Domain: samba.org
Stories and comments across the archive that link to samba.org.
Comments · 721
-
Re:Never use blocklists to block
Heh. I've actually met Martin personally, about a year ago while he was at Linuxconf-AU-Perth. He gave me a synopsis of his talk about distcc, which I finally got around to trying last week to build KDE from CVS. A very very cool app.
Then I had an amusing exchange with him on this very same topic, regarding this very same SPEWS listing :-). Unfortunately I got around to checking his final response too late, so when I realised who it was I didn't have a chance to say hi :).
So I'll tell you what I was going to tell him, which is just that I thought the nanae-denizens talking to him were actually quite decent and helpful. The main factor that added confusion is that a couple of the posters wrongly assumed the issue was about Datapipe, rather than an actual mistake on osirusoft's or SPEWS's part (genuine mistakes are, seriously, quite rare). If Martin had been more familiar with nanae or with the way SPEWS works, he might have been able to get that point across more clearly.
But still, none of the replies were actually rude (by normal Usenet standards). None of them really flamed him. When he responded again and further muddied the waters from the real issue by making it clear that he didn't like the way SPEWS operates, a few people responded to the points that he made in a tone that could be read as mildly patronising. I suspect Martin didn't take that too well :), but, well, that tends to be the way things go when you pop into a group and start telling people they're wrong - without really researching the topic first.
And you've misrepresented what the nanae denizens actually said - they didn't say "we're not going to tell you which ISPs are good/bad", they tried to explain that it's just not that simple. There's too damn many ISPs, and (especially for the really big ones) their staff and policies change around too frequently.
Then, of course, SPEWS does actually provide a list, of sorts. You can query IP addresses belonging to an ISP and see if anything turns up. Spamhaus also provides a list of sorts, arranged a bit differently. Then, of course, you can always do a search through nana.sightings or nanae itself for the ISP's name. It's just part of the overall research that you might think about doing before investing significant money in an ISP contract.
And this advice specifically is extremely worth your attention.
As to the other links you provided - well, all I can say is that it's Usenet, for $DEITY's sake. Turn your sense of humour back on.
Pete. :-) -
Samba - Winbind
When it comes to interoperability between Windows and *nix, the answer is usually Samba. For you, you need Winbind, which will authenticate against a Windows Domain's PDC, and can be hooked into PAM.
Browsing the docs is a very good idea. And, you can read The Official Samba-3 HOWTO and Reference Guide online. In particular, see Chapter 21. Winbind: Use of Domain Accounts.
Good luck. -
Excellent point...
With a $40 ethernet expansion and a serial cable to get in the first time he could get his network connectivity, 240 hours+ of recording (with 2 120GB drives if he wants to invest), ability to copy shows off the drive, a web accessible interface to the unit, and more.
Only thing that could not be addressed would be the subscription. I don't mind the subscription fee, myself since I opted for lifetime. To each his own.
TiVo hacking FAQ for those not in the know. Also, google 'TiVo HTTP' and you should find the web daemon.
-
more accurate facts about ACT
My understanding is that the ACT Government represents the ACT (strange that)... an underfunded town that is smaller and less influential than Munich.
ACT is *the capital* city of Australia, seat of federal government, part time home of australian pollies (politicians), home of australian federal public service, houses adf hq (moved from vic barracks in melbourne - my home), home of various australian intelligence agencies (asis, asio), location for diplomatic embassies, etc. Also home of Australian National University, Andrew Tridgell of Samba and rsync fame.
Canberra is *not underfunded*. It is in a sense an *artificial* city created as a political compromise to house the australian capital - after a fight broke out between Victoria and Sydney around federation around 1901. The solution: Canberra, a territory created in the NSW outback. Its sole purpose is to house government and its associated functions.
as for being less influential ... in australia it's the national capital and houses the federal government - q.e.d. As for the rest of the world ... what does it matter? -
Re:Legal Ramifications Resulting From Use of NTLM
NTLM is documented and understood pretty well.
Incidentally the jCIFS NTLM HTTP authentication Servlet Filter for authentication of IE users (and I guess Mozilla users now) against NT domain controllers implements the protocol completely and is used regularly by consulting arms of many big companies like Oracle, IBM, RSA Security, Novell and in production by countless other organizations. I know of at least one commercial SSO product that uses it.
Mike (author of jCIFS) -
Possible solution?
I don't know if this will work in general for hard drive locking or if the locking described is TiVo-specific, but here are some links...
TiVo hacking faq on drive locking
Unlock program for Quantum TiVo hard drive
Supposedly the QUnlock.exe program will permanently unlock the drive, but then again it could be some kind of TiVo "locking" and not the hard drive password locking we're talking about.
-
Re:I guess I'll be going for it...
The guys at RedHat didn't write the code, they just packaged it*. *I'm talking about most packages. I understand that there are a few projects that are funded by RedHat and others done in house. The rest (and there are a lot) are all open source developers. I personally would rather send the Samba guys pizza myself.
-
Re:rsync Protocol Was a Bad Idea
The network protocol is just something to get the (significantly reduced) data from point to point. There isn't too much a network protocol can do to speed up the process.
RTFM, idiot.
There are several things that a new network protocol can do to make a transfer faster. For example, rsync is heavily pipelined in both directions, and removes common information from headers of consecutive files. Neither of those optimizations would be possible in FTP or HTTP.
rsync was for years the only major application that aggressively utilized full duplex TCP sockets, and found several bugs in Linux, BSD, and Solaris kernels by doing so. Again this is a protocol design decision that gets more mileage out of the connection than is possible in other ways.
Have you ever even looked at an HTTP dump? The hundreds of bytes it takes to send the headers can accommodate several whole rsync-compressed files.
A recursive update of a changed tree is typically several times quicker with rsync than with either CVS or FTP. Nothing against those protocols; they were just designed with different purposes in mind.
Now you can reasonably question whether the space saving really justifies having a new protocol. If you're not convinced, don't run it. Many people do find it worthwhile. If you are super security-conscious then you probably shouldn't be offering anonymous or unencrypted service at all. -
I'm sorry
I tried very hard to find something funny to comment on in this announcement, but could not.
Feel free to mod me wayyy down! I have that syncing feeling. -
Combined rsync + kernel vulns
seem to be responsible for this breakin. The information has already been posted to Bugtraq by a gentoo team member. Here is the post text:
Background
----------
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.
Our conclusions are that:
- rsync version 2.5.6 contains a heap overflow vulnerability that can be used to remotely run arbitrary code.
- While this heap overflow vulnerability could not be used by itself to obtain root access on a rsync server, it could be used in combination with the recently announced brk vulnerability in the Linux kernel to produce a full remote compromise.
- The server that was compromised was using a non-default rsyncd.conf option use chroot = no. The use of this option made the attack on the compromised server considerably easier. A successful attack is almost certainly still possible without this option, but it would be much more difficult.
Please note that this vulnerability only affects the use of rsync as a rsync server. To see if you are running a rsync server you should use the netstat command to see if you are listening on TCP port 873. If you are not listening on TCP port 873 then you are not running a rsync server.
New rsync release
-----------------
In response we have released a new version of rsync, version 2.5.7. This is based on the current stable 2.5.6 release with only the changes necessary to prevent this heap overflow vulnerability. There are no new features in this release.
We recommend that anyone running a rsync server take the following steps:
1) update to rsync version 2.5.7 immediately
2) if you are running a Linux kernel prior to version 2.4.23 then you should upgrade your kernel immediately. Note that some distribution vendors may have patched versions of the 2.4.x series kernel that fix the brk vulnerability in versions before 2.4.23. Check with your vendor security site to ensure that you are not vulnerable to the brk problem.
3) review your /etc/rsyncd.conf configuration file. If you are using the option use chroot = no then remove that line or change it to use chroot = yes. If you find that you need that option for your rsync service then you should disable your rsync service until you have discussed a workaround with the rsync maintainers on the rsync mailing list. The disabling of the chroot option should not be needed for any normal rsync server.
The patches and full source for rsync version 2.5.7 are available from http://rsync.samba.org/ and mirror sites. We expect that vendors will produce updated packages for their distributions shortly.
Credits
-------
The rsync team would like to thank the following individuals for their assistance in investigating this vulnerability and producing this response:
Timo Sirainen <tss iki.fi>
Mike Warfield <mhw wittsend.com>
Paul Russell <rusty samba.org>
Andrea Barisani <lcars gentoo.org>
Regards,
The rsync team -
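The checks the advisory above asks administrators to make (is anything listening on TCP port 873, is rsync below 2.5.7, does rsyncd.conf set use chroot = no), as an added example that is not part of the original post or the rsync team's code. The function names and all sample inputs are constructed for illustration; the parser assumes rsyncd.conf's documented rules that whitespace inside parameter names is ignored and that a module setting overrides the global one.

```python
import re

FIXED_RSYNC = (2, 5, 7)              # fixed release named in the advisory
FALSE_VALUES = {"no", "false", "0"}  # rsyncd.conf spellings of a false boolean


def listening_on_873(netstat_output):
    """True if `netstat -ltn` style output shows a TCP listener on port 873."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            # Local address is field 4; the port follows the last colon (IPv4 or IPv6).
            if fields[3].rsplit(":", 1)[-1] == "873":
                return True
    return False


def below_fixed_release(version_output):
    """True if `rsync --version` output reports a release older than 2.5.7."""
    m = re.search(r"version\s+(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no rsync version string found")
    return tuple(int(part) for part in m.groups()) < FIXED_RSYNC


def chroot_disabled_scopes(conf_text):
    """List the rsyncd.conf scopes where 'use chroot' resolves to false.

    "(global)" is reported when the global section disables chroot; a module is
    reported when its own setting, or the inherited global one, is false.
    """
    global_enabled = True   # the advisory calls 'use chroot = no' non-default
    modules = {}            # module name -> explicit setting, or None if inherited
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = None
            continue
        name, sep, value = line.partition("=")
        if not sep or "".join(name.split()).lower() != "usechroot":
            continue
        enabled = value.strip().lower() not in FALSE_VALUES
        if current is None:
            global_enabled = enabled
        else:
            modules[current] = enabled
    findings = [] if global_enabled else ["(global)"]
    for name, setting in modules.items():
        if not (global_enabled if setting is None else setting):
            findings.append(name)
    return findings


# Constructed sample inputs (not taken from the compromised server).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN
"""
SAMPLE_VERSION = "rsync  version 2.5.6  protocol version 26\n"
SAMPLE_CONF = """\
# constructed example configuration
uid = nobody
use chroot = no

[pub]
    path = /srv/pub

[mirror]
    path = /srv/mirror
    use chroot = yes
"""

if __name__ == "__main__":
    print("rsync server listening on 873:", listening_on_873(SAMPLE_NETSTAT))
    print("below 2.5.7, update needed:", below_fixed_release(SAMPLE_VERSION))
    print("chroot disabled in:", chroot_disabled_scopes(SAMPLE_CONF))
```

The kernel check from step 2 is left out because, as the advisory notes, vendor kernels older than 2.4.23 may already carry the brk fix, so a version comparison alone would mislead.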
Re:RSYNC
Vulnerability in Rsync-2.5.6
I rest my case.
-
Re:How about a logging trail
Who says they used this kernel exploit?
Seems they got in through rsync (see the rsync advisory).
If you want to run an rsync server, this server has to run with root privs (or at least be started with 'em. I'm going from the manpage, so don't consider this authoritative) if you want any of the following:
- Have it run chrooted
- Have it listen on a port below 1024 (default=873)
- Have it be able to set file ownership
It seems rsync never gives up any privileges (even though it could for the first 2 I think...). So I'd give it a fair chance that as they went in via rsync, it was already running as root and so they didn't even NEED the kernel hack.
Cooper
--
I don't need a pass to pass this pass!
- Groo The Wanderer - -
rsync security update
An rsync vulnerability has been identified.
I was going to post it here, but the moronic lameness filter won't let me. So you'll need to look at rsync.samba.org.
The rsync team has received evidence that a vulnerability in rsync was recently used in combination with a Linux kernel vulnerability to compromise the security of a public rsync server. While the forensic evidence we have is incomplete, we have pieced together the most likely way that this attack was conducted and we are releasing this advisory as a result of our investigations to date.[....]
-
Does that mean...
...we'll get more people working on Samba ? -
SAN
What you're asking for is a SAN.
I just installed a Network Appliance FAS250 in my server room. It speaks CIFS, NFS, and iSCSI.
By the way, you're wrong... Oracle will run perfectly using CIFS shares (I'm running it now, and have been for the past few months), and NetApp has plenty of documents in their tech library showing all the different ways to use attached storage with Oracle and many other pieces of software.
With respect to speed, it really depends on the network infrastructure. I've got a Cisco GigE switch attaching 6 machines directly to a GigE port on the NetApp Filer. It is literally twice as fast as the directly attached RAID 5 (caching, etc.) arrays that it replaced.
I think that Microsoft Exchange can be installed to a CIFS share, but if not, you should look at iSCSI. My company uses Lotus Notes 4.6.7 (sweet, merciful Christ, please put me out of my misery), and it works great from a CIFS share on the NetApp.
Microsoft has a free iSCSI Initiator for Windows that will mount an iSCSI device just like any other SCSI drive in Windows. You can find several iSCSI targets for linux here.
I have about 50 Macs on our network (graphics department) that needed to talk with the new filer. Instead of installing a klugy piece of software to make the OS9 Macs talk to the SAN at $150/seat, I installed a linux box using samba to talk to the SAN through CIFS and netatalk (AppleTalk for linux) to re-share out the samba mounts. Besides some quirks (Macs don't see the linux gateway in the AFP browse list, but can connect directly through IP), it works rather well.
Look at iSCSI, it does exactly what you're looking for.
-
John Terpstra at SCALE
John Terpstra, co-founder of the Samba-Team, will be speaking at the Southern California Linux Expo on November 22nd at the Los Angeles Convention Center in Los Angeles, California. John will be giving an overview of Samba 3 including the ability to integrate into an Active Directory environment. Autographed copies of "The Official Samba 3 Howto and Reference Guide" will be available for purchase. Regular priced and student priced tickets giving full access to the event are still available. Free expo only tickets are also available using the "FREE" promotional code on the orders page. The Southern California Linux Expo is a non-profit event organized by LUG volunteers.
-
Re:Safe to use samba 3?
Samba 3.0 has been in production use by some brave people for over half a year.
The 3.0.0 release was very good; the only major annoyance/bug is one dealing with Microsoft Office renaming files.
See this post for some detail.
There is a patch available that fixes that issue.
I'm running 3.0 and it works fine (but not so sure about 3.0.1pre2....) -
Re:user passwords?
-
Available Online
I just went through a new Samba install and this documentation was a great help.
It's all available online from samba.org: HTML Version | PDF Version
Note: There are a couple of chapters that are missing from these versions but all-in-all it should answer most of your questions. -
For those unable to buy it....
While it is an excellent idea to financially support the Samba project, not only because of what they are doing but for how well they do it, but for those who are looking for who can't afford this book essentially the same document can be found here. Keep in mind this was the pre-release version of the published book. And I would just like to say thanks to the Samba team for all the excellent work they have done!!!
-
Pizza?
Do they include more info on delivering Pizza to Samba authors?
-
Re:Why just home?
You mean Shadow Copy? Samba 3 has this functionality also.
-
Re:Hmmm...
Why not use something like ccache? Then you only need to recompile changed files. I think. I don't personally use it...
-
Re:I'll ditch windows
I dunno, but having a built-in Caching nameserver seems pretty useful to me. Makes web browsing faster, more convenient. One click install seems to be pretty much a linux only sort of thing, too. More directly related to the speed issue, the ability to compile everything from source means that you can do a shitload of optimizations to your system, and it'll probably run a lot faster. Plus, if you have a lot of network shares, Samba is faster, and a helluva lot nicer than windows for SMB shares. Plus, Linux has a Far nicer looking, more powerful windowing system than windows, to boot.
-
John Terpstra at Southern California Linux Expo
John Terpstra, co-founder of the Samba-Team, will be speaking at the Southern California Linux Expo on November 22nd at the Los Angeles Convention Center in Los Angeles, California. John will be giving an overview of Samba 3 including the ability to integrate into an Active Directory environment. Regular priced and student priced tickets giving full access to the event are still available. Free expo only tickets are also available using the "FREE" promotional code on the orders page. The Southern California Linux Expo is a non-profit event organized by LUG volunteers.
-
Re:They didn't migrate yet...
Hi, indeed, this seems confusing..
please re-read this post again:
Oh, and even if the PDF is saying it was produced from MS Windows with the help of PDFmaker -- be assured that the original document was written with the help of OpenOffice.org. vlendec should be able to confirm this, since he is also one of the authors... ) ;-) -
Re:Samba tutorials
Don't forget the Biggest HOWTO in Samba history: Samba 3.0.0 HOWTO Read, and if you have questions or suggestions for improvements, please send them to JHT (the author).
-
RSYNC? Nah, TiVo!
Let's not forget he was also one of the first people to get to grips with TiVo hacking; see the TiVo ISA ethernet stuff for a start. Proper TiVo hardware & software hacking in the days before you could just buy a TurboNet from 9thTee...
-
What is the point of using the GPL for...
your software if it's not enforceable? Who cares about Forbes negative light? BTW, I can see from the list of features in SCO's OpenServer that it includes Samba but I couldn't find the source code to download. Does anyone know where the source code is for Openserver?
-
Re:Ultimate Tivo Hack
Funny you should say that, saying as the leading tivo hacker now works on the storage tank.
-
Re:Excuse me...
A 2.5 x speed advantage can only mean one thing: misconfigured Windows machines.
You might be interested in this article describing the implementations of SMB and Samba, as well as the documentation list at samba.org. Additionally, Microsoft has had many issues with the LMB, DMB, and backup browser implementations, partly due to historical network decisions and old networking bugs and highly visible on volatile networks. Some of the difficulties with SMB include methods of caching the data and cache consistency, the inconsistent rate of refreshes done within the network, (on windows) the auto-detection and auto-creation of LMB and LMB-backup nodes, and the presumption of the underlying network.
I'll focus on the network cache consistency problem since that's the one I've had problems with. I don't know about the general speed issue (what speed are you referring to? throughput? Resource availability? Master Browser updates? connection speed and concurrency under a heavy user load? ) I have experienced all kinds of problems with a highly volatile network, with programmers running multiple OS's inside of virtual machines. These virtual OS's need to be frequently restarted, meaning the network is constantly gaining and dropping objects.
A prime example of Microsoft's bad cache coherency problem is that if an object is deleted or removed from the network, the information can take over an hour to propagate through the entire network. The worst case isn't nearly as bad in the pure-Samba implementation, but the difficulty remains. This failure means that newly added resources aren't immediately visible on the network, or recently removed resources take a long time to be removed, and show up as errors when you try to access them. Or the object can be visible on some machines, but not available on others.
When there is a high level of volatility on the network (machines being frequently rebooted or shut down, network re-wiring, etc.) this can really plague any SMB or CIFS network, but is especially hard on Windows boxes, and more so the older your Windows implementation. Problems are exacerbated if either the LMB or LMB-backup system is the one going back up and down, because the Windows boxes will respond less-quickly to the problem; this results in further instability for the SMB network, since critical nodes are not available, propagate incorrect data, and take longer to reconfigure.
As you mentioned, the Samba boxes are faster than the Windows boxes, but not as big of a difference as you experience. You said you have "a LAN full of Win2000/XP boxes", which probably means they are on most or all of the time. Is it unreasonable to assume that the author has a more volatile network, or is otherwise more prone to speed impairment issues?
frob
-
Re:First time apple's on Windows?!
Correct me if I'm wrong, but isn't that the first time that Apple ports software to Windows?!
Does it matter when we have Samba -
Re:The only one that matters
Samba is not a file system, and as such is not in the benchmarks. RTFA and see http://samba.org
-
Re:Samba abused too?
I have gotten no further response from Linksys, and the sources for the EFG80 have not been posted on their GPL source web site. I am fairly confident, however, that this is just a case of things moving slowly.
It would help if someone out there who has an EFG80 could verify that the sources are on the accompanying CD-ROM (and that they produce workable binaries).
Some vendors who use Samba will provide a test unit to the Team or access to a system at their end for use in the build farm, but that is certainly not a requirement. It just helps them, and us, keep everything working smoothly.
Chris -)-----
-
Re:rh9 samba lockup
Samba doesn't use threads and shouldn't link to any thread libraries.
I have no idea how there could possibly be such a problem. If you can recreate this, it'd be a good idea to submit such a bug to BugZilla. -
Re:question
No problem: Get the source RPM and build it yourself. Go here, get the Samba 3.0 source RPM (SRPM) and build it using:
rpmbuild --rebuild
And it should compile you some nice RPMS to install (hint: look under /usr/src/redhat/RPMS). -
Re:scripting & openbrick
heartbeat and openbrick is a very good idea. However I will suggest RSYNC instead of ftp.
RSYNC will help you re-start the transmission from where you left if the connection breaks. -
Re:Unicode
You may be right, according to the Samba Gods, Apple Unicode gargles "The Big One":
See This Thread on samba-technical about it. -
rproxy -- also actually works, and open source
rproxy is a really interesting project, and back when I tried it over a 56K dial-up connection, it did actually work to speed things up. You sit an rproxy web cache at each end of the dial-up connection (so you need somewhere to deploy your custom proxy to make it work, but bear with me...) and then request web pages as usual. Each end caches the pages that pass through it, but the clever part is that when you re-request a page, the proxy at the far end (on the fast connection) can fetch the page and compare with the last copy in the cache. Then it transmits only the differences using the rsync algorithm. Unfortunately it's not being actively developed any more given the increasing availability of high-bandwidth connections, and the decreasing fraction of web traffic that is suitable for delta-compression. Shame, since it did seem to be a real "web accelerator" without any of the illusory techniques used by the garish banner-ad accelerators.
-
Re:SCO has no strategy
-
Donations
In case anyone missed it, you can donate to Samba here.
.. and no I'm not involved in the project :) -
Cool feature that is easy to miss
As I was reading the announcement, I missed item 42 (Added win2k3 shadow copy operations to VFS interface). Taking a look at the discussion on the samba-technical list, this seems like it is a very cool feature. It paves the way for being able to look at snapshot file systems (Veritas, UFS, LVM, etc.) and even creating a VFS interface that will allow you to browse the last 64 revisions of a file in a CVS repository. Very cool.
Now, I would just love to see this in smbfs.
-
Important passage for Samba fans (and others)
The EU wants Microsoft to disclose more code to its competitors, to allow them to make sure their systems can work together with Microsoft's rather than being disadvantaged by Microsoft's dominant market position.
If the EU can get them to release code affecting interoperability with other OS (like their CIFS implementation) it would be a boon to Samba and linux fans everywhere. Or if they had to publish their MAPI protocol it would be a big boost for projects like Open Groupware.
Strengthening either of these projects creates opportunities for enterprises to switch to other back-of-the-house technology without violently uprooting their desktop users (just yet...) -
It will get there ...
When will this stuff finally be ironed out?
When people stop the whining and start the contributions. If you can't code, you can always work an extra hour flipping burgers, and send the extra $5 to tridge or one of the other members of the samba team.
At the VERY least, email one of them telling them how appreciative you are of the work they are doing and to keep up the great work.
It's like most OpenSource projects, so either stop the whining or ask for a refund.