Table Of Contents
|1.||11 Feb 2000 - 10 Mar 2000||(33 posts)||"Using Samba" Online Text|
|2.||5 Mar 2000 - 7 Mar 2000||(5 posts)||Multiple Sets of Credentials|
|3.||5 Mar 2000 - 6 Mar 2000||(8 posts)||Russian Character Sets|
|4.||5 Mar 2000 - 7 Mar 2000||(11 posts)||Undeleting Samba Files|
|5.||6 Mar 2000 - 9 Mar 2000||(14 posts)||Samba on AIX|
|6.||8 Mar 2000||(1 post)||Patch for Testparm|
|7.||9 Mar 2000 - 10 Mar 2000||(10 posts)||Crypt() Returning NULL|
|8.||10 Mar 2000||(5 posts)||"Valid Users" Parameter|
In last week's issue (section 4 (sm20000309_15.html#4) ) we quoted some less-than-flattering comments about HP and its stance on free software. (And, believe it or not, there were a lot more that we didn't quote.) Matt inAmsterdam wrote in to give another perspective, as it were:
What few people know is that HP donated machines and $100,000 US to the FSF/GNU project quite early in their life. HP also ship a debugger based on GDB, install gzip as default with HP-UX and encourage porting of gcc and a whole bunch of other tools.
All major vendors are bad in some way. I don't think HP are any worse than others.
Mailing List Stats For This Week
We looked at 392 posts in 839K.
There were 164 different contributors. 62 posted more than once. 45 posted last week too.
The top posters of the week were:
1. "Using Samba" Online Text
11 Feb 2000 - 10 Mar 2000 (33 posts) Archive Link: "Using Samba in XML form"
People: Andy Oram, Peter Samuelson, Dave Collier-Brown, Jeremy Allison, Jay Ts, , Don McCall, Using Samba
[The usual policy for these newsletters is to wait for threads to
wrap up before covering them. This family of threads, which comprises
almost all of the
samba-docs list for the past month or
two, shows no sign of ever wrapping up, so perhaps a snapshot summary
Months ago, when O'Reilly & Associates released their opus Using Samba, they did so under an open content license (http://www.oreilly.com/catalog/samba/chapter/licenseinfo.html) , allowing anyone to republish the book, including modified copies, in electronic form. (See Issue #1, Section #7 (22 Nov 1999: Format(s) of maintained documentation) .) More recently, Andy Oram of O'Reilly announced: "Production and tools staff at O'Reilly have been working for some time on producing clean XML (DocBook DTD) of the Using Samba book. This is important because both the Samba team and O'Reilly need a single, canonical source for the book, which can be kept under CVS control, updated easily, and used to produce output in various formats (HTML, etc.). I've even seen a complaint on some mailing list (or maybe it was slashdot) that the book wasn't in XML; the poster was right to complain. But finally we've got it." He included download instructions, then continued: "The files don't yet contain a bunch of fixes that Jay Ts <email@example.com> generously made to an HTML version of the book. If anybody would like to take his changes and put them in the XML file, please speak up and accept our thanks." Finally: "The next step is creating more human-readable files (HTML, PostScript, PDF) from the DocBook XML. I've asked tools people at O'Reilly to tell me where tools can be found to do that. Once we've solved that problem, the Samba team should be able to enter fixes and quickly recreate correct HTML and other files. Furthermore, I'll make sure O'Reilly and the team keep in touch so fixes reported to one side reach the other. This is the way things SHOULD work, and soon they WILL."
I had two suggestions:
Suggestion #1: Assuming this is the case, the current XML is suboptimal, in that it uses one line per paragraph. This makes it really hard to use with `diff', `cvs', `emacs', `vi', and most other Unix tools. May I suggest that it be broken up into lines of no longer than 70 characters (except where unavoidable, i.e. strange metadata)?
Suggestion #2: the "’" character is really awkward. Is there any way we could switch to just using a regular apostrophe (') instead?
Andy agreed on both counts. The single-line paragraphs, he said, were just left over from the FrameMaker conversion. So, with that encouragement, I set out to break all the lines. Between figuring out what the whitespace rules were for DocBook-XML, getting DocBook tools up and running on my own machine, and finding time at all, it took longer than one would think. Eventually, though, I had a status report:
I just managed to browbeat Perl into spitting out properly-broken lines. I guess I'm not as good with Perl as I thought I was. All in all it might have been faster to do it all by hand! Anyway, I think that stage is done. What I've got now is probably fit to hit the CVS archive; what's left to do can be merged in afterward, if we want.
So I am putting this up for download. I'll be using my own box, http://samba.cadcamlab.org/using/ (page is under construction). I'll include the Perl hack I used to do the conversion, as well as the hacked infrastructure I came up with to generate HTML from source. (It basically works, but so far I can't convince `jade' that SGML != XML, so there are a lot of parse warnings. Also, nobody told me that converting full-length book from DocBook to HTML was supposed to take so long on a P166MMX running Linux! Need to upgrade....)
Next up is merging in the jayts fixes, then my own fixes, which I believe will be pretty minor. I will do these as two separate diff files, to make them easy to review. Actually I may split them into multiple diff files, if I discover enough discrete classes of changes to make. That is, after all, how CVS is typically used, and makes it easy to accept or reject any particular class.
Dave Collier-Brown (one of the original authors) agreed that my small-patches approach would be easier for him to deal with. "My short-term task is applying additional bug-fixes to the page proofs, so that when O'Reilly need to do their next printing, all they have to do is substitute, for example, new-page-93 for old-page-93. Their long-term task is making sure they can print quality books from xml inputs. (Maybe for samba 3.0 (;-))"
Several days later, I finished the "jayts merge" and posted an announcement. Dave agreed to review my diffs and wanted to know what XML software I was using.
Meanwhile, Jeremy Allison had this to say: "I spoke with Andrew in Malmo about shipping "Using Samba" with 2.0.7, and we agreed it was probably the right thing to do (although it will make the tarball bigger). The problem is there are some new features (keywords, behaviour etc.) in 2.0.7 that aren't up to date in the HTML source in the CVS tree. I'd like to get someone to maintain the HTML in the source tree, but obviously don't want to change the HTML directly as this is a generated format. Is there someone willing to update the book and re-checkin the HTML for 2.0.7, or shall I just ship another snapshot and worry about this later ?"
Dave came up with a short list of what Samba changes needed to be documented in the book. I noted that the book actually needed updates for 2.0.6 as well, as it was published against 2.0.5. A short discussion followed about how to mark updates in the book so that one can easily see what has recently changed. Dave liked the idea of edge-bars in the margins but wasn't sure it was practical. Don McCall suggested a simple errata section. Jay wanted to use technology: "Even better, it would be nice to have the whole thing in CVS in such a way that a site visitor could fill out a form providing their version number of Samba, and download the edition of the book that corresponds to the Samba version they have."
This reminded me of another issue: "Andy, how do you guys at O'Reilly render HTML from the DocBook? My (Debian) SGML tools can produce HTML (although I did have to sacrifice a pig and two goats first), but the source HTML ends up looking quite different from yours. (I like yours better.) I ask because of Jeremy's wish to put the text in the main Samba CVS archive, to ship with 2.0.7. It would actually be feasible to edit the XML directly and then regenerate HTML, IF we had the tool O'Reilly uses for this. (I'm over half done merging in the jayts version, should finish in the next day or two.) If not, we probably need to edit the HTML and synch up the DocBook by hand." No answer so far, but elsewhere I posted an alternate plan: "I've got XML source that I can't, at the moment, use to generate anything useful with. I can get HTML, and it's even pretty good HTML, technically -- but the filenames seem to be randomly generated (you can't just rename them, as they have hyperlinks to each other) and the HTML source looks horrible. (It looks a little like PostScript out of a word processor, if any of you know what I mean.) Given a finite amount of time, I think I can learn DSSSL (the stylesheet language used by Jade) and fix up the DocBook stylesheet to produce HTML that I'd actually be proud of. I've started."
That brings us up pretty much to the present. We still have not updated the text for Samba 2.0.6 and 2.0.7 (it's on my to-do list) and we still aren't sure what, if anything, will ship with the 2.0.7 tarball. Everything I've done on this so far is up on http://samba.cadcamlab.org/using/. Stay tuned.
2. Multiple Sets of Credentials
5 Mar 2000 - 7 Mar 2000 (5 posts) Archive Link: "Users and shares"
People: Anthony Goonetilleke, Peter Samuelson, John Malmberg,
Anthony Goonetilleke posted a question to the
"I know this question has
probably been asked several thousand times but I cannot find an
appropriate answer. Can someone tell me how I can enable a single NT
workstation user (SP5 encrypted passwords) connect to several Unix
users home dirs, while prompting for a password each time."
"From the same Unix host?
NT has a limitation where it won't knowingly connect to the same
machine with two different sets of credentials. I think you can
accomplish this with the `
netbios aliases': set up several
aliases for the same Unix machine, and get each home directory from a
different one. That may be the best you can do."
John Malmberg didn't agree about the limitation. "I find this curious, as I use two NT Resource kit utilities to do just that on a regular basis from a Windows NT Workstation. The VDESK utility, and the SU service. There is no problem with connecting using multiple users from the same workstation to the same or different share points on the a specific server. In addition, the connect to share dialog box in NT has a "Connect AS" option." I explained what I meant, and he answered, "However even with out using resource kit utilities, a service can log into the same server as a the logged in user, and have access under it's own security context. This can be demonstrated with the schedule service. So it seems that that restriction is in the client explorer shell of Windows, and not something that is inherent in either NT server or NT workstation."
3. Russian Character Sets
5 Mar 2000 - 6 Mar 2000 (8 posts) Archive Link: "Windows-1251 character set"
People: Alexander Javoronkov, Sergei Makarov, Michael Tokarev, Jean-Marc Desperrier, Alexander Viro,
This thread was more than a little confusing, at least for this
American who has never dealt much with i18n, locales and code pages.
Alexander Javoronkov had a question for
I've got Win'98 with Russian (windows-1251) locale & samba-2.0.6 with
"client code page = 866".
I want to store russian filenames on my Samba server in windows-1251
character set. I've browsed through
smb.conf.5 and saw
that there's a keyword "
character set = ..." that rules
over charsets that are used to convert between DOS and standard UNIX
codepages. Furthermore, I've noticed
that is definitely used for this purpose.
He quoted from that
file, and continued:
"Seems like I
should add support for "
character set = windows-1251" the
same way, but... I have no clues about what numbers to put in
update_map for cp866->win1251 translation."
Sergei Makarov replied,
What's wrong with 866? Have you tried to use it?
character set = KOI8-R
client code page = 866
These settings work fine here for any Russian version of Win9X or NT with SAMBA 2.0.x
Alexander was unconvinced. He explained the situation with his files: "Since they're in cp866, the only way to access it is via old-style ftp.exe from Windows/dos. My LAN clients are accessing archive just fine via Samba - no problems here. My goal is: Windows clients using CuteFTP, Netscape and stuff should access those files and store them named properly." Evidently he was not interested in console access to the machine, only remote access. Michael Tokarev replied, "Aargh! You hit a more common problem with interoperablity between os and with national characters. The only accurate solution for this I know is to define some standard (like ascii was) dealing with intl chars, for example, unicode, and to setup _all_ programs (ftp, browsers, archivers etc) so them use that standard 8-(..." Then he posted an answer to Alexander's original question, i.e. how to add the other code page into Samba.
Meanwhile, Jean-Marc Desperrier decided to confuse the issue just a
"According to the values,
I found with regedit, koi8-r and codepage 1251 are in fact the same.
cp866 seems to be the OEM dos codepage of IBM."
"I don't think that regedit can
"know" anything about codepages :), and there is no info about
this in registry... If your registry have same setup for 1251 and
koi8-r, than your registry was set up incorrectly... Koi-8 is
very different from any other russian charset... Moreother,
(russian) letters in koi-8 arranged non-alphabetically, unlike in cp866
and 1251 and others."
there is a list of values that "maps" between the symbolic name and the
codepage value. It has two mappings for koi, one is "codepage 0x4E3"
(1251), and the other is "InternetEncoding 0x5182" (20866).
is in fact more explicit. It says cp20866 (koi8-r) is the same family
as cp1251, but not that it's the same thing."
[Ah. Good to get that cleared up. (: But while we're on the subject
of Cyrillic character encodings, I can't help quoting the ever-quotable
4. Undeleting Samba Files
5 Mar 2000 - 7 Mar 2000 (11 posts) Archive Link: "network recycle bin"
People: Jan van Rensburg, Carey Sinclair, Peter Samuelson, Matt Geddes, , Lars Kneschke
Jan van Rensburg wondered aloud on
"is it possible to have a "network recycle bin"
for samba shares? then every time when a user accidently delete files
the admin doesn't have to do a restore from tapes..."
Wimmer and Carey Sinclair both expressed interest in something like
this. Carey explained,
"Our Novell guys
continually hassle us for not being able to provide such a simple
Having nothing better to do (right!), I hacked up and posted a proof-of-concept patch:
recycle bin = /some/directory" into which deleted files go.
~Nwhere N is the first available nonnegative integer.
/some/directorymust be on the same filesystem as the share, and must be writable by all necessary users. Sticky bit recommended.
Lars Kneschke liked it and asked if the "samba gurus" could think about integrating something like it. Matt Geddes answered, "Sounds very good and I think that when it has been tested it should be included as long as we can turn it off when we want to." I replied too: "Don't anyone start thinking about it yet, of course! As soon as I add in a hierarchical namespace and (possibly) the ability to cross mount points, I think I'll be satisfied. (A little error handling might be nice, too. (: ) I just got tired of hacking on it for tonight...." So far, I haven't had a chance to add those features, but what's out there does at least work.
5. Samba on AIX
6 Mar 2000 - 9 Mar 2000 (14 posts) Archive Link: "Samba on AIX"
People: Steven Poughkeepsie, Peter Samuelson, David Lee,
Steven Poughkeepsie of IBM, continuing an earlier discussion on
"I'm working for IBM's ITSO to produce a Redbook about running Samba on
AIX. The book will be an installation, function, and sizing guide.
I've spoken with someone here about shared library support on AIX. He
suggested > AIX 4.2.1 should now treat shared libraries much like
Solaris. I'll post his recomendations later. Do you know of any other
issues concerning running Samba on AIX? (Anyone?)"
I answered that we have been running Samba on AIX for quite awhile and have had no problems except an oplock bug in the 1.9.18 series. I then noted, "I made a simple source modification to allow smbd and nmbd to run as SRC subsystems -- basically a "standalone mode but do not fork" flag. (I'm getting good at these, having done the same to sshd and apache.)" Several people asked me for details on the SRC patch so I explained and posted it. (The SRC, or System Resource Controller, is the standard way to manage daemons on AIX.)
David Lee, the author of the
utmpx support which has
been integrated into Samba 2.0.7, had an AIX issue:
One such report mentions that:
"...AIX has the include files for utmpx, but doesn't actually implement it (as of AIX 4.2.1)".
I have no first-hand knowledge of AIX, but you might like to note this report. Indeed, perhaps you could check it and see whether you can devise a check for this condition in the "configure" (or ideally, "configure.in") file.
I confirmed that this seemed to be true
through AIX 4.3.3. Then, while I was at it, I found another minor
issue to keep Steven busy:
"Figure out how
to convince Samba to work with IBM's peculiar little virtual tty
needs this in order to implement the `
unix password sync'
option. I think it's similar to Unix98 /dev/ptmx, but I'm not
sure because I got tired of fiddling with this a year or two ago. (We
don't really need password sync around here anyway.)"
6. Patch for Testparm
8 Mar 2000 (1 post) Archive Link: "Patch to testparm - for makefile usage "
People: Peter Polkinghorne,
Peter Polkinghorne posted a rather useful little patch for the
"Rationale: It is useful to be able to use testparm as a simple checker
smb.conf files. However dumping the entire service
definition is not so helpful. So the following little patch adds a
"-q" flag to stop the service dump. I use it in the makefile when I
version check the components on the CoW machine (Centre of the World)
before distributing to the servers."
7. Crypt() Returning NULL
9 Mar 2000 - 10 Mar 2000 (10 posts) Archive Link: "passdb/pass_check.c"
People: Alex Olugbile, Peter Samuelson, James Sutherland, Dave Collier-Brown, Steve Langasek,
Alex Olugbile found a Samba bug and posted to
"I have found
that the strcmp attempt in
password_check(...) may fail
and cause an internal error when crypt returns NULL. I have repeatedly
experienced this "INTERNAL ERROR" under Linux (2.2.13), where
crypt returns NULL. I've have modified my own build to
check for NULL, but is there a patch for this problem, thank
I was surprised.
"Not that I don't
believe you, but when does
crypt() return NULL?"
also wondered how the error should be handled. James Sutherland posted
a few ideas for why this might happen:
"if, for example, the first two chars (the salt) are invalid? Equally,
it may need to allocate some temporary workspace. The UFC (Ultra-Fast
Crypt) implementation uses a rather big lookup table - it could,
perhaps, be trying to initialise this and failing?"
Later, James followed up on this:
a quick look at the UFC implementation for glibc, I can't see any
reason why the code would return NULL. ALL the workspace is static
(for performance reasons, I suspect). Also, there aren't really any
invalid arguments: you just pass two string pointers. Any string will
do; if the string is too short, it is padded with nulls. If the
pointer you pass is invalid, things go pear-shaped (it just calls
strncpy() cast to void!) but it still can't return NULL.
The return value is ALWAYS a pointer to the static results buffer, if
the function returns at all (rather than segfaulting). The one
exception might be if MD5 passwords are being used - I haven't looked
into that implementation yet."
Dave Collier-Brown had a little light to shed on the subject:
"The spec actually says "Otherwise it returns a
null pointer and sets errno to indicate the error", and the errno
that's expected is
ENOSYS, for "I don't have crypt". As
long as an implementor uses a different errno for different failures,
we'll survive it."
Steve Langasek was the pragmatist of the day:
"Given that there are some implementations that will return
NULL, however broken they are, it seems advisable to always check the
return value before proceeding, IMHO."
"Either that, or provide our own
crypt() which does not return NULL under any
circumstances? (UFC is LGPLed; including a copy shouldn't be a problem
legally, but it does seem like rather a cumbersome approach.)"
All this for one stupid little segmentation fault....
8. "Valid Users" Parameter
10 Mar 2000 (5 posts) Archive Link: "[samba-tng] "invalid users = root" causes tng to fail."
People: Luke Leighton, Karl Denninger,
Luke Leighton posted the following instructions to
if you add this to the global section, or if you do not have
valid users = root ....", TNG at present will FAIL to
i will investigate this and find a solution. in the mean-time,
copy each "
valid users" / "
users" set into each
i realise this is a pain, and it probably explains a lot of the "it works for him but not for me" issues.
which brings us to another possible approach to debug these TNG
issues: keep the
smb.conf really simple, and
expand upwards from there.
Karl Denninger clarified,
users = root" does NOT have to be there. Its NOT in my
smb.conf, and TNG now DOES work."
correct. actually, what i've done, because it's
become_vuser() and only used in dce/rpc daemons, is to
check_vuser_ok() which means that valid users
and invalid users doesn't apply to the msrpc services, any more.
if anyone really wants to be able to deny or permit access to msrpc services, let me know, and i'll arrange something.
the ultimate intention is to have security descriptors on a
per-pipe basis, allowing a clear, fine-grained access control that
will have sensible defaults such as, allow all access to everyone
anonymously (just like nt) except to
\PIPE\svcctl, which will have user-only-access and
administrator-only-access or some-such.
Karl answered, "Isn't there a potential problem if you can do msrpc things in general?" To which Luke said, "it's a long story, karl. pipes themselves are the "first line of defence". from thereon, it's a per-function permission issue, on a case-by-case basis."
Sharon And Joy
Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License version 2.0.