[prev in list] [next in list] [prev in thread] [next in thread]
List: samba
Subject: SAMBA digest 1034
From: samba () arvidsjaur ! anu ! edu ! au
Date: 1996-08-23 16:57:10
[Download RAW message or body]
SAMBA Digest 1034
For information on unsubscribing and on what is appropriate to post to
this list see ftp://samba.anu.edu.au/pub/lists/samba.txt
Topics covered in this issue include:
1) Samba 1.9.16 finally released
by Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
2) changes from alpha26
by Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
3) smbclient & DEC Pathworks 4
by Bernd.Degel@aec.aeg.kn.DaimlerBenz.com (Bernd Degel)
4) New version of commsrv (former "comt") available
by J Wunsch <j@ida.interface-business.de>
5) Files on Samba shares get owner/group=nobody/nogroup
by "Kjell M. Egerdal" <Kjell.Egerdal@maxware.no>
6) smbstatus not showing all jobs 1.9.15p8
by Jason Boerner <jboerne@uswest.com>
7) Samba 1.9.16p1
by Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
8) WinNT Beta2 with Samba
by "Gregory Pyros, Pyros Pictures (714)833-0334" <gpyros@pyros.com>
9) Re: major security problem
by Todd Stedl <trstedl@u.washington.edu>
10) Re: SMBsesssetupX over and over - Win95 -> Solaris 2.5.1
by "Marty Leisner" <leisner@sdsp.mc.xerox.com>
11) access denied copying a file from Unix to Windows machine
by Brian Hopkins <wanker@televar.com>
12) nmbd strangeness with 1.9.16
by shaggy@ctron.com (Chris Taylor)
----------------------------------------------------------------------
Date: Thu, 22 Aug 1996 16:55:49 +1000
From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: samba@arvidsjaur.anu.edu.au
Subject: Samba 1.9.16 finally released
Message-ID: <96Aug22.170924+1000est.66046-187+3548@arvidsjaur.anu.edu.au>
I've finally released Samba 1.9.16. Its available from
ftp://samba.anu.edu.au/pub/samba and several mirror sites.
I'm sorry its taken so long for this release. A lot of restructuring,
particularly in nmbd, meant that it took a long time to get reasonably
stable.
Its possible (likely?) that there will be a 1.9.16p1 release before I
leave for the SMB workshop this Saturday. That will depend on the
feedback and bug reports we get from this release.
Thanks for your patience, and special thanks to all those people who
have helped by contributing patches, bug reports and ideas over the
last few months.
Cheers, Andrew
------------------------------
Date: Thu, 22 Aug 1996 17:00:05 +1000
From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: samba@arvidsjaur.anu.edu.au
Subject: changes from alpha26
Message-ID: <96Aug22.170931+1000est.66102-187+3557@arvidsjaur.anu.edu.au>
When I announced 1.9.16 I forgot to mention whats changed since
alpha26.
Basically, not much :-)
The main change was the addition of a timeout in open_socket_out() so
that having multiple password servers is practical. If the first one
is down then smbd won't sit around waiting for a connection for
minutes, it will give up after 5 seconds and try the next one.
This will also potentially help nmbd if it tries to sync browse lists
with a server that is down.
Cheers, Andrew
------------------------------
Date: Thu, 22 Aug 1996 14:29:48 +0200
From: Bernd.Degel@aec.aeg.kn.DaimlerBenz.com (Bernd Degel)
To: samba-bugs@arvidsjaur.anu.edu.au
Cc: samba@arvidsjaur.anu.edu.au
Subject: smbclient & DEC Pathworks 4
Message-ID: <199608221227.OAA18653@aec.aeg.kn.DaimlerBenz.com>
Hello Andrew,
a few months ago I posted my problem with DEC Pathworks 4 and smbclient to
samba-bugs. Meanwhile I got some input from two chaps (Ken Yap and Anders
Gytri) who told me that I have to use another protocol to connect to
Pathworks server.
After a tip from Ken I was able to detect the problem itself: smbclient is
sending a 'tconX' message when using the coreplus protocol which was
negotiated with our Pathworks server. But Ken told me that coreplus doesn't
support tconX !
The first version of the SMB protocol which supports tconX is the LANMAN1
protocol.
Therefore here is a patch for client.c (I used 1.9.16alpha23, but I think
later versions should be identical) :
[Snip]
--- samba-1.9.16alpha23/source/client.c Mon Aug 19 13:26:43 1996
+++ samba1.9.16a23/source/client.c Thu Aug 22 13:42:18 1996
@@ -3316,7 +3316,7 @@
strcpy(pword, ""); passlen=1;
}
- if (Protocol <= PROTOCOL_CORE) {
+ if (Protocol <= PROTOCOL_COREPLUS) {
set_message(outbuf,0,6 + strlen(service) + passlen + strlen(dev),True);
CVAL(outbuf,smb_com) = SMBtcon;
setup_pkt(outbuf);
[Snip]
Cheers, Bernd.
------------------------------
Date: Thu, 22 Aug 1996 14:43:19 +0200 (MET DST)
From: J Wunsch <j@ida.interface-business.de>
To: samba@anu.edu.au
Subject: New version of commsrv (former "comt") available
Message-ID: <199608221243.OAA09552@ida.interface-business.de>
Hello,
due to the public demand, i've updated my version of the ``commsrv''
server, a modem server for the COMt Windows shareware program. I've
finally cleaned it up a little towards better portability, fully
renamed it from `comt' to `commsrv', and also included a new -r option
to restrict the IP address range of peers that are allowed to invoke
the program via inetd.
Jeff Lightfood was kind enough to put it up for FTP on netcom's FTP
server:
ftp://ftp.netcom.com/pub/je/jeffml/commsrv.tar.gz
--
J"org Wunsch Unix support engineer
joerg_wunsch@interface-business.de http://www.interface-business.de/~j
------------------------------
Date: Thu, 22 Aug 1996 16:23:16 +0200
From: "Kjell M. Egerdal" <Kjell.Egerdal@maxware.no>
To: samba@arvidsjaur.anu.edu.au
Subject: Files on Samba shares get owner/group=nobody/nogroup
Message-ID: <"84384 96/08/22 16:24*/G=Kjell/S=Egerdal/PRMD=maxware/ADMD=telemax/C=no/"@MHS>
Hi,
I have just installed the new Samba (1.9.16) (yesterday I tried
1.9.16alpha21 with the same result) on a Sun SPARC with
SunOS 4.1.3_U1. Samba is compiled for SunOS 4 with
FLAGSM = -DSUNOS4 -DNETGROUP
My problem is:
>From my NT4 PC I browse the computer list. When trying to
browse the computer running Samba (called unn) I get a dialog:
Incorrect password or unknown username for:
\\Unn
and I can enter my user name and password and after entering
these the browse list pops up. I then maps a share from unn
(/opt) to drive letter J: - this looks ok. Next I creates a
file on J: (using: echo abc > z.z). Here is the problem:
The file z.z gets owner=nobody and group=nogroup (both are
defined with id=65534). (We want the file(s) to have owner
and group of the connected user).
Can anybody tell me what is wrong.
We run a very old version of Samba on another computer) and
this does not happen there.
I have also tried the same operations from Windows 95 with
the same result (= file gets wrong owner/group).
My smb.conf:
---------------
[global]
print command = /usr/ucb/lpr -r -P%p %s
lpq command = /usr/ucb/lpq -P%p
lprm command = /usr/ucb/lprm -P%p %j
printer name = lp
printcap name = /etc/printcap
guest account = nobody
security = user
password level = 1
status = yes
auto services = home odev opt mail4 mail5
load printers = no
revalidate = yes
case sensitive = no
preserve case = yes
workgroup = KTR
protocol = NT1
log file = /usr/local/samba/var/log.%m
max log size = 2048
[home]
path = /u
public = yes
only guest = no
writable = yes
printable = no
[odev]
comment = Development
path = /opt/odev
public = yes
only guest = no
writable = yes
printable = no
browseable = yes
hide dot files = no
[opt]
comment = Development
path = /opt
public = yes
only guest = no
writable = yes
printable = no
browseable = yes
[mail4]
comment = Development
path = /mail4
public = yes
only guest = no
writable = yes
printable = no
browseable = yes
[mail5]
comment = Development
path = /mail5
public = yes
only guest = no
writable = yes
printable = no
browseable = yes
[homes]
comment = Home Directories
read only = no
create mode = 0775
[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
public = yes
writable = no
create mode = 0700
; postscript = true
-----end of smb.conf----
If anybody is kind enough to help, I can send any kind of debug
dumps upon request - if needed.
TIA,
Kjell
Kjell M. Egerdal, MaXware AS
Internet: Kjell.Egerdal@maxware.no
X.400 : S=egerdal;P=maxware;A=telemax;C=no;
URL : http://www.maxware.no/~kme
------------------------------
Date: Thu, 22 Aug 1996 10:14:49 -0600 ()
From: Jason Boerner <jboerne@uswest.com>
To: Samba Mail List <samba@anu.edu.au>
Subject: smbstatus not showing all jobs 1.9.15p8
Message-ID: <Pine.WNT.3.93.960822101234.398H-100000@jboerne-nts1.uswc.uswest.com>
In my past 4 years of using this EXCELLENT product (thank you Andrew!), I
have never seen this before.
Any ideas over what would cause the following?
Thanks
<nowsun:/usr/local/samba/bin>46% smbstatus
Samba version 1.9.15p8
Service uid gid pid machine
----------------------------------------------
pcapps dhardy noshell 9130 148.157.46.16 (148.157.46.16) Thu
Aug 22 01:03:45 1996
seyoung seyoung noshell 9152 148.157.46.12 (148.157.46.12) Thu
Aug 22 01:43:24 1996
pcapps seyoung noshell 9152 148.157.46.12 (148.157.46.12) Thu
Aug 22 01:43:29 1996
No locked files
<nowsun:/usr/local/samba/bin>47% ps -e | grep smbd
7819 ? 0:02 smbd
746 ? 0:07 smbd
9130 ? 0:00 smbd
7820 ? 0:00 smbd
9152 ? 0:00 smbd
------------------------------
Date: Fri, 23 Aug 1996 02:31:22 +1000
From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: samba@arvidsjaur.anu.edu.au
Subject: Samba 1.9.16p1
Message-ID: <96Aug23.023132+1000est.65137-187+3996@arvidsjaur.anu.edu.au>
yep, a patch to 1.9.16 already!
This fixes the "socket is already connected" bug in 1.9.16 when using
smbclient. I never saw this problem myself, but I think I've fixed it
anyway. If not then you will see a 1.9.16p2 pretty soon :-)
Andrew
------------------------------
Date: Thu, 22 Aug 1996 09:47:12 -0700
From: "Gregory Pyros, Pyros Pictures (714)833-0334" <gpyros@pyros.com>
To: ni1!arvidsjaur.anu.edu.au!samba
Subject: WinNT Beta2 with Samba
Message-ID: <199608221647.JAA09119@pyros.com>
Samba-people:
I just wanted to thank all those who responded by e-mail to my query
on upgrading NT from 3.15 to 4.0 Beta2 while running Samba.
The typical response was that NT4.0 Beta2 would work, but NOT Beta1.
I have since upgraded to NT Beta2 with no Samba problems.
Other problems, but not with Samba! <g>
Thanks,
Greg Pyros
gpyros@pyros.com
------------------------------
Date: Thu, 22 Aug 1996 11:18:53 -0700 (PDT)
From: Todd Stedl <trstedl@u.washington.edu>
To: Andrew.Tridgell@anu.edu.au
Cc: pkelly@omen.ets.net, samba@arvidsjaur.anu.edu.au
Subject: Re: major security problem
Message-ID: <Pine.A32.3.92a.960822104759.89677A-100000@homer31.u.washington.edu>
On Thu, 22 Aug 1996, Andrew Tridgell wrote:
> Todd wrote:
> > I'm running Samba 1.9.15p8 with a NeXT machine as the server and an NT
> > 3.51 as the client. Everything works just peachy and I had no problems
> > connecting to services on the Next machine. In fact, I discovered it
> > was working a bit "too well."
>
> :-)
>
> > I created a service that allowed only my computer (the NT) as a host and
> > allowed only me as a valid user. To test it I logged on my NT as a
> > different user and tried to connect to the service and it refused my
> > connection as expected. However, when connecting to the service with
> > NT's filemanager you have the option of "Connect as". When I entered my
> > username (the only valid one the service would accept) it asked for a
> > password and after entering some bullshit for the password it logged me
> > on!
>
> ok. There are several possible explanations for this. None of them are
> security holes, although they might look like it at first glance if
> you don't understand SMB.
>
> 1) When you asked to connect again the NT client didn't actually send
> the password you typed, but instead sent the password you used when
> you originally logged into NT. That "password" dialog box can be
> deceptive as it makes you think that it will actually send that
> password. When connecting to a user level security server a Windows
> box (WfWg, NT or Win95) will normally supply the password that you
> used at the original login screen.
Not possible. I'll explain in detail what happened:
I logged into the NT machine as 'todd' and typed the appropriate
password. Then I opened file manager and connected to the Next machine
with a Samba service called 'euclid' where 'todd' is the only valid user.
(revalidate = no at this point and security = user). 'todd' has an
account on the Next machine with the same password as the NT machine, and
I was successfully connected to the euclid service.
Now, I logged off the NT machine and logged on as 'joe'. 'joe'
has an account on the NT but with a different password as 'todd', and
'joe' does not have an account on the Next machine. Again, I opened file
manager and tried to connect to the euclid service-- no luck at first, but
when I typed 'todd' in the 'Connect as:' line, it logged me right on! It
would bring up a password window, but I could type in anything and still
be connected as 'todd', even though I logged into the NT as 'joe' and have
a different password as 'todd'!
> 2) The NT client was still connected on port 139 and had already
> authorized itself as that username on the connection. When you asked
> to connect again it didn't send any password at all, instead it just
> asked to do a tree connect (SMBTconX) as the already authenticated
> user.
I'm not sure how this would have happened. When I don't specifically
disconnect from the euclid service, every time I log into NT it tells me
that it is "restoring the connection to euclid".
> I strongly suggest you read security_level.txt in the docs directory
> of the samba distribution. It explains all about SMB security levels.
>
> > This problem is especially dangerous if there is a [homes] section. As
> > long as a user has successfully connected to their home account, anyone
> > else could also as long as they connect as that user.
>
> No! You misunderstand how SMB works. Samba does SMB over a "connected"
> transport, TCP. The memory of a previous authentication is only done
> within that TCP connection. If someone attempted to connect from
> another client to the server using that username then they would have
> to authenticate themselves from scratch.
> Please, when reporting "severe security holes" don't make
> assumptions. If you think that by doing something on one box you have
> demonstrated that anyone can break in then _try_ to break in using
> that method. You will fail.
I did try it! Again, 'todd' has a home account on the Next machine while
'joe' does not. I logged in the NT as 'joe', but connected to the service
as 'todd', it asked me for a password, I typed in bullshit, and it logged
'joe' right into todd's account. And this was not a read-only viewing
either. 'joe' could delete and change any of 'todd's files at will.
The SMB security model is much more
> sophisticated than the one commonly used for telnet or ftp. Samba is
> very careful (paranoid actually) about ensuring that no one can do any
> file operations unless they have fully authenticated themselves. I'm
> not saying that there are no bugs, no software author can say that,
> but I am saying that the basic model that is used is not insecure, and
> that no one has yet demonstrated a real security hole in it.
Well, something is definitely wrong with the way I had things previously
set up. I'll take a look at that security file to better understand how
things work, but I had been using Samba for 6 months and everything seemed
to have been working fine until, as a whim, I tried to break into my own
account and I found it was easier than opening a door.
I brought this up not as a criticism of Samba but as a warning to everyone
that it's quite possible their system isn't as secure as they thought and
that they should look into its security more closely. If you want, I'll
send you a copy of the smb.conf file as I had it when I found it was
insecure. One final note-- the Next machine *is* running only NextOS 2.1,
but I had no problem compiling Samba on it using the Next 3.1 make. If
you want, I could put Samba on another Next I have which is running 3.1
and see if I come up with the same problems.
-Todd
------------------------------
Date: Thu, 22 Aug 1996 13:56:51 PDT
From: "Marty Leisner" <leisner@sdsp.mc.xerox.com>
To: stacey@sierraimaging.com
Cc: samba@arvidsjaur.anu.edu.au
Subject: Re: SMBsesssetupX over and over - Win95 -> Solaris 2.5.1
Message-ID: <9608222056.AA07375@gnu.mc.xerox.com>
> I'm having a problem where a net view \\host\user on my Win95 box
> causes an infinite loop of SMBsesssetupX messages in my Solaris 2.5.1
> smb log file. I've tried both the latest offical and latest alpha
> releases. Searching the SAMBA Digest archives comes up with at least
> two other people who experienced exactly the same problem, but as far
> as I can tell no one was able to help them out.
>
>
> Does anyone have any hints on what might be going wrong? (GUEST_SESSET=
> UP
> #define mods make no difference.) Thanks for any help,
>
> Stacey
> stacey@sierraimaging.com
>
I wish I knew...
I goes away for LANMAN1 protocol (set it in smb.conf).
I guess your using something > LANMAN1...
this is what I saw...
It stopped happening recently...
Its tempermental and only happened at home (never at work).
>
>
--
marty
leisner@sdsp.mc.xerox.com
Member of the League for Programming Freedom
------------------------------
Date: Thu, 22 Aug 1996 13:14:51 -0700
From: Brian Hopkins <wanker@televar.com>
To: samba@arvidsjaur.anu.edu.au
Subject: access denied copying a file from Unix to Windows machine
Message-ID: <321CBFBB.60F6@televar.com>
My unix server is SCO open serverV, using WFW 3.11 with microsofts tcp/ip
stack. Samba runs perfectly; i.e. the unix filesystems map perfectly in
file manager and the Unix printers are shared without any hassles.
Here is the rub. I can copy a file from my windows machine to the Unix
box (drag and drop in file manager), but when I try to drop the file back
from the Unix side to the windows machine I get this error "Error
copying file - file manager cannot copy E:\Autoexec.bat:Access is denied.
make sure the disk is not full or write protected." Drive E is my unix
drive. I can delete the file on the Unix machine, so it is obviously the
windows drive that appears to Samba to be write protected.
Any suggestions??
------------------------------
Date: Thu, 22 Aug 1996 18:39:52 -0400
From: shaggy@ctron.com (Chris Taylor)
To: samba@arvidsjaur.anu.edu.au
Subject: nmbd strangeness with 1.9.16
Message-ID: <321cdc09.1203270@dur-mail>
First, my computer: Sun SparcStation 5, 32 Mb RAM, SunOS 4.1.4. I compiled
the samba binaries with the defines SUNOS4, GETPWNAM, and
FAST_SHARE_MODES=1.
Here's my problem: I'm trying to configure samba to NOT perform browse or
domain control of any sort. I already have an NT WINS server and domain
controller available to me, and I don't want the the samba server to
interfere with them. I just want samba to announce its own shares and its
presence on the network, nothing more.
Here's the relevant parts of smb.conf:
[global]
security = user
domain controller = ctron_pdc
domain master = no
preferred master = no
wins proxy = no
wins server = dhcpserv
wins support = no
workgroup = DURHAM_RES
I looked through the current man page; from what I read, the above should
do what I need. I start nmbd from inetd with the arguments "-i 0"
(everything else where I work uses scope ID 0). Same for smbd.
Here's a sample of what shows up in log.nmb (debug level 4):
nmb packet from 134.141.62.207 header: id=39358 opcode=0 response=No
header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
question: q_name=NETWORK_MGMT(1b).0 q_type=32 q_class=1
Name query Search for NETWORK_MGMT(1b).0 from 134.141.62.207 - find_name on
local: NETWORK_MGMT(1b).0 134.141.62.207 search 7
find_name on WINS: NETWORK_MGMT(1b).0 134.141.62.207 search 7
subnet 255.255.255.255 Get_Hostbyname: Unknown host. NETWORK_MGMT
no recursion.
Nmbd repeats this non-stop, though with different workgroup names in each
instance. In fact, it takes up almost all of the computer's CPU time in
doing so.
Here's the kicker: about 10 minutes after starting nmbd, it forced an
election and took over as master browser! I stopped nmbd at that point.
I must confess ignorance of the inner workings of WINS, SMB, and its
associated parts. (yup -- learning as I go) I suspect I've misconfigured
something, and I'd appreciate any pointers to what i did wrong. On the
other hand, I didn't have this problem with version 1.9.15p8. For the new
version I only added to smb.conf the lines for wins server, wins proxy, and
wins support.
I can supply more detailed debugging info, if needed. Ideas, anyone?
--
Chris Taylor / My views do not represent \ PGP public key available
shaggy@ctron.com \ those of Cabletron. / via keyserver or request
------------------------------
End of SAMBA Digest 1034
************************
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic