Samba Traffic #32 For 11 Nov 2000

Editor: Zack Brown

By John Quirk and Zack Brown

Samba Homepage (http://samba.org) | Samba List Archives (http://marc.theaimsgroup.com/#samba)

Introduction

Want to help write KC Samba? See the KC Authorship page (../author.html), the KC Samba homepage (index.html), and the Thread Summary FAQ (../summaryfaq.html). Send any questions to the KCDevel mailing list (mailto:kcdevel@zork.net).

Mailing List Stats For This Week

We looked at 224 posts in 1010K.

There were 103 different contributors. 39 posted more than once. 0 posted last week too.

The top posters of the week were:

1. Problems Logging In From Windows Clients

24 Oct 2000 - 1 Nov 2000 (13 posts) Archive Link: "wierd logon problems"

Summary By Zack Brown

People: Brian Hawley, Gerald Carter

In the samba-ntdom mailing list, Brian Hawley reported that his system, a Red Hat 6.1 server running Samba 2.0.5a with a few Windows 95/98 clients, had some problems logging people in. He described, "When a user types in their password and clicks OK, windows pops up an error that says something like "domain password not correct or access to domain server has been denied". They usually have to retype their password and click OK 2-4 more times before the server lets them in. This happens everyday for every user." It had worked for him earlier, and Brian didn't know what had changed, but he posted his 'smb.conf' file and some logfile data. Spire - Lim Poh Soon reported the identical problem under Mandrake 7.0 with Samba 2.0.6; Vladislav Breus also reported the same thing.

Gerald Carter and Ana Maria Escalante noticed that the 'domain master' variable in the config file had been set to "no", whereas it should have been "yes". Ana Maria added that she didn't know why the problem would have spontaneously appeared, but suggested Brian try changing the variable and restarting the daemons. Brian tried this (along with some other changes) and at first reported success. But a little while later he saw the problem come back again. More suggestions followed, including the possibility that his network hardware might be flakey. By the end of the thread, the problem had not been solved. He would restart the daemons, and then shortly thereafter, logins would start requiring several tries.

2. Samba As PDC

26 Oct 2000 - 2 Nov 2000 (16 posts) Archive Link: "PDC"

Summary By Zack Brown

People: Jayne Gilmour, Simon Allaway, James W. Beauchamp

In the samba-ntdom mailing list, someone asked when Samba would be usable as a PDC, and in the course of discussion Jayne Gilmour replied, "Samba 3.0 provides a reasonable PDC service for NT clients." Elsewhere, Simon Allaway said, "Samba 2.0.7 works extremely well as a PDC for Windows NT 4.0 clients. It will happily serve Win2k clients but" [not] "within the domain. I can't speak for Win9x clients as we don't use them here." James W. Beauchamp also replied to the original poster, saying, "Please see http://www.samba.org http://www.samba-tng.org for development schedules and possible solutions for your PDC needs."

3. DocBook Experiences

30 Oct 2000 - 4 Nov 2000 (17 posts) Archive Link: "Latest SGML/DocBook news"

Summary By Zack Brown

People: Gerald Carter, David Collier-Brown, David Bannon

In the samba-docs mailing list, Gerald Carter succeeded in getting DocBook to produce HTML, PostScript, PDF, RTF, and TeX output. He summarized his reaction to DocBook after the ordeal, saying it was definitely hard to install, but did provide the desired output formats, supported international characters, and had the most momentum as a project. He also felt the SGML it used was tolerable. He summed up the goals of using DocBook:

David Bannon has already been working on consolidating some of the various FAQ's. Thanks David.

We have the man pages to convert.

The biggest question in my mind is what to do with the dozens of smaller text files.... Of course, we could just consolidate everything into the O'Reilly book.

To that last, David Collier-Brown replied, "Bad idea: the O'Reilly book's problem space is a subset of the general documentation tree's problem/solution space, specifically aimed at unix-literate but not windows-expert sysadmins." Elsewhere, Kai Blin also replied that installation wasn't really very difficult. There was also some discussion of possible alternatives, particularly the format used by the Linux Documentation Project, but most people felt that format was out of date, and the LDP was migrating to DocBook anyway, so by the end of the thread it seemed that DocBook would be the way to go.

4. Swat Security Vulnerabilities

31 Oct 2000 - 6 Nov 2000 (13 posts) Archive Link: "Samba 2.0.7 SWAT vulnerabilities (fwd)"

Summary By John Quirk

People: Miah, Jeremy Allison, Elrond, Ron Alexander

Miah of uberhax0r posted an alert about a vulnerability in SWAT, the full text of which can be found at http://www.uberhax0r.net/~miah/swat. He also noted, "You guys really need a "security@samba.org" contact."

This post kicked off a discussion on the samba list as well as the TNG lists. Jeremy Allison replied with:

First of all - the CGI logging code is not turned on, no distribution of Samba turns it on.

Yes it is broken, but it is *so* broken a better fix would be to just remove it altogether, not use the fix given (which Andrew has already pointed out introduces a race condition).

Failed auth logging should be done to syslog, and I'll make sure this goes into the 2.2 version of SWAT. I'll also just remove the CGI logging code.

...

The idea for a security@samba.org is a very good one though, I'll get to that once I'm back.

In the words of the HitchHikers Guide to the Galaxy, "DON'T PANIC" - especially over this so called "exploit" which requires the hacker to persuade the Samba admin to change source code and recompile and re-install swat before the "root" exploit is permissible. If the hacker can get the admin to do that I can think of easier "root" attempts. I won't repeat what Andrew said about this report :-) :-) :-).

Elrond from the TNG list also commented:

As you might have read on samba-technical, swat has a vulnerability.

This vulnerability is not tng specific, so you might want to check the samba-technical archive for details on the "normal" samba branch.

I can currently only recommend not using/enabling swat at all.

swat is not fully supported in TNG, it does not even compile under certain circumstances. We/I are currently not planning to put much work in it. So don't expect a fix soon.

I'm also considering disabling it altogether for the time being.

This comment spawned a discussion on the merits of using SWAT in an experimental environment such as TNG. Elrond finally commented, "If someone wants to do this, they can go ahead, I'll apply patches in this area. But I won't support this myself. I currently really don't see the need for this stuff. If you want web-administration, you certainly want the "normal" samba"

The samba list continued with Jeremy Allison posting a patch to the CVS: "Ok - here is the patch against 2.0.7 that fixes the problem that SWAT distinguishes between users that exist and those that don't. This patch has been tested by the original reporter of the problem and confirmed to be a fix."

Ron Alexander spotted a typo in the patch; Jeremy thanked him and said he would fix it in the CVS.
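The two points from this thread (a login check that does not distinguish existing users from non-existing ones, and failed-auth logging sent to syslog) can be sketched as follows. This is an added example, not Jeremy Allison's patch or any Samba code; the function names, the reply strings and the in-memory account table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed sample accounts (assumption); a real server would verify
 * against the system password database, not a plaintext table. */
struct account { const char *user; const char *secret; };
static const struct account accounts[] = {
    { "alice", "correct horse" }, { "bob", "battery staple" },
};
static const char DUMMY_SECRET[] = "placeholder-never-matches";

/* Compare without stopping at the first mismatch. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Returns 1 on success, 0 on any failure. An unknown user is still
 * compared against a dummy secret, so both failures take one path. */
int check_login(const char *user, const char *pass)
{
    const char *secret = DUMMY_SECRET;
    int known = 0, ok;
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0) {
            secret = accounts[i].secret;
            known = 1;
        }
    ok = ct_equal(pass, secret) & known;
    if (!ok) /* failures go to syslog, not to a file the CGI writes itself */
        syslog(LOG_AUTH | LOG_WARNING, "auth failure for user '%.32s'", user);
    return ok;
}

/* Reply text is identical whether the user exists or not. */
const char *auth_reply(const char *user, const char *pass)
{
    return check_login(user, pass) ? "200 OK" : "401 Authorization Required";
}

int main(void)
{
    printf("%s | %s\n", auth_reply("alice", "wrong"), auth_reply("mallory", "wrong"));
    return 0;
}
```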

5. A Patch To Allow Windows 2K To Join A Samba Domain

5 Nov 2000 - 8 Nov 2000 (11 posts) Archive Link: "Samba 2.2.0 with this patch allows Win2K to join domain"

Summary By John Quirk

People: Richard Sharpe, Jean Francois Micouleau, F.W.J.Wiegerinck, Inge-Håvard Hunstad

Richard Sharpe posted this to samba-ntdom:

With the attached patch, my reasonably recent version of Samba 2.2.0 allows Win2K to join the domain.

I cannot see who applied the changes as I can't figure out how to get CVS to tell me the differences or history ...

As you can see, if you look at the patch, the changes are reasonably minor.

Jean Francois Micouleau on samba-technical owned up with:

I and Tim.

I changed most of the rpc LSA functions to count the ending \0 in the unicode string, and Tim reverted it as it broke some other stuff.

Anyway, it looks like I need to look more deeply at the unicode string stuff and write a doc file to document how to use those functions.

Richard replied to Jean that he noticed it took a long time to join, but it finally did. Jean replied:

yep. The workstation does a pause to wait for the snetlogon (secure netlogon) service to start on the server.

Btw, the same pause exists when a W2K wks joins an NT4 PDC server.

Meanwhile, back on samba-ntdom, "Stokes" tried the patch but ran into problems with this error message: "The credentials supplied conflict with an existing set of credentials." F.W.J.Wiegerinck wrote:

In my opinion this suggests that you already have an active session to your server. The same error will occur when you're trying to access 2 shares with 2 different usernames on the same server.

Maybe it helps when you have a clean boot from your workstation with no open sessions to any station in the network.

Inge-Håvard Hunstad added to the suggestion, "To see connections to other computers type "net use" in a cmd shell. Then you can do a "net use \\computername\sharename[\volume] /delete" to remove the connection. I have to say that usually this works but not always...:)"

These two hints fixed Stokes' problem. Stokes went on to report this error message: "The procedure number is out of range." Richard Sharpe noted:

OK, that was the original problem I got, and applying the patch to srv_lsa.c solved that problem and allowed me to join the domain.

I did it in front of 150 people at LinuxWorld in Malaysia today, so it must work!

6. Compile Errors For Head On IRIX

7 Nov 2000 - 8 Nov 2000 (2 posts) Archive Link: "HEAD does not compile on IRIX"

Summary By John Quirk

People: Tim Potter, Greg Dickie

Greg Dickie reported that his auto-build of the HEAD branch had failed with a warning and an error.

To the warning, Tim Potter replied, "This one doesn't make sense as the variable is actually used." The error, Tim identified as, "Sounds like the prototypes are out of date. I'll commit and updated version. "

 

 

 

 

 

 


Kernel Traffic is grateful to be developed on a computer donated by Professor Greg Benson and Professor Allan Cruse in the Department of Computer Science at the University of San Francisco. This is the same department that invented FlashMob Computing. Kernel Traffic is hosted by the generous folks at kernel.org. All pages on this site are copyright their original authors, and distributed under the terms of the GNU General Public License, version 2.0.