: Samba - cifs-protocol