Samba Traffic #31 For 2 Nov 2000

Editor: Zack Brown

By John Quirk and Zack Brown

1. New FAQ For 2.2

19 Oct 2000 - 26 Oct 2000 (5 posts) Archive Link: "Samba FAQ"

Summary By John Quirk

People: Anders C. Thorsen, David Bannon, John Quirk

Anders C. Thorsen stated, "As many other of you, I've been finding myself irritated over reading the same questions over and over again. There is an official FAQ at ( . I'm unaware of how often this FAQ is updated, etc." He went on to suggest, "My idea is to: Create a simple xml file format (similar to the Kernel Cousins) which each entry is added with. Each entry contains Question, Answer and a longer description if necessary, author, e-mail, updated date, rev. no, language and separate sections for samba-urls (url's to other doc. at pages), and external URL's. So instead of trying to redo Lars' and David Bannon's work on respectively samba TNG and samba 2.0.x it would simply reference it." David Bannon replied that as far as updating the existing FAQ:

I'm doing so at this very moment. I'm particularly addressing Samba 2.2.0, ie not the various development streams. It's being written in yodl so it can be translated to other formats although this is currently under review (or at least I hope it is under review).

Have a look at for a draft of both PDC HowTo and FAQ. Comments are very welcome.

David went on to say he liked the idea of the KC's but said that the SAMBA one was not very PDC focused. John Quirk asked, "Do you mean that SAMBA KC seems to be not covering PDC issues? As contributor to KC-SAMBA I value input on the direction of the KC-SAMBA."

David replied that it was a while since he had a look and that we had improved our coverage of PDC issues, and then added, "I would like to urge all subscribers to have a look at the concept and maybe support it. I used to belong to a DecUnix Admin list where anyone who posted a question was expected to summarise the answers and post the summary in a particular format. The result was a brilliant reference and very easy to browse through." David also went on to repeat the link to his FAQ and to include KC samba pages.

(ed. [John Quirk] I have had a look at David's pages and they are an excellent reference.)

Anders C. Thorsen also posted an outline for an XML spec for the FAQs and asked for comments, but no one has as yet replied.

2. Win2k Joining Domain Problems In 2.2 Snapshot

20 Oct 2000 (2 posts) Archive Link: "Win2000 joing 2.2.0 snapshot domain"

Summary By John Quirk

People: Chris Tooley, David Bannon, Jean Francois Micouleau

Chris Tooley asked:

If I try to follow the Preliminary information on the site that David Bannon posted I get an error saying that the Windows 2000 box can't find a PDC on the Domain. If I go to System Properties and try to use the wizard to add the machine to the domain it asks for a Username and Password. I've set the "Domain Admin Users" field equal to Administrator, so I try using Administrator's login and password. When I do I get the following error:

"The following error occured when attempting to join the domain "SAMBANET":"

"The credentials supplied conflict with an existing set of credentials."

Anyone know what that means?

To which David Bannon replied:

I think it is fair to say that the new code to allow W2K (and NT) to create a machine account from the newly joining client is not quite working yet. I just rechecked out SAMBA_2_2 and did not see any fixes in the relevant areas. Jean Francois Micouleau is aware of the problem and working on it although he is under some pressure elsewhere.

I suggest that people wanting to test these functions cool it until JFM (or someone else) announces that the problems have been fixed.

3. Problems With Win9X Profiles In 2.2 Snapshot

29 Oct 2000 - 30 Oct 2000 (7 posts) Archive Link: "BUG - SAMBA_2_2 Win9X profiles are broken"

Summary By John Quirk

People: D Davies, Richard Sharpe, Jeremy Allison

D Davies stated:

Hi, this 'feature' is clearly broken in this branch. I have a freshly updated checkout of SAMBA_2_2 and am certain, that the 'logon home' smb.conf param is broken.

The solution presented in the smb.conf distributed with SAMBA_2_2 does not work. It suggests to use:

logon home = \\%L\%U\profile

-> but this doesn't work.

He went on to say he had tried all the various methods and nothing worked. Richard Sharpe replied, "As it happens, I have just compiled up Samba 2.2.0, so I will try this out and check it ..." About an hour later Richard confirmed it was broken and added:

OK, I have found the problem. standard_sub_basic in lib/substitute.c does not substitute %U, which gets left in the string that is sent to the client.

I am testing a fix now, which is to add the code to translate %U using sesssetup_user, a global, but I wonder if there is a better way.

Richard posted a fix a few hours later. Jeremy Allison later reviewed the patch and replied:

Actually I'm afraid this isn't correct, as it causes %U to work in standard_sub_basic() which we specifically removed as the username is not always valid in this context.

The solution used in the PDC logon code is to call standard_sub_advanced() after getting the lp_logon_XX() variables.

I'm committing this fix at the moment.

Thanks a *lot* for the analysis though !

The thread ended with this.
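
A simplified C model of the two substitution stages discussed in this thread, added here as an illustration and not taken from Samba's source: the function names, signatures and the sample values PDC1 and alice are assumptions of this example. It shows %U surviving the context-free stage and being expanded only by the session-aware stage, and only when a username is actually available.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source. NULL val leaves %<macro> as-is; outlen >= 1. */
static char *expand(const char *in, char macro, const char *val, char *out, size_t outlen)
{
    size_t o = 0;
    while (*in && o + 1 < outlen) {
        if (in[0] == '%' && in[1] == macro && val != NULL) {
            size_t n = strlen(val), room = outlen - 1 - o;
            if (n > room) n = room;          /* truncate, never overflow */
            memcpy(out + o, val, n);
            o += n; in += 2;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return out;
}

/* Context-free stage (hypothetical name): only the server name (%L) is known. */
char *sub_basic(const char *in, const char *server, char *out, size_t n)
{
    return expand(in, 'L', server, out, n);
}

/* Session-aware stage (hypothetical name): basic stage, then %U if a user is known. */
char *sub_advanced(const char *in, const char *server, const char *user, char *out, size_t n)
{
    char tmp[256];
    sub_basic(in, server, tmp, sizeof tmp);
    return expand(tmp, 'U', user, out, n);
}

/* 1 if a %U or %L macro survived and would be sent to the client literally. */
int has_unexpanded_macro(const char *s)
{
    return strstr(s, "%U") != NULL || strstr(s, "%L") != NULL;
}

int main(void)
{
    char buf[256];   /* "PDC1" and "alice" are constructed sample values */
    puts(sub_basic("\\\\%L\\%U\\profile", "PDC1", buf, sizeof buf));   /* %U survives */
    puts(sub_advanced("\\\\%L\\%U\\profile", "PDC1", "alice", buf, sizeof buf));
}
```

A check like has_unexpanded_macro() on the final string is a cheap way to catch a path that would otherwise reach the client with a literal macro in it.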

4. Bugs On Big-Endian Machines

29 Oct 2000 (10 posts) Archive Link: "Big Endian archtectures"

Summary By Zack Brown

People: Gerald Carter, Greg Dickie

Gerald Carter asked how many folks used Samba on big-endian machines, and warned, "I've got a bad feeling that there are a lot of big endian related rpc struct parsing errors. Can anyone confirm or dispel my fears?" Greg Dickie confirmed, "I've been testing HEAD on IRIX and there are issues there. Haven't seen any cvs commits that would fix'em either." Elsewhere, Jim McDonough also confirmed the problem on AIX and PPCLinux, and there was a bit of technical discussion, including patches, although it looks like more work may be needed.

5. Authentication And User/Group List For Sharing Win98 Resources

29 Oct 2000 - 31 Oct 2000 (7 posts) Archive Link: "Can Samba Provide a User List for Win98 Sharing"

Summary By Zack Brown

People: Larry James, Tracey Maru, James W. Beauchamp

Larry James asked, "I've read a few messages that seem to suggest that Samba-tng can provide authentication and user/group list for sharing Win98 resources. However, there's nothing clear in the documentation of how to do it." Tracey Maru replied, "A properly setup tng current will do this. Just put the ip of your tng server in the 98 machine as ac provider." Larry tried this, but with no success, and James W. Beauchamp gave him a pointer to a Samba-TNG page, and also another, where the issues were discussed in depth. This was a big help, and Larry actually got something working. But he ran into configuration difficulties, and no one came to the rescue.

6. Preventing Users From Executing Files On NT

31 Oct 2000 - 2 Nov 2000 (8 posts) Archive Link: "Honouring eXecute permissions on NT?"

Summary By Zack Brown

People: Phil Mayers, Shawn Wright, Martin Radford

Shawn Wright noticed that removing the execute bit from a file on Red Hat would still allow NT to execute the file. Phil Mayers explained, "You're going about it the wrong way - "execute" permissions don't make sense in NT. If you don't want them to execute the file, deny them read permission, not execute. Ideally, put them in a separate directory and deny them read permission on the directory (and execute, which equates to traverse)." Unfortunately, as Shawn explained, this solution wouldn't work for him. He described, "The idea is to prevent students from executing programs they download and store on the network." Phil went on:

But it's not hard for them to store the binaries on the network, and copy them to the local machine TEMP directory at login, and run them from there. I did just that very thing as a (naughty) undergraduate here at Imperial, to get around the execute permissions thing...

I've just tried using Samba's "Security" support (network permission setting) and NT doesn't seem to honour the execute ACL bit on that share. Even if it did, the user will be listed as the file's owner, and can change the permissions back at will. I understand what you're trying to do, but I can't see a way of doing it.

Shawn and Martin Radford both felt that Phil had been using an insecure box. Martin said, "I imagine the intent is to make it difficult, or at least time-consuming, for the users to run unauthorised executables because they're having to work around the administrator's settings all the time. And at least some users won't find out what they need to do." And Shawn touted, "There is nowhere on the local drive that a user can create a file with eXecute permissions under our locked down NT install."







