Samba Traffic #16 For 15 Mar 2000

By Peter Samuelson

Table Of Contents


In last week's issue (section 4 (sm20000309_15.html#4) ) we quoted some less-than-flattering comments about HP and its stance on free software. (And, believe it or not, there were a lot more that we didn't quote.) Matt inAmsterdam wrote in to give another perspective, as it were:

What few people know is that HP donated machines and $100,000 US to the FSF/GNU project quite early in their life. HP also ship a debugger based on GDB, install gzip as default with HP-UX and encourage porting of gcc and a whole bunch of other tools.

All major vendors are bad in some way. I don't think HP are any worse than others.

Thanks, Matt!

Mailing List Stats For This Week

We looked at 392 posts in 839K.

There were 164 different contributors. 62 posted more than once. 45 posted last week too.

The top posters of the week were:

1. "Using Samba" Online Text

11 Feb 2000 - 10 Mar 2000 (33 posts) Archive Link: "Using Samba in XML form"

People: Andy OramPeter SamuelsonDave Collier-BrownJeremy AllisonJay TsDon McCallUsing Samba

[The usual policy for these newsletters is to wait for threads to wrap up before covering them. This family of threads, which comprises almost all of the samba-docs list for the past month or two, shows no sign of ever wrapping up, so perhaps a snapshot summary is appropriate.]

Months ago, when O'Reilly & Associates released their opus Using Samba, they did so under an open content license ( , allowing anyone to republish the book, including modified copies, in electronic form. (See Issue #1, Section #7  (22 Nov 1999: Format(s) of maintained documentation) .) More recently, Andy Oram of O'Reilly announced: "Production and tools staff at O'Reilly have been working for some time on producing clean XML (DocBook DTD) of the Using Samba book. This is important because both the Samba team and O'Reilly need a single, canonical source for the book, which can be kept under CVS control, updated easily, and used to produce output in various formats (HTML, etc.). I've even seen a complaint on some mailing list (or maybe it was slashdot) that the book wasn't in XML; the poster was right to complain. But finally we've got it." He included download instructions, then continued: "The files don't yet contain a bunch of fixes that Jay Ts <> generously made to an HTML version of the book. If anybody would like to take his changes and put them in the XML file, please speak up and accept our thanks." Finally: "The next step is creating more human-readable files (HTML, PostScript, PDF) from the DocBook XML. I've asked tools people at O'Reilly to tell me where tools can be found to do that. Once we've solved that problem, the Samba team should be able to enter fixes and quickly recreate correct HTML and other files. Furthermore, I'll make sure O'Reilly and the team keep in touch so fixes reported to one side reach the other. This is the way things SHOULD work, and soon they WILL."

I had two suggestions:

Suggestion #1: Assuming this is the case, the current XML is suboptimal, in that it uses one line per paragraph. This makes it really hard to use with `diff', `cvs', `emacs', `vi', and most other Unix tools. May I suggest that it be broken up into lines of no longer than 70 characters (except where unavoidable, i.e. strange metadata)?

Suggestion #2: the "&rsquo;" character is really awkward. Is there any way we could switch to just using a regular apostrophe (') instead?

Andy agreed on both counts. The single-line paragraphs, he said, were just left over from the FrameMaker conversion. So, with that encouragement, I set out to break all the lines. Between figuring out what the whitespace rules were for DocBook-XML, getting DocBook tools up and running on my own machine, and finding time at all, it took longer than one would think. Eventually, though, I had a status report:

I just managed to browbeat Perl into spitting out properly-broken lines. I guess I'm not as good with Perl as I thought I was. All in all it might have been faster to do it all by hand! Anyway, I think that stage is done. What I've got now is probably fit to hit the CVS archive; what's left to do can be merged in afterward, if we want.

So I am putting this up for download. I'll be using my own box, (page is under construction). I'll include the Perl hack I used to do the conversion, as well as the hacked infrastructure I came up with to generate HTML from source. (It basically works, but so far I can't convince `jade' that SGML != XML, so there are a lot of parse warnings. Also, nobody told me that converting full-length book from DocBook to HTML was supposed to take so long on a P166MMX running Linux! Need to upgrade....)

Next up is merging in the jayts fixes, then my own fixes, which I believe will be pretty minor. I will do these as two separate diff files, to make them easy to review. Actually I may split them into multiple diff files, if I discover enough discrete classes of changes to make. That is, after all, how CVS is typically used, and makes it easy to accept or reject any particular class.

Dave Collier-Brown (one of the original authors) agreed that my small-patches approach would be easier for him to deal with. "My short-term task is applying additional bug-fixes to the page proofs, so that when O'Reilly need to do their next printing, all they have to do is substitute, for example, new-page-93 for old-page-93. Their long-term task is making sure they can print quality books from xml inputs. (Maybe for samba 3.0 (;-))"

Several days later, I finished the "jayts merge" and posted an announcement. Dave agreed to review my diffs and wanted to know what XML software I was using.

Meanwhile, Jeremy Allison had this to say: "I spoke with Andrew in Malmo about shipping "Using Samba" with 2.0.7, and we agreed it was probably the right thing to do (although it will make the tarball bigger). The problem is there are some new features (keywords, behaviour etc.) in 2.0.7 that aren't up to date in the HTML source in the CVS tree. I'd like to get someone to maintain the HTML in the source tree, but obviously don't want to change the HTML directly as this is a generated format. Is there someone willing to update the book and re-checkin the HTML for 2.0.7, or shall I just ship another snapshot and worry about this later ?"

Dave came up with a short list of what Samba changes needed to be documented in the book. I noted that the book actually needed updates for 2.0.6 as well, as it was published against 2.0.5. A short discussion followed about how to mark updates in the book so that one can easily see what has recently changed. Dave liked the idea of edge-bars in the margins but wasn't sure it was practical. Don McCall suggested a simple errata section. Jay wanted to use technology: "Even better, it would be nice to have the whole thing in CVS in such a way that a site visitor could fill out a form providing their version number of Samba, and download the edition of the book that corresponds to the Samba version they have."

This reminded me of another issue: "Andy, how do you guys at O'Reilly render HTML from the DocBook? My (Debian) SGML tools can produce HTML (although I did have to sacrifice a pig and two goats first), but the source HTML ends up looking quite different from yours. (I like yours better.) I ask because of Jeremy's wish to put the text in the main Samba CVS archive, to ship with 2.0.7. It would actually be feasible to edit the XML directly and then regenerate HTML, IF we had the tool O'Reilly uses for this. (I'm over half done merging in the jayts version, should finish in the next day or two.) If not, we probably need to edit the HTML and synch up the DocBook by hand." No answer so far, but elsewhere I posted an alternate plan: "I've got XML source that I can't, at the moment, use to generate anything useful with. I can get HTML, and it's even pretty good HTML, technically -- but the filenames seem to be randomly generated (you can't just rename them, as they have hyperlinks to each other) and the HTML source looks horrible. (It looks a little like PostScript out of a word processor, if any of you know what I mean.) Given a finite amount of time, I think I can learn DSSSL (the stylesheet language used by Jade) and fix up the DocBook stylesheet to produce HTML that I'd actually be proud of. I've started."

That brings us up pretty much to the present. We still have not updated the text for Samba 2.0.6 and 2.0.7 (it's on my to-do list) and we still aren't sure what, if anything, will ship with the 2.0.7 tarball. Everything I've done on this so far is up on Stay tuned.

2. Multiple Sets of Credentials

5 Mar 2000 - 7 Mar 2000 (5 posts) Archive Link: "Users and shares"

People: Anthony GoonetillekePeter SamuelsonJohn Malmberg

Anthony Goonetilleke posted a question to the samba list: "I know this question has probably been asked several thousand times but I cannot find an appropriate answer. Can someone tell me how I can enable a single NT workstation user (SP5 encrypted passwords) connect to several Unix users home dirs, while prompting for a password each time."

I answered, "From the same Unix host? NT has a limitation where it won't knowingly connect to the same machine with two different sets of credentials. I think you can accomplish this with the `netbios aliases': set up several aliases for the same Unix machine, and get each home directory from a different one. That may be the best you can do."

John Malmberg didn't agree about the limitation. "I find this curious, as I use two NT Resource kit utilities to do just that on a regular basis from a Windows NT Workstation. The VDESK utility, and the SU service. There is no problem with connecting using multiple users from the same workstation to the same or different share points on the a specific server. In addition, the connect to share dialog box in NT has a "Connect AS" option." I explained what I meant, and he answered, "However even with out using resource kit utilities, a service can log into the same server as a the logged in user, and have access under it's own security context. This can be demonstrated with the schedule service. So it seems that that restriction is in the client explorer shell of Windows, and not something that is inherent in either NT server or NT workstation."

3. Russian Character Sets

5 Mar 2000 - 6 Mar 2000 (8 posts) Archive Link: "Windows-1251 character set"

People: Alexander JavoronkovSergei MakarovMichael TokarevJean-Marc DesperrierAlexander Viro

This thread was more than a little confusing, at least for this American who has never dealt much with i18n, locales and code pages. Alexander Javoronkov had a question for samba-technical:

I've got Win'98 with Russian (windows-1251) locale & samba-2.0.6 with

"client code page = 866".

I want to store russian filenames on my Samba server in windows-1251 character set. I've browsed through smb.conf.5 and saw that there's a keyword "character set = ..." that rules over charsets that are used to convert between DOS and standard UNIX codepages. Furthermore, I've noticed lib/charcnv.c file that is definitely used for this purpose.

He quoted from that file, and continued: "Seems like I should add support for "character set = windows-1251" the same way, but... I have no clues about what numbers to put in update_map for cp866->win1251 translation."

Sergei Makarov replied,

What's wrong with 866? Have you tried to use it?

character set = KOI8-R
client code page = 866

These settings work fine here for any Russian version of Win9X or NT with SAMBA 2.0.x

Alexander was unconvinced. He explained the situation with his files: "Since they're in cp866, the only way to access it is via old-style ftp.exe from Windows/dos. My LAN clients are accessing archive just fine via Samba - no problems here. My goal is: Windows clients using CuteFTP, Netscape and stuff should access those files and store them named properly." Evidently he was not interested in console access to the machine, only remote access. Michael Tokarev replied, "Aargh! You hit a more common problem with interoperablity between os and with national characters. The only accurate solution for this I know is to define some standard (like ascii was) dealing with intl chars, for example, unicode, and to setup _all_ programs (ftp, browsers, archivers etc) so them use that standard 8-(..." Then he posted an answer to Alexander's original question, i.e. how to add the other code page into Samba.

Meanwhile, Jean-Marc Desperrier decided to confuse the issue just a little more: "According to the values, I found with regedit, koi8-r and codepage 1251 are in fact the same. cp866 seems to be the OEM dos codepage of IBM." Michael disagreed: "I don't think that regedit can "know" anything about codepages :), and there is no info about this in registry... If your registry have same setup for 1251 and koi8-r, than your registry was set up incorrectly... Koi-8 is very different from any other russian charset... Moreother, (russian) letters in koi-8 arranged non-alphabetically, unlike in cp866 and 1251 and others." Jean-Marc clarified: "In HKEY_LOCAL_MACHINE_/SOFTWARE/CLASSES/MIME/Database/charset/, there is a list of values that "maps" between the symbolic name and the codepage value. It has two mappings for koi, one is "codepage 0x4E3" (1251), and the other is "InternetEncoding 0x5182" (20866). HKEY_LOCAL_MACHINE_/SOFTWARE/CLASSES/MIME/Database/codepage/ is in fact more explicit. It says cp20866 (koi8-r) is the same family as cp1251, but not that it's the same thing."

[Ah. Good to get that cleared up. (: But while we're on the subject of Cyrillic character encodings, I can't help quoting the ever-quotable Alexander Viro:

Now, what I would like to know is the name of person who keeps insisting that iso8859-5 is One True Way(tm). May he implement the full OSI stack and be forced to use it.
(Seen on linux-kernel.)]

4. Undeleting Samba Files

5 Mar 2000 - 7 Mar 2000 (11 posts) Archive Link: "network recycle bin"

People: Jan van RensburgCarey SinclairPeter SamuelsonMatt GeddesLars Kneschke

Jan van Rensburg wondered aloud on samba-ntdom: "is it possible to have a "network recycle bin" for samba shares? then every time when a user accidently delete files the admin doesn't have to do a restore from tapes..." Hayden Wimmer and Carey Sinclair both expressed interest in something like this. Carey explained, "Our Novell guys continually hassle us for not being able to provide such a simple 'Novell' feature."

Having nothing better to do (right!), I hacked up and posted a proof-of-concept patch:

Lars Kneschke liked it and asked if the "samba gurus" could think about integrating something like it. Matt Geddes answered, "Sounds very good and I think that when it has been tested it should be included as long as we can turn it off when we want to." I replied too: "Don't anyone start thinking about it yet, of course! As soon as I add in a hierarchical namespace and (possibly) the ability to cross mount points, I think I'll be satisfied. (A little error handling might be nice, too. (: ) I just got tired of hacking on it for tonight...." So far, I haven't had a chance to add those features, but what's out there does at least work.

5. Samba on AIX

6 Mar 2000 - 9 Mar 2000 (14 posts) Archive Link: "Samba on AIX"

People: Steven PoughkeepsiePeter SamuelsonDavid Lee

Steven Poughkeepsie of IBM, continuing an earlier discussion on samba-technical, said: "I'm working for IBM's ITSO to produce a Redbook about running Samba on AIX. The book will be an installation, function, and sizing guide. I've spoken with someone here about shared library support on AIX. He suggested > AIX 4.2.1 should now treat shared libraries much like Solaris. I'll post his recomendations later. Do you know of any other issues concerning running Samba on AIX? (Anyone?)"

I answered that we have been running Samba on AIX for quite awhile and have had no problems except an oplock bug in the 1.9.18 series. I then noted, "I made a simple source modification to allow smbd and nmbd to run as SRC subsystems -- basically a "standalone mode but do not fork" flag. (I'm getting good at these, having done the same to sshd and apache.)" Several people asked me for details on the SRC patch so I explained and posted it. (The SRC, or System Resource Controller, is the standard way to manage daemons on AIX.)

David Lee, the author of the utmpx support which has been integrated into Samba 2.0.7, had an AIX issue:

One such report mentions that:

"...AIX has the include files for utmpx, but doesn't actually implement it (as of AIX 4.2.1)".

I have no first-hand knowledge of AIX, but you might like to note this report. Indeed, perhaps you could check it and see whether you can devise a check for this condition in the "configure" (or ideally, "") file.

I confirmed that this seemed to be true through AIX 4.3.3. Then, while I was at it, I found another minor issue to keep Steven busy: "Figure out how to convince Samba to work with IBM's peculiar little virtual tty implementation (/dev/ptc, /dev/pts/). Samba needs this in order to implement the `unix password sync' option. I think it's similar to Unix98 /dev/ptmx, but I'm not sure because I got tired of fiddling with this a year or two ago. (We don't really need password sync around here anyway.)"

6. Patch for Testparm

8 Mar 2000 (1 post) Archive Link: "Patch to testparm - for makefile usage "

People: Peter Polkinghorne

Peter Polkinghorne posted a rather useful little patch for the testparm utility: "Rationale: It is useful to be able to use testparm as a simple checker for smb.conf files. However dumping the entire service definition is not so helpful. So the following little patch adds a "-q" flag to stop the service dump. I use it in the makefile when I version check the components on the CoW machine (Centre of the World) before distributing to the servers." No replies.

7. Crypt() Returning NULL

9 Mar 2000 - 10 Mar 2000 (10 posts) Archive Link: "passdb/pass_check.c"

People: Alex OlugbilePeter SamuelsonJames SutherlandDave Collier-BrownSteve Langasek

Alex Olugbile found a Samba bug and posted to samba-technical: "I have found that the strcmp attempt in password_check(...) may fail and cause an internal error when crypt returns NULL. I have repeatedly experienced this "INTERNAL ERROR" under Linux (2.2.13), where crypt returns NULL. I've have modified my own build to check for NULL, but is there a patch for this problem, thank you"

I was surprised. "Not that I don't believe you, but when does crypt() return NULL?" I also wondered how the error should be handled. James Sutherland posted a few ideas for why this might happen: "if, for example, the first two chars (the salt) are invalid? Equally, it may need to allocate some temporary workspace. The UFC (Ultra-Fast Crypt) implementation uses a rather big lookup table - it could, perhaps, be trying to initialise this and failing?"

Later, James followed up on this: "From a quick look at the UFC implementation for glibc, I can't see any reason why the code would return NULL. ALL the workspace is static (for performance reasons, I suspect). Also, there aren't really any invalid arguments: you just pass two string pointers. Any string will do; if the string is too short, it is padded with nulls. If the pointer you pass is invalid, things go pear-shaped (it just calls strncpy() cast to void!) but it still can't return NULL. The return value is ALWAYS a pointer to the static results buffer, if the function returns at all (rather than segfaulting). The one exception might be if MD5 passwords are being used - I haven't looked into that implementation yet."

Dave Collier-Brown had a little light to shed on the subject: "The spec actually says "Otherwise it returns a null pointer and sets errno to indicate the error", and the errno that's expected is ENOSYS, for "I don't have crypt". As long as an implementor uses a different errno for different failures, we'll survive it."

Steve Langasek was the pragmatist of the day: "Given that there are some implementations that will return NULL, however broken they are, it seems advisable to always check the return value before proceeding, IMHO." Alternatively, said James, "Either that, or provide our own crypt() which does not return NULL under any circumstances? (UFC is LGPLed; including a copy shouldn't be a problem legally, but it does seem like rather a cumbersome approach.)"

All this for one stupid little segmentation fault....

8. "Valid Users" Parameter

10 Mar 2000 (5 posts) Archive Link: "[samba-tng] "invalid users = root" causes tng to fail."

People: Luke LeightonKarl Denninger

Luke Leighton posted the following instructions to samba-ntdom and samba-technical:

if you add this to the global section, or if you do not have "valid users = root ....", TNG at present will FAIL to operate.

i will investigate this and find a solution. in the mean-time, copy each "valid users" / "invalid users" set into each [share], ok?

i realise this is a pain, and it probably explains a lot of the "it works for him but not for me" issues.

which brings us to another possible approach to debug these TNG issues: keep the smb.conf really simple, and expand upwards from there.

Karl Denninger clarified, ""valid users = root" does NOT have to be there. Its NOT in my smb.conf, and TNG now DOES work." Luke agreed:

correct. actually, what i've done, because it's become_vuser() and only used in dce/rpc daemons, is to disable check_vuser_ok() which means that valid users and invalid users doesn't apply to the msrpc services, any more.

if anyone really wants to be able to deny or permit access to msrpc services, let me know, and i'll arrange something.

the ultimate intention is to have security descriptors on a per-pipe basis, allowing a clear, fine-grained access control that will have sensible defaults such as, allow all access to everyone anonymously (just like nt) except to \PIPE\winreg and \PIPE\svcctl, which will have user-only-access and administrator-only-access or some-such.

Karl answered, "Isn't there a potential problem if you can do msrpc things in general?" To which Luke said, "it's a long story, karl. pipes themselves are the "first line of defence". from thereon, it's a per-function permission issue, on a case-by-case basis."







Sharon And Joy

Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License version 2.0.