Samba Traffic #6 For 5 Jan 2000

By Peter Samuelson

Introduction

This was an odd week. Both the samba and samba-ntdom lists were much quieter than usual, for one thing. Perhaps most people, between holidays and panicked last-minute Y2K work, had better things to do than discuss Samba. After all, everyone already knows Samba is Y2K-compliant and has been for a long time, quite possibly from Day 1.

The samba-technical list would have been fairly quiet, too, except for one huge thread (180 posts and counting). That one is about how to map a Unix UID/GID to a Windows NT SID/RID and back. Luke Leighton has one approach he'd like to try; Jeremy Allison sees this as a complicated solution in the face of a rather simple problem, and believes that where the complexity is really desired, it can and should be implemented outside Samba proper. In any case, the thread will not be covered further in this issue since it is still quite active. Look for a full summary in an upcoming issue of KC Samba.

In other news, it would seem the Samba Team is celebrating Y2K by rearranging their list archive site. The change itself is a Good Thing (the new layout, with far fewer files per directory, is much more scalable), but it breaks most of the hyperlinks in KC Samba issues 1-5. Fear not; all KC Samba links have been fixed.

Mailing List Stats For This Week

We looked at 304 posts in 745K.

There were 95 different contributors. 37 posted more than once. 31 posted last week too.

The top posters of the week were:

 

1. SAMBA_TNG CVS Branch Malfunctions
22 Dec 1999 - 29 Dec 1999 (11 posts) Archive Link: "Latest Samba-TNG seems not to compile ..."
People: Luke Leighton, Michael Glauche, Richard Sharpe

Richard Sharpe noticed that the SAMBA_TNG branch of CVS code did not compile. Luke Leighton, who has been doing most of the updates in that branch, claimed that it worked fine. But Chris Sorisio confirmed the problem, posting a log from a failed compile. Luke replied, "hm, this is weird. i don't get this error. please check out a new copy. do not do cvs update." No dice, said Chris. Luke was puzzled, and was forced to assume that the public anonymous CVS tree, which happens to be only a mirror of a private CVS tree, was out of sync somehow. "have to ask andrew to deal with that when he can."

Michael Glauche had a request for the meantime: "can you make a tarball of your version ? could make some diff then, to see where the problem is ..." Luke did so, making it available via FTP.

Finally, a day later, Luke posted the announcement: "the public cvs is now consistent again with the private cvs. those people who had compiler errors on cvs branch SAMBA_TNG should find that they can now use the latest cvs instead of an out-of-date one." End of problem, end of thread.

 

2. More on Tridge's New Database Module
24 Dec 1999 - 30 Dec 1999 (10 posts) Archive Link: "Database code"
People: Luke Leighton, Andrew Tridgell, Chris Hertel, Jerry Carter, Jeremy Allison

As discussed in Issue #5, Section #5 (sm19991230_5.html#5), Andrew Tridgell just wrote a small key-value database module for some of Samba's internal structures. Luke Leighton was curious about what it could do:

can your database code provide the following functionality:

  • two unique, primary keys
  • atomic addition of entries

i need to create a table of SID-uid one-to-one mappings. the SIDs must be unique and a primary key field. the uids must be unique and a primary key field.

additions to the table need to be atomic.

Tridge answered yes to both questions, with the following explanation about the two keys:

you need to do this for a store:

  • lock database (tdb_writelock())
  • tdb_store() the record for the secondary key mapping it to the primary key
  • tdb_store() the main record
  • unlock database (tdb_writeunlock())

I don't want to build in multi-key directly to tdb as I want tdb to stay really simple, instead use the above simple wrapper to do multi-key.

Luke wasn't sure the above was quite the same thing; he wanted independent primary keys that could all index into the table efficiently. Tridge explained again what he meant, ending with "just add error checking to the above, stir and simmer over a hot debugger for 10 minutes. Voila, database-al-la-2key."

Chris Hertel grumbled: "I'm just a little annoyed that I wrote an entirely similar system a year or so ago and was told it wasn't useful/needed. Urq." Tridge explained that as he understood it, Chris's code couldn't handle multiple simultaneous writers. He added that this was the same reason he hadn't just used the dbm, ndbm or gdbm packages.

That got Jerry Carter thinking about the ever-popular Berkeley DB package now maintained by Sleepycat Software. Had Tridge looked at that? Yes, he replied: "I did consider Sleepycat, but apart from the minor license issues (which I'm sure could be worked around) it looked a bit heavy-weight for many of the small database modules that we have in Samba. It is about 70k lines of code in total, whereas tdb is less than 1k." Chris Hertel and Jeremy Allison both mentioned the licensing issue as well.

(Editor's note: Berkeley DB 2.x has a somewhat unusual hybrid of a license: it uses the original BSD license from DB 1.x, but adds GPL-like restrictions that prohibit distribution without providing source code. It is DFSG/OSD-compliant but not strictly GPL-compatible, thanks to the world-famous BSD advertising clause.)

 

3. Password Changing in Win98 Not Encrypted!
29 Dec 1999 (2 posts) Archive Link: "Possible bug changing smb password from Win98"
People: Shirish Kalele, Jeremy Allison

Shirish Kalele found a security hole in Windows98 that happened to trigger a Samba bug:

I think I might have found a possible bug in the SetUserPassword Remote API code in Samba 2.0.6. [...]

I traced the problem to the api_SetUserPassword function in smbd/ipc.c. Win98 (even with password encryption set), sends the username, old and new passwords in cleartext for the SetUserPassword call over the LANMAN pipe. So what should happen is that the old password sent is hashed and tested against the smbpasswd file entry for the user and then new NT and LM hashes should be generated for the entry from the new password sent again in cleartext.

However, from the code, it appears that first if the old plaintext password is verified, the new password is set using the unix passwd program (no modification to smbpasswd!?) Otherwise, it is assumed that the old password in the remote API call is the LM hash of the password encrypted with the key.. And the code tries to check this and of course, fails because the username, old and new passwords are all sent in plaintext..

That got Jeremy Allison's attention: "Ah. I had no idea Win98 did anything this dumb :-). Can you send me your traces, this definitely looks like a bug I need to fix."

 

4. Various Posts
28 Dec 1999 - 31 Dec 1999 (11 posts) Archive Link: "(various)"
People: Ross Lord, Michael Glauche, Len Harold, Jerry Carter, Giulio Orsero, Volker Lendecke, Michael Tokarev

This week had a lot of frequently asked questions (frequently asked this week alone, in a few cases). Here is the usual sampling:

Thread: Which branch for CVS? (http://samba.org/listproc/samba-ntdom/old/8065.html)
Problem: Ross Lord asked, "Which branch do I need to check out for the latest PDC code? I do not need the separated functionality of the various rpcclient stuff, I just need PDC functions."
Solution: J.W. Fox knew it was SAMBA_TNG, but Michael Glauche noted "which is broken at the moment .." and gave the URL for Luke's stopgap tarball. (Note that the actual CVS branch is working again now.)

Thread: Stumped on roaming profiles (http://samba.org/listproc/samba-ntdom/old/8070.html)
Problem: Len Harold wrote, "I can't make roaming profiles work correctly without adding the users to the domain admin group. The start menu folders are read but not the NTUSERS.DAT file."
Solution: Jerry Carter theorized: "Sounds like a messed up ACL setting on the default ntuser.dat that everyone gets. Might want to double check these."

Thread: Guest user - different password (http://samba.org/listproc/samba-ntdom/old/8077.html)
Problem: Stefano Colombo had some trouble getting "guest users" to work in Samba without passwords.
Solution: Giulio Orsero posted a smb.conf snippet: "
security = user
map to guest = bad user
; apsf, or another user
guest account = apsf

[myshare]
path = /path/dir
guest ok = yes
writable = yes
"
He further explained, "Users who don't provide a good userid will be mapped to the guest user and will be able to access the share."

Thread: CVS SAMBA-TNG compiling errors (http://samba.org/listproc/samba-ntdom/old/8094.html)
Problem: Somebody reported a compile error with smbmount on Slackware Linux, kernel 2.2.6.
Solution: Giulio Orsero again: "I think the latest smbmount (>= 2.0.6) wants at least 2.2.12 headers."

Thread: symlink'ed files (http://samba.org/listproc/samba-technical/old/5350.html)
Problem: Damien Mascord had questions about Samba and symlinks; specifically, how to preserve a symlink when editing its target in Microsoft Word.
Solution: As Michael Tokarev pointed out, this is not specifically a Windows or Samba problem, but is a side effect of the way many apps save files: by first renaming the old file, then saving a new copy, then erasing the old one. This method has the advantage that if the app or the OS crashes in the middle, the old file is not lost. He also noted that Emacs, unlike Word, offers a configuration option for which way (of many) to save a file.

(Editor's note: the Emacs variables in question are make-backup-files, backup-by-copying and three others.)

Thread: problem with credentials (http://samba.org/listproc/samba-technical/old/5382.html)
Problem: Michael Reinelt could not convince NT to connect to a given share with a different username/password than other shares.
Solution: Volker Lendecke recognized this frequently asked question right away: "You hit a limitation of NT: You can not connect to a single server with two different user ids. One way to resolve this is to connect to \\ip-address\share, or use the 'netbios name' and 'netbios aliases' to be visible under several names."

Thread: cp --recursive (http://samba.org/listproc/samba/December1999/0485.html)
Problem: Pedro Fradique da Silva had mounted an NT share on Linux using smbfs and tried to copy a whole directory tree using cp -R *.mdb /home. It didn't recurse into the tree.
Solution: This is a Unix shell globbing question. Travis Low suggested
find /mnt/tmp -name '*.mdb' -exec cp {} /home \;
Nicholas Tang didn't think that would do the Right Thing, and suggested the tried-and-true tar+untar solution:
cd /home
tar -cplf - `find /tmp/mnt -name '*.mdb' -print` | tar -xf -

(Editor's note: the above has a small bug. It should be:
cd /tmp/mnt
tar cplf - `find . -name \*.mdb` | tar xf - -C /home

The following tarless solution might work too, but we haven't tried it:
cd /tmp/mnt
find . -name \*.mdb |
  sed 's:\(.*\)/\(.*\):mkdir -p /home/\1; cp -a \1/\2 /home/\1/:' |
  sh

)
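
An added example (not from the original threads or the editor's note): a tree-preserving copy that hands each file name to cp as an argument instead of splicing it into a command line, so names on the mounted share that contain spaces or shell metacharacters are copied as data rather than re-parsed by the shell, which is the weak point of the backtick and sed | sh forms above. The function name copy_matching and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# copy_matching SRC DEST PATTERN
# Copy every regular file under SRC whose name matches PATTERN into DEST,
# recreating the directory structure relative to SRC.
# Usage (paths are assumptions): copy_matching /tmp/mnt /home '*.mdb'
copy_matching() {
    src=$1; dest=$2; pattern=$3

    [ -d "$src" ] || { echo "copy_matching: no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # Make DEST absolute, because the copy runs after a cd into SRC.
    dest=$(cd "$dest" && pwd) || return 1

    (
        cd "$src" || exit 1
        # find passes the matching paths to the inner sh as positional
        # arguments. They are never expanded by a shell parser, and every
        # path starts with "./", so a name beginning with "-" cannot be
        # mistaken for an option by mkdir or cp.
        find . -type f -name "$pattern" -exec sh -c '
            dest=$1; shift
            for f in "$@"; do
                dir=${f%/*}                      # directory part, "." at top level
                mkdir -p "$dest/$dir" || exit 1
                cp -p "$f" "$dest/$dir/" || exit 1
            done
        ' sh "$dest" {} +
    )
}
```

The function returns non-zero if SRC is missing or if any mkdir or cp fails, so it can be used in a script that must stop on a partial copy.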

 

 

 

 

 

 


Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License, version 2.0.