Samba Traffic #18 For 29 Mar 2000

By Peter Samuelson

Introduction

If anyone is actually paying attention to the CVS stats, you'll notice that this week's numbers for commits are way down. This is mostly the result of my finally getting a chance to fix a long-known bug in my CVS reporting script. So, for all of you out there wondering how on earth Luke Leighton could type "cvs commit" 275 times in one week (see Issue #10) -- well, that week it was really only 81 times.

Also, apologies go out to Steven Pemberton of IBM, whom I have misidentified in the past as "Steven Poughkeepsie". My main mistake was misinterpreting mail metadata. I should have been more careful.

Mailing List Stats For This Week

We looked at 333 posts in 788K.

There were 159 different contributors. 57 posted more than once. 53 posted last week too.

The top posters of the week were:

1. Duplicate Names Between Users and Groups

17 Mar 2000 - 23 Mar 2000 (17 posts) Archive Link: "samba-tng-alpha-1.0.tar.gz"

People: Aaron Brooks, Kevin Colby, David Bannon, Luke Leighton, Michael Breuer

This thread started with Luke's announcement of Samba-TNG alpha-1.0, covered last week. The discussion at that point quickly veered toward the issue that names of users and groups cannot clash in Samba, since (like Windows NT) Samba uses the same namespace for both. This could be a problem for a lot of people, since one common practice (at least in the Linux world) is for each user to have his own default group of the same name. Aaron Brooks had an idea to alleviate this: "What if the UN*X groups were translated into NT groups by changing their names with an appended string such as "_NTGROUP". (e.g. UN*X group "root" becomes "root_NTGROUP", "staff" becomes "staff_NTGROUP" and so on.)" Thinking a bit more, he added: "P.S. On second thought, rather than "_NTGROUP", I think "_SMBGROUP" would be more accurate." Luke Leighton independently came up with a similar scheme.

Kevin Colby was in favor of doing this: "Since this sort of fix almost seems unavoidably necessary (tons of existing installations use identical user and group names), it would be nice to have a way of fixing this at the NT<->unix name mapping level." David Bannon wasn't, though: "I'd be a bit wary of doing this. I tried it when these sort of problems cropped up in the old 'head' branch. Went through the /etc/group file and uppercased all groups that had the same name as users. It produced a very long list of things that broke. Lots of systems use group names and don't expect to see them changed. Each one was easy enough to fix but I kept finding more....." But Michael Breuer pointed out that the proposed name mapping would only exist between Samba and the SMB client, and should not affect /etc/group or other Unix processes.

Elsewhere, Michael had suggested having a separate set of passwd and group files for use by Samba (much as some anonymous FTP servers do), but Luke shot that down: "each uid and gid must map one-to-one with a SID of the appropriate type. if this is not the case, then you run into serious problems as to how to resolve a uid to which SID was it that this uid represented again? i have sooo many to choose from... so, no, we can't do that."
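The suffix mapping Aaron and Luke describe, worked through as an added Python example (not Samba code): it projects constructed passwd and group excerpts onto the single flat namespace NT uses for both, appends the suffix only to groups whose names collide with a user, and keeps a reverse map so every visible name still resolves to exactly one uid or gid (Luke's one-to-one requirement) while /etc/group itself is left alone, as Michael Breuer noted. The suffix value and the sample data are assumptions.

```python
# Added example: Unix users and groups share one flat namespace on the
# SMB side (as in NT), so colliding group names are renamed only there.
# Suffix and sample passwd/group data are constructed for illustration.

SUFFIX = "_SMBGROUP"   # the variant Aaron Brooks settled on in the thread

# Constructed /etc/passwd and /etc/group excerpts, user-private-group style.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
staff:x:1000:1000:Staff user:/home/staff:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""
GROUP = """\
root:x:0:
staff:x:50:alice
alice:x:1001:
wheel:x:10:root
"""

def parse_colon_file(text):
    """Return {name: numeric id} from passwd/group style lines
    (name is field 0, uid/gid is field 2)."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = int(fields[2])
    return table

def build_flat_namespace(users, groups, suffix=SUFFIX):
    """Map every user and group to a unique SMB-visible name.

    Returns (forward, reverse):
      forward: {("user", uid) | ("group", gid): visible_name}
      reverse: {visible_name: ("user", uid) | ("group", gid)}
    Users keep their names; a group whose name is also a user name is shown
    with the suffix. Raises ValueError if a visible name would still be
    taken, because each SID must map one-to-one to a uid or gid."""
    forward, reverse = {}, {}
    for name, uid in users.items():
        forward[("user", uid)] = name
        reverse[name] = ("user", uid)
    for name, gid in groups.items():
        visible = name + suffix if name in users else name
        if visible in reverse:
            raise ValueError(f"cannot map group {name!r}: {visible!r} already taken")
        forward[("group", gid)] = visible
        reverse[visible] = ("group", gid)
    return forward, reverse

def renamed_groups(groups, users):
    """Groups that clients will see under a suffixed name."""
    return sorted(g for g in groups if g in users)

if __name__ == "__main__":
    users = parse_colon_file(PASSWD)
    groups = parse_colon_file(GROUP)
    fwd, rev = build_flat_namespace(users, groups)
    for (kind, num), visible in sorted(fwd.items()):
        print(f"{kind:5} {num:>5}  ->  {visible}")
```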

2. UTMP Issues

17 Mar 2000 - 23 Mar 2000 (10 posts) Archive Link: "2.0.7pre2, utmp in particular"

People: Richard Sharpe, Elrond, David Lee, Giulio Orsero

Several people have tried out the utmp support in Samba 2.0.7pre2 lately, with very mixed results so far. (utmp and wtmp are two files on most Unix systems that keep a record of current and past logins, respectively. Samba 2.0.7 will support logging incoming SMB connections this way.) utmp implementations, it seems, pose a significant portability hazard. One Freddie reported, on samba-technical, having to fix Samba for Debian Linux 2.1: "But... if we don't have utmpx.h (Debian 2.1, 2.0.38 kernel, glibc 2.0.7 doesn't), it doesn't try to set the ut_host field. So I added a single line to utmp_update() that writes it for me." He described where to insert the line, and concluded, "No idea if ut_host is a part of other systems' definition of struct utmp." Richard Sharpe noted: "Sounds like an ifdef GLIBC20 is needed and a configure test for glibc2.0 vs glibc2.1 might be needed here."

Giulio Orsero noted that Samba 2.0.7pre1 did not correctly deal with utmp and wtmp files being in different directories. David Lee (initial author of the utmp support) noted that this bug had been fixed in a patch which, unfortunately, did not make it into 2.0.7pre2.

Elrond noted that the utmp portability wheel had already been invented: "GNU screen adds utmp entries since a long time, it might be worth looking at their code, or the code in xterm-implementations."

David gave a good summary of what shape the utmp support was currently in:

In Solaris 2.x, which is where I began the experimental utmp/utmpx implementation, the "ut_host" field only occurs in the x-files.

As people tried 2.0.7pre(1), all sorts of "interesting" system-specific wrinkles crawled out from under their utmp{,x} stones. (Memo to self: must work on my metaphors). Examples:

Samba's "--with-XYZ" things are deemed experimental anyway. This was the first pass at utmp{,x} support; utmp{,x} has shown itself to have many more flavours than might have been anticipated. So we should probably still regard it as "significantly under development" as it is tried on different systems.

But the fact that "utmp directory" does not have a sensible default is a different story. It was a shortcoming in the original utmp code I submitted, for which my apologies.

Under separate cover, he said, "Every OS seems to have its own quirks. Therefore every new OS for which utmp is tried will probably need a keen enthusiast to check, and if necessary adjust, Samba's new utmp code. That is, access to a C compiler, and time to edit, compile and test the source code." No reply to that, but the issue seems likely to stay alive for awhile.

3. TNG Problems, Old and New

18 Mar 2000 - 22 Mar 2000 (28 posts) Archive Link: "samba-tng-alpha-1.1.tar.gz"

People: Michael Glauche, Phil Mayers, Luke Leighton, Michael Breuer, Bill Jojo

As reported last week, Luke Leighton has released Samba-TNG-alpha-1.1. Predictably, a lot of people reported to samba-ntdom that, one way or another, they were unsuccessful in deploying it. Michael Glauche was one:

Ok .. perhaps it's a stupid FAQ error, but I don't get it: (tng 1.1 from today, fresh install)

/samedit -S . -U root
Added interface ip=0.0.0.0 bcast=0.255.255.255 nmask=255.0.0.0
Enter Password:
[root@.]$ createuser pranghlocal$
socket connect to /tmp/.msrpc/.samr/agent failed: Verbindungsaufbau abgelehnt
SAM Create Domain User
Domain: TESTWG Name: pranghlocal$ ACB: [W ]
socket connect to /tmp/.msrpc/.samr/agent failed: Verbindungsaufbau
abgelehnt
Create Domain User: FAILED
[root@.]$

there is NO /tmp/.msrpc .. its in /usr/local/samba/var/.msrpc, and there is NO .samr directory in that one. (there is a "samr" socket in there although)

Phil Mayers spotted the problem:

Well, you completely ignored the instructions to include the OS type, didn't you? I have had this problem on Linux machines - try adding an "interfaces" line with the network interfaces to your smb.conf. You'll see the:

> Added interface ip=0.0.0.0 bcast=0.255.255.255 nmask=255.0.0.0

line? Doesn't that indicate the interface detection is failing? Therefore, you will have to manually specify them. Give it a try:

interfaces = 192.168.1.0/24

Or whatever.

Michael duly reported his OS type (Linux 2.2.14 with glibc 2.1) and continued, "yes .. was one error, but that does not explain the socket errors, just trying something, more info later."

Luke explained the aforementioned socket errors: "the "agent" code is a redirector which i haven't written for the dce/rpc pipes, yet. i have written them for nmb UDP 137 traffic (not 138) and smb TCP 139/445 traffic. so, for now, please ignore "agent connect" errors." However, the last error Michael reported was significant: "this will occur if you do not have a workstation pranghlocal$ in /etc/passwd, or if you have an OS that cannot deal with unix usernames greater than 8 chars in length. try a workstation name of 8 chars: "pranghl$"" Michael sheepishly replied, "mea culpa. unix user did not exist ... :)"

Another problem was with support for Windows 2000 domain logons, as Michael Breuer reported: "I can't join w2k workstations to the domain and I can't run usrmgr. The error in both cases is that the W2K box could not "find the domain controller." [Verbiage differs slightly, but meaning is the same.] TNG 1.1; IRIX 6.5.7f." He added, "The only messages in ANY log as a result of attempting to join the domain are nmbd log messages with "Unique-packed logon from <ip>: code = [7|12]." There are about the same number of 7s as 12s. However... I can browse the domain and logon to the domain from workstations which are already connected." Luke admitted that there was still some confusion with Samba's response to the GETDC (Get Domain Controller) RPC call, which apparently must be different depending on several factors, such as which operating system wants to know. As for Michael's log message, he said, "yes, those are the ones: i need to see those process_logon_packet requests, preferably a netmon trace. there are so many different cases i don't know where to begin. it's just not very obvious: all the packets look the same, yet are decoded differently!"

Bill Jojo was unhappy with Luke's decision to phase out the use of the smbpasswd -m command to manipulate computer accounts in an NT domain, and asked why it was necessary. Luke answered,

because

  1. having a default well-known workstation trust account password is a security risk: the trust account is used to encrypt user passwords.
  2. if you _must_ do this, you can use samedit's "createuser wkstaname$ -p wkstaname" to explicitly set the trust account password to the [very insecure] initial value.

oh, and it gets even better if you add a backup domain controller with the trust account password [as the bdc name]: then you run the risk of losing your entire SAM database to an attacker, as they pretend to be the BDC, using the default password and suck all user profile (plus passwords) group, alias and domain information off your PDC -- after all, that's what SAM synchronisation is supposed to do!!!

As for what to use instead, he said, "you can use samedit's createuser with -j to totally randomise the local workstation trust account password and this totally random value will be stored in the PDC's SAM database, too, so the workstation is synchronised with the PDC. this can be done just as well in an NT-only environment as it can in a mixed samba-NT environment."

4. How [Not] to Join a Domain Securely

20 Mar 2000 - 22 Mar 2000 (11 posts) Archive Link: "Problems logging onto domain"

People: Tom Crummey, Luke Leighton, Aaron Brooks, Richard Sharpe

Tom Crummey was at a loss for the right way to join a domain controlled by Samba-TNG. He posted several details to samba-ntdom of what he had tried so far. One interesting bit:

I then went to an installation of samba-HEAD and typed:

  smbpasswd -a -m tompc$

I took the generated password line from the smbpasswd file on HEAD and put it into TNG. I could then log in on the workstation to the domain.

Luke explained, "you should be using a root account for the domain in the network control panel, not smbpasswd -a -m tompc$ or createuser tompc$. only use createuser tompc$ with the -j DOMAINNAME option, and only after you have actually joined tompc$ to the domain, and only as a security measure due to microsoft using an insecure trust account password. lars, please could you update the FAQ to reflect this."

Aaron Brooks was aghast. "What??? Am I reading this right? That to create a machine account password one needs to use the GUI and cannot do anything on the UN*X side? If so, that is TERRIBLE! Are we really taking a step that far backwards? Or am I reading this all wrong?" Luke calmly replied, "aaron, can i suggest that you examine NTBUGTRAQ archives for details on the security procedure to follow, if you are concerned about the internal security of your NT/samba network."

Later, Tom was still having sundry problems, possibly related to running Samba on 64-bit Solaris (32-bit Solaris seemed to work better). "I can't get the create account dialogue to work. It says that the account doesn't have sufficient privileges to create the account. I've used root, Administrator and my account as I am a member of the Domain Administrators group." Then, four hours later, he posted an update:

This was fixed in the cvs update for 22/3/00 at 11:00am GMT. Also fixed is domain logins from NT SP4. Brilliant!!! Well done Luke.

Win 2000 still doesn't find the domain and cannot join it. I have packet dumps taken on Solaris, but they're probably not much use as they're decoded as SUN RPC packets....

Is netmon in the NT resource pack?

Richard Sharpe suggested Ethereal as an alternative to NetMon. Luke also answered Tom: "netmon is on the nt srv cd in the reskit directory. please do not use netmon v2, it's pathetic and i refuse to use it, therefore any files in netmon v2 format i cannot access, i have to use hexedit to examine them, which is better than nothing!!!"

5. Virtual Machines and Virtual X Servers

20 Mar 2000 - 21 Mar 2000 (7 posts) Archive Link: "VNC and VMWare"

People: Dan Kaminsky, Elrond, Luke Leighton, VMWare, Steve Langasek

This little thread, not strictly on-topic for samba-technical, was in response to Luke's earlier complaint about having to use the X Window System in order to run VMWare (a program for running one OS on a virtual machine within another OS; the vendor has donated several VMWare licenses to the Samba team to allow them to run Windows as a guest operating system on their Unix computers). Dan Kaminsky had a (possibly Linux-specific) suggestion: "You ought to try out XVNC and svncviewer--they make a beautiful combination. As you may (or may not) know, X...can occasionally lack a certain level of stability that servers require. svgalib is far more stable than XFree86, though it isn't nearly as fast. What I'll generally do on production servers that I still want to run X on is load up xvnc sessions on the machine, then do a loopback svncviewer to the session of choice. The best part is that I can run multiple, completely independent (even different users!), highly stable, and acceptably fast displays on one machine. You can most probably load a VMWare session into xvnc, and view it on any convenient machine or tty. Hope this helps!"

Later, explaining the concept further:

Let's say you're sitting at an actual honest to god Linux box. It's a server, so you can't run anything that might make it freeze. Plus, you have a tendency to need to have multiple independent X sessions--you use VMWare to have multiple simultaneous child OS's available at any given time. Finally, you have several remote servers that you want to be able to call onscreen with the flick of an Alt-F#.

Solution is simple--instead of booting up X, start up as many local sessions of xvnc as you require and connect to both them and any remote servers you have on various Alt-F# tty's using svncviewer. In Alt-F1, you have your console root. F2 houses your KDE environment (svncviewer'd in), F3 has 98, F4 has NT, F5 has your remote sniffer server, and F6 is the screen of that girl over there you'd be hitting on if you weren't spending so much time figuring out svncviewer :-)

Elrond put in: "You know, that you can start X multiple times by doing startx -- :1 (or the like, I don't do this often, I have multiple desktops) and that you still can switch between your X-sessions and normal consoles with Ctrl-Alt-F1? When I wrote applications for X, that tend to grab the mouse and keyboard and debug them, I ran the debugger on the console. ;)" Luke was delighted: "ok!!! i like it! i did startx, startx -- :1, startx -- :2, now i want to explore setting up #!/usr//bin/xinit -- :1 /usr/bin/vmware in the vmware scripts :)" Elrond knew how to do that last bit: "startx /usr/bin/vmware -- :1 .. but you won't have a window manager then..." Luke didn't need a window manager; VMWare would be the only application in the X session anyway.

Meanwhile, Steve Langasek had to disagree with Dan's initial comment about svgalib being more stable than XFree86. Steve hadn't seen an X server crash in a long time, while svgalib applications would frequently make a mess of his console either through poor support for the video card or through the application crashing. Dan shrugged, "In my experience, I'd be wary of running X on a production server, but I wouldn't think twice about using svncviewer."

6. Two More TNG Alpha Releases

21 Mar 2000 - 23 Mar 2000 (8 posts) Archive Link: "samba-tng-alpha-1.2.tar.gz"

People: Luke Leighton, Michael Glauche

Luke is losing his edge, having only managed to get two alpha releases of Samba-TNG out the door this week. Release notes for alpha-1.2:

when using domain user map, when logging in and then accessing the samba server, i re-enabled map_nt_and_unix_username() to allow the nt username to be remapped to the unix username / share.

i think i also now have the GETDC request with enough correct rules in it to allow all the various spurious combinations to be supported. NT 5 wks now can be joined to domain; so can NT4 wksta; USRMGR finds the DC; even dial-up access correctly finds the domain!

i am not sure about win9x, though. there have been a couple of reports of user password changes failing.

one report of profiles working correctly, i still can't get it, though, which is still bugging me.

printing still out, except for that report of making a direct connection, successfully.

Michael Glauche still reported some failures which, after a bit of back-and-forth, Luke narrowed down to confusion between a local account and a domain account with the same username. (See Issue #7, Section #1 for a lively argument about whether and how Samba should recognize users from multiple domains. Currently, Samba takes the two-level NT hierarchy of workgroups/domains and users, and projects it onto a flat namespace of just users.)

Shortly thereafter, Luke rounded out the week with an Alpha-1.3 release:

due to some confusion about how to use samedit's createuser command, i put a warning / security message in whenever createuser hostname$ is used. it basically says, now you can join the workstation to the domain because you have just set the trust account to the insecure, well-known initial value, and you had best join the workstation to the domain ASAP for security reasons.

i also checked that profiles work: they do. it helps to have write permission to the directory that the profiles are to be stored in, i found.

one person reported the usual problem with profiles, namely that on logout, a connection is maintained to the profile share and the next user logging in, the workstation attempts to reuse the connection, which is not the right thing to do.

for this reason, and others, it is best to use 2.0 or cvs main for file serving.

That last warning underscores that -- however much more stable Samba-TNG is getting these days -- it is not on track to be released as the next Samba, as some have speculated. Instead, the Samba team has the daunting task of taking the best/most stable features from TNG and carefully merging them into the HEAD branch.

7. The Age-Old Samba Problem: Password Synchronization

22 Mar 2000 - 24 Mar 2000 (20 posts) Archive Link: "passwords"

People: Glenn MacGregor, Phil Mayers, Sander Striker, Jean-François Micouleau, Matt Geddes, Michael Hulet, Aaron Brooks, Paul Warren

Glenn MacGregor asked a very-FAQ on samba-ntdom: "Is there a utility that reads the /etc/passwd or shadow file and makes a smbpasswd file w/ the correct passwords?"

Phil Mayers gave the standard short answer: "No, it's impossible. The passwords in /etc/passwd are not reversibly encrypted." There was some confusion at this point but it was cleared up with dispatch.

Meanwhile, Glenn had started Sander Striker thinking. "Is there a way to set the password in smbpasswd (or the samr db) the first time a user ever logs in? Meaning that if a user is marked [first time user], his password is checked in an alternative way (using pam?), and setting the password to this value if it is correct. Luke? There is a transitional phase parameter built into samba for such cases... (mind is really making squeaking sounds now :-) some faint memory tells me. It might however be disabled by now, it was a pretty long time ago. :-)" Jean-François Micouleau confirmed this: "added to samba at least 2 years ago: update encrypted password in smb.conf. It means you have to disable encrypted password on the windows box as you need the clear text password to check against anything other than the NT/LM hashes." Yes, said Sander, that was what he was thinking of. "This gave me another idea though, which isn't very nice, but could/would do the trick. Whenever the 'first time user' (which has of course to be defined and not disabled) logs in, the NT/LM hash is stored and used for further reference. This is a major security risk and should be done in a controlled environment. Also the time window for this should be very limited. If you don't trust everyone/anyone you can put the newly set hashes in a queue for nightly evaluation (or any other (idle) time for that matter), to crack the hash and check the password against /etc/passwd or equivalent. You would have to find a tool that does this for you... or write one :-)"

Matt Geddes said, "I was under the impression (in fact I believe I have an e-mail Luke posted on this very list) that the unix password sync option could be used even with encrypt passwords = yes. If this does work, you could expire all the Samba passwords and each user would need to change their password when they log in next (assuming you can do this under Samba)."

Michael Hulet had another approach: "OR you can setup a secure website, behind a firewall, accessible only from your local network, etc where users can change their passwords. We have a button for NT (samba), unix, or both. It uses their unix password for authentication so you can make the samba password whatever you want. The web idea was suggested on this list a couple of years ago. Since almost anyone can navigate a web page, it works for us."

Aaron Brooks shared a similar approach:

Well, it's not pretty or perfect but we have been using the attached Perl/Expect script pretty nicely here for the last few weeks. The CGI is used in a series of dynamic and moduled html pages so I can't attach all of that (it wouldn't be of use anyways). We are running SSL on the web server so the sessions are encrypted.

The Perl/Expect scripts are sort of hairy to go through but aren't really that bad. If you run in a different environment (RH6.1/Apache/PHP/NIS) you may have to do anything from changing the variables at the top of the script to reworking the expect statements. It might be nice at some point to create a config type file where you can put the Expect strings and switch on them according to the versions of yppasswd and smbpasswd but we are just using this for here right now.

As for the running environment the script only needs the following:

He attached his script.

Finally, for completeness, Paul Warren gave this partial solution (in answer to a similar question in another thread, actually):

My solution was:

Let me know if you want full details, or the source for pam_smb_auth_sync.

Note that this solution, while clever, would not allow the user to use the standard Windows dialogs to change his password.


Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License version 2.0.